Hi Tom,

Yes, you will need something to terminate the HTTPS requests before they get sent to HAProxy, because HAProxy is currently not able to handle such requests. I think it is a common practice to install the HTTPS termination software and HAProxy on the same box. Stunnel, Apache + mod_ssl, and nginx are all popular software that can be used for this task. As a personal preference I would recommend the last two, as I find stunnel a little cumbersome when dealing with multiple certificates.

For more information: http://haproxy.1wt.eu/download/1.3/doc/architecture.txt

Hope this helps,
Bryan

On Wed, Jun 10, 2009 at 8:24 AM, Tom Potwin<[email protected]> wrote:
> After going through these archives, I'm still not clear on if I need
> something more than HAProxy to add SSL to my backend servers. Right now I
> have HAProxy running on a virtual node (LB1) in front of another virtual
> node with the web server (WEB1). This is all behind a firewall/router that's
> routing one of my public IP's to the shared local address. I need to add at
> least three SSL certificates to three sites on my web server. Here is my
> current cfg setup:
>
> global
>     log 127.0.0.1 local0
>     log 127.0.0.1 local1 notice
>     maxconn 4096
>     user haproxy
>     group haproxy
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     redispatch
>     maxconn 2000
>     contimeout 5000
>     clitimeout 50000
>     srvtimeout 50000
>
> listen webfarm 192.168.31.100:80, 192.168.31.100:443
>     mode http
>     stats enable
>     stats auth netadmin:5bgr+bdd1WbA
>     balance roundrobin
>     cookie JSESSIONID prefix
>     option forceclose
>     option httpclose
>     option forwardfor
>     option httpchk HEAD /check.txt HTTP/1.0
>     server web1 192.168.31.202:80 cookie w01 check inter 2000 rise 2 fall 2
>     server web2 192.168.31.212:80 cookie w02 check inter 2000 rise 2 fall 2
>     option persist
>     redispatch
>     contimeout 5000
>     rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
>
> I've read that all I need is to change mode http to mode tcp, balance
> roundrobin to balance source, and option httpchk to option ssl-hello-chk,
> and all should work. Then I also read that HAProxy can't do SSL so you have
> to install something like stunnel to get it to work. I'm trying to keep
> things as simple as I can, so what is the correct way for me to handle this?
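
The arrangement described in the reply, sketched as an nginx configuration (an added example, not part of the original thread): nginx terminates TLS for three sites on LB1 and passes plain HTTP to the HAProxy listener on port 80 of the same box. The hostnames and certificate paths are placeholders, and serving several certificates on one address assumes clients that send SNI.

```nginx
# Added example, not from the thread. Placed in nginx's http {} context
# (for instance a file included from conf.d/). Hostnames and certificate
# paths below are placeholders.

# Shared settings, inherited by the three server blocks.
ssl_protocols TLSv1.2 TLSv1.3;
proxy_set_header Host $host;
# Record the real client address; HAProxy's "option forwardfor" will add a
# further X-Forwarded-For header carrying nginx's own address.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;

# One server block per site; nginx picks the certificate by SNI name.
server {
    listen 192.168.31.100:443 ssl;
    server_name site1.example;
    ssl_certificate     /etc/nginx/tls/site1.example.crt;
    ssl_certificate_key /etc/nginx/tls/site1.example.key;
    location / {
        proxy_pass http://192.168.31.100:80;   # HAProxy "webfarm" listener
    }
}

server {
    listen 192.168.31.100:443 ssl;
    server_name site2.example;
    ssl_certificate     /etc/nginx/tls/site2.example.crt;
    ssl_certificate_key /etc/nginx/tls/site2.example.key;
    location / {
        proxy_pass http://192.168.31.100:80;
    }
}

server {
    listen 192.168.31.100:443 ssl;
    server_name site3.example;
    ssl_certificate     /etc/nginx/tls/site3.example.crt;
    ssl_certificate_key /etc/nginx/tls/site3.example.key;
    location / {
        proxy_pass http://192.168.31.100:80;
    }
}
```

With nginx bound to 192.168.31.100:443, the "listen webfarm" line in HAProxy keeps only 192.168.31.100:80 and stays in mode http, so the cookie persistence and the httpchk health check continue to apply. The private key files should be readable only by the account nginx starts as.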

