Hi Thanks for the great explanation. I'm actually wondering if I should just get rid of HAProxy, and just use heartbeat to do failover. It all depends on how my backend works. I'm using a package called ISPConfig to maintain sites, including SSL certificates. I'm not sure how that would handle it if I had to switch the SSL certificate handling to the LB nodes.
Tom

-----Original Message-----
From: Holger Just [mailto:[email protected]]
Sent: Wednesday, June 10, 2009 12:08 PM
To: HAProxy
Subject: Re: Do I need more than HAProxy for SSL webserver

On 10.06.2009 17:26 Uhr, Tom Potwin wrote:
> Thanks for that advice.
> Does anyone know where there are any how-to's for setting up something
> like this? The architecture.txt file doesn't go into much detail.

At our site, we are using nginx for that task. This is laid out as follows:

                                                          -----------
                                                    ---->| Backend 1 |
                                                   /      -----------
 ---------------         -------        ---------  /       -----------
| teh Internets |------>| nginx |----->| HAProxy |------>| Backend 2 |
 ---------------  https  -------  http  --------- \ http   -----------
                                                   \      -----------
                                                    ---->| Backend 3 |
                                                          -----------

We are using something like the following as our nginx configuration:

    server {
        # This is the remote IP to listen to
        listen 192.168.1.1:443;
        ssl on;
        ssl_certificate     /etc/ssl/certs/server.example.com.crt;
        ssl_certificate_key /etc/ssl/private/server.example.com.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X_FORWARDED_PROTO https;

            # The following options have to be tuned for local needs
            client_max_body_size 10m;
            client_body_buffer_size 128k;
            proxy_connect_timeout 30;
            proxy_send_timeout 300;
            proxy_read_timeout 300;
            proxy_buffers 32 4k;
        }
    }

In your HAProxy configuration, you can then decide how that request has to be processed further by using

* a special port (in this case 127.0.0.1:8000) which is used for unpacked https traffic only
* an ACL and matching for the X_FORWARDED_PROTO header like

      acl ssl_origin hdr(X_FORWARDED_PROTO) https

  or the other inserted headers

This alone might be unsafe, as user agents might set this header by themselves. You can however ensure that the request comes from localhost by additionally matching for localhost (which performs a layer 3 matching of the source IP of the request).

For more information have a look at http://wiki.nginx.org/NginxHttpProxyModule as well as http://haproxy.1wt.eu/download/1.3/doc/configuration.txt

In my opinion it is a good idea for all newbies to (at least) skim the complete second document as all options as well as details about the inner workings of HAProxy are thoroughly explained. I have it printed on my desk :)

--Holger
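The HAProxy side of the setup Holger describes, as an added example that is not part of the thread: it combines the dedicated local port with the X_FORWARDED_PROTO ACL and the layer 3 source check, and strips the header when it did not arrive from the local nginx. Backend addresses, backend names and the HAProxy 1.4-style `if`/`unless` conditions on `reqidel` are assumptions.

```haproxy
# Added example (not the list author's config). Assumes HAProxy 1.4 syntax
# and the nginx front end from the message above on 127.0.0.1:8000.
global
    daemon
    maxconn 4096

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  300s
    timeout server  300s

frontend public
    # Plain HTTP straight from clients
    bind 0.0.0.0:80
    # Decrypted HTTPS handed over by the local nginx (special port)
    bind 127.0.0.1:8000

    # Layer 3 check: the connection really comes from the local TLS terminator
    acl from_nginx  src 127.0.0.1
    # Layer 7 check: the header nginx inserts with proxy_set_header
    acl ssl_origin  hdr(X_FORWARDED_PROTO) https

    # A user agent can send X_FORWARDED_PROTO itself. Delete it on every
    # request that did not arrive from nginx, so backends never see a forged one.
    reqidel ^X_FORWARDED_PROTO:.* unless from_nginx

    # Treat a request as HTTPS only when the header is present AND the
    # source check passed (two ACLs on one "if" line are ANDed).
    use_backend secure_sites if ssl_origin from_nginx
    default_backend plain_sites

backend secure_sites
    balance roundrobin
    # Constructed backend addresses, not from the thread
    server backend1 192.168.1.11:80 check
    server backend2 192.168.1.12:80 check
    server backend3 192.168.1.13:80 check

backend plain_sites
    balance roundrobin
    server backend1 192.168.1.11:80 check
    server backend2 192.168.1.12:80 check
    server backend3 192.168.1.13:80 check
```

The nginx `ssl_protocols` and `ssl_ciphers` lines in the quoted config reflect 2009 settings; a current deployment should allow only TLSv1.2 or newer and drop the SSLv2/EXP/LOW cipher groups.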

