Hi Malte,

>> So now when I got a working haproxy 1.4, I continued to try out
>> the "option http-server-close" but I hit a problem with our
>> stunnel (patched with stunnel-4.22-xforwarded-for.diff) instances.
>> It does not support keep-alive, so only the first HTTP request in
>> a keepalive-session gets the X-Forwarded-For header added (insert
>> Homer "doh!" here :). When giving it some thought, I guess this is
>> the expected behaviour for what stunnel actually is supposed to do.
>> So, for now I'll stick with "option httpclose" for a while
>> longer...
>>
>
> Maybe it's worth a try for you to get along with nginx as stunnel
> replacement?
> Its performance is quite good and the config can be held very short,
> too for only accepting ssl traffic
> and directing it to haproxy.

Thanks for the suggestion. I did give nginx a try in a lab setup, but for our application it did not work out with the "Transfer-Encoding: chunked" header, as nginx returns "411 Content-Length required" for such requests. I also tried with Pound, but got a similar error. There may be other products out there I have not yet tried however.

What I am looking for in my SSL-decoding solution is support for TE:chunked, http keep-alive, option to set "SSL engine" (for h/w acceleration), soft-reconfiguration (something like haproxy's "-sf"), HTTP header manipulation, open-source, free, robust and efficient. This is beginning to sound like haproxy with SSL support :)

Best regards
Erik Gulliksson

--
Erik Gulliksson, [email protected]
System Administrator, Diino AB
http://www.diino.com
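
The keep-alive behaviour described in the quoted message, as an added example that is not part of the original thread or of stunnel/haproxy: a connection-level injector adds X-Forwarded-For once, and a small request splitter shows which requests then reach the backend without the client address. The function names, the sample stream and the address 203.0.113.7 are constructed for illustration, and `inject_once` is an assumed model of the patched stunnel, not its code.

```python
# Constructed sample: two requests on one keep-alive connection, as they
# look after TLS decryption. The second request uses chunked encoding.
STREAM = (
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

def inject_once(stream: bytes, client_ip: str) -> bytes:
    """Connection-level injection: add the header after the first request
    line only (assumed model of the behaviour described in the message)."""
    line, rest = stream.split(b"\r\n", 1)
    return line + b"\r\nX-Forwarded-For: " + client_ip.encode() + b"\r\n" + rest

def split_requests(stream: bytes):
    """Split a decrypted byte stream into (request_line, headers) pairs,
    skipping bodies framed by Content-Length or chunked encoding."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for h in lines[1:]:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            while True:  # walk chunks until the zero-size one (no trailers assumed)
                eol = stream.index(b"\r\n", pos)
                size = int(stream[pos:eol].split(b";")[0], 16)
                pos = eol + 2 + size + 2
                if size == 0:
                    break
        else:
            pos += int(headers.get("content-length", "0"))
        out.append((lines[0], headers))
    return out

def missing_xff(stream: bytes):
    """Request lines that would reach the backend without X-Forwarded-For."""
    return [rl for rl, h in split_requests(stream) if "x-forwarded-for" not in h]

if __name__ == "__main__":
    print(missing_xff(inject_once(STREAM, "203.0.113.7")))
```

Any backend logging or access rule keyed on X-Forwarded-For sees the client address only for the first request here, which is why closing the connection after each request ("option httpclose") keeps the header reliable with this setup.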

