On Sun, Oct 17, 2010 at 09:15:18PM +0200, Mike Hoffs wrote:
> > Hi Mike,
> >
> > > Is it possible to implement at forwardfor except ipv6 ?
> >
> > It should not be hard to do. However, as noted in the source, it's a bit
> > useless, because while IPv6 is used over the net, it's particularly rare
> > on the local network, and the "except" keyword is only used to reference
> > your local SSL proxies. Most often, it will only contain 127.0.0.0/8 or
> > your local LAN address.
>
> I know but then we need two entries for haproxy for one single ipv6 address
> that we tunnel to ipv4.
>
> > > Now it is only possible to except an ipv4 address. If that is possible we
> > > can also make the legacy stuff with ssl ipv6 reachable.
> >
> > In my opinion, this is independent. You can very well have your SSL reverse
> > proxy receive IPv6 traffic and forward it to haproxy on 127.0.0.1 (IPv4).
> >
> > Do you have a concrete example where it's really needed ?
>
> Yes;
>
> Haproxy is configured to listen on ipv6 at port 80, both should be reachable
> (80 & 443). With stunnel we capture 443 traffic, and tunnel it to the single
> entry in haproxy. Haproxy is configured with forwardfor, stunnel also. Now we
> have 2 ipv6 in the headers, and it would be nice to except the local ipv6.
> With the solution to handle it on the local ipv4 should do the trick but with
> many ssl hosts it's a bit messy. With single entry we keep the haproxy config
> clean.

OK I see. I agree with you that if your setup is IPv6-only, then it makes
sense. It's not a common setup though. I'll try to figure out the required
changes to support that.

Regards,
Willy
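An added illustration, not part of the original thread and not HAProxy's code: a simplified Python model of the `forwardfor except` decision for the stunnel setup described above, comparing an IPv4-only except list with one that also covers the local IPv6 address. The addresses, host name and function names are assumptions made for the example.

```python
import ipaddress

def forwardfor(headers, peer, except_nets):
    """Simplified model of 'option forwardfor except <network>': return the
    header list with an X-Forwarded-For entry for the connecting peer added,
    unless the peer falls inside one of the excepted networks."""
    addr = ipaddress.ip_address(peer)
    for net in except_nets:
        net = ipaddress.ip_network(net)
        # A network only matches addresses of its own family, so an
        # IPv4-only except list can never exempt an IPv6 peer.
        if addr.version == net.version and addr in net:
            return list(headers)
    return list(headers) + [("X-Forwarded-For", str(addr))]

def xff_values(headers):
    """Collect every X-Forwarded-For value in the order a backend sees them."""
    return [v for k, v in headers if k.lower() == "x-forwarded-for"]

# Constructed sample: the SSL proxy (stunnel) has already recorded the real
# client, then connects to the frontend from the local IPv6 address.
CLIENT = "2001:db8::1234"   # documentation prefix, constructed
LOCAL_PROXY = "::1"         # assumed local address of the SSL proxy
from_stunnel = [("Host", "example.test"), ("X-Forwarded-For", CLIENT)]

# Except list limited to IPv4: the local proxy address gets added as well.
ipv4_only = forwardfor(from_stunnel, LOCAL_PROXY, ["127.0.0.0/8"])
# Except list that also names the local IPv6 address: header left untouched.
with_ipv6 = forwardfor(from_stunnel, LOCAL_PROXY, ["127.0.0.0/8", "::1/128"])
# Plain port-80 client connecting directly: its address is still recorded.
direct = forwardfor([("Host", "example.test")], CLIENT,
                    ["127.0.0.0/8", "::1/128"])

if __name__ == "__main__":
    print("IPv4-only except :", xff_values(ipv4_only))
    print("IPv6-aware except:", xff_values(with_ipv6))
    print("direct client    :", xff_values(direct))
```

In the IPv4-only case the last X-Forwarded-For value is the local proxy address, so a backend that logs or filters on that value sees `::1` for every request that arrived over TLS.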

