Thanks. Are there any config examples I can take a look at? Specifically having HAPROXY load balance 2 backend SSL encrypted tomcat servers. As per your message, I would not be able to use POUND. How can I configure HAPROXY to only balance the 2 servers' port 443 and apply stickiness to the source IPs? Are there any examples I can look at?

How can I modify the below config to also pass through, balance and create the sticky sessions for SSL also? Currently our port 80 load balancing looks like this (entire config):

global
    log 127.0.0.1:514 local7 # only send important events
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
    stats enable
    stats uri /stats

frontend http-in
    bind *:80
    acl is_ww2_test1_com hdr_end(host) -i ww2.test1.com
    use_backend ww2_test1_com if is_ww2_test1_com

backend ww2_test1_com
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option httpchk
    option httpclose
    option forwardfor
    server Server1 10.10.10.11:80 cookie Server1
    server Server2 10.10.10.12:80 cookie Server2

Thanks again.

ts

On Mon, 15 Nov 2010 14:39:13 -0500 "Hank A. Paulson" <h...@spamproof.nospammail.net> wrote:
> Where is the rest of your haproxy config - if you are talking to port 443 on
> your tomcat servers...
>
> If you have the 2 backend servers and you want haproxy to talk to the
> encrypted/ssl ports on them (and you want your end users to see the certs that
> are on the tomcat servers) then the only thing haproxy can "see" is the source
> IP and source port and try to create stickiness with the source IP. So you
> have to think in those terms - what is unencrypted at the time each request
> and response passes through haproxy.
>
> In this case the end user sees the cert installed on pound and haproxy can use
> all the layer 7/http capabilities:
> ssl/443 -> pound -> non-ssl -> haproxy non-ssl -> tomcat(s)
>
> you can't do (AFAIK):
>
> ssl/443 -> pound -> non-ssl -> haproxy -> ssl -> tomcat(s)
> because the user would still see only the pound cert and I don't think haproxy
> can initiate ssl sessions on its own.
>
> On 11/15/10 11:08 AM, t...@hush.com wrote:
>> So we have 2 webservers on the backend with SSL encryption.
>> We want to keep this the way it is.
>> Is there a way for HAPROXY to balance these 2 servers with sticky
>> sessions enabled?
>>
>> How can this be done?
>>
>> Currently when trying it this way:
>>
>> defaults
>>     log global
>>     mode http
>>     option httplog
>>     option dontlognull
>>     retries 3
>>     option redispatch
>>     maxconn 2000
>>     contimeout 5000
>>     clitimeout 50000
>>     srvtimeout 50000
>>     stats enable
>>     stats uri /stats
>>
>> frontend http-in
>>     bind *:80
>>     acl is_ww2_test1_com hdr_end(host) -i ww2.test1.com
>>     use_backend ww2_test1_com if is_ww2_test1_com
>>
>> backend ww2_test1_com
>>     balance roundrobin
>>     cookie SERVERID insert nocache indirect
>>     option httpchk
>>     option httpclose
>>     option forwardfor
>>     server Server1 10.10.10.11:80 cookie Server1
>>     server Server1 10.10.10.12:80 cookie Server2
>>
>> Since the 2 servers are encrypted on port 443 (with the main front
>> page on port 80 not encrypted),
>> the above setup works until it hits 443 where I get the error
>> "Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many
>> redirects.".
>> Port 443 on the HAPROXY frontend is using Pound for the encryption.
>> However both backend servers have a Tomcat Keystore (signed through
>> Thawte) which I doubt will be compatible with Pound. (and I don't
>> want to re-sign the cert or get a new cert)
>> Can I somehow get HAPROXY to balance these 2 servers with proper
>> sticky session handling?
>>
>> TIA!
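
Added example, not part of the original thread or written by either poster: a sketch of the TCP-mode passthrough that the reply above points toward, in which HAProxy relays port 443 without decrypting it and so can persist only on the client source IP. The frontend and backend names, table size and expiry are assumptions; the server addresses are the ones in the posted config, and it assumes Pound no longer listens on port 443 of the same host.

```haproxy
# Added example: layer-4 passthrough for HTTPS. HAProxy never sees plaintext,
# so clients are still served the certificate held in each Tomcat keystore.
frontend https-in
    bind *:443
    mode tcp                  # overrides "mode http" inherited from defaults
    option tcplog             # httplog cannot parse encrypted traffic
    default_backend ww2_test1_com_ssl

backend ww2_test1_com_ssl
    mode tcp
    balance roundrobin
    # Cookie persistence is unavailable here: the Cookie header is encrypted.
    # Persist on source IP instead (table size and expiry are assumed values).
    stick-table type ip size 200k expire 30m
    stick on src
    option ssl-hello-chk      # health check that sends an SSLv3 client hello
    server Server1 10.10.10.11:443 check
    server Server2 10.10.10.12:443 check
```

In this mode "option forwardfor" cannot add a header, so Tomcat logs the HAProxy address as the client, and all users behind one NAT address stick to the same server. Backends that refuse SSLv3 will fail "option ssl-hello-chk"; dropping that line leaves a plain TCP connect check.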