Thanks.
Are there any config examples I can take a look at?
Specifically having HAPROXY load balance 2 backend SSL encrypted 
tomcat servers.
As per your message, I would not be able to use POUND.
How can I configure HAPROXY to only balance the 2 servers' port 443 
and apply stickiness to the source IPs?
Are there any examples I can look at?

How can I modify the below config to also pass through, balance and 
create the sticky sessions for SSL also?
Currently our port 80 load balancing looks like this: (entire 
config)

global
    log 127.0.0.1:514 local7         # only send important events
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
    stats enable
    stats uri /stats
frontend http-in
    bind *:80
    acl is_ww2_test1_com hdr_end(host) -i ww2.test1.com
    use_backend ww2_test1_com if is_ww2_test1_com
backend ww2_test1_com
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option httpchk
    option httpclose
    option forwardfor
    server Server1 10.10.10.11:80 cookie Server1
    server Server2 10.10.10.12:80 cookie Server2

thanks again.

ts

On Mon, 15 Nov 2010 14:39:13 -0500 "Hank A. Paulson" 
<h...@spamproof.nospammail.net> wrote:
>Where is the rest of your haproxy config - if you are talking to 
>port 443 on 
>your tomcat servers...
>
>If you have the 2 backend servers and you want haproxy to 
>talk to the 
>encrypted/ssl ports on them (and you want your end users to see 
>the certs that 
>are on the tomcat servers) then the only thing haproxy can "see" 
>is the source 
>IP and source port and try to create stickiness with the source 
>IP. So you 
>have to think in those terms - what is unencrypted at the time 
>each request 
>and response passes through haproxy.
>
>In this case the end user sees the cert installed on pound and 
>haproxy can use 
>all the layer 7/http capabilities:
>ssl/443 -> pound -> non-ssl -> haproxy non-ssl -> tomcat(s)
>
>you can't do (AFAIK):
>
>ssl/443 -> pound -> non-ssl -> haproxy -> ssl -> tomcat(s)
>because the user would still see only the pound cert and I don't 
>think haproxy 
>can initiate ssl sessions on its own.
>
>On 11/15/10 11:08 AM, t...@hush.com wrote:
>> So we have 2 webservers on the backend with SSL encryption.
>> We want to keep this the way it is.
>> Is there a way for HAPROXY to balance these 2 servers with sticky
>> sessions enabled?
>>
>> how can this be done?
>>
>> Currently when trying it this way;
>>
>> defaults
>>      log global
>>      mode http
>>      option httplog
>>      option dontlognull
>>      retries 3
>>      option redispatch
>>      maxconn 2000
>>      contimeout 5000
>>      clitimeout 50000
>>      srvtimeout 50000
>>      stats enable
>>      stats uri /stats
>>
>>
>> frontend http-in
>>      bind *:80
>>      acl is_ww2_test1_com hdr_end(host) -i ww2.test1.com
>>      use_backend ww2_test1_com if is_ww2_test1_com
>>
>> backend ww2_test1_com
>>      balance roundrobin
>>      cookie SERVERID insert nocache indirect
>>      option httpchk
>>      option httpclose
>>      option forwardfor
>>      server Server1 10.10.10.11:80 cookie Server1
>>      server Server2 10.10.10.12:80 cookie Server2
>>
>> Since the 2 servers are encrypted on port 443 (with the main front
>> page on port 80 not encrypted),
>> the above setup works until it hits 443 where I get the error
>> "Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many
>> redirects.".
>> Port 443 on the HAPROXY frontend is using Pound for the encryption.
>> However both backend servers have a Tomcat Keystore (signed through
>> thawte) which I doubt will be compatible with Pound.  (and I don't
>> want to re-sign the cert or get a new cert)
>> Can I somehow get HAPROXY to balance these 2 servers with proper
>> sticky session handling?
>>
>> TIA!
>>
>>
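
The passthrough setup asked about in this thread, sketched as an added example (not from either poster and not tested against their systems). The section names https-in and ww2_test1_com_ssl are hypothetical; the server addresses are the ones in the posted config, moved to port 443. It is meant to sit alongside the port 80 sections, with Pound no longer listening on 443.

```haproxy
# Added example (constructed). Section names are hypothetical.
frontend https-in
    bind *:443
    mode tcp                  # overrides "mode http" from defaults; the TLS stream is opaque here
    option tcplog             # no HTTP request exists to log in TCP mode
    default_backend ww2_test1_com_ssl

backend ww2_test1_com_ssl
    mode tcp
    balance roundrobin
    # Cookie persistence needs cleartext HTTP, so stickiness is keyed on
    # the client source address, the only identifier visible to haproxy.
    stick-table type ip size 200k expire 30m
    stick on src
    option ssl-hello-chk      # health check sends an SSL hello instead of an HTTP request
    server Server1 10.10.10.11:443 check
    server Server2 10.10.10.12:443 check
```

Because the traffic stays encrypted end to end, "option forwardfor" cannot add a header, so the Tomcat access logs will record the haproxy address rather than the client's. All clients behind one NAT address stick to the same server.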

