On Mon, Nov 15, 2010 at 03:38:58PM -0500, t...@hush.com wrote:
> Thanks.
> Are there any config examples I can take a look at?
> Specifically having HAPROXY load balance 2 backend SSL encrypted
> tomcat servers.
> As per your message, I would not be able to use POUND.
If you need to re-encrypt the traffic between haproxy and tomcat, then you
can't do that much easily. I've already done it with stunnel, but the overall
chain gets quite complicated:

    client
      |
      | HTTPS/443
      v
    stunnel in server mode
      |
      | HTTP/localhost:8443
      v
    haproxy
      |
      | HTTP/localhost:8000+#server
      v
    stunnel in client mode
      |
      | HTTPS/server:443
      v
    server

> How can I configure HAPROXY to only balance the 2 servers' port 443
> and apply stickiness to the source IP's?

You can do that in plain TCP mode, so there won't be any HTTP processing.
Source IP stickiness can be configured using the stick-tables. An alternative
generally is to simply perform a source IP hash. Version 1.5-dev3 makes it
possible to use SSL-ID for stickiness, which is more reliable than the IP
address, but is limited in time by some browsers. A solution could be to mix
IP hashing with SSL-ID stickiness in order to get the best of both worlds: as
long as at least one of them remains, stickiness is maintained.

> are there any examples I can look at?

There are a few in the doc, but really not that much. Look for "stick-table".

> How can I modify the below config to also passthrough, balance and
> create the sticky sessions for SSL also?
> currently our port 80 load balancing looks like this: (entire
> config)
>
> global
>     log 127.0.0.1:514 local7   # only send important events
>     maxconn 4096
>     user haproxy
>     group haproxy
>     daemon
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     option redispatch
>     maxconn 2000
>     contimeout 5000
>     clitimeout 50000
>     srvtimeout 50000
>     stats enable
>     stats uri /stats
>
> frontend http-in
>     bind *:80
>     acl is_ww2_test1_com hdr_end(host) -i ww2.test1.com
>     use_backend ww2_test1_com if is_ww2_test1_com
>
> backend ww2_test1_com
>     balance roundrobin
>     cookie SERVERID insert nocache indirect
>     option httpchk
>     option httpclose
>     option forwardfor
>     server Server1 10.10.10.11:80 cookie Server1
>     server Server2 10.10.10.12:80 cookie Server2

For port 443, it would approximately look like this (untested):

    frontend https-in
        mode tcp
        bind :443
        default_backend bk-https

    backend bk-https
        mode tcp
        balance source          # source-IP hash ("source" is the keyword)
        option ssl-hello-chk
        server Server1 10.10.10.11:443 check
        server Server2 10.10.10.12:443 check

But be careful, your servers will only log haproxy's IP address, and this can
clearly become an issue.

Regards,
Willy
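A fuller worked version of the port-443 passthrough described in the reply, written here as an added example (not taken from the message or from the haproxy project). It combines the source-IP hash with a stick-table, so that a client keeps its server even when the hash distribution changes (a server leaving and rejoining the farm), and shows the SSL-session-ID variant the reply says needs 1.5-dev3, laid out after the haproxy manual's "stick on" / "stick store-response" example. Server addresses are the ones from the quoted config; table sizes, expiry times, and the 5s inspect delay are assumptions.

```haproxy
# Added example (not from the message or the haproxy project): TCP-mode
# passthrough of port 443 to two Tomcat servers with source-IP stickiness.
# haproxy never decrypts here, so no Host/URL ACLs are possible and the
# servers only ever see haproxy's address as the client IP (the caveat in
# the reply): client-side forensics must come from haproxy's own log.

frontend https-in
    mode tcp
    bind *:443
    # only the TCP log format is available in this mode
    option tcplog
    default_backend bk-https-ip

# Variant 1 (works on 1.4): hash the client IP to pick a server and remember
# the choice in a table keyed by client IP. A stick-table entry wins whenever
# one exists, so a client keeps its server even after the farm changes shape,
# which would otherwise reshuffle the hash.
backend bk-https-ip
    mode tcp
    balance source
    # assumed sizing: room for 200k client IPs, entries expire after 30 min idle
    stick-table type ip size 200k expire 30m
    stick on src
    # SSLv3/TLS ClientHello health check, as in the reply
    option ssl-hello-chk
    server Server1 10.10.10.11:443 check
    server Server2 10.10.10.12:443 check

# Variant 2 (1.5-dev3 or later, as the reply notes): the same IP hash as the
# fallback, but the sticky key is the TLS session ID read from the
# ClientHello and ServerHello. Browsers that do not resume sessions, or that
# drop the session ID after a while, simply fall back to the IP hash, which
# is the "best of both worlds" mix the reply suggests.
backend bk-https-sslid
    mode tcp
    balance source
    # 32-byte binary keys (the maximum session ID length); assumed sizing
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # wait up to 5s for the ClientHello before choosing a server
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    # the session ID is the length-prefixed field at offset 43 of the hello
    # (5-byte record header + 4-byte handshake header + 2-byte version
    # + 32-byte random)
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    server Server1 10.10.10.11:443 check
    server Server2 10.10.10.12:443 check
```

Run `haproxy -c -f <file>` against the target version before deploying: variant 2 will be rejected outright by a 1.4 binary, which is the quickest way to confirm which directives the installed release supports. Stick-table entries are only consulted while the chosen server passes its health check, so `option ssl-hello-chk` is doing real work here: without it a client could be held on a server that has stopped answering TLS.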