What if I don't need to encrypt the traffic between the HAProxy front and the 2 backend servers?
Is there a way just to have HAProxy pass through any and all traffic and balance it?
Sort of like LVS works on Layer 4.

tia.



On Tue, 16 Nov 2010 06:18:03 -0500 Willy Tarreau <w...@1wt.eu> wrote:
>On Mon, Nov 15, 2010 at 03:38:58PM -0500, t...@hush.com wrote:
>> Thanks.
>> Are there any config examples I can take a look at?
>> Specifically having HAPROXY load balance 2 backend SSL encrypted tomcat servers.
>> As per your message, I would not be able to use POUND.
>
>If you need to re-encrypt the traffic between haproxy and tomcat,
>then you can't do that much easily. I've already done it with stunnel,
>but the overall chain gets quite complicated:
>
>client
>   |
>   | HTTPS/443
>   v
>stunnel in server mode
>   |
>   | HTTP/localhost:8443
>   v
>haproxy
>   |
>   | HTTP/localhost:8000+#server
>   v
>stunnel in client mode
>   |
>   | HTTPS/server:443
>   v
>server
>
>> How can I configure HAPROXY to only balance the 2 servers' port 443
>> and apply stickiness to the source IPs?
>
>You can do that in plain TCP mode, so there won't be any HTTP processing.
>Source IP stickiness can be configured using the stick-tables. An
>alternative generally is to simply perform a source IP hash.
>
>Version 1.5-dev3 makes it possible to use SSL-ID for stickiness, which
>is more reliable than the IP address, but is limited in time by some
>browsers. A solution could be to mix IP hashing with SSL-ID stickiness
>in order to get the best of both worlds: as long as at least one of
>them remains, stickiness is maintained.
>
>> are there any examples I can look at?
>
>There are a few in the doc, but really not that much. Look for
>"stick-table".
>
>> How can I modify the below config to also pass through, balance and
>> create the sticky sessions for SSL also?
>> Currently our port 80 load balancing looks like this: (entire config)
>> 
>> global
>>     log 127.0.0.1:514 local7         # only send important events
>>     maxconn 4096
>>     user haproxy
>>     group haproxy
>>     daemon
>> defaults
>>     log global
>>     mode http
>>     option httplog
>>     option dontlognull
>>     retries 3
>>     option redispatch
>>     maxconn 2000
>>     contimeout 5000
>>     clitimeout 50000
>>     srvtimeout 50000
>>     stats enable
>>     stats uri /stats
>> frontend http-in
>>     bind *:80
>>     acl is_ww2_test1_com hdr_end(host) -i ww2.test1.com
>>     use_backend ww2_test1_com if is_ww2_test1_com
>> backend ww2_test1_com
>>     balance roundrobin
>>     cookie SERVERID insert nocache indirect
>>     option httpchk
>>     option httpclose
>>     option forwardfor
>>     server Server1 10.10.10.11:80 cookie Server1
>>     server Server2 10.10.10.12:80 cookie Server2
>
>For port 443, it would approximately look like this (untested):
>
>frontend https-in
>       mode tcp
>       bind :443
>       default_backend bk-https
>
>backend bk-https
>       mode tcp
>       balance src
>       option ssl-hello-chk
>       server Server1 10.10.10.11:443 check
>       server Server2 10.10.10.12:443 check
>
>But be careful, your servers will only log haproxy's IP address,
>and this can clearly become an issue.
>
>Regards,
>Willy
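The stick-table variant Willy points to, written out as a layer-4 passthrough configuration for the question at the top of the thread. This is an added example, not a config from the thread; it assumes HAProxy 1.4 syntax and reuses the server addresses from the quoted port 80 config.

```haproxy
# Added example (not from the thread): layer-4 SSL passthrough with
# stick-table based source IP stickiness instead of "balance src".
# Assumes HAProxy 1.4 syntax and the server addresses of the quoted config.
frontend https-in
    mode tcp
    option tcplog                # TCP mode: no HTTP parsing, so use the TCP log format
    bind :443
    default_backend bk-https

backend bk-https
    mode tcp
    balance roundrobin           # used only for source addresses not yet in the table
    # Remember up to 200k client IPs; an entry expires 30 minutes after its last use
    stick-table type ip size 200k expire 30m
    stick on src                 # keep a client on the server its IP was first sent to
    option ssl-hello-chk         # health check with an SSL client hello, no decryption needed
    server Server1 10.10.10.11:443 check
    server Server2 10.10.10.12:443 check
```

Unlike `balance src`, the table keeps existing clients on their server when a server is added or removed, since the mapping is stored rather than recomputed from a hash. As Willy notes, in TCP mode the backends still only see HAProxy's address as the connection source.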