Joe,

You need to run as many stunnel instances as the number of SSL certificates. If the sites share an SSL certificate, then one stunnel instance will do.

I run stunnel 4.32 with the patch from http://haproxy.1wt.eu/download/patches/ on port 443 and forward it to port 81 on the same machine, which is bound to haproxy.

My stunnel config looks like:

    cert = /etc/stunnel.pem
    sslVersion = all
    chroot = /var/lib/stunnel/
    setuid = stunnel
    setgid = stunnel
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    [https]
    accept = 443
    connect = 127.0.0.1:81
    TIMEOUTclose = 0
    xforwardedfor = yes

Note that the xforwardedfor option only works after the patch is installed.

My haproxy config looks like:

    frontend http
        bind 0.0.0.0:80
        reqidel ^X-Forwarded-Proto:.*
        reqadd X-Forwarded-Proto:\ HTTP
        option forwardfor

    frontend https
        bind 127.0.0.1:81
        reqidel ^X-Forwarded-Proto:.*
        reqadd X-Forwarded-Proto:\ HTTPS

Note that I am passing an X-Forwarded-Proto header to the underlying application so that it can apply logic specific to https calls.

Vivek

On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <[email protected]> wrote:
> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <[email protected]> wrote:
> > Hi Guys,
> >
> > I was wondering if someone has a good example I could use for proxying https
> > traffic. We are trying to proxy multiple sites that use https and I was
> > hoping for a way to see how to proxy that traffic between multiple IIS
> > servers without having to set up many different backend sections. The way
> > the sites are set up they use a couple of cookies but mostly session
> > variables to track the user as they do their thing. Either I need to be
> > able to pin the user to a single server using the mode tcp function when
> > they come in or be able to use some form of mode http that doesn't break the
> > SSL function.
> >
> > This morning around 5am, I got one site running with only 1 backend using
> > tcp but I really need to be able to load balance it between multiple
> > servers.
>
> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
> and forwards the traffic to haproxy. I have many instances of stunnel
> (one per cert/ip) which all feed a single haproxy http listener.
>
> http://www.stunnel.org/
>
> You could also use another server like nginx, apache etc. to strip the
> SSL. However, I find stunnel well suited as all it does is SSL and it
> is fast and efficient at it (similar to how haproxy does proxying
> very well).
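The point of the reqidel/reqadd pair in Vivek's haproxy config is that the backend application must never see a client-chosen X-Forwarded-Proto: the plain-HTTP frontend deletes whatever the client sent and appends its own value, and the frontend behind stunnel does the same with HTTPS. The following Python model of those two frontends is an added illustration, not code from this thread, from haproxy or from stunnel. It assumes only the behaviour named in the configs above (stunnel's patched xforwardedfor adding an X-Forwarded-For line, reqidel deleting matching header lines case-insensitively, reqadd and option forwardfor appending a line); the hostnames and addresses are constructed sample data.

```python
"""Model of the header handling in the two haproxy frontends quoted above
(added illustration, not code from the thread or from haproxy/stunnel).

It models three things and nothing else:
  * stunnel's `xforwardedfor = yes` (with the haproxy.1wt.eu patch): stunnel
    adds an X-Forwarded-For header carrying the TLS client's address before
    handing the plaintext request to haproxy on 127.0.0.1:81;
  * `reqidel ^X-Forwarded-Proto:.*`: delete every request header line that
    matches the regex, case-insensitively;
  * `reqadd X-Forwarded-Proto:\\ HTTP` / `\\ HTTPS` and `option forwardfor`:
    append a header line to the request.
Request headers and addresses below are constructed sample data.
"""
import re

# Header lines are modelled as (name, value) tuples; haproxy matches
# reqidel patterns against the full "Name: value" line.
REQIDEL_XFP = re.compile(r"^X-Forwarded-Proto:.*", re.IGNORECASE)


def stunnel_xforwardedfor(headers, tls_client_ip):
    """Model of stunnel's xforwardedfor option: tag the decrypted request
    with the real client address so haproxy and the app can see it."""
    return headers + [("X-Forwarded-For", tls_client_ip)]


def _reqidel_then_reqadd(headers, proto):
    """reqidel ^X-Forwarded-Proto:.* followed by reqadd X-Forwarded-Proto:\\ <proto>.
    Deleting first is what stops a client from choosing its own value."""
    kept = [(name, value) for name, value in headers
            if not REQIDEL_XFP.match(f"{name}: {value}")]
    return kept + [("X-Forwarded-Proto", proto)]


def http_frontend(headers, tcp_peer_ip):
    """frontend http (bind 0.0.0.0:80): plain HTTP straight from the client.
    `option forwardfor` appends X-Forwarded-For with the TCP peer address."""
    out = _reqidel_then_reqadd(headers, "HTTP")
    return out + [("X-Forwarded-For", tcp_peer_ip)]


def https_frontend(headers):
    """frontend https (bind 127.0.0.1:81): only reachable through stunnel.
    No forwardfor here; stunnel already supplied X-Forwarded-For."""
    return _reqidel_then_reqadd(headers, "HTTPS")


def via_stunnel(headers, tls_client_ip):
    """Full HTTPS path: client -> stunnel:443 -> haproxy 127.0.0.1:81."""
    return https_frontend(stunnel_xforwardedfor(headers, tls_client_ip))


def effective_proto(headers):
    """What the backend application should trust: the X-Forwarded-Proto
    value appended last, i.e. by haproxy, never a client-supplied one."""
    values = [v for n, v in headers if n.lower() == "x-forwarded-proto"]
    return values[-1] if values else None


if __name__ == "__main__":
    # Constructed sample: a plain-HTTP client claims (in two spellings) that
    # it arrived over TLS; both lines are deleted by reqidel.
    spoofed = [("Host", "www.example.test"),
               ("x-forwarded-proto", "https"),
               ("X-Forwarded-Proto", "HTTPS")]
    seen = http_frontend(spoofed, "203.0.113.7")
    print("port 80 backend view:", seen)
    print("effective proto:", effective_proto(seen))

    # Constructed sample: a real TLS client through stunnel.
    seen = via_stunnel([("Host", "www.example.test")], "198.51.100.9")
    print("port 443 backend view:", seen)
    print("effective proto:", effective_proto(seen))
```

Two things the model makes visible. First, because the application is bound only to haproxy and haproxy's port 81 is bound to 127.0.0.1, the HTTPS value can only come from the stunnel path, so the backend can rely on it. Second, the quoted config deletes only X-Forwarded-Proto; option forwardfor appends X-Forwarded-For without removing a client-supplied copy (haproxy's `if-none` variant only changes whether it appends at all), so an application that logs or rate-limits by client address should read the last X-Forwarded-For value, the one added by the proxy, not the first.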

