BTW, will this patch ever go upstream? Why does stunnel not have this already?

On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik <vivek.ma...@gmail.com> wrote:
> Joe,
> You need to run as many stunnel instances as the number of SSL certificates. If
> the sites share an SSL certificate, then one stunnel instance will do.
> I run stunnel 4.32 with patch from http://haproxy.1wt.eu/download/patches/
> on port 443 and forward it to port 81 on the same machine which is bound to
> haproxy.
> My stunnel config looks like
> cert = /etc/stunnel.pem
> sslVersion = all
> chroot = /var/lib/stunnel/
> setuid = stunnel
> setgid = stunnel
> pid = /stunnel.pid
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> [https]
> accept  = 443
> connect = 127.0.0.1:81
> TIMEOUTclose = 0
> xforwardedfor = yes
> Note that the xforwardedfor option only works after the patch is installed.  My
> haproxy config looks like
> frontend http
>         bind 0.0.0.0:80
>         reqidel ^X-Forwarded-Proto:.*
>         reqadd X-Forwarded-Proto:\ HTTP
>         option forwardfor
> frontend https
>         bind 127.0.0.1:81
>         reqidel ^X-Forwarded-Proto:.*
>         reqadd X-Forwarded-Proto:\ HTTPS
> Note that I am passing an X-Forwarded-Proto header to the underlying application so that
> it can apply logic specific to https calls.
> Vivek
> On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <bti...@gmail.com> wrote:
>>
>> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <jwharde...@gmail.com>
>> wrote:
>> > Hi Guys,
>> >
>> > I was wondering if someone has a good example I could use for proxying
>> > https traffic.  We are trying to proxy multiple sites that use https and
>> > I was hoping for a way to see how to proxy that traffic between multiple
>> > IIS servers without having to set up many different backend sections.  The
>> > way the sites are set up, they use a couple of cookies but mostly session
>> > variables to track the user as they do their thing.  Either I need to be
>> > able to pin the user to a single server using the mode tcp function when
>> > they come in or be able to use some form of mode http that doesn't break
>> > the SSL function.
>> >
>> > This morning around 5am, I got one site running with only 1 backend
>> > using tcp but I really need to be able to load balance it between
>> > multiple servers.
>>
>> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
>> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
>> and forwards the traffic to haproxy. I have many instances of stunnel
>> (one per cert/ip) which all feed a single haproxy http listener.
>>
>> http://www.stunnel.org/
>>
>> You could also use another server like nginx, apache etc. to strip the
>> SSL. However, I find stunnel well suited as all it does is SSL and it
>> is fast and efficient at it (similar to how haproxy does proxying
>> very well).
>>
>
>



-- 
Germán Gutiérrez

OLX Operation Center
OLX Inc.
Buenos Aires - Argentina
Phone: 54.11.4775.6696
Mobile: 54.911.5669.6175
Skype: errare_est
Email: germ...@olx.com

Delivering common sense since 1969 <Epoch Fail!>.

The Nature is not amiable; It treats impartially to all the things.
The wise person is not amiable; He treats all people impartially.

It doesn't affect the site, it doesn't need QA.
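The two haproxy frontends quoted above do something worth seeing in isolation: each one first deletes whatever X-Forwarded-Proto the client sent (reqidel, case-insensitive) and only then adds the value that listener knows to be true, so an application behind the proxy can branch on "was this TLS?" without a client on port 80 being able to forge it. The following is an added example, not code from this thread, stunnel or haproxy: it emulates those reqidel/reqadd/forwardfor steps in Python on two constructed requests, shows the same listener with the reqidel line left out for comparison, and includes the check the backend side should make. The request bodies, the host name and the client address 203.0.113.7 are made up.

```python
"""Header handling of the two haproxy frontends quoted in the thread,
emulated in Python on constructed requests (added example)."""
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed requests, not captured traffic.  The first arrives on the
# plain port-80 listener but claims to have been TLS, twice, with different
# header-name casing; the second arrives on 127.0.0.1:81 from stunnel,
# which has already removed the TLS layer.
SPOOFED_ON_80 = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"X-Forwarded-Proto: https\r\n"
    b"x-forwarded-proto: HTTPS\r\n"
    b"\r\n"
)
VIA_STUNNEL_ON_81 = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Headers:
    """Split the header block of a raw HTTP/1.x request into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def reqidel(headers: Headers, pattern: str) -> Headers:
    """'reqidel <regex>': delete every header line whose 'Name: value' text
    matches, case-insensitively (the 'i' in the directive name)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(n, v) for n, v in headers if not rx.search(f"{n}: {v}")]


def reqadd(headers: Headers, line: str) -> Headers:
    """'reqadd <string>': append one header line.  The backslash before the
    space in the quoted config only protects the space from haproxy's parser."""
    name, _, value = line.partition(":")
    return headers + [(name.strip(), value.strip())]


def option_forwardfor(headers: Headers, client_ip: str) -> Headers:
    """'option forwardfor': add an X-Forwarded-For line with the connecting
    address.  haproxy adds a new line even when the client already sent one."""
    return headers + [("X-Forwarded-For", client_ip)]


def frontend_http(headers: Headers, client_ip: str) -> Headers:
    """frontend http, bind 0.0.0.0:80: scrub first, then state the truth."""
    headers = reqidel(headers, r"^X-Forwarded-Proto:.*")
    headers = reqadd(headers, "X-Forwarded-Proto: HTTP")
    return option_forwardfor(headers, client_ip)


def frontend_https(headers: Headers) -> Headers:
    """frontend https, bind 127.0.0.1:81, reachable only through stunnel."""
    headers = reqidel(headers, r"^X-Forwarded-Proto:.*")
    return reqadd(headers, "X-Forwarded-Proto: HTTPS")


def frontend_http_without_scrub(headers: Headers) -> Headers:
    """The port-80 listener with the reqidel line left out, for comparison:
    the client's forged lines survive next to the one we add."""
    return reqadd(headers, "X-Forwarded-Proto: HTTP")


def proto_values(headers: Headers) -> List[str]:
    """Every X-Forwarded-Proto value the backend would see, in order."""
    return [v for n, v in headers if n.lower() == "x-forwarded-proto"]


def backend_scheme(headers: Headers) -> str:
    """What the application behind haproxy should do with the header: accept
    it only when the proxy left exactly one line.  A framework that takes
    the first value would be fooled by the unscrubbed variant."""
    values = proto_values(headers)
    if len(values) != 1:
        raise ValueError(f"ambiguous X-Forwarded-Proto: {values}")
    return values[0].upper()


if __name__ == "__main__":
    h80 = parse_headers(SPOOFED_ON_80)
    print("port 80, scrubbed:  ", backend_scheme(frontend_http(h80, "203.0.113.7")))
    print("port 80, unscrubbed:", proto_values(frontend_http_without_scrub(h80)))
    print("port 81 via stunnel:", backend_scheme(frontend_https(parse_headers(VIA_STUNNEL_ON_81))))
```

Run it as a script and the scrubbed port-80 request comes out as HTTP with a single X-Forwarded-For of 203.0.113.7, the unscrubbed variant hands the backend three X-Forwarded-Proto values, and the request via stunnel comes out as HTTPS. The emulation covers only header rewriting; it says nothing about the TLS side, and in particular does not model the `sslVersion = all` line in the quoted stunnel config, which enables every protocol version the stunnel build supports rather than just the current TLS versions.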
