You probably need to ask that question on the stunnel mailing list.

Sent from my iPhone

On Apr 10, 2011, at 8:20 AM, "German Gutierrez" <germ...@olx.com> wrote:

> BTW, will this patch ever go upstream? Why does stunnel not have this already?
> 
> On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik <vivek.ma...@gmail.com> wrote:
>> Joe,
>> You need to run as many stunnel instances as number of SSL certificates. If
>> the sites share SSL certificate, then one stunnel instance will do.
>> I run stunnel 4.32 with patch from http://haproxy.1wt.eu/download/patches/
>> on port 443 and forward it to port 81 on the same machine which is bound to
>> haproxy.
>> My stunnel config looks like
>> 
>> ; Global options: certificate, privilege drop, and socket tuning.
>> cert = /etc/stunnel.pem
>> ; "all" lets OpenSSL negotiate any SSL/TLS version it was built with.
>> sslVersion = all
>> ; Chroot and drop to an unprivileged user after binding port 443; the
>> ; pid path below is relative to the chroot.
>> chroot = /var/lib/stunnel/
>> setuid = stunnel
>> setgid = stunnel
>> pid = /stunnel.pid
>> ; Disable Nagle on both the client (l) and haproxy (r) sides.
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> 
>> ; Service: terminate SSL on 443, hand plain HTTP to haproxy on loopback.
>> [https]
>> accept  = 443
>> connect = 127.0.0.1:81
>> TIMEOUTclose = 0
>> ; Patched-in option: add an X-Forwarded-For header with the client IP.
>> xforwardedfor = yes
>> Note that the xforwardedfor option only works after the patch is installed.  My
>> haproxy config looks like
>> 
>> frontend http
>>         bind 0.0.0.0:80
>>         # drop any client-supplied X-Forwarded-Proto, then set our own
>>         reqidel ^X-Forwarded-Proto:.*
>>         reqadd X-Forwarded-Proto:\ HTTP
>>         # haproxy adds X-Forwarded-For itself on the plain-HTTP side
>>         option forwardfor
>> frontend https
>>         # loopback only; fed by stunnel, which already added X-Forwarded-For
>>         bind 127.0.0.1:81
>>         reqidel ^X-Forwarded-Proto:.*
>>         reqadd X-Forwarded-Proto:\ HTTPS
>> 
>> Note that I am passing an X-Forwarded-Proto to the underlying application so that
>> it can apply logic specific to https calls.
>> Vivek
>> On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <bti...@gmail.com> wrote:
>>> 
>>> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <jwharde...@gmail.com>
>>> wrote:
>>>> Hi Guys,
>>>> 
>>>> I was wondering if someone has a good example I could use for proxying
>>>> https traffic.  We are trying to proxy multiple sites that use https and I
>>>> was hoping for a way to see how to proxy that traffic between multiple IIS
>>>> servers without having to set up many different backend sections.  The way
>>>> the sites are set up they use a couple of cookies but mostly session
>>>> variables to track the user as they do their thing.  Either I need to be
>>>> able to pin the user to a single server using the mode tcp function when
>>>> they come in or be able to use some form of mode http that doesn't break
>>>> the SSL function.
>>>> 
>>>> This morning around 5am, I got one site running with only 1 backend using
>>>> tcp but I really need to be able to load balance it between multiple
>>>> servers.
>>> 
>>> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
>>> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
>>> and forwards the traffic to haproxy. I have many instances of stunnel
>>> (one per cert/ip) which all feed a single haproxy http listener.
>>> 
>>> http://www.stunnel.org/
>>> 
>>> You could also use another server like nginx, apache etc. to strip the
>>> SSL. However, I find stunnel well suited as all it does is SSL and it
>>> is fast and efficient at it (similar to how haproxy does proxying
>>> very well).
>>> 
>> 
>> 
> 
> 
> 
> -- 
> Germán Gutiérrez
> 
> OLX Operation Center
> OLX Inc.
> Buenos Aires - Argentina
> Phone: 54.11.4775.6696
> Mobile: 54.911.5669.6175
> Skype: errare_est
> Email: germ...@olx.com
> 
> Delivering common sense since 1969 <Epoch Fail!>.
> 
> The Nature is not amiable; It treats impartially to all the things.
> The wise person is not amiable; He treats all people impartially.
> 
> It doesn't affect the site, so it doesn't need QA.
> 
> 
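A fuller haproxy configuration in the same style, added here as an example and not taken from any message in the thread: it pairs with the stunnel service Vivek posted (stunnel on 443 forwarding plain HTTP to 127.0.0.1:81) and adds what Joe asked for, balancing across several IIS servers while keeping each user pinned to one of them. The backend addresses 10.0.0.11 and 10.0.0.12, the cookie name SERVERID and the timeout values are assumptions; the reqidel/reqadd/option forwardfor lines are Vivek's.

```haproxy
# Added example, not a config from the thread. Assumed: two IIS hosts at
# 10.0.0.11 and 10.0.0.12, stunnel terminating SSL on :443 and connecting
# to 127.0.0.1:81 with xforwardedfor = yes.
global
        daemon
        maxconn 4096

defaults
        mode http
        timeout connect 5s
        timeout client  30s
        timeout server  30s

frontend http
        bind 0.0.0.0:80
        # Strip anything the client sent so these headers can only come
        # from this proxy, then set them ourselves.
        reqidel ^X-Forwarded-Proto:.*
        reqidel ^X-Forwarded-For:.*
        reqadd  X-Forwarded-Proto:\ HTTP
        option  forwardfor
        default_backend iis

frontend https
        # Loopback only: reachable just from stunnel on this host. stunnel's
        # patch already adds X-Forwarded-For, so no "option forwardfor" here.
        bind 127.0.0.1:81
        reqidel ^X-Forwarded-Proto:.*
        reqadd  X-Forwarded-Proto:\ HTTPS
        default_backend iis

backend iis
        balance roundrobin
        # Insert a SERVERID cookie on the way out and route on it on the way
        # back in. "indirect" keeps the cookie out of the request sent to IIS,
        # "nocache" marks the response so shared caches don't hand one user's
        # pin to another. IIS session state then stays on one server.
        cookie SERVERID insert indirect nocache
        server iis1 10.0.0.11:80 cookie iis1 check
        server iis2 10.0.0.12:80 cookie iis2 check
```

Cookie stickiness needs mode http, which works here only because stunnel has already removed the SSL; the same backend serves both frontends, so a user arriving on 80 and then 443 keeps the same server. Binding the https frontend to 127.0.0.1 is what stops clients from reaching port 81 directly and claiming to be HTTPS; keep that binding (and any firewall rule) in place. The thread does not say what the stunnel patch does with an X-Forwarded-For the client supplied itself, so send a request through 443 with that header pre-set and confirm the value IIS sees is the real client address before trusting it in logs or access rules.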
