Hi Guys
The problem is that this is for a customer who is running IIS and already has all their certs built for IIS; I don't know if the IIS cert would work with stunnel.
I tried the following configuration, which I had found and they said it was working for them, but I am getting SSL too long errors:
#listen cust1_443
# maxconn 32000
# bind 0.0.0.0:443
# mode http
# cookie SERVERID insert indirect nocache
## cookie SERVERID rewrite nocache
# timeout client 70s
# timeout server 70s
# timeout connect 30s
# balance source
# reqadd X-Forwarded-Proto:\ https
# reqadd SSL-TERMINATION:\ ON
# server IIS1-443 192.168.0.206:443 cookie iis1ssl check inter 5000 fall 3 rise 1 maxconn 30
## server IIS2-443 192.168.0.207:443 cookie iis2ssl check inter 5000 fall 3 rise 1 maxconn 30
# option abortonclose
# option httpclose
# option forwardfor
# retries 3
# option redispatch
# log global
# option httplog
# option ssl-hello-chk
# option dontlognull
With the second IIS server commented out, they are able to serve one of their largest customers with their SSL site, but I want to be able to load balance the requests and at least pin each visitor to the IIS server they are sent to.
listen cust1_443
mode tcp
bind 0.0.0.0:443
option ssl-hello-chk
balance roundrobin
server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
# server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
timeout client 70s
timeout server 70s
timeout connect 30s
Any ideas or thoughts on this?
Thanks
Joe
On Sun, Apr 10, 2011 at 10:26 AM, Brian Carpio <[email protected]> wrote:
> You probably need to ask that question on the stunnel mailing list.
>
>
> Sent from my iPhone
>
> On Apr 10, 2011, at 8:20 AM, "German Gutierrez" <[email protected]> wrote:
>
> > BTW, will this patch ever go upstream? Why does stunnel not have this already?
> >
> > On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik <[email protected]> wrote:
> >> Joe,
> >> You need to run as many stunnel instances as the number of SSL certificates. If the sites share an SSL certificate, then one stunnel instance will do.
> >> I run stunnel 4.32 with patch from http://haproxy.1wt.eu/download/patches/ on port 443 and forward it to port 81 on the same machine which is bound to haproxy.
> >> My stunnel config looks like
> >> cert = /etc/stunnel.pem
> >> sslVersion = all
> >> chroot = /var/lib/stunnel/
> >> setuid = stunnel
> >> setgid = stunnel
> >> pid = /stunnel.pid
> >> socket = l:TCP_NODELAY=1
> >> socket = r:TCP_NODELAY=1
> >> [https]
> >> accept = 443
> >> connect = 127.0.0.1:81
> >> TIMEOUTclose = 0
> >> xforwardedfor = yes
> >> Note that xforwardedfor option only works after the patch is installed. My haproxy config looks like
> >> frontend http
> >> bind 0.0.0.0:80
> >> reqidel ^X-Forwarded-Proto:.*
> >> reqadd X-Forwarded-Proto:\ HTTP
> >> option forwardfor
> >> frontend https
> >> bind 127.0.0.1:81
> >> reqidel ^X-Forwarded-Proto:.*
> >> reqadd X-Forwarded-Proto:\ HTTPS
> >> Note that I am passing a X-Forwarded-Proto to the underlying application so that it can apply logic specific to https calls.
> >> Vivek
> >> On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <[email protected]> wrote:
> >>>
> >>> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <[email protected]> wrote:
> >>>> Hi Guys,
> >>>>
> >>>> I was wondering if someone has a good example I could use for proxying https traffic. We are trying to proxy multiple sites that use https and I was hoping for a way to see how to proxy that traffic between multiple IIS servers without having to set up many different backend sections. The way the sites are set up they use a couple of cookies but mostly session variables to track the user as they do their thing. Either I need to be able to pin the user to a single server using the mode tcp function when they come in or be able to use some form of mode http that doesn't break the SSL function.
> >>>>
> >>>> This morning around 5am, I got one site running with only 1 backend using tcp but I really need to be able to load balance it between multiple servers.
> >>>
> >>> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
> >>> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
> >>> and forwards the traffic to haproxy. I have many instances of stunnel
> >>> (one per cert/ip) which all feed a single haproxy http listener.
> >>>
> >>> http://www.stunnel.org/
> >>>
> >>> You could also use another server like nginx, apache etc. to strip the
> >>> SSL. However, I find stunnel well suited as all it does is SSL and it
> >>> is fast and efficient at it (similar to how haproxy does proxying
> >>> very well).
> >>>
> >>
> >>
> >
> >
> >
> > --
> > Germán Gutiérrez
> >
> > OLX Operation Center
> > OLX Inc.
> > Buenos Aires - Argentina
> > Phone: 54.11.4775.6696
> > Mobile: 54.911.5669.6175
> > Skype: errare_est
> > Email: [email protected]
> >
> > Delivering common sense since 1969 <Epoch Fail!>.
> >
> > The Nature is not amiable; It treats impartially to all the things.
> > The wise person is not amiable; He treats all people impartially.
> >
> > No afecta el sitio, no necesita QA.
> >
> >
>
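As an added example (this is not configuration posted by anyone in this thread), here is how the two approaches discussed above look side by side in haproxy 1.4 syntax. The first listener passes the TLS stream through untouched, which is why Joe's http-mode block with cookie insertion and reqadd errored on port 443: haproxy never sees HTTP inside a connection it does not decrypt, so persistence has to come from the client's source address instead of a cookie. The second part is the stunnel-terminated layout Vivek describes, where haproxy receives plain HTTP on a loopback port and can insert a cookie and mark the original scheme. The 192.168.0.206/207 addresses come from Joe's post; the section names, the port 81 hand-off, the assumed port 80 HTTP bindings on IIS, and the log settings are assumptions.

```haproxy
# Added example, not from any message in this thread.
# Backend addresses are from Joe's post; everything else is assumed.

global
    log 127.0.0.1 local0
    maxconn 32000

defaults
    log     global
    retries 3
    option  redispatch
    timeout connect 30s
    timeout client  70s
    timeout server  70s

# Option 1: TCP passthrough. The certificate stays on IIS; haproxy only
# balances encrypted connections. "mode http", "cookie ... insert" and
# "reqadd" are not usable here because the payload is still TLS.
listen cust1_443
    mode tcp
    bind 0.0.0.0:443
    option tcplog
    option ssl-hello-chk          # health check sends an SSL hello, not an HTTP GET
    balance source                # same client address -> same IIS server
    server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
    server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300

# Option 2: stunnel (per certificate) terminates TLS on :443 and connects to
# 127.0.0.1:81 (assumed port). haproxy now parses HTTP, so cookie persistence
# and X-Forwarded-Proto work. IIS is assumed to have a plain HTTP binding on :80.
frontend https_terminated
    mode http
    bind 127.0.0.1:81
    option httplog
    option forwardfor
    reqidel ^X-Forwarded-Proto:.*
    reqadd  X-Forwarded-Proto:\ https
    default_backend iis_http

backend iis_http
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option httpchk GET /
    server IIS1 192.168.0.206:80 cookie iis1 check inter 5000 fall 3 rise 1 maxconn 300
    server IIS2 192.168.0.207:80 cookie iis2 check inter 5000 fall 3 rise 1 maxconn 300
```

Two things to keep in mind with Option 1: every client behind the same NAT hashes to the same IIS server, and adding or losing a server reshuffles the hash unless `hash-type consistent` is set; also, because haproxy cannot add X-Forwarded-For in tcp mode, IIS logs will show the haproxy address rather than the client's, which matters for audit trails. Option 2 restores client addresses and scheme to the backend, at the cost of running one stunnel instance per certificate and moving the private keys off IIS onto the stunnel host.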