HI,

Considering these are for a customer and they have already purchased their
certs, I don't want to go through the hassle of converting them and causing
them any issues.

Now we can stick with the examples on the haproxy site using mode tcp, but I
was wondering whether there is a way via ACLs or something to do something along
the lines of reading the requested domain name and sending that traffic to a
specific server or set of servers?

For example:

listen  cust1_443
        mode tcp
        bind 0.0.0.0:443
        option ssl-hello-chk
        balance roundrobin
        timeout client 70s
        timeout server 70s
        timeout connect 30s
        "some sort of check here for specific domain name"
        server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
        server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
        "some sort of check here for specific domain name"
        server IIS1-443 192.168.0.208:443 check inter 5000 fall 3 rise 1 maxconn 300
        server IIS2-443 192.168.0.209:443 check inter 5000 fall 3 rise 1 maxconn 300

Just thinking that if I could do that, then it would save wasting IPs from
applying a different one to the haproxy system and then again another couple
to the IIS servers.

Anyway, I would appreciate some insight and advice on whether this can be
accomplished in this sort of fashion.

Thanks

Joe


On Sun, Apr 10, 2011 at 5:14 PM, Brian Carpio <[email protected]> wrote:

> Of course you can export the cert and private keys from IIS and use them in
> stunnel. You will need to use OpenSSL to convert the certificate but it will
> work.
>
> Sent from my iPhone
>
> On Apr 10, 2011, at 11:59 AM, "Joseph Hardeman" <[email protected]>
> wrote:
>
> Hi Guys
>
> The problem is that this is for a customer who is running IIS and already
> has all their certs built for IIS; I don't know if the IIS cert would work
> with stunnel.
>
> I tried the following configuration which I had found and they said it was
> working for them, but I am getting "SSL too long" errors:
>
> #listen cust1_443
> #        maxconn 32000
> #        bind    0.0.0.0:443
> #        mode http
> #        cookie SERVERID insert indirect nocache
> ##        cookie SERVERID rewrite nocache
> #        timeout client 70s
> #        timeout server 70s
> #        timeout connect 30s
> #        balance source
> #        reqadd X-Forwarded-Proto:\ https
> #        reqadd SSL-TERMINATION:\ ON
> #        server IIS1-443 192.168.0.206:443 cookie iis1ssl check inter 5000 fall 3 rise 1 maxconn 30
> ##        server IIS2-443 192.168.0.207:443 cookie iis2ssl check inter 5000 fall 3 rise 1 maxconn 30
> #        option abortonclose
> #        option httpclose
> #        option forwardfor
> #        retries 3
> #        option redispatch
> #        log global
> #        option httplog
> #        option ssl-hello-chk
> #        option dontlognull
>
>
> With the second IIS server commented out, they are able to serve one of their
> largest customers with their SSL site, but I want to be able to load balance
> the requests and at least pin each visitor to the IIS server they are sent to.
>
> listen  cust1_443
>         mode tcp
>         bind 0.0.0.0:443
>         option ssl-hello-chk
>         balance roundrobin
>         server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
> #       server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
>         timeout client 70s
>         timeout server 70s
>         timeout connect 30s
>
> Any ideas or thoughts on this?
>
> Thanks
>
> Joe
>
>
> On Sun, Apr 10, 2011 at 10:26 AM, Brian Carpio <[email protected]> wrote:
>
>> You probably need to ask that question on the stunnel mailing list.
>>
>>
>> Sent from my iPhone
>>
>> On Apr 10, 2011, at 8:20 AM, "German Gutierrez" <[email protected]> wrote:
>>
>> > BTW, will this patch ever go upstream? Why doesn't stunnel have this
>> > already?
>> >
>> > On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik <[email protected]> wrote:
>> >> Joe,
>> >> You need to run as many stunnel instances as the number of SSL
>> >> certificates. If the sites share an SSL certificate, then one stunnel
>> >> instance will do.
>> >> I run stunnel 4.32 with the patch from
>> >> http://haproxy.1wt.eu/download/patches/
>> >> on port 443 and forward it to port 81 on the same machine, which is bound to
>> >> haproxy.
>> >> My stunnel config looks like
>> >> cert = /etc/stunnel.pem
>> >> sslVersion = all
>> >> chroot = /var/lib/stunnel/
>> >> setuid = stunnel
>> >> setgid = stunnel
>> >> pid = /stunnel.pid
>> >> socket = l:TCP_NODELAY=1
>> >> socket = r:TCP_NODELAY=1
>> >> [https]
>> >> accept  = 443
>> >> connect = 127.0.0.1:81
>> >> TIMEOUTclose = 0
>> >> xforwardedfor = yes
>> >> Note that the xforwardedfor option only works after the patch is installed.
>> >> My haproxy config looks like
>> >> frontend http
>> >>         bind 0.0.0.0:80
>> >>         reqidel ^X-Forwarded-Proto:.*
>> >>         reqadd X-Forwarded-Proto:\ HTTP
>> >>         option forwardfor
>> >> frontend https
>> >>         bind 127.0.0.1:81
>> >>         reqidel ^X-Forwarded-Proto:.*
>> >>         reqadd X-Forwarded-Proto:\ HTTPS
>> >> Note that I am passing an X-Forwarded-Proto to the underlying application so
>> >> that it can apply logic specific to https calls.
>> >> Vivek
>> >> On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <[email protected]> wrote:
>> >>>
>> >>> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <[email protected]>
>> >>> wrote:
>> >>>> Hi Guys,
>> >>>>
>> >>>> I was wondering if someone has a good example I could use for proxying
>> >>>> https traffic.  We are trying to proxy multiple sites that use https and I
>> >>>> was hoping for a way to see how to proxy that traffic between multiple IIS
>> >>>> servers without having to set up many different backend sections.  The way
>> >>>> the sites are set up they use a couple of cookies but mostly session
>> >>>> variables to track the user as they do their thing.  Either I need to be
>> >>>> able to pin the user to a single server using the mode tcp function when
>> >>>> they come in or be able to use some form of mode http that doesn't break
>> >>>> the SSL function.
>> >>>>
>> >>>> This morning around 5am, I got one site running with only 1 backend using
>> >>>> tcp but I really need to be able to load balance it between multiple
>> >>>> servers.
>> >>>
>> >>> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
>> >>> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
>> >>> and forwards the traffic to haproxy. I have many instances of stunnel
>> >>> (one per cert/ip) which all feed a single haproxy http listener.
>> >>>
>> >>> http://www.stunnel.org/
>> >>>
>> >>> You could also use another server like nginx, apache etc. to strip the
>> >>> SSL. However, I find stunnel well suited as all it does is SSL and it
>> >>> is fast and efficient at it (similar to how haproxy does proxying
>> >>> very well).
>> >>>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Germán Gutiérrez
>> >
>> > OLX Operation Center
>> > OLX Inc.
>> > Buenos Aires - Argentina
>> > Phone: 54.11.4775.6696
>> > Mobile: 54.911.5669.6175
>> > Skype: errare_est
>> > Email: [email protected]
>> >
>> > Delivering common sense since 1969 <Epoch Fail!>.
>> >
>> > The Nature is not amiable; It treats impartially to all the things.
>> > The wise person is not amiable; He treats all people impartially.
>> >
>> > It doesn't affect the site, it doesn't need QA.
>> >
>> >
>>
>
>
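The domain-name check Joe is asking about is possible without terminating TLS on the proxy, because the hostname travels in cleartext in the ClientHello's server_name (SNI) extension, before any encryption starts. HAProxy 1.5 and later expose exactly this lookup in mode tcp as the req_ssl_sni fetch (used after a tcp-request inspect-delay and a tcp-request content accept if { req_ssl_hello_type 1 } so the whole hello has arrived), with use_backend ... if { req_ssl_sni -i cust1.example.com } per customer and a default_backend for everything else. The Python below is an added example, not code from the thread or from HAProxy, showing what that fetch reads and how a routing decision falls out of it: it builds a constructed ClientHello (not a capture), pulls the SNI out with bounds checks, and maps it case-insensitively to a backend name. The hostnames, the ROUTES table and the backend names are hypothetical.

```python
import struct

# Constructed test input, not a packet capture: a minimal TLS 1.2 ClientHello
# record whose only extension is server_name (SNI).  An empty server_name
# yields a hello with no extensions, like an old client that never sends SNI.
def build_client_hello(server_name):
    exts = b""
    if server_name:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + b"\x11" * 32             # random (fixed filler bytes)
        + b"\x00"                  # session_id length: 0
        + b"\x00\x02\xc0\x2f"      # cipher_suites: one suite
        + b"\x01\x00"              # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake

def extract_sni(data):
    """Return the host_name from a TLS ClientHello record, or None when the
    bytes are not a complete ClientHello or carry no SNI extension."""
    if len(data) < 5 or data[0] != 0x16:           # not a handshake record (e.g. an SSLv2 hello)
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != 0x01:   # truncated, or not a ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                   # skip client_version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # skip session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # skip compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if len(hello) < end:
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 2:
            continue
        p = 2                                      # skip server_name_list length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", "replace")
    return None

def choose_backend(client_hello, routes, default):
    """Pick a backend name by SNI, case-insensitively like HAProxy's
    'req_ssl_sni -i'; clients that send no SNI land on the default."""
    sni = extract_sni(client_hello)
    if sni is None:
        return default
    return routes.get(sni.lower(), default)

# Hypothetical routing table for two customer sites behind one 443 listener.
ROUTES = {"cust1.example.com": "b_cust1", "cust2.example.com": "b_cust2"}

if __name__ == "__main__":
    for name in ("cust1.example.com", "Cust2.Example.COM", "other.example.net", ""):
        print(repr(name), "->", choose_backend(build_client_hello(name), ROUTES, "b_default"))
```

Two things to keep in mind when relying on this. The SNI is whatever the client chose to put in an unauthenticated hello, so it is a routing hint, not proof of which site is being visited; the certificate presented by the selected IIS server is what the browser verifies, and a hello that names a host no backend serves should fall to a default backend rather than to a guess. Clients that send no SNI at all (Internet Explorer on Windows XP is the classic case) look like the empty-name case above and also land on the default, so that backend needs a certificate the customer is happy to present to them. Because the TLS session passes through untouched, the IIS certificates stay where they are, but HAProxy cannot see cookies either, so any stickiness in this mode has to be keyed on the TCP connection (for example the client source address) rather than on an application cookie.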
