I put my comments below... Wayne
-----Original Message-----
From: Baptiste [mailto:[email protected]]
Sent: Friday, August 31, 2012 12:13 AM
To: Manley,Jason
Cc: [email protected]; Aulner,Wayne; Scheidter,Ryan; Baranowski,Steve; Stuppy,Mark
Subject: Re: HAProxy stunnel Mutual Auth HTTPS

Hello,

Is your problem related to health check only or related to your mutual authentication not working with HAProxy?

[Wayne] It's both, really. When HAProxy goes to do its health check on the HTTPS web service it fails the security handshake (certificate exchange) because it doesn't have a client-side certificate, which would normally be presented by a real client to the web service.

Have you tried with a simple TCP health check?

[Wayne] Actually I don't think we have. We will have to try this today.

Otherwise you could use stunnel in client mode and run an HTTP check which would be encrypted by stunnel before hitting the web server.

[Wayne] Thought about this, but we were told it wouldn't scale well and we would ideally like to SSL terminate at the actual application.

Thanks for your suggestions!

cheers

On Thu, Aug 30, 2012 at 9:36 PM, Manley,Jason <[email protected]> wrote:
> Hello. I am the support engineer for a cloud-based platform running
> HAProxy to load balance to nodes running Gigaspaces. One of our
> Gigaspaces feeds will be using Mutual Authentication HTTPS, and the
> health check, even with option ssl-hello-chk enabled, gives errors about bad
> SSL handshake.
>
> What are some steps we can consider in running stunnel on the same
> node as HAProxy to perform SSL termination there, and have HAProxy
> forward normal HTTP back to the backend servers? And is this a good idea?
>
> Jason Manley | System Engineer | Cerner Corporation |
> [email protected] | WWW.CERNER.COM | 816-201-8686
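Neither of the two options Baptiste raises is shown as configuration anywhere in the thread, so here is an added example (editor's illustration, not the thread's or Cerner's own config) of both: a plain TCP connect check against the mutual-auth backend, and stunnel in client mode used only for the health check while production TLS still passes through to the application untouched. The second part goes a little beyond what Baptiste describes: instead of terminating all client traffic in stunnel, only HAProxy's check connections go through it, so the "won't scale" objection does not apply and TLS still terminates at Gigaspaces. The 1.4-era HAProxy syntax (no native SSL), the node addresses 10.0.0.11/12, the local ports 8443/8444, the /health URI and the certificate paths are all assumptions.

```haproxy
# /etc/haproxy/haproxy.cfg (assumed node addresses, ports and paths)
global
    log 127.0.0.1 local0
    maxconn 4096
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option 1: pass TLS through untouched and use a plain TCP connect check.
# "option ssl-hello-chk" only sends a ClientHello and never presents a client
# certificate, so a backend that requires mutual auth reports a bad handshake.
# A bare "check" completes the TCP handshake and stops there, before TLS,
# so the missing client certificate is irrelevant. Caveat: it proves the
# port is open, not that the TLS stack or the application behind it is healthy.
frontend gigaspaces_tls_in
    bind *:443
    default_backend gigaspaces_tcp_check

backend gigaspaces_tcp_check
    balance roundrobin
    server node1 10.0.0.11:443 check inter 5s rise 2 fall 3
    server node2 10.0.0.12:443 check inter 5s rise 2 fall 3

# Option 2: same passthrough for client traffic (the real client still presents
# its own certificate and TLS still terminates at the application), but the
# health check is sent to a local stunnel running in client mode, which wraps
# it in TLS and presents HAProxy's own client certificate. "addr"/"port" send
# only the check to 127.0.0.1:8443/8444; live traffic still goes to the node.
# One stunnel service per backend node (see stunnel.conf below).
backend gigaspaces_stunnel_check
    balance roundrobin
    # /health is an assumed application endpoint; any 2xx/3xx counts as up
    option httpchk GET /health HTTP/1.0
    server node1 10.0.0.11:443 check addr 127.0.0.1 port 8443 inter 5s rise 2 fall 3
    server node2 10.0.0.12:443 check addr 127.0.0.1 port 8444 inter 5s rise 2 fall 3

# /etc/stunnel/stunnel.conf (assumed certificate paths)
# client = yes makes stunnel initiate TLS towards "connect" and present "cert"
# as the client certificate. verify = 2 makes it require and verify the
# backend's certificate against CAfile, so a check cannot be satisfied by
# something other than the real node answering on that port.
[node1-check]
client  = yes
accept  = 127.0.0.1:8443
connect = 10.0.0.11:443
cert    = /etc/stunnel/haproxy-client.pem
key     = /etc/stunnel/haproxy-client.key
CAfile  = /etc/stunnel/backend-ca.pem
verify  = 2

[node2-check]
client  = yes
accept  = 127.0.0.1:8444
connect = 10.0.0.12:443
cert    = /etc/stunnel/haproxy-client.pem
key     = /etc/stunnel/haproxy-client.key
CAfile  = /etc/stunnel/backend-ca.pem
verify  = 2
```

Two things to watch with the second option. The check path now has a single local dependency: if the stunnel process dies, every node is marked down at once even though the application is fine, so stunnel needs to be supervised and its failure should be alarmed separately from backend failures. And the client key on the load balancer is a credential the backend trusts; keep it readable only by the stunnel user and issue it from a dedicated CA or with a distinguishing subject so the backend can tell a health check apart from a real client in its access logs.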

