Hi Mark,

On 21/07/2013 22:38, Mark Ruys wrote:
We're building a HA-cluster which will run a lot of different sites of which
many offer https. Tools we plan to use are Keepalived, stunnel, HAProxy, Apache
and PHP. All VPSes run Ubuntu 12.04. Some of our PHP applications need to
check the client IP address. Simplified setup:

     client  -->  Keepalived/HAProxy  -->  Apache

The LBs do NAT and the Apache VPSes run in a private network.

Initially I thought it would be best to do the SSL offloading at the Apache
servers. I guess (not sure however) that in that case Apache/PHP would know
the client remote IP address. A drawback seems that we need additional VIPs
and backend listeners for each certificate. So we decided to configure stunnel
in front of HAProxy:

     client  -->  Keepalived/stunnel/HAProxy  -->  Apache

Now to have Apache know the client's remote IP address, I think we have two
options:
   1) X-Forwarded-For patched stunnel, or
   2) stunnel + HAProxy with the proxy protocol.
Drawback of 1 is that it's not supported by the stunnel developers because of
its problems supporting keepalive connections from the client.
Drawback of 2 is that it needs HAProxy 1.5, which is not stable yet.

Lukas already replied to talk about the SSL support in HAProxy 1.5, but if you're stuck with HAProxy 1.4 and still want to use option 2, you can consider this patch that I still maintain and use at work:
https://github.com/cbonte/haproxy-patches/blob/master/proxy-protocol/haproxy-1.4-proxy-protocol.patch
It's a backport of the Proxy Protocol (only the "accept-proxy" side) for HAProxy 1.4. We use it on a lot of platforms, even if we plan to upgrade to HAProxy 1.5 (and we're also about to use the Aloha appliance from Exceliance).

--
Cyril Bonté
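The thread discusses option 2, stunnel handing the client address to HAProxy with the PROXY protocol, and the "accept-proxy" side that the backport implements. The security point behind "accept-proxy" is that a PROXY header is just the first line of the TCP stream: whoever can open a connection to a listener that accepts it can claim any source address, so the header must only be honoured from the hosts that are supposed to send it (here, the stunnel instances). The following is an added example written for this page, not code from the thread, from stunnel or from HAProxy; it parses a PROXY protocol v1 header and applies that trust rule. The load balancer addresses and the sample connections are constructed values.

```python
import ipaddress

# Constructed: the only peers allowed to prepend a PROXY header (the stunnel hosts).
# Anything else that sends one is treated as an ordinary client sending data.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.11"), ipaddress.ip_address("10.0.0.12")}

# PROXY protocol v1: the header is a single line, at most 107 bytes including CRLF.
MAX_V1_HEADER = 107


class ProxyProtocolError(ValueError):
    """Raised when the first bytes of a connection are not a valid PROXY v1 line."""


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header at the start of `data`.

    Returns ((src, dst, sport, dport), rest) for TCP4/TCP6 headers,
    (None, rest) for a "PROXY UNKNOWN" header (addresses must be ignored),
    and raises ProxyProtocolError on anything malformed. `rest` is the
    application payload that follows the header.
    """
    # A real reader stops after 107 bytes; here the buffer is already in memory.
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ProxyProtocolError("no complete PROXY v1 line within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    parts = line.split(b" ")
    if parts[0] != b"PROXY" or len(parts) < 2:
        raise ProxyProtocolError("missing PROXY signature")
    if parts[1] == b"UNKNOWN":
        # Sender could not determine the client; the spec says to use the TCP peer.
        return None, rest
    if len(parts) != 6 or parts[1] not in (b"TCP4", b"TCP6"):
        raise ProxyProtocolError("unsupported protocol or wrong field count")
    want_version = 4 if parts[1] == b"TCP4" else 6
    try:
        src = ipaddress.ip_address(parts[2].decode("ascii"))
        dst = ipaddress.ip_address(parts[3].decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ProxyProtocolError("bad address field") from exc
    if src.version != want_version or dst.version != want_version:
        raise ProxyProtocolError("address family does not match TCP4/TCP6 tag")
    # Ports are plain decimal digits with no sign, no leading "+", no hex.
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ProxyProtocolError("bad port field")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return (src, dst, sport, dport), rest


def is_valid_header(data: bytes) -> bool:
    """Convenience predicate: True if `data` starts with a well-formed PROXY v1 line."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyProtocolError:
        return False


def client_address(peer_ip: str, first_bytes: bytes):
    """Return (client_ip_as_str, payload) for a new connection.

    This is what an accept-proxy listener does: the PROXY header is only
    trusted when the TCP peer is one of the load balancers. From any other
    peer, the bytes are application data and the peer itself is the client,
    so a forged header cannot spoof the address seen by Apache/PHP.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer), first_bytes
    parsed, rest = parse_proxy_v1(first_bytes)  # malformed header from a LB is an error
    if parsed is None:
        return str(peer), rest
    return str(parsed[0]), rest


if __name__ == "__main__":
    # Constructed sample: stunnel on 10.0.0.11 forwards a client from 203.0.113.7.
    print(client_address("10.0.0.11",
                         b"PROXY TCP4 203.0.113.7 10.0.0.11 51234 443\r\nGET / HTTP/1.1\r\n"))
    # Constructed sample: an untrusted peer tries the same header; it is ignored.
    print(client_address("198.51.100.9",
                         b"PROXY TCP4 203.0.113.7 10.0.0.11 51234 443\r\nGET / HTTP/1.1\r\n"))
```

The trust set plays the role of keeping the "accept-proxy" listener reachable only from the stunnel hosts: in Mark's setup, where the Apache side sits in a private network, that is a matter of binding the listener to the private address and firewalling it, since the header itself carries no authentication.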
