Hi Cyril, Lucas,

On 21 Jul 2013, at 23:25, Cyril Bonté <[email protected]> wrote:

> Hi Mark,
>
> On 21/07/2013 22:38, Mark Ruys wrote:
>> We're building an HA cluster which will run a lot of different sites, of which
>> many offer https. Tools we plan to use are Keepalived, stunnel, HAProxy, Apache
>> and PHP. All VPSses run Ubuntu 12.04. Some of our PHP applications need to
>> check the client IP address. Simplified setup:
>>
>> client --> Keepalived/HAProxy --> Apache
>>
>> The LBs do NAT and the Apache VPSses run in a private network.
>>
>> Initially I thought it would be best to do the SSL offloading at the Apache
>> servers. I guess (not sure however) that in that case Apache/PHP would know
>> the client remote IP address. A drawback seems that we need additional VIPs
>> and backend listeners for each certificate. So we decided to configure stunnel
>> in front of HAProxy:
>>
>> client --> Keepalived/stunnel/HAProxy --> Apache
>>
>> Now to have Apache know the client's remote IP address, I think we have two
>> options:
>> 1) X-Forwarded-For patched stunnel, or
>> 2) stunnel + HAProxy with the proxy protocol.
>> Drawback of 1 is that it's not supported by the stunnel developers because of
>> its problems to support keepalive connections from the client.
>> Drawback of 2 is that it needs HAProxy 1.5 which is not stable yet.
>
> Lukas already replied to talk about the ssl support in HAProxy 1.5,

Yes, I should have listed this as alternative 3. Although we're willing to adopt
HAProxy 1.5 in production for its implementation of the proxy protocol, I'm a
bit more conservative as for the new embedded SSL offloader in HAProxy. Also I
would expect that stunnel/HAProxy scales better than HAProxy+SSL.

> but if you're stuck on HAProxy 1.4 and still want to use option 2, you can
> consider this patch that I still maintain and use at work:
> https://github.com/cbonte/haproxy-patches/blob/master/proxy-protocol/haproxy-1.4-proxy-protocol.patch
> It's a backport of the Proxy Protocol (only the "accept-proxy side") for
> HAProxy 1.4. We use it on a lot of platforms even if we plan to upgrade to
> HAProxy 1.5 (and we're also about to use the aloha appliance from Exceliance).

This is a great idea and seems the way to go. I'll give it a try.

Thanks,
Mark

> --
> Cyril Bonté

---
Oudenhof 4c, 4191NW Geldermalsen, The Netherlands
Web site and travel directions: www.peercode.nl
Phone +31.88.0084124 :: Mobile +31.6.51298623
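For option 2 in the thread (stunnel in front of HAProxy, passing the client address with the proxy protocol), here is an added example that is not code from the thread, from stunnel or from HAProxy. It builds and strictly parses the human-readable version 1 header that the TLS terminator prepends to the plaintext connection, and shows the check the receiving side must make: only honour the header when the TCP peer is a trusted terminator, otherwise any client that can reach the listener could spoof its own source address. Because the header is bound to the TCP connection rather than to an HTTP request, every request on a keep-alive connection carries the same source, which is the problem the X-Forwarded-For patch approach has. The function and class names (build_proxy_v1, parse_proxy_v1, client_address, ProxyInfo, TRUSTED_TERMINATORS), the 10.0.0.0/24 terminator subnet, the addresses and the sample request are all constructed assumptions for this example.

```python
"""PROXY protocol v1 header: build (terminator side), parse (receiver side),
and the trust check a receiver needs. Added example; not stunnel/HAProxy code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_V1_HEADER = 107  # longest legal v1 line (TCP6, full addresses), CRLF included

# Assumed: the private subnet where the stunnel/HAProxy load balancers live.
TRUSTED_TERMINATORS = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class ProxyInfo:
    family: str                  # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def build_proxy_v1(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Header the TLS terminator writes before the first plaintext byte."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    if not all(0 <= p <= 65535 for p in (src_port, dst_port)):
        raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def _port(text: str) -> int:
    # Decimal, no leading zeros, 0..65535 (matches the v1 grammar).
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port field {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Strict receiver-side parse. Returns (ProxyInfo, bytes after the header)."""
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)   # CRLF must sit inside 107 bytes
    if end == -1:
        raise ValueError("no CRLF within the maximum header length")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":   # sender could not determine the addresses
        return ProxyInfo("UNKNOWN"), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the header")
    return ProxyInfo(fields[1], str(src), str(dst), _port(fields[4]), _port(fields[5])), rest


def client_address(peer_ip: str, data: bytes) -> Tuple[str, Optional[int], bytes]:
    """Only trust the header from a terminator; an UNKNOWN header falls back to
    the TCP peer address. Returns (client_ip, client_port, application bytes)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_TERMINATORS):
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}, refusing")
    info, rest = parse_proxy_v1(data)
    if info.family == "UNKNOWN":
        return peer_ip, None, rest
    return info.src_ip, info.src_port, rest


# Constructed sample: stunnel at 10.0.0.2 terminated TLS from 203.0.113.7:51234
# to the site VIP 198.51.100.10:443 and now opens the plaintext connection.
SAMPLE_HEADER = build_proxy_v1("203.0.113.7", 51234, "198.51.100.10", 443)
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


if __name__ == "__main__":
    ip, port, app = client_address("10.0.0.2", SAMPLE_HEADER + SAMPLE_REQUEST)
    print(f"real client {ip}:{port}, first app bytes {app[:14]!r}")
    try:
        client_address("203.0.113.9", SAMPLE_HEADER + SAMPLE_REQUEST)
    except ValueError as exc:
        print("spoof attempt rejected:", exc)
```

In HAProxy terms the trust check corresponds to putting `accept-proxy` only on the internal bind that the terminators reach, and firewalling that listener from everything else; the parser's length and family checks are what keeps a malformed or truncated header from being silently accepted as a client address.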

