Hello again Baptiste,

Thank you for replying back to my questions; they are very helpful answers
and I really do appreciate your time.

Concerning your question back about persistence or stickiness:


> - Sessions need to stay alive after being offloaded to the backend web
> servers to port 80 on them.  (Session keepalive or stickiness?)

> do you mean persistence or connection keepalives ???


I meant for session persistence, and does the following allow persistence
to happen correctly?:

 option http-server-close


If it does, one final question would be how does one control the length of
persistence, is that something controlled with a specific timeout variable?

Thank you so much again, I really appreciate your help a lot.

Chris


-Chris


On Tue, Oct 22, 2013 at 2:13 AM, Baptiste <bed...@gmail.com> wrote:

> Hi Chris,
>
> My answers inline.
>
> On Mon, Oct 21, 2013 at 10:57 PM, Chris <bludge...@gmail.com> wrote:
> > - If any of these domains and subdomains are called with http://, they need
> > to be redirected to https://
>
> # redirect http to https when connection is not ciphered
> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }
>
>
> > - If a call comes in just to test.com, it needs to be redirected to https
> > www.test.com:443
>
> # redirect test.com:80 to https://www.test.com:443
> http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
>
>
> > - Sessions need to stay alive after being offloaded to the backend web
> > servers to port 80 on them.  (Session keepalive or stickiness?)
>
> do you mean persistence or connection keepalives ???
>
>
> > - images.test.com does not need to have SSL offloaded and I'm wondering if I
> > should incorporate this into haproxy at all, maybe for load balancing at
> > some point, this seems like a good idea)
>
> well, this is not what you asked in your first question, you wanted to
> offload SSL on all your domains.
> That said, I agree, ciphering images (usually) is useless.
>
> # redirect http to https when connection is not ciphered
> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }
>
> since images.test.com is not in the list, the traffic will be accepted
> on port 80.
>
> > defaults
> >     mode http
> >     maxconn 512
> >     option dontlognull
> >     option http-server-close
> >     retries 3
> >     contimeout 60000
> >     clitimeout 60000
> >     srvtimeout 60000
> >
> > frontend haproxy_http
> >     bind 0.0.0.0:80
> >     timeout client 86400000
> >     acl is_test hdr_end(host) -i www.test.com
> >     acl is_broker_test hdr_end(host) -i broker.test.com
> >     acl is_eclose_test  hdr_end(host) -i eclose.test.com
> >     acl is_images_test  hdr_end(host)  -i images.test.com
> >
> >
>     # redirect http to https when connection is not ciphered
>     http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }
>     # redirect test.com:80 to https://www.test.com:443
>     http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
>
>     use_backend is_images_test if { hdr(host) images.test.com }
>
> >
> >
> >
> > frontend haproxy_https
> >     bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
> >     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],{+Q[ssl_c_i_dn]}\ %{+Q}r
> >     acl is_test_https hdr_end(host) -i www.test.com
> >     acl is_broker_test_https hdr_end(host) -i broker.test.com
> >     acl is_eclose_test_https hdr_end(host) -i eclose.test.com
> >     use_backend         is_test_https_backend if  is_test_https
> >     use_backend         is_broker_https_backend    if is_broker_test_https
> >     use_backend         is_eclose_https_backend  if is_eclose_test_https
> >
> >
> >
> > # backends
> >
> > backend is_test_https_backend
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.70
> >     server server2 192.168.33.170
> >
> > backend is_broker_https_backend
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.71
> >     server server2 192.168.33.171
> >
> > backend is_eclose_https_backend
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.72
> >     server server2 192.168.33.172
> >
> > backend is_images_test
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.73
> >     server server2 192.168.33.13
> >
> >
> > I think I'm close, but just not sure if I'm sanely doing things.  I've tried
> > to put pieces of information together from several different posts around the
> > Internet, but I have found nothing that is concise enough to really make me
> > understand what I'm doing wrong.
> >
> > Thank you SO much,
> >
> > Chris
>
>
> configuration out of my head, with no testing, but should work.
>
> Baptiste
>
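
Added example, not part of the original thread or written by either poster: a configuration sketch separating the two things the thread's question mixes. `option http-server-close` only governs connection keep-alive, and `balance source` as used above ties a client to a server by hashing its address with no timer, so a persistence lifetime needs a cookie or a stick-table. The cookie name, server cookie values, table size and all durations are assumptions; the backend names and addresses are reused from the thread.

```haproxy
# Added illustration. Cookie name, cookie values, table size and all timings
# below are assumed values, not taken from the thread.
defaults
    mode http
    # Connection handling only: keep-alive toward the client,
    # server-side connection closed after each response.
    option http-server-close
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # Idle time allowed between two requests on one client connection.
    timeout http-keep-alive 10s

# Variant A: cookie persistence. The lifetime is carried by the cookie:
# maxidle = allowed idle time, maxlife = absolute cap since first insertion.
backend is_test_https_backend
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure maxidle 30m maxlife 8h
    server server1 192.168.33.70:80 check cookie s1
    server server2 192.168.33.170:80 check cookie s2

# Variant B: source-address persistence with a lifetime. The entry's
# "expire" is the persistence duration, refreshed each time it is used.
backend is_broker_https_backend
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    server server1 192.168.33.71:80 check
    server server2 192.168.33.171:80 check
```

The `secure` attribute fits here because these backends are only reached through the SSL-offloading frontend; a backend that also serves plain HTTP clients would not receive a cookie marked that way.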
