Hi Jacob,

1) HTTPS all the way through
==> 'mode tcp' is your friend

2) Web servers need to see the IP of the user
==> 'source 0.0.0.0 usesrc clientip' is what you're looking for
Or proxy protocol, if your web server is compatible:
http://blog.exceliance.fr/haproxy/proxy-protocol/

3) Users need sticky sessions to a web server (where the sticky assignment counter gets refreshed on each user request)
==> ah!!!! must turn on 'mode http' + SSL decipher + SSL cipher to the server + stick table and store http_req_cnt
Why do you need this information??

4) HTTPS Keep-Alive support
==> can you clarify, it could mean different types of things.

5) Mobile and older browser support (I say this because I keep reading this about SNI, but I don't know if that applies to us)
==> no SNI means one IP per certificate, or use SAN/wildcard certificates

Baptiste

On Wed, Nov 6, 2013 at 10:12 PM, Jacob Gibson <[email protected]> wrote:
> I was happily using HAProxy, until I received word that we need to also
> encrypt traffic to the web servers. So, internet --https--> load balancer
> --https--> web servers. Can I still do this with HAProxy? We don't need
> any Layer 7 rules. If so, what would the config look like?
>
> We do need the following:
>
> 1) HTTPS all the way through
> 2) Web servers need to see the IP of the user
> 3) Users need sticky sessions to a web server (where the sticky assignment
> counter gets refreshed on each user request)
> 4) HTTPS Keep-Alive support
> 5) Mobile and older browser support (I say this because I keep reading this
> about SNI, but I don't know if that applies to us)
>
> Would #4 cause problems because HAProxy is a proxy and not a forwarder?
>
> Thanks
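
The two setups the reply describes, sketched as an HAProxy configuration. This is an added example, not part of the original thread: the addresses, section names and file paths are constructed placeholders, and it assumes an HAProxy build with SSL support (1.5 or later).

```haproxy
# Added example, not from the thread. Addresses, section names and file
# paths are constructed placeholders.
defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Variant A: 'mode tcp'. TLS passes through untouched, so HAProxy never
# sees the HTTP requests and persistence can only key on the source IP.
listen tls_passthrough
    mode tcp
    bind 203.0.113.10:443
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    # send-proxy hands the client IP to the server via the PROXY protocol;
    # the web server must be configured to accept it. The other option in
    # the reply is 'source 0.0.0.0 usesrc clientip' (transparent proxying).
    server web1 192.0.2.11:443 check send-proxy
    server web2 192.0.2.12:443 check send-proxy

# Variant B: 'mode http'. HAProxy decrypts, then re-encrypts to the
# servers, which makes per-request data such as http_req_cnt available.
listen tls_reencrypt
    mode http
    bind 203.0.113.20:443 ssl crt /etc/haproxy/certs/site.pem
    balance roundrobin
    # Client IP reaches the servers in the X-Forwarded-For header.
    option forwardfor
    stick-table type ip size 200k expire 30m store http_req_cnt
    tcp-request content track-sc0 src
    stick on src
    # 'verify required' authenticates the backend certificate; without it
    # the hop is encrypted but the server's identity is not checked.
    server web1 192.0.2.11:443 check ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem
    server web2 192.0.2.12:443 check ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem
```

In variant B the private key for the public certificate lives on the load balancer, so that host needs the same key-handling controls as the web servers.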

