Hi Geoff,

On Thu, Feb 20, 2014 at 03:54:52PM -0800, Geoff Bucar wrote:
> Hi all,
> 
> I'm pretty sure this isn't possible, but can HAProxy detect whether the
> communication coming in is SSL or not, and speak the appropriate way?  For
> instance, what I'm trying to accomplish is basically:
> 
> listen doublerainbow
>    bind 192.168.1.100:80
>    bind 192.168.1.100:80 ssl crt /etc/haproxy/certs/wildcard.pem
>    mode http
>    option http-server-close
>    server system1:80
> 
> The backend system would be unencrypted http.  Clients would connect on
> port 80 'possibly' using ssl.  Is this possible?

Not this way, because the SSL API uses its own read() call to retrieve
bytes from the socket (technically it would be possible to use recv(MSG_PEEK)
to check the contents but we don't do that now). However, it's possible to
divert the stream by chaining two entries:

  listen front
      bind :80
      mode tcp
      tcp-request inspect-delay 10s
      tcp-request content accept if { req.proto_http } || { req.ssl_ver gt 0 }
      use_server clear if { req.proto_http }
      use_server ssl if { req.ssl_ver gt 0 }
      use_server other
      server clear 127.0.0.1:8080
      server ssl   127.0.0.1:8443
      server other 127.0.0.1:8888

  listen clear
       bind 127.0.0.1:8080
       mode http
       ...

  listen ssl
       bind 127.0.0.1:8443 ssl
       ...

etc...

Last point is that you may pass the client's IP address along this chain
by using "send-proxy" on the server lines of the first stage, and
"accept-proxy" on the "bind" lines in the second stage.

Hoping this helps,
Willy
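As an added illustration (not part of the thread and not HAProxy's own code): a Python sketch of the two checks the ACLs above rely on, `req.ssl_ver` (ClientHello version from the record/handshake bytes) and `req.proto_http` (an HTTP/1.x request line), applied with the same `use_server` precedence, plus the `recv(MSG_PEEK)` approach mentioned in the reply. The function names and the sample first packets are constructed for this example.

```python
import re
import socket

# Constructed sample first-packets, not taken from the thread.
TLS_CLIENT_HELLO = bytes.fromhex("160301003a010000360303") + b"\x00" * 0x34
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SSLV2_HELLO = bytes.fromhex("802e01000200120000001000")
GARBAGE = b"\x00\x01\x02\x03"


def ssl_ver(data: bytes) -> int:
    """Simplified req.ssl_ver: hello version as major*256+minor, or 0 if the
    buffer does not start with an SSL/TLS ClientHello."""
    # TLS record: type 0x16 (handshake), major 3, 2-byte length, then msg type 1.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 3 and data[5] == 1:
        return (data[9] << 8) | data[10]        # client_version inside the hello
    # SSLv2-style CLIENT-HELLO: 2-byte length with high bit set, msg type 1, version.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 1:
        return (data[3] << 8) | data[4]
    return 0


def proto_http(data: bytes) -> bool:
    """Simplified req.proto_http: an HTTP/1.x request line starts the buffer."""
    return re.match(rb"[A-Z]{3,7} \S+ HTTP/1\.[01]\r?\n", data) is not None


def classify(data: bytes) -> str:
    """Same precedence as the use_server rules in the reply: clear, ssl, other."""
    if proto_http(data):
        return "clear"
    if ssl_ver(data) > 0:
        return "ssl"
    return "other"


def demo_peek(payload: bytes, n: int = 64) -> tuple:
    """Push a first packet through a socketpair, classify it with recv(MSG_PEEK),
    then show the bytes are still queued for the real reader (nothing consumed)."""
    a, b = socket.socketpair()
    a.sendall(payload)
    a.close()
    verdict = classify(b.recv(n, socket.MSG_PEEK))
    remaining = b.recv(4096)
    b.close()
    return verdict, len(remaining)


if __name__ == "__main__":
    for pkt in (HTTP_GET, TLS_CLIENT_HELLO, SSLV2_HELLO, GARBAGE):
        print(classify(pkt), demo_peek(pkt))
```

The real HAProxy fetches wait for enough bytes (hence the `inspect-delay`) and parse more strictly; this sketch only shows why the two protocols can be told apart from their first bytes.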