Hi,
> Basic question on send-proxy:
>
> If the HAProxy server configuration has both SSL and send-proxy, should
> the proxy protocol header be sent encrypted within the SSL packet?

Good question. In my opinion send_proxy should be cleartext, as a proxy may or may not terminate SSL.

Imagine if you have a two-tier proxy layering, where the first layer just load-balances TCP and the second layer of proxies terminates SSL. You wouldn't be able to use the proxy protocol between those 2 layers, and that defeats the purpose of the proxy protocol, imo.

> 1.5-dev22, I see it being sent outside of the encrypted envelope.

This is what I would expect.

> This causes a handshake failure, even when connecting to another HAProxy
> (that is, one with SSL and accept-proxy configured).

If my thinking is correct, we would need to parse and remove the proxy header before passing the data to openssl.

Willy, Emeric, what's your opinion on this?

Regards,

Lukas
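The receiver-side step discussed in this message, as an added example that is not part of the original post or HAProxy's code: a sketch of parsing and removing a cleartext PROXY protocol v1 line before the remaining bytes reach the TLS stack. It assumes the v1 text format from the PROXY protocol specification; the function names and the sample stream are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 line the PROXY protocol spec allows, CRLF included

def split_proxy_v1(data: bytes):
    """Parse a leading PROXY v1 line; return (info, bytes_for_tls)."""
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not start with a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]          # everything after CRLF belongs to TLS
    if fields[1] == "UNKNOWN":     # sender could not describe the connection
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    addr = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    src, dst = addr(fields[2]), addr(fields[3])   # raises ValueError if invalid
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or int(p) > 65535:
            raise ValueError("bad port in PROXY header")
        ports.append(int(p))
    return {"family": fields[1], "src": (str(src), ports[0]),
            "dst": (str(dst), ports[1])}, rest

def is_tls_handshake(data: bytes) -> bool:
    """True if data begins with a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03

# Constructed sample: cleartext header followed by the first bytes of a
# TLS record header (handshake, TLS 1.0 record version, length 0x0200).
HEADER = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\n"
TLS_PREFIX = bytes([0x16, 0x03, 0x01, 0x02, 0x00])
STREAM = HEADER + TLS_PREFIX

if __name__ == "__main__":
    print("raw stream looks like TLS:", is_tls_handshake(STREAM))
    info, rest = split_proxy_v1(STREAM)
    print("parsed:", info)
    print("remainder looks like TLS:", is_tls_handshake(rest))
```

The raw stream begins with `P` rather than a handshake record, which is why a TLS stack handed the unstripped bytes fails the handshake. Because the header is cleartext and unauthenticated, a listener should accept it only from upstream proxies it trusts.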

