Hi Bob,

On Tue, Mar 25, 2014 at 01:58:12PM -0400, Bob S wrote:
> Basic question on send-proxy:
> 
> If the HAProxy server configuration has both SSL and send-proxy, should the
> proxy protocol header be sent encrypted within the SSL packet?  On
> 1.5-dev22, I see it being sent outside of the encrypted envelope.

Yes, as documented in the protocol spec. PROXY protocol is application-layer
agnostic and must be sent as the very first thing. Think of it as a TCP
extension.

However, it's planned in the spec to support an alternative mode where we
would wait for the PROXY protocol line after the incoming SSL session is
accepted. I know it's not necessarily obvious, but it's the following line
in the roadmap file:

     tcp-request session expect-proxy {L4|L5} if ...

L4 means we have it on top of TCP, L5 means we have it on top of SSL. And
equivalently we'd have "send-proxy-l5" on the server side *if needed*,
which is still unsure to me.

> This
> causes a handshake failure, even when connecting to another HAProxy (that
> is, one with SSL and accept-proxy configured).

I'm having a hard time believing this. I've been using this combination a
lot during tests to ensure there was no issue, simply because it involves
multiple processing during connection accept or setup. That does not mean
there was no regression since, but I'd like to see the exact setup that is
exhibiting a handshake failure.

Regards,
Willy
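As an added illustration of the layering described above (example code, not from HAProxy or from anyone in this thread), the following Python builds what a `send-proxy` + `ssl` server line puts on the wire and shows that the accepting side must consume the PROXY line before the bytes can be handed to the TLS layer; the addresses and the TLS record bytes are constructed samples.

```python
# Constructed sample: the start of a TLS record of content type 0x16 (handshake),
# protocol version 0x0303, with a few placeholder handshake bytes. Not a real ClientHello.
TLS_CLIENT_HELLO = bytes.fromhex("160303") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"

PROXY_V1_MAX = 107  # longest legal v1 line (TCP6, full addresses), CRLF included


def proxy_v1_header(src, dst, sport, dport, family="TCP4"):
    """Build the PROXY protocol v1 line that send-proxy emits before anything else."""
    return f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def split_proxy_v1(stream):
    """Strip a PROXY v1 line from the start of a byte stream, as accept-proxy does.

    Returns (fields or None, remaining bytes). Raises ValueError on a malformed line.
    """
    if not stream.startswith(b"PROXY "):
        return None, stream  # no header: bytes go straight to the next layer
    end = stream.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        raise ValueError("PROXY line not CRLF-terminated within 107 bytes")
    parts = stream[:end].decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, stream[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    fields = {"family": parts[1], "src": parts[2], "dst": parts[3],
              "sport": sport, "dport": dport}
    return fields, stream[end + 2:]


def is_tls_handshake_start(stream):
    """A TLS connection must begin with a record of content type 0x16 (handshake)."""
    return len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03


def on_the_wire(src="192.0.2.10", dst="198.51.100.5", sport=51234, dport=443):
    """What a send-proxy + ssl server line sends: PROXY line first, TLS second."""
    return proxy_v1_header(src, dst, sport, dport) + TLS_CLIENT_HELLO
```

A peer without `accept-proxy` hands the whole stream to TLS and sees `P` (0x50) where a handshake record type belongs, which is exactly why the pairing must match on both sides.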

