On 16/07/2014 4:28 PM, Baptiste wrote:
> On Wed, Jul 16, 2014 at 4:52 AM, Steven Haigh <[email protected]> wrote:
>> Hi guys,
>>
>> I've been hunting through the haproxy documentation, but haven't managed
>> to confirm one way or another as to if what I want is possible.
>>
>> The situation I'm using is closely related to SMTP (however it isn't ;)).
>>
>> I would like to use haproxy in TCP mode - however I would like to
>> terminate the SSL side of things at haproxy and have a plain TCP session
>> sent to the server. By way of example, the basic config I have as a
>> proof of concept is:
>>
>> global
>>         log 127.0.0.1 local2
>>         user haproxy
>>         group haproxy
>>         daemon
>>
>> defaults
>>         log             global
>>         mode            tcp
>>         option          tcp-smart-accept
>>         option          tcp-smart-connect
>>         contimeout      5000
>>         clitimeout      50000
>>         srvtimeout      50000
>>
>> listen smtps :465
>>         option  tcplog
>>         server  mail mail.server.com:25 check
>>
>> The idea is that haproxy takes the SSL connect, then forwards plain TCP
>> to the mail server on port 25 - thereby providing an SMTP over SSL
>> connection.
>>
>> Is this possible with haproxy?
> 
> Hi Steven,
> 
> this is technically doable.
> May work better like this:
> 
> listen smtps
>         bind :465 ssl
>         option  tcplog
>         server  mail mail.server.com:25 check

I tried this, but get:
[ALERT] 196/162927 (8567) : parsing [/etc/haproxy/haproxy.cfg:17] :
'bind' only supports the 'transparent', 'defer-accept', 'name', 'id',
'mss' and 'interface' options.
[ALERT] 196/162927 (8567) : Error(s) found in configuration file :
/etc/haproxy/haproxy.cfg
[ALERT] 196/162927 (8567) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.

I should have mentioned that I'm using 1.4.24 right now on RHEL6.

Does this need a certain version? I'm happy to rebuild to a newer
version if required.

I'm also wondering how I'd then pass the SSL cert to haproxy (I assume
via a .pem)?

-- 
Steven Haigh

Email: [email protected]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
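
The setup discussed in this thread, as an added example that is not part of the original messages: the `ssl` and `crt` keywords on `bind` exist only in HAProxy 1.5 and later built with OpenSSL support, which is why 1.4.24 rejects the line. The certificate path is a placeholder; the rest reuses the names from the posted config.

```haproxy
# Added example (not from the thread). Assumes HAProxy 1.5+ compiled with
# OpenSSL support; 1.4.x has no native TLS and fails on "bind ... ssl".
global
        log 127.0.0.1 local2
        user haproxy
        group haproxy
        daemon
        # Use 2048-bit DH parameters for DHE key exchange instead of the
        # 1024-bit default.
        tune.ssl.default-dh-param 2048

defaults
        log             global
        mode            tcp
        option          tcplog
        # 1.5 spelling of contimeout / clitimeout / srvtimeout
        timeout connect 5s
        timeout client  50s
        timeout server  50s

listen smtps
        # TLS is terminated here. The file named by "crt" is a single PEM
        # holding the certificate, any intermediate chain and the private key.
        # Placeholder path: keep it readable by root only, since HAProxy reads
        # it before dropping privileges to the haproxy user.
        bind :465 ssl crt /etc/haproxy/certs/mail.example.pem no-sslv3
        # Traffic from HAProxy to the mail server is plain TCP, so this hop
        # should stay on a trusted network segment. The server sees HAProxy's
        # address as the client address.
        server  mail mail.server.com:25 check
```

`haproxy -vv` shows whether the binary was built with OpenSSL support, and `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a restart.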
