On Wed, Jul 16, 2014 at 8:32 AM, Steven Haigh <[email protected]> wrote:
> On 16/07/2014 4:28 PM, Baptiste wrote:
>> On Wed, Jul 16, 2014 at 4:52 AM, Steven Haigh <[email protected]> wrote:
>>> Hi guys,
>>>
>>> I've been hunting through the haproxy documentation, but haven't managed
>>> to confirm one way or another as to if what I want is possible.
>>>
>>> The situation I'm using is closely related to SMTP (however it isn't ;)).
>>>
>>> I would like to use haproxy in TCP mode - however I would like to
>>> terminate the SSL side of things at haproxy and have a plain TCP session
>>> sent to the server. By way of example, the basic config I have as a
>>> proof of concept is:
>>>
>>> global
>>>         log 127.0.0.1 local2
>>>         user haproxy
>>>         group haproxy
>>>         daemon
>>>
>>> defaults
>>>         log             global
>>>         mode            tcp
>>>         option          tcp-smart-accept
>>>         option          tcp-smart-connect
>>>         contimeout      5000
>>>         clitimeout      50000
>>>         srvtimeout      50000
>>>
>>> listen smtps :465
>>>         option  tcplog
>>>         server  mail mail.server.com:25 check
>>>
>>> The idea is that haproxy takes the SSL connect, then forwards plain TCP
>>> to the mail server on port 25 - thereby providing an SMTP over SSL
>>> connection.
>>>
>>> Is this possible with haproxy?
>>
>> Hi Steven,
>>
>> this is technically doable.
>> May work better like this:
>>
>> listen smtps
>>         bind :465 ssl
>>         option  tcplog
>>         server  mail mail.server.com:25 check
>
> I tried this, but get:
> [ALERT] 196/162927 (8567) : parsing [/etc/haproxy/haproxy.cfg:17] :
> 'bind' only supports the 'transparent', 'defer-accept', 'name', 'id',
> 'mss' and 'interface' options.
> [ALERT] 196/162927 (8567) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT] 196/162927 (8567) : Fatal errors found in configuration.
> Errors in configuration file, check with haproxy check.
>
> I should have mentioned that I'm using 1.4.24 right now on RHEL6.
>
> Does this need a certain version? I'm happy to rebuild to a newer
> version if required.
>
> I'm also wondering how I'd then pass the SSL cert to haproxy (I assume
> via a .pem)?
>
> --
> Steven Haigh
>
> Email: [email protected]
> Web: http://www.crc.id.au
> Phone: (03) 9001 6090 - 0412 935 897
> Fax: (03) 8338 0299
>

Yes, you need haproxy 1.5 and I forgot to mention you need a pem file
provided through the crt directive:
listen smtps
         bind :465 ssl crt /path/to/cert.pem
         option  tcplog
         server  mail mail.server.com:25 check

Baptiste
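
An added example, not part of the original thread: a pre-deployment check of the file handed to `crt`, which HAProxy 1.5 expects to be one PEM holding both the certificate and its private key. The function names and the constructed sample are hypothetical; the check flags a missing or passphrase-protected key, a key that OpenSSL cannot pair with the certificate, and a file readable beyond its owner.

```python
import os
import re
import ssl
import stat

# Constructed sample: correct layout, dummy base64 bodies (not real key material).
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def check_bundle_text(text):
    """Structural checks on a combined PEM; returns a list of problems."""
    blocks = PEM_BLOCK.findall(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no certificate")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key")
    elif len(keys) > 1:
        problems.append("more than one private key")
    for label, body in keys:
        # PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header.
        if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected")
    return problems


def check_bundle_file(path):
    """Structural checks, an OpenSSL load of cert plus key, and the file mode."""
    with open(path, encoding="ascii", errors="replace") as fh:
        problems = check_bundle_text(fh.read())
    if not problems:  # skipped for encrypted keys, which would prompt on a tty
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            # With no keyfile argument the key is read from the same file;
            # OpenSSL rejects a key that does not match the certificate.
            ctx.load_cert_chain(path)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append("OpenSSL cannot load bundle: %s" % exc)
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("readable by group or other")
    return problems
```
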
