On Wed, Aug 19, 2015 at 3:26 PM, Rich Vigorito <[email protected]> wrote:
> I should also clarify the goal of using this approach was to do TLS from
> router to haproxy and onto webservers but to preserve the client IP. The
> other thought I had was to SSL terminate on haproxy box and initiate new
> TLS handshake from haproxy to webservers. Though I'm assuming transparent
> proxy will mean less work for haproxy server. Is this second approach even
> possible? To accomplish the goal of TLS all the way through the call, all
> I've seen is the transparent proxy solution, which I've been struggling with.
>

Transparent proxying might be one way to get the client IP onto the backend servers, but there are others too, as you've mentioned, and those might be much easier.

Yes, you can terminate SSL on haproxy and make a new SSL connection to the backend. With that, you'd probably need to add the X-Forwarded-For HTTP header (use 'mode http') and configure your webserver to use XFF too.

If your webserver or app can support the haproxy "PROXY" protocol, that might also be an option for you and allows you to pass through the SSL (not terminated at haproxy) to the backend if you need that.

-Bryan
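
The two options described in the reply above, sketched as an haproxy configuration. This is an added example, not configuration posted by either participant; the section names, addresses, ports and file paths are assumed placeholders, and the two frontends sit on different ports only so that both fit in one file.

```haproxy
# Added example: all names, addresses, ports and paths are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option 1: terminate TLS on haproxy, open a new TLS connection to the
# webserver, and carry the client IP in X-Forwarded-For.
frontend fe_terminate
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # set-header replaces any X-Forwarded-For sent by the client, so the
    # backend only ever sees the address haproxy observed.
    http-request set-header X-Forwarded-For %[src]
    default_backend be_reencrypt

backend be_reencrypt
    mode http
    # "ssl" starts a new handshake to the webserver; "verify required"
    # checks its certificate against the given CA instead of accepting any.
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem

# Option 2: do not terminate TLS; forward the encrypted stream as TCP and
# carry the client IP in the PROXY protocol header.
frontend fe_passthrough
    mode tcp
    bind :8443
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    # send-proxy prepends the PROXY header before the client's TLS bytes;
    # the webserver must be configured to expect it on this port.
    server web1 10.0.0.11:4443 send-proxy
```

With either option, the webserver should accept X-Forwarded-For or a PROXY header only on connections that come from the haproxy address, since any other sender could put an arbitrary client IP in them.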

