Hello list

I'm quite new to haproxy, and I've managed to use it with SSL passthrough and as SSL termination. I've also started looking into the code to find the answers or solutions to what I want to achieve.

I have OpenVPN and HTTPS running on the same port. This can be done with several setups, of which using the OpenVPN port-sharing feature is the easiest.

But now I need to know the remote IP addresses in order to be able to lock out abusive access to the web server. HTTPS used to be unharmed by exploitative access, but now it's getting to be a problem. With HTTP, I can reduce the traffic by locking out IP addresses using fail2ban. With HTTPS, I cannot see the IP address, so there is no way to lock them out selectively. Any tool that does the backend switching cannot add an X-Forwarded-For HTTP header and be the SSL endpoint at the same time. Haproxy seems to be the only tool that might be able to handle both.

Looking at the code of haproxy, it seems to me that once I configure a bind with ssl, it just drops all connections that do not begin with an SSL handshake. However, it seems to be feasible to alter the code in order to fall back to a non-SSL connection if the handshake fails.

Has any of you already tried to accomplish this, or am I missing a detail that makes this impossible?


Regards

Martin


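As an added example (not from the original post, and not Martin's or the haproxy project's own configuration), here is one way to get the setup described above without touching haproxy's code: a plain TCP frontend on the shared port sniffs the first client bytes, hands anything that looks like a TLS ClientHello to a second, TLS-terminating frontend over an internal socket, and passes everything else straight to OpenVPN. Haproxy is then the SSL endpoint for the web traffic and can add X-Forwarded-For, while the PROXY protocol preserves the real client address across the internal hop. Everything concrete here is an assumption: haproxy 1.5 or newer (for `bind ... ssl` and `req.ssl_hello_type`), a Linux host (for the `abns@` abstract socket), a certificate at /etc/haproxy/site.pem, OpenVPN listening on tcp 127.0.0.1:1194, the web server on 127.0.0.1:8080, and port 443 as the shared public port.

```haproxy
# Added example (not from the original post). Assumptions: haproxy >= 1.5,
# Linux (abns@ sockets), cert at /etc/haproxy/site.pem, OpenVPN on tcp
# 127.0.0.1:1194, web server on 127.0.0.1:8080, shared public port 443.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# 1. Raw TCP listener on the shared port: decide by the first client bytes.
frontend shared_443
    mode tcp
    bind :443
    # Wait up to 5s for the first bytes from the client before routing.
    tcp-request inspect-delay 5s
    # req.ssl_hello_type is 1 for a TLS ClientHello. Data that does not
    # parse as TLS (e.g. OpenVPN's first packet) fails this test at once.
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend to_tls if { req.ssl_hello_type 1 }
    default_backend to_openvpn

# 2a. Non-TLS traffic (OpenVPN) is passed through untouched.
backend to_openvpn
    mode tcp
    server openvpn 127.0.0.1:1194

# 2b. TLS traffic goes to an internal TLS-terminating frontend over an
#     abstract unix socket. send-proxy emits the PROXY protocol header so
#     the next frontend sees the original client address, not 127.0.0.1.
backend to_tls
    mode tcp
    server tls abns@tls_term send-proxy

# 3. TLS termination and HTTP layer. accept-proxy reads the PROXY header
#    from step 2b; option forwardfor then inserts X-Forwarded-For with the
#    real client address before the request reaches the web server.
frontend https_term
    mode http
    bind abns@tls_term accept-proxy ssl crt /etc/haproxy/site.pem
    option forwardfor
    # httplog records the client IP:port per request, so fail2ban can ban
    # on haproxy's own log instead of (or as well as) the web server's.
    option httplog
    default_backend web

backend web
    mode http
    server web 127.0.0.1:8080
```

With this in place, OpenVPN's own port-share feature is no longer needed: OpenVPN listens only on the local port that `to_openvpn` points at, and a fail2ban jail can key on the client address in haproxy's HTTP log line or on the X-Forwarded-For header the web server now receives. Keep the inspect-delay short, since a client that connects and sends nothing holds a connection for that long before being routed to the default backend.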