ssl sni and client certificate verification
Hi all,

The last 2 tasks I need to do after the final decision of the migration from NGINX are:

1) SSL SNI with SSL offload
As I read the docs, this is supported only in version 1.5, which is still not stable. Is there any way how to do this on 1.4 without nginx as frontend?

2) SSL client verification
I did not find how to enforce the client verification on the haproxy ;(

If there are some docs or examples, point me to them please.

Best regards
Peter Hudec
RE: ssl sni and client certificate verification
Hi Peter!

> 1) SSL SNI with SSL offload
> As I read the docs, this is supported only in version 1.5, which is still not stable. Is there any way how to do this on 1.4 without nginx as frontend?

SSL offload does work only in 1.5. In 1.4 you need to do this with stunnel or stud, but that's a lot more complex and error prone than to simply use 1.5. I'm not sure client verification is supported with stunnel or stud.

I suggest you give haproxy 1.5-dev19 a try. It's already in use by a lot of people in production despite its not being declared stable.

> 2) SSL client verification
> I did not find how to enforce the client verification on the haproxy

On the bind line, add "verify required":
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-verify

You will also need to configure the CA file for verification (keyword: ca-file).

Regards,
Lukas
Re: ssl sni and client certificate verification
Thanks Lukas, I will try the 1.5 version. But for Debian this version is in experimental now ;( I will look if something is already done for Wheezy.

Best regards
Peter Hudec

-----Original Message-----
From: Lukas Tribus luky...@hotmail.com
Date: Tuesday, July 2, 2013 10:24 AM
To: Hudec Peter phu...@cnc.sk, haproxy@formilux.org haproxy@formilux.org
Subject: RE: ssl sni and client certificate verification
Re: ssl sni and client certificate verification
Hi Peter,

A bit more information about HAProxy features and client certificates:

http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/
http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/

Baptiste

On Tue, Jul 2, 2013 at 10:39 AM, Hudec Peter phu...@cnc.sk wrote:
> Thanks Lukas, I will try the 1.5 version. But for Debian this version is in experimental now ;( I will look if something is already done for Wheezy.
>
> Best regards
> Peter Hudec
Re: ssl sni and client certificate verification
Hi Baptiste,

Thanks for the links. It's all working.

I need to test one more setup: SNI + client certs on one IP, to have SNI-based SSL offload virtual hosting, where some of the domains must require SSL VERIFY. For the BIND directive the CA-FILE directive could be specified only once. For NGINX this setting is in each server directive.

Best regards
Peter

-----Original Message-----
From: Baptiste bed...@gmail.com
Date: Tuesday, July 2, 2013 11:13 AM
To: Hudec Peter phu...@cnc.sk
Cc: Lukas Tribus luky...@hotmail.com, haproxy@formilux.org haproxy@formilux.org
Subject: Re: ssl sni and client certificate verification

> Hi Peter,
>
> A bit more information about HAProxy features and client certificates:
> http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/
> http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/
>
> Baptiste
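The two points raised in this thread in one configuration: Lukas's answer (terminate TLS on the bind line, pick the certificate by SNI, add "verify required" plus "ca-file") and Peter's follow-up (ca-file can be given only once per bind line, yet only some SNI names should demand a client certificate). This is an added example, not a config posted in the thread and not taken from the HAProxy documentation. It assumes HAProxy 1.5-dev19 or later, one PEM per hostname (key and chain in the same file) under /etc/haproxy/certs/, a client CA bundle at /etc/haproxy/ca/clients.pem, and placeholder hostnames and backend addresses. The second frontend, which uses "verify optional" and ACLs on ssl_fc_sni and ssl_c_used to enforce the certificate per hostname, is a suggestion for Peter's unanswered question, not something the thread itself confirms.

```haproxy
# Added example, not from the thread. Paths, hostnames and addresses are assumptions.

global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# 1) Lukas's answer: SSL offload with SNI-based certificate selection (every
#    PEM in the directory is loaded) and a client certificate, signed by a CA
#    in ca-file, required for every connection on this bind line.
frontend https_strict
    bind :443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/ca/clients.pem verify required
    # Hand the verified client identity to the application (assumed header name)
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    default_backend app

# 2) Peter's follow-up: ca-file is per bind line, not per SNI name. Request the
#    certificate optionally for the whole bind and enforce it per hostname.
#    With "verify optional" a presented certificate that fails verification
#    against ca-file still aborts the handshake by default; what the ACLs add
#    is the "must present one" rule for the protected hostname only.
frontend https_mixed
    bind :8443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/ca/clients.pem verify optional
    acl sni_protected  ssl_fc_sni -i admin.example.com
    acl client_cert_ok ssl_c_used
    # 403 for the protected hostname when no client certificate was presented;
    # other hostnames on the same IP and port are served without one.
    http-request deny if sni_protected !client_cert_ok
    use_backend admin if sni_protected
    default_backend app

backend app
    server web1 10.0.0.11:80 check

backend admin
    server admin1 10.0.0.12:80 check
```

Test the strict frontend with "openssl s_client -connect host:443 -servername www.example.com" once without and once with "-cert client.pem -key client.key": the first handshake must fail, the second must complete. For the mixed frontend the first handshake completes for every hostname, and the deny rule only fires for admin.example.com.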
Re: ssl sni and client certificate verification
On 02.07.2013 10:39, Hudec Peter wrote:
> Thanks Lukas, I will try the 1.5 version. But for Debian this version is in experimental now ;( I will look if something is already done for Wheezy.

I have 1.5 packages for amd64 on my site. They are based on the packaging done by Vincent Bernat. They Work For Me (tm)

Look at http://www.roedie.nl/downloads/haproxy/

I also put snapshots there every once in a while if I hit a bug which bothers me. Which hasn't happened for some time now...

Greets,
Sander
Sticky Session Help
Hello all,

I have built a small environment which has two web servers sat behind HAProxy (1.5) plus three MariaDB servers clustered using Galera.

I am finding that some web applications' Admin panels, e.g. Wordpress/Joomla, do not work if the MySQL session is being constantly re-directed to another node. I thought I could use a stick table and the source IP, but as I am proxying the web servers as well, all traffic gets directed to one server :(

Any thoughts on how to resolve this conundrum? Is it even possible to resolve?

Thanks.
Re: Can HAProxy Reverse Proxy SSL to Backend?
Hello Willy,

I am still unclear how 1 daemon HAProxy process could handle thousands of requests/connections simultaneously or concurrently? I thought the daemon should fork children to handle connections, but I could not see any children spawned when I did a load-test with 100 concurrent users. Could you help me to understand it?

Thanks,
Q.Xie

From: Willy Tarreau w...@1wt.eu
To: Qingshan Xie xieq...@yahoo.com
Cc: Lukas Tribus luky...@hotmail.com; haproxy@formilux.org haproxy@formilux.org; Nenad Merdanovic ni...@nimzo.info
Sent: Monday, July 1, 2013 3:26 PM
Subject: Re: Can HAProxy Reverse Proxy SSL to Backend?

> Hi,
>
> On Mon, Jul 01, 2013 at 03:06:36PM -0700, Qingshan Xie wrote:
> > Hello Willy and Lukas,
> > I have 3 questions regarding HAProxy listed below, Please help.
> > 1. Can HAProxy handle 1000 ACL lines in one frontend service? What is its limit?
>
> There is no limit. ACLs by themselves do not hurt, they just consume a little bit of memory. Using them is what you should care about. That said, the worst config I have ever seen had 45 ACLs and as many use_backend rules. It was not very fast as you can imagine :-)
>
> > 2. For 1 process of HAProxy, how many concurrent connections can it handle?
>
> That can be configured in the global section for the process and in each frontend section or in the default section for the services themselves, please check the doc for this.
>
> > Can HAProxy configure Threads?
>
> no.
>
> > 3. Can HAProxy set a default frontend service?
>
> I don't understand what you mean here.
>
> Regards,
> Willy
RE: Can HAProxy Reverse Proxy SSL to Backend?
Hi!

> Hello Willy,
> I am still unclear how 1 daemon HAProxy process could handle thousands of requests/connections simultaneously or concurrently? I thought the daemon should fork children to handle connections, but I could not see any children spawned when I did a load-test with 100 concurrent users. Could you help me to understand it?

HAProxy doesn't use multiple processes or threads. It's fully event driven and does everything with a single process and a single thread. You can read more about it in the "Design Choices and history" section on the website:
http://haproxy.1wt.eu/#desi

Also adding the 10g benchmarks in case you have doubts about the design :)
http://haproxy.1wt.eu/10g.html

Lukas
Re: Can HAProxy Reverse Proxy SSL to Backend?
Hi,

On Tue, Jul 02, 2013 at 12:08:31PM -0700, Qingshan Xie wrote:
> Hello Willy,
> I am still unclear how 1 daemon HAProxy process could handle thousands of requests/connections simultaneously or concurrently? I thought the daemon should fork children to handle connections, but I could not see any children spawned when I did a load-test with 100 concurrent users.

Fortunately it does not, we're in the 21st century now! The last time I did something like this was in 1996 with my webroute project (haproxy's far ancestor). It's far too slow and you can't easily control resource usage when you proceed like this.

> Could you help me to understand it?

You should search on the net for "event driven programming", "multiplexing" and "asynchronous I/O". There is a lot of literature on the subject and you'll probably find articles covering other products using the same principle such as nginx or squid. But I won't enter into a lesson here, the subject is too vast for this, it could take an entire book!

Hoping this helps,
Willy
Re: Can HAProxy Reverse Proxy SSL to Backend?
Hi Lukas,

On Tue, Jul 02, 2013 at 09:24:49PM +0200, Lukas Tribus wrote:
> Hi!
>
> > Hello Willy,
> > I am still unclear how 1 daemon HAProxy process could handle thousands of requests/connections simultaneously or concurrently? I thought the daemon should fork children to handle connections, but I could not see any children spawned when I did a load-test with 100 concurrent users. Could you help me to understand it?
>
> HAProxy doesn't use multiple processes or threads. It's fully event driven and does everything with a single process and a single thread. You can read more about it in the "Design Choices and history" section on the website:
> http://haproxy.1wt.eu/#desi

Ah you beat me on this one!

> Also adding the 10g benchmarks in case you have doubts about the design :)
> http://haproxy.1wt.eu/10g.html

I hope to have time to update this one with new tests. I ran at 40G a few weeks ago, and I couldn't go beyond for lack of machines :-) I'll retry when I have more time and more hardware.

Cheers,
Willy
Re: ssl sni and client certificate verification
On Tue, Jul 2, 2013 at 9:39 AM, Hudec Peter phu...@cnc.sk wrote:
> Thanks Lukas, I will try the 1.5 version. But for Debian this version is in experimental now ;( I will look if something is already done for Wheezy.

It's really easy to build from source
http://efemoral.lovius.net/building-haproxy-from-git-on-ubuntu-12-04/
Re: ssl sni and client certificate verification
❦ 2 juillet 2013 10:39 CEST, Hudec Peter phu...@cnc.sk :

> But for Debian this version is in experimental now ;( I will look if something is already done for Wheezy.

It's really easy to backport the version in experimental for Wheezy:

    dget http://http.debian.net/debian/pool/main/h/haproxy/haproxy_1.5~dev19-1.dsc
    cd haproxy-1.5~dev19
    dpkg-buildpackage -us -uc

--
Use uniform input formats.
            - The Elements of Programming Style (Kernighan & Plauger)
X-Forward-For logging
I have a situation where I need to log the value of X-Forwarded-For in the haproxy log. The default currently logs the last IP in the chain, but the majority of our traffic is via proxies, so I actually need to log the *previous* IP. So, in the standard httplog output, I'd like to get the second-to-last IP from the X-Forwarded-For header that's coming in. I believe I could do a capture header to get it, but I want to preserve the list of IPs it passed through to get to me. On a tangent question, can I use two different log formats in one frontend? So I could log the regular httplog as well as a custom log that contains just the info I need? Thanks for any help you can offer.
Socket commands to all processes
We are running 1.5-dev19 with upwards of 30 processes to handle the SSL load on our production site, and I need to find a way to guarantee that all processes will receive commands via the socket interface. We use this to enable and disable backend servers cleanly when we do pushes, but since we had to go to multi-process it's stopped working as not all processes receive the command. Is there a method I can use to have this work again?