RE: stunnel + haproxy + ssl + ddns + multiple domains

2012-11-29 Thread Rob Cluett
Thank you Baptiste. I am implementing this now. The procedure I was looking
at had me making it more complicated than it needed to be.

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Thursday, November 29, 2012 2:29 AM
To: Rob Cluett
Cc: haproxy@formilux.org
Subject: Re: stunnel + haproxy + ssl + ddns + multiple domains

Hi Rob,

Just make your stunnel point to your frontend on port 80, and you're
done.

cheers

On Thu, Nov 29, 2012 at 1:05 AM, Rob Cluett r...@robcluett.com wrote:
 All, wondering if you can point me in the right direction. I have
 stunnel installed with the x-forwarded-for patch. I also have haproxy
 working so all incoming http requests are forwarded from my router to
 haproxy. haproxy then determines where to route the request based on the
 domain name.
 Configs below. I'd like to implement something similar with stunnel
 and haproxy so that all inbound requests can be routed in the same
 manner for https.



 global
     log     127.0.0.1 local2
     chroot  /var/lib/haproxy
     pidfile /var/run/haproxy.pid
     maxconn 4000
     user    haproxy
     group   haproxy
     daemon
     # turn on stats unix socket
     stats socket /var/lib/haproxy/stats

 defaults
     mode    http
     log     global
     option  httplog
     option  dontlognull
     option  http-server-close
     option  forwardfor except 127.0.0.0/8
     option  redispatch
     retries 3
     timeout http-request    10s
     timeout queue           1m
     timeout connect         10s
     timeout client          1m
     timeout server          1m
     timeout http-keep-alive 10s
     timeout check           10s
     maxconn 3000

 frontend http_proxy
     bind *:80
     acl is_rbc-com hdr_dom(host) -i robcluett.com
     acl is_rbc-net hdr_dom(host) -i robcluett.net
     acl is_iom-com hdr_dom(host) -i iomerge.com
     use_backend cluster1 if is_rbc-com
     use_backend cluster2 if is_rbc-net
     use_backend cluster3 if is_iom-com

 backend cluster1
     server web2 10.10.10.51:80
     #server web5 192.168.1.128

 backend cluster2
     server web3 10.10.10.52:80
     #server web6 192.168.1.129:80

 backend cluster3
     server web4 10.10.10.53:80





Re: stunnel + haproxy + ssl + ddns + multiple domains

2012-11-28 Thread Baptiste
Hi Rob,

Just make your stunnel point to your frontend on port 80, and you're done.

cheers

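
Added example (not part of the original thread): a stunnel service definition for the setup Baptiste describes, assuming stunnel runs on the same host as haproxy. The certificate path is a placeholder, and `xforwardedfor` is assumed to be the option name provided by the x-forwarded-for patch Rob mentions.

```ini
; stunnel.conf fragment (constructed example, not from the thread)
; Terminate TLS on 443 and hand the decrypted HTTP to the existing
; haproxy frontend "http_proxy" (bind *:80).

; Placeholder path. This single service presents one certificate for
; every request, so it has to cover robcluett.com, robcluett.net and
; iomerge.com.
cert = /etc/stunnel/example-multidomain.pem

[https]
accept  = 443
; Connect over loopback so haproxy sees the source address 127.0.0.1.
connect = 127.0.0.1:80
; Assumed option name from the x-forwarded-for patch: inserts the real
; client address as an X-Forwarded-For header before forwarding.
xforwardedfor = yes
```

Because stunnel connects from 127.0.0.1, `option forwardfor except 127.0.0.0/8` in the posted defaults stops haproxy from appending the loopback address, so the backends receive the client address stunnel inserted. The existing `hdr_dom(host)` ACLs then route the decrypted HTTPS requests exactly as they route plain HTTP.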