Re: Help with SSL
Hi Christophe,

On 03.11.2011 22:00, Christophe Rahier wrote:
> Hello,
>
> My config of HAProxy is:
>
> -- CUT --
> [snipp]
> -- CUT --
>
> The problem with SSL is that the IP address that I get to the web server is the IP address of the loadbalancer and not the original IP address.
> This is a big problem for me and it's essential that I can have the right IP address.
>
> What can I do, is it possible?
>
> I've heard of stunnel but I don't understand how to use it.
>
> Thank you in advance for your help,

You must use

http://www.stunnel.org/static/stunnel.html

    protocol = proxy

in stunnel and use 'accept-proxy' in haproxy

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1580

as bind option

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1453

and the 'option forwardfor'

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l3111

haproxy fills the client IP into the X-Forwarded-For header field automatically.
I assume this from the doc. Please can you tell us if this is right?

Hth
Aleks

PS: have you received my answer on the stunnel list?
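An added illustration, not from Aleks's mail nor from stunnel or HAProxy itself: the PROXY protocol v1 line that stunnel's `protocol = proxy` prepends to the decrypted stream and that HAProxy's `accept-proxy` bind option consumes, parsed in Python together with the check a receiver needs, namely that the header is only honoured when the TCP peer is the trusted terminator (otherwise any client could claim any source address). The sample stream and the loopback trust list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of what a PROXY-protocol-speaking TLS terminator
# (stunnel with "protocol = proxy") prepends to the plaintext it forwards.
SAMPLE = (b"PROXY TCP4 203.0.113.7 192.168.0.2 51234 443\r\n"
          b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n")

_TCP = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)$")

def parse_proxy_v1(data):
    """Split a PROXY v1 header off `data`.

    Returns (client_ip, client_port, rest). client_ip is None when the
    sender declared the connection UNKNOWN (e.g. a health check)."""
    end = data.find(b"\r\n", 0, 107)      # a v1 header is at most 107 bytes
    if end < 0:
        raise ValueError("no PROXY v1 header")
    line, rest = data[:end], data[end + 2:]
    if line.startswith(b"PROXY UNKNOWN"):
        return None, None, rest
    m = _TCP.match(line)
    if not m:
        raise ValueError("malformed PROXY header")
    family, src, dst, sport, dport = m.groups()
    ver = 4 if family == b"TCP4" else 6
    src_ip = ipaddress.ip_address(src.decode("ascii"))
    dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    if src_ip.version != ver or dst_ip.version != ver:
        raise ValueError("address family mismatch")
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ValueError("port out of range")
    return str(src_ip), sport_i, rest

def client_address(peer_ip, data, trusted=("127.0.0.1",)):
    """Decide which address to log and balance on.

    The header is honoured only when the TCP peer is a trusted terminator
    (assumed to sit on loopback here); anyone else can write 'PROXY ...'
    too, so for them the TCP peer address is kept and the data untouched."""
    if peer_ip not in trusted:
        return peer_ip, data
    ip, _port, rest = parse_proxy_v1(data)
    return (ip or peer_ip), rest
```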
Re: Help with SSL
Hi Aleks,

Thanks for your help, I received your answer yesterday but it was too late for answering, I was too tired :-)

I'll check what you proposed.

Thanks once again,

Christophe

Le 04/11/11 09:41, « Aleksandar Lazic » al-hapr...@none.at a écrit :
> Hi Christophe,
>
> On 03.11.2011 22:00, Christophe Rahier wrote:
>> Hello,
>>
>> My config of HAProxy is:
>>
>> -- CUT --
>> [snipp]
>> -- CUT --
>>
>> The problem with SSL is that the IP address that I get to the web server is the IP address of the loadbalancer and not the original IP address.
>> This is a big problem for me and it's essential that I can have the right IP address.
>>
>> What can I do, is it possible?
>>
>> I've heard of stunnel but I don't understand how to use it.
>>
>> Thank you in advance for your help,
>
> You must use
>
> http://www.stunnel.org/static/stunnel.html
>
>     protocol = proxy
>
> in stunnel and use 'accept-proxy' in haproxy
>
> http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1580
>
> as bind option
>
> http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1453
>
> and the 'option forwardfor'
>
> http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l3111
>
> haproxy fills the client IP into the X-Forwarded-For header field automatically.
> I assume this from the doc. Please can you tell us if this is right?
>
> Hth
> Aleks
>
> PS: have you received my answer on the stunnel list?
Re: Help with SSL
On Fri, 04 Nov 2011 09:41:00 +0100, Aleksandar Lazic wrote:
> You must use
>
> http://www.stunnel.org/static/stunnel.html
>
>     protocol = proxy

In this case, you need the latest stunnel (4.45).
Re: Help with SSL
Hi Christophe,

Use the HAProxy box in transparent mode: HAProxy will get connected to your application server using the client IP.

In your backend, just add the line:

    source 0.0.0.0 usesrc clientip

Bear in mind that in such a configuration, the default gateway of your server must be the HAProxy box. Or you have to configure PBR on your network.

Stunnel can be used in front of HAProxy to decrypt the traffic. But if your main issue is to get the client IP, then it won't help you unless you set up transparent mode as explained above.

cheers

On Thu, Nov 3, 2011 at 10:00 PM, Christophe Rahier christo...@qualifio.com wrote:
> Hello,
>
> My config of HAProxy is:
>
> -- CUT --
> global
>     log 192.168.0.2 local0
>     log 127.0.0.1 local1 notice
>     maxconn 10240
>
> defaults
>     log global
>     option dontlognull
>     retries 2
>     timeout client 35s
>     timeout server 90s
>     timeout connect 5s
>     timeout http-keep-alive 10s
>
> listen WebPlayer-Farm 192.168.0.2:80
>     mode http
>     option httplog
>     balance source
>     #balance leastconn
>     option forwardfor
>     stats enable
>     option http-server-close
>     server Player4 192.168.0.13:80 check
>     server Player3 192.168.0.12:80 check
>     server Player1 192.168.0.10:80 check
>     server Player2 192.168.0.11:80 check
>     server Player5 192.168.0.14:80 check
>     option httpchk HEAD /checkCF.cfm HTTP/1.0
>
> listen WebPlayer-Farm-SSL 192.168.0.2:443
>     mode tcp
>     option ssl-hello-chk
>     balance source
>     server Player4 192.168.0.13:443 check
>     server Player3 192.168.0.12:443 check
>     server Player1 192.168.0.10:443 check
>     server Player2 192.168.0.11:443 check
>     server Player5 192.168.0.14:443 check
>
> listen Manager-Farm 192.168.0.2:81
>     mode http
>     option httplog
>     balance source
>     option forwardfor
>     stats enable
>     option http-server-close
>     server Manager1 192.168.0.60:80 check
>     server Manager2 192.168.0.61:80 check
>     server Manager3 192.168.0.62:80 check
>     option httpchk HEAD /checkCF.cfm HTTP/1.0
>
> listen Manager-Farm-SSL 192.168.0.2:444
>     mode tcp
>     option ssl-hello-chk
>     balance source
>     server Manager1 192.168.0.60:443 check
>     server Manager2 192.168.0.61:443 check
>     server Manager3 192.168.0.62:443 check
>
> listen info 192.168.0.2:90
>     mode http
>     balance source
>     stats uri /
> -- CUT --
>
> The problem with SSL is that the IP address that I get to the web server is the IP address of the loadbalancer and not the original IP address.
> This is a big problem for me and it's essential that I can have the right IP address.
>
> What can I do, is it possible?
>
> I've heard of stunnel but I don't understand how to use it.
>
> Thank you in advance for your help,
>
> Christophe
Re: Help on SSL termination and balance source
On Thu, Jun 9, 2011 at 7:33 AM, habeeb rahman pk.h...@gmail.com wrote:
> apache rewrite rule:
>
>     RewriteRule ^/(.*)$ http://127.0.0.1:2443%{REQUEST_URI} [P,QSA,L]

Why are you using a rewrite instead of mod_proxy? ProxyPass does some nice things by default, like adding the X-Forwarded-For header which will provide the address of the client. Otherwise, you will need to do this manually with rewrite rules.

-jim
Re: Help on SSL termination and balance source
James,

Thanks for your points. The rewrite rule was set up by some other guys and has been used for some time now and works well with round robin. Anyhow I will look at mod_proxy in detail. Not sure how SSL termination can be done with it and moreover how haproxy is going to balance based on client IP. Any insight?

Anyone else has any thoughts or insights to share?

-Habeeb

On Thu, Jun 9, 2011 at 7:11 PM, James Bardin jbar...@bu.edu wrote:
> On Thu, Jun 9, 2011 at 7:33 AM, habeeb rahman pk.h...@gmail.com wrote:
>> apache rewrite rule:
>>
>>     RewriteRule ^/(.*)$ http://127.0.0.1:2443%{REQUEST_URI} [P,QSA,L]
>
> Why are you using a rewrite instead of mod_proxy? ProxyPass does some nice things by default, like adding the X-Forwarded-For header which will provide the address of the client. Otherwise, you will need to do this manually with rewrite rules.
>
> -jim
Re: Help on SSL termination and balance source
Habeeb,

given your Apache does actually insert/append an X-Forwarded-For header you can use this statement instead of balance source in HAProxy:

    balance hdr(X-Forwarded-For)

This has a few caveats you should be aware of. Users can set the X-Forwarded-For header themselves (which is done by some upstream proxies). Most forwarders (HAProxy included) just append their IP to the list by default. I don't know how Apache can be configured, but you should try to delete any upstream X-Forwarded-For headers and just include the IP of the last visible source to avoid users messing with the balancing.

Hope that helps,
Holger

On 09.06.2011 15:54, habeeb rahman wrote:
> James,
>
> Thanks for your points. The rewrite rule was set up by some other guys and has been used for some time now and works well with round robin. Anyhow I will look at mod_proxy in detail. Not sure how SSL termination can be done with it and moreover how haproxy is going to balance based on client IP. Any insight?
>
> Anyone else has any thoughts or insights to share?
>
> -Habeeb
>
> On Thu, Jun 9, 2011 at 7:11 PM, James Bardin jbar...@bu.edu wrote:
>> On Thu, Jun 9, 2011 at 7:33 AM, habeeb rahman pk.h...@gmail.com wrote:
>>> apache rewrite rule:
>>>
>>>     RewriteRule ^/(.*)$ http://127.0.0.1:2443%{REQUEST_URI} [P,QSA,L]
>>
>> Why are you using a rewrite instead of mod_proxy? ProxyPass does some nice things by default, like adding the X-Forwarded-For header which will provide the address of the client. Otherwise, you will need to do this manually with rewrite rules.
>>
>> -jim
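As an added example, not from Holger's mail or from HAProxy, the check he describes written out in Python: keep only the last visible source by walking the X-Forwarded-For chain from our own terminator leftwards, and compare hashing the raw header (what `balance hdr(X-Forwarded-For)` does) against hashing that derived address. The terminator address, server pool and hash function are constructed assumptions; HAProxy's own hash differs.

```python
import hashlib
import ipaddress

# Constructed setup: Apache on the HAProxy box terminates TLS and appends the
# TCP peer to whatever X-Forwarded-For the client sent, then proxies to HAProxy.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}  # our own terminator(s)
SERVERS = ["Player1", "Player2", "Player3"]             # constructed pool

def client_ip_from_xff(xff, peer_ip, trusted=TRUSTED_PROXIES):
    """Return the last visible source: walk the chain from the TCP peer
    leftwards and stop at the first hop that is not one of our proxies.
    Everything left of that hop was supplied by the client and is ignored."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    chain = hops + [peer_ip]
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None           # unparsable hop: refuse rather than guess
        if ip not in trusted:
            return str(ip)
    return chain[0]               # only our own proxies in the chain

def pick_server(key, servers=SERVERS):
    """Illustrative hash-based pick (HAProxy's own hash differs): the same
    key always maps to the same server, which is the point of 'balance'."""
    if key is None:
        return servers[0]         # fixed member for unparsable input
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")
    return servers[h % len(servers)]

def balance_naive(xff):
    """What hashing the raw header does: a client that prepends its own
    value to X-Forwarded-For changes the key, and so the chosen server."""
    return pick_server(xff)

def balance_hardened(xff, peer_ip):
    """Hash only the address actually derived from our own proxy."""
    return pick_server(client_ip_from_xff(xff, peer_ip))
```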