Re: Help with SSL

2011-11-04 Thread Aleksandar Lazic

Hi Christophe,

On 03.11.2011 22:00, Christophe Rahier wrote:

Hello,

 My config of HAProxy is:

-- CUT --


[snipp]


-- CUT --

 The problem with SSL is that the IP address that I get to the web server
 is the IP address of the loadbalancer and not the original IP address.


 This is a big problem for me and it's essential that I can have the
right IP address.

 How can I do, is it possible? I've heard of stunnel but I don't
understand how to use it.

 Thank you in advance for your help,


you must use

http://www.stunnel.org/static/stunnel.html
protocol = proxy

in stunnel and use 'accept-proxy' in haproxy

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1580

as bind option

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1453

and the 'option forwardfor'

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l3111

haproxy automatically fills the client IP into the X-Forwarded-For
header field.

I assume this from the doc.
Please can you tell us if this is right?

Hth

Aleks

PS: did you receive my answer on the stunnel list?

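The mechanism Aleks describes, as an added example (not code from the thread, from stunnel or from HAProxy): with `protocol = proxy`, stunnel writes one PROXY protocol v1 line in front of the decrypted stream, and an `accept-proxy` listener reads that line to learn the real client address before `option forwardfor` copies it into X-Forwarded-For. The config sketch in the comment, the loopback address 127.0.0.1 as the only trusted frontend and all function names are assumptions made for this example. The check in `client_address` is the part worth remembering: whoever can open a connection to an accept-proxy port can claim any source address, so that port must be reachable only from the stunnel host.

```python
import ipaddress

# Assumed wiring (constructed for this example, not from the thread):
#
#   # stunnel.conf, stunnel >= 4.45, running on the HAProxy box
#   [https]
#   accept   = 192.168.0.2:443
#   connect  = 127.0.0.1:8443
#   cert     = /etc/stunnel/site.pem
#   protocol = proxy
#
#   # haproxy.cfg
#   listen WebPlayer-Farm-SSL-decrypted
#       bind 127.0.0.1:8443 accept-proxy
#       mode http
#       option forwardfor
#       server Player1 192.168.0.10:80 check

# Longest legal v1 header, CRLF included, per the PROXY protocol spec.
MAX_V1_HEADER = 107

# Peers allowed to hand us a PROXY header (assumption: stunnel on loopback).
TRUSTED_FRONTENDS = {ipaddress.ip_address("127.0.0.1")}


class ProxyHeaderError(ValueError):
    pass


def build_proxy_v1(src, dst, sport, dport):
    """The line stunnel (protocol = proxy) writes before the first byte
    of decrypted application data."""
    family = "TCP4" if ipaddress.ip_address(src).version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Parse a v1 header from the first bytes of a connection, the way an
    accept-proxy listener must. Returns (fields, remaining_bytes).
    Anything that deviates from the spec is rejected: a lenient parser
    here lets a peer inject an arbitrary 'client' address."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("header is not ASCII") from None
    if fields[1] == "UNKNOWN":
        # Spec: accept, ignore whatever follows, fall back to the TCP peer.
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6:
        raise ProxyHeaderError("expected exactly 6 space-separated fields")
    _, family, src, dst, sport, dport = fields
    version = {"TCP4": 4, "TCP6": 6}.get(family)
    if version is None:
        raise ProxyHeaderError(f"unknown address family {family!r}")
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_port, dst_port = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from None
    if src_ip.version != version or dst_ip.version != version:
        raise ProxyHeaderError("family does not match the addresses")
    # int() accepts '+80' and '0080'; the spec does not.
    if (sport, dport) != (str(src_port), str(dst_port)):
        raise ProxyHeaderError("ports must be plain decimal")
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": src_port, "dport": dst_port}, rest


def rejects(data):
    """True if parse_proxy_v1 refuses the given bytes."""
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError:
        return True
    return False


def client_address(peer_ip, first_bytes, trusted=TRUSTED_FRONTENDS):
    """Decide which address goes into X-Forwarded-For for this connection.
    The header is honoured only from peers we trust: anyone else able to
    reach the accept-proxy port could otherwise claim any source address,
    so the port should also be firewalled to the stunnel host."""
    if ipaddress.ip_address(peer_ip) not in trusted:
        raise ProxyHeaderError(f"PROXY header offered by untrusted peer {peer_ip}")
    fields, rest = parse_proxy_v1(first_bytes)
    if fields["family"] == "UNKNOWN":
        return peer_ip, rest
    return fields["src"], rest


if __name__ == "__main__":
    hdr = build_proxy_v1("203.0.113.7", "192.168.0.2", 51234, 443)
    print(client_address("127.0.0.1", hdr + b"GET / HTTP/1.0\r\n"))
```

Run it as a script to see the parsed client address and the HTTP bytes that follow the header. The strict checks (CRLF within 107 bytes, exact field count, family matching the addresses, plain-decimal ports) are exactly the ones a real receiver is expected to apply; the trust check is what you must add around it with a firewall, since HAProxy itself will believe any PROXY line it is handed.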


Re: Help with SSL

2011-11-04 Thread Christophe Rahier
Hi Aleks,

Thanks for your help, I received your answer yesterday but it was too late
to answer, I was too tired :-)

I'll check what you proposed.

Thanks once again,

Christophe



On 04/11/11 09:41, « Aleksandar Lazic » al-hapr...@none.at wrote:

[snipp]


Re: Help with SSL

2011-11-04 Thread Vincent Bernat

On Fri, 04 Nov 2011 09:41:00 +0100, Aleksandar Lazic wrote:


you must use

http://www.stunnel.org/static/stunnel.html
protocol = proxy


In this case, you need the latest stunnel (4.45).



Re: Help with SSL

2011-11-03 Thread Baptiste
Hi Christophe,

Use the HAProxy box in transparent mode: HAProxy will connect to
your application server using the client IP.
In your backend, just add the line:
    source 0.0.0.0 usesrc clientip

Bear in mind that in such a configuration, the default gateway of your
server must be the HAProxy box. Or you have to configure PBR on your
network.

Stunnel can be used in front of HAProxy to decrypt the traffic.
But if your main issue is to get the client IP, then it won't help you
unless you set up transparent mode as explained above.

cheers


On Thu, Nov 3, 2011 at 10:00 PM, Christophe Rahier
christo...@qualifio.com wrote:
 Hello,

  My config of HAProxy is:

 -- CUT --
 global
     log 192.168.0.2 local0
     log 127.0.0.1 local1 notice
     maxconn 10240

 defaults
     log global
     option dontlognull
     retries 2
     timeout client 35s
     timeout server 90s
     timeout connect 5s
     timeout http-keep-alive 10s

 # HTTP farms: HAProxy parses the requests here, so 'option forwardfor'
 # can insert the client address into X-Forwarded-For.
 listen WebPlayer-Farm 192.168.0.2:80
     mode http
     option httplog
     balance source
     #balance leastconn
     option forwardfor
     option http-server-close
     option httpchk HEAD /checkCF.cfm HTTP/1.0
     stats enable
     server Player4 192.168.0.13:80 check
     server Player3 192.168.0.12:80 check
     server Player1 192.168.0.10:80 check
     server Player2 192.168.0.11:80 check
     server Player5 192.168.0.14:80 check

 # SSL farms: TCP pass-through of the still-encrypted stream. HAProxy
 # never sees the HTTP request, so it cannot add X-Forwarded-For and
 # the backend sees the load balancer's address as the peer.
 listen WebPlayer-Farm-SSL 192.168.0.2:443
     mode tcp
     option ssl-hello-chk
     balance source
     server Player4 192.168.0.13:443 check
     server Player3 192.168.0.12:443 check
     server Player1 192.168.0.10:443 check
     server Player2 192.168.0.11:443 check
     server Player5 192.168.0.14:443 check

 listen Manager-Farm 192.168.0.2:81
     mode http
     option httplog
     balance source
     option forwardfor
     option http-server-close
     option httpchk HEAD /checkCF.cfm HTTP/1.0
     stats enable
     server Manager1 192.168.0.60:80 check
     server Manager2 192.168.0.61:80 check
     server Manager3 192.168.0.62:80 check

 listen Manager-Farm-SSL 192.168.0.2:444
     mode tcp
     option ssl-hello-chk
     balance source
     server Manager1 192.168.0.60:443 check
     server Manager2 192.168.0.61:443 check
     server Manager3 192.168.0.62:443 check

 # Stats-only listener, no backend servers.
 listen info 192.168.0.2:90
     mode http
     balance source
     stats uri /


 -- CUT --

  The problem with SSL is that the IP address that I get to the web server
 is the IP address of the loadbalancer and not the original IP address.

  This is a big problem for me and it's essential that I can have the
 right IP address.

  How can I do, is it possible? I've heard of stunnel but I don't
 understand how to use it.

  Thank you in advance for your help,

  Christophe





Re: Help on SSL termination and balance source

2011-06-09 Thread James Bardin
On Thu, Jun 9, 2011 at 7:33 AM, habeeb rahman pk.h...@gmail.com wrote:

 apache rewrite rule:
  RewriteRule ^/(.*)$ http://127.0.0.1:2443%{REQUEST_URI} [P,QSA,L]


Why are you using a rewrite instead of mod_proxy?
ProxyPass does some nice things by default, like adding the
X-Forwarded-For header which will provide the address of the client.
Otherwise, you will need to do this manually with rewrite rules.

-jim



Re: Help on SSL termination and balance source

2011-06-09 Thread habeeb rahman
James,

Thanks for your points. The rewrite rule was set up by some other guys, has
been in use for some time now and works well with round robin.
Anyhow I will look at mod_proxy in detail. Not sure how SSL termination can
be done with it and moreover how haproxy is going to balance based on client IP.
Any insight?

Anyone else has any thoughts or insights to share?

-Habeeb

On Thu, Jun 9, 2011 at 7:11 PM, James Bardin jbar...@bu.edu wrote:

 [snipp]




Re: Help on SSL termination and balance source

2011-06-09 Thread Holger Just
Habeeb,

given your Apache does actually insert/append an X-Forwarded-For header
you can use this statement instead of balance source in HAProxy:

balance hdr(X-Forwarded-For)

This has a few caveats you should be aware of. Users can set the
X-Forwarded-For header themselves (which is done by some upstream proxies).
Most forwarders (HAProxy included) just append their IP to the list by
default. I don't know how Apache can be configured, but you should try
to delete any upstream X-Forwarded-For headers and just include the IP
of the last visible source to avoid users messing with the balancing.

Hope that helps,
Holger

On 09.06.2011 15:54, habeeb rahman wrote:
 [snipp]
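The caveat Holger raises, and the X-Forwarded-For header James says ProxyPass adds, as an added example that is not code from any poster, from Apache or from HAProxy: a client controls everything it puts in X-Forwarded-For, and every proxy that appends (the default for Apache and HAProxy) keeps that client-written prefix. The only safe way to read the header is from the right, starting at the TCP peer, accepting an entry only while the hop that wrote it is one of your own proxies; the same walk gives the single address an edge proxy should send on if it replaces the header instead of appending, which is what makes `balance hdr(X-Forwarded-For)` hash something the client cannot choose. The trusted-proxy list (loopback for the Apache terminator that proxies to 127.0.0.1:2443, plus the HAProxy box) and the function names are assumptions made for this example.

```python
import ipaddress

# Hops we operate and therefore trust to append honest entries. Constructed
# for this example: the Apache terminator on loopback and the HAProxy box.
TRUSTED_PROXIES = ["127.0.0.1/32", "192.168.0.2/32"]


def _split_hops(xff_header):
    return [h.strip() for h in (xff_header or "").split(",") if h.strip()]


def _is_trusted(ip, nets):
    return any(ip in net for net in nets)


def client_ip_from_xff(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Address of the nearest hop we cannot vouch for.

    The TCP peer is the only address we observed ourselves. Each entry in
    X-Forwarded-For was appended by the hop to its right, so it can be
    believed only if that hop is one of our proxies. Walk right-to-left and
    stop at the first address that is not a trusted proxy: that is the
    client. Everything further left was written by the client (or by an
    attacker) and is ignored. If the peer itself is untrusted (someone
    bypassed the terminator), the header is ignored entirely.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]
    hops = _split_hops(xff_header)
    current = ipaddress.ip_address(peer_ip)
    while hops and _is_trusted(current, nets):
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            # A proxy we trust never appends garbage: the chain is broken,
            # so refuse rather than guess.
            raise ValueError(f"malformed X-Forwarded-For entry {candidate!r}")
    return str(current)


def naive_first_hop(peer_ip, xff_header):
    """The usual mistake: believe the leftmost entry, which the client wrote.
    Kept only to contrast with client_ip_from_xff."""
    hops = _split_hops(xff_header)
    return hops[0] if hops else peer_ip


def xff_for_next_hop(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Header value a proxy should send upstream when it replaces instead of
    appends: exactly one verified address, so a later 'balance hdr(...)'
    hashes a value the client could not influence."""
    return client_ip_from_xff(peer_ip, xff_header, trusted_proxies)


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 injected "10.0.0.1", Apache
    # appended the real address, HAProxy sees Apache (127.0.0.1) as the peer.
    peer, xff = "127.0.0.1", "10.0.0.1, 203.0.113.7"
    print("naive:", naive_first_hop(peer, xff))      # attacker's choice
    print("trusted walk:", client_ip_from_xff(peer, xff))
```

With an empty trusted list the function degrades to "the TCP peer is the client", which is the correct answer at the outermost hop and matches Holger's advice to drop whatever arrived and emit only the last visible source.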