Re: Help with SSL

2011-11-04 Thread Aleksandar Lazic

Hi Christophe,

On 03.11.2011 22:00, Christophe Rahier wrote:

Hello,

 My config of HAProxy is:

-- CUT --


[snipp]


-- CUT --

 The problem with SSL is that the IP address that I get to the web server
is the IP address of the loadbalancer and not the original IP address.


 This is a big problem for me and it's essential that I can have the
right IP address.

 How can I do, is it possible? I've heard of stunnel but I don't
understand how to use it.

 Thank you in advance for your help,


you must use

http://www.stunnel.org/static/stunnel.html
protocol = proxy

in stunnel and use 'accept-proxy' in haproxy

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1580

as bind option

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1453

and the 'option forwardfor'

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l3111

haproxy automatically fills the client IP into the X-Forwarded-For
header field.

I assume this from the doc.
Please can you tell us if this is right?

Hth

Aleks

PS: did you receive my answer on the stunnel list?



Re: Help with SSL

2011-11-04 Thread Christophe Rahier
Hi Aleks,

Thanks for your help, I received your answer yesterday but it was too late
for answering, I was too tired :-)

I'll check what you proposed.

Thanks once again,

Christophe










Re: Help with SSL

2011-11-04 Thread Vincent Bernat

On Fri, 04 Nov 2011 09:41:00 +0100, Aleksandar Lazic wrote:


you must use

http://www.stunnel.org/static/stunnel.html
protocol = proxy


In this case, you need the latest stunnel (4.45).
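
What `protocol = proxy` and `accept-proxy` exchange, as an added example that is not from the thread or from either project: a Python sketch that parses the PROXY protocol version 1 line stunnel prepends to the decrypted stream, then appends the address as X-Forwarded-For the way `option forwardfor` does. The function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LINE = 107  # longest PROXY v1 line allowed by the spec, CRLF included


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, remaining_bytes) from a PROXY v1 stream.

    client_ip and client_port are None when the sender reports UNKNOWN.
    Raises ValueError if the stream does not start with a valid header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("stream does not start with a PROXY header")
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    ports = fields[4:6]
    if not all(p.isdigit() and int(p) <= 65535 for p in ports):
        raise ValueError("bad port")
    return str(src), int(ports[0]), rest


def add_forwarded_for(request: bytes, client_ip: str) -> bytes:
    """Append X-Forwarded-For as the last header, as 'option forwardfor' does."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    return head + b"\r\nX-Forwarded-For: " + client_ip.encode() + sep + body


# Constructed sample: what the accept-proxy listener reads after stunnel has
# decrypted the TLS session and prepended the client's address.
SAMPLE = (b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    ip, port, http = parse_proxy_v1(SAMPLE)
    print(ip, port)
    print(add_forwarded_for(http, ip).decode())
```

Because the listener takes whatever address this line carries as the client address, an `accept-proxy` bind is normally reachable only from the stunnel host.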



Re: Haproxy 502 errors, all the time on specific sites or backend

2011-11-04 Thread Baptiste
By the way, this one is useless as long as you enable mode http,
because it's implied in it.
# Every header should end with a colon followed by one space.
reqideny ^[^:\ ]*[\ ]*$

Cheers


On Thu, Nov 3, 2011 at 5:47 PM, Cyril Bonté cyril.bo...@free.fr wrote:
 On Thursday 3 November 2011 17:34:38, Benoit GEORGELIN wrote:
 Can you give me more details about your analysis? (examples)
 I will try to understand more about what's happening


 Is it the response that is not complete, or only the header?

 The body is not complete. I tried with the examples I provided in my first
 mail.

 Examples :
 curl -si http://sandka.org/portfolio/ => HTTP/1.0 200 OK with html cut in
 the middle.
 curl -si http://sandka.org/portfolio/foobar => HTTP/1.0 404 Not Found with
 html cut in the middle.

 There's something bad in ZenPhoto : it forces the response in HTTP/1.0, which
 prevents chunked transfer. That also can explain why mod_deflate generated 502
 errors.

 One thing you can try :
 Edit the file index.php in ZenPhoto and replace HTTP/1.0 occurrences (one for
 200, one for 404) by HTTP/1.1. Hopefully, this will allow apache+php to use
 chunked responses and solve the problem.

 --
 Cyril Bonté





RE: Haproxy timing issues

2011-11-04 Thread Erik Torlen
I get some problems on step 5 where it doesn't seem to do the ./Configure
properly. I moved the existing Configure and made a symlink named Configure
that pointed to config. When running step 5 again it seemed to jump into an
endless making of openssl :/
Meaning that it is starting to do something but it never finishes, waited for
~20min.

Any ideas?

/E

-Original Message-
From: Vincent Bernat [mailto:ber...@luffy.cx] 
Sent: den 2 november 2011 23:16
To: Erik Torlen
Cc: haproxy@formilux.org
Subject: Re: Haproxy timing issues

OoO On this cloudy night of Thursday 03 November 2011, around 01:21, Erik
Torlen erik.tor...@apicasystem.com said:

 Yes, I'm currently on Ubuntu 10.04.
 So basically I could grab this (http://packages.ubuntu.com/oneiric/openssl)
 .deb package and then add the patch you linked for me to it?
 Can I then compile stud as default or do I have to modify the
 Makefile?

On a development machine:
 1. dget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.0e-2ubuntu4.dsc
 2. cd openssl-1.0.0e
 3. curl https://raw.github.com/gist/1272151/7f1c3cfa9e95474cfac7c248c7ab41b4fd9e1632/openssl-1.0.0e-backport.patch | patch -p1
 4. Update debian/changelog like the first hunk of the patch (which will
    not apply cleanly since it is not targeted at the same version)
 5. dpkg-buildpackage -us -uc
 6. dpkg -i ../openssl*deb ../libssl*deb
 7. cd ../stud
 8. make USE_SHARED_CACHE=1
 9. You get your stud linked against OpenSSL 1.0.0e. Now, on your
    server, install libssl1.0.0_1.0.0e-2ubuntu4~bpoXXX1.deb then stud.
-- 
Vincent Bernat ☯ http://vincent.bernat.im



Re: Haproxy timing issues

2011-11-04 Thread Vincent Bernat
OoO During the meal of Friday 04 November 2011, around 19:22, Erik
Torlen erik.tor...@apicasystem.com said:

 I get some problems on step 5 where it doesn't seem to do the
 ./Configure properly. I moved the existing Configure and made a
 symlink named Configure that pointed to config. When running step 5
 again it seemed to jump into an endless making of openssl :/
 Meaning that it is starting to do something but it never finishes,
 waited for ~20min.

Symlink seems a wrong idea. Why doesn't it seem to do the ./Configure properly?
-- 
Vincent Bernat ☯ http://vincent.bernat.im
