Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
On 27/12/2016 at 00:35, Patrick Hemmer wrote: On 2016/12/23 09:28, Arnall wrote: Hi everyone, i'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem process 3 ../..

Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
Hi, thanks for your answer, didn't know the src_is_local feature as it's a 1.7 feature, we're still in 1.6. The dst_port seems ok to me, will use it! Happy new year! On 27/12/2016 at 08:29, Elias Abacioglu wrote: Sorry just realized, src_is_local won't work when using proxy protocol.

Re: ssl offloading and send-proxy-v2-ssl

2016-12-27 Thread Willy Tarreau
Hi Patrick, On Mon, Dec 26, 2016 at 11:35:51PM +, Patrick Hemmer wrote: > On 2016/12/23 09:28, Arnall wrote: > > I thought that send-proxy-v2-ssl could help but i have no idea how ... > > src and src_port are OK with the proxy protocol but ssl_fc in > > web_plain keeps answering false ( 0 )

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Elias Abacioglu
Sorry just realized, src_is_local won't work when using proxy protocol. Proxy protocol will preserve initial source information. You can probably use dst_port like this instead: acl secure dst_port 443 if is secure On Mon, Dec 26, 2016 at 11:09 PM, Elias Abacioglu <

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Patrick Hemmer
On 2016/12/23 09:28, Arnall wrote: > Hi everyone, > > i'm using a nbproc > 1 configuration for ssl offloading : > > listen web_tls > mode http > bind *:443 ssl crt whatever.pem process 2 > bind *:443 ssl crt whatever.pem process 3 > > ../.. > server web_plain u...@plain.sock

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Elias Abacioglu
Perhaps you could use src_is_local. Something like this frontend web_plain acl is_local src_is_local http-response add-header X-External-Protocol https if is_local /Elias On Fri, Dec 23, 2016 at 3:28 PM, Arnall wrote: > Hi everyone, > > i'm using a nbproc > 1

Re: ssl offloading

2016-04-08 Thread Gerd Mueller
wow! Thanks, again Gerd Forwarded message From: Pavlos Parissis <pavlos.paris...@gmail.com> To: Andrew Hayworth <andrew.haywo...@getbraintree.com>, Gerd Mueller Cc: haproxy@formilux.org <haproxy@formilux.org> Subject: Re: ssl offloading Date: Sun

Re: ssl offloading

2016-04-03 Thread Pavlos Parissis
On 01/04/2016 04:20 PM, Andrew Hayworth wrote: > Hi there - > > Have you considered HAProxy in multiprocess mode? You could have a > frontend spread across multiple threads that terminates SSL. We're > experimenting with such a design here. > It has been mentioned before that you can increase

Re: ssl offloading

2016-04-01 Thread Andrew Hayworth
d. Thanks for the input. > > Gerd > > Forwarded message > From: Vincent Bernat <ber...@luffy.cx> > To: Conrad Hoffmann <con...@soundcloud.com> > Cc: Gerd Mueller <gerd.muel...@mikatiming.de>, haproxy@formilux.org > <haproxy@formilux.

Re: ssl offloading

2016-04-01 Thread Gerd Mueller
Ok sounds good. Thanks for the input. Gerd Forwarded message From: Vincent Bernat <ber...@luffy.cx> To: Conrad Hoffmann <con...@soundcloud.com> Cc: Gerd Mueller <gerd.muel...@mikatiming.de>, haproxy@formilux.org <haproxy@formilux.org> Subject:

Re: ssl offloading

2016-04-01 Thread Vincent Bernat
❦ 1 April 2016 11:11 +0200, Conrad Hoffmann: > I can't really back this up with reliable numbers, but a company I once > worked for experimented with such hardware. The outcome was, and I would > still always recommend this today, to rather throw more regular hardware

Re: ssl offloading

2016-04-01 Thread Conrad Hoffmann
> haproxy@formilux.org > <haproxy@formilux.org> > Subject: Re: ssl offloading > Date: Fri, 1 Apr 2016 01:54:29 + > > > stunnel's what w

Re: ssl offloading

2016-03-31 Thread Nathan Williams
stunnel's what we used before Haproxy had it built in, which worked fine, but SSL offloading in Haproxy's been excellent in our experience, so my guess would be that you could make it work with some config tuning. On Thu, Mar 31, 2016, 12:45 PM Lukas Tribus wrote: > > Hi

RE: ssl offloading

2016-03-31 Thread Lukas Tribus
> Hi list, > > what are your ideas about offloading of ssl? ssl inside haproxy is nice > but is very expensive. Why would you think that? Lukas

Re: SSL offloading configuration

2013-04-30 Thread PiBa-NL
Hi Chriss, That seems possible already.?. If you have the configuration for SSL offloading configured already all you need to add is the ssl option to your backend servers. -- http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2 -- *ssl

Re: SSL offloading configuration

2013-04-30 Thread David Coulson
Haproxy 1.5-Dev can do this already Sent from my iPhone On Apr 30, 2013, at 8:47 AM, Chris Sarginson ch...@sargy.co.uk wrote: Hi, Are there any plans to allow HAProxy to take the traffic that it can now SSL offload, perform header analysis, and then use an SSL encrypted connection to

Re: SSL offloading configuration

2013-04-30 Thread Chris Sarginson
That's AWESOME! Can't believe I didn't think of that, thanks a lot guys :) Chris On 30/04/2013 13:53, PiBa-NL wrote: Hi Chriss, That seems possible already.?. If you have the configuration for SSL offloading configured already all you need to add is the ssl option to your backend

Re: SSL offloading with NTLM auth

2013-02-01 Thread Baptiste
Could you please remove this pretend keepalive option from your configuration and give it a try? HAProxy may close the connection because of it. And yes, a tcpdump between haproxy and the CAS server may help as well. cheers On Fri, Feb 1, 2013 at 7:11 AM, Roland r...@bayreuth.tk wrote: Hi

Re: SSL offloading with NTLM auth

2013-01-31 Thread Baptiste
Hi, 401 is absolutely normal in NTLM. There are 2 or 3 request/response before the user is really authenticated when using NTLM. When HAProxy load-balances NTLM based services, the only log line you'll see will be 401 errors. Even if the connection works properly. This is due to the tunnel mode,

Re: SSL offloading with NTLM auth

2013-01-31 Thread Roland
Hi Baptiste, thanks a lot! If I connect the same computer with the same account and unchanged settings (except the URL of webaccess) directly to the CAS it works without any problems. Connection is established immediately. I also verified with Microsoft Remote Connectivity Analyzer. It