Re: acl routing/redirect to specific backend system

2012-06-26 Thread Joeri Blokhuis | DongIT
Thank you for your reply Baptiste.

My setup is using HTTPS so I can't use your suggestion. Is there any other
solution when using HTTPS?

Thanks in advance!

On Mon, Jun 25, 2012 at 6:54 PM, Baptiste bed...@gmail.com wrote:

 Hi,

 Lately, a use-server directive has been added in HAProxy, you should have
 a look at it ;)
 Note that it will work only if HAProxy can see plain HTTP protocol.
 In your example, you're using HTTPS, so everything is encrypted from a
 HAProxy point of view.

 cheers


 On Mon, Jun 25, 2012 at 5:44 PM, Joeri Blokhuis | DongIT 
 joeri.blokh...@dongit.nl wrote:

 Hi,

 I need my 'administrators' to reach specific backend systems.
 I was hoping this can be done using ACL based on the URL or if there is
 a more simple way I'm open to suggestions.

 For example: https://domain.com/x/ where x stands for a specific system.

 So far I only found ways to balance using ACL on an entire backend but
 not on a specific system like test-web01 or test-web02. So is this possible
 and how would you recommend to implement this (without having to
 create multiple backends).

 Thanks in advance!

 Joeri

 My config below:

 default
 -
 global
 -

 frontend test-https-in
 #IP-address to bind to
 bind 10.0.0.217:443
 #Loadbalancing on TCP level
 mode tcp
 #set backend
 default_backend test-https-out
 #client max timeout
 clitimeout  5000

 backend test-https-out
 #set loadbalancing schema (roundrobin, source, etc)
 balance source
 #Loadbalancing on TCP level
 mode tcp
 #check backend health by doing SSL-hello
 #option ssl-hello-chk
 option tcpka
 option httpchk HEAD / HTTP/1.0
 server test-web01 10.0.0.211 weight 1 check port 80 inter 5s rise 2 fall 1
 server test-web02 10.0.0.212 weight 1 check port 80 inter 5s rise 2 fall 1


 --

 Tel: 06-14108403 | 071-5249213
 Email: joeri.blokh...@dongit.nl
 LinkedIn http://nl.linkedin.com/pub/joeri-blokhuis/32/8a2/784
 www.dongit.nl





-- 

Tel: 06-14108403 | 071-5249213
Email: joeri.blokh...@dongit.nl
LinkedIn http://nl.linkedin.com/pub/joeri-blokhuis/32/8a2/784
www.dongit.nl


Re: acl routing/redirect to specific backend system

2012-06-26 Thread Brane F. Gračnar
On 06/26/2012 10:17 AM, Joeri Blokhuis | DongIT wrote:
 Thank you for your reply Baptiste.
 
 My setup is using HTTPS so I can't use your suggestion. Is there any
 other solution when using HTTPS?

Yes, you can put an SSL offloader (stud, stunnel, nginx) in front of haproxy.

Cheers, Brane



Re: acl routing/redirect to specific backend system

2012-06-26 Thread Joeri Blokhuis | DongIT
Brane,

I need to have encrypted communication between my frontend and backend.
Therefore I don't want to offload SSL on the loadbalancer and then create
a new SSL package. The measurement to do this is a little too drastic (e.g.
consumes too much resources) for what I want. I can work around the problem
in another way, but was just wondering if it is possible with HAProxy and
my setup.

Cheers.

On Tue, Jun 26, 2012 at 2:44 PM, Brane F. Gračnar 
brane.grac...@tsmedia.si wrote:

 On 06/26/2012 10:17 AM, Joeri Blokhuis | DongIT wrote:
  Thank you for your reply Baptiste.
 
  My setup is using HTTPS so I can't use your suggestion. Is there any
  other solution when using HTTPS?

 Yes, you can put an SSL offloader (stud, stunnel, nginx) in front of haproxy.

 Cheers, Brane




-- 

Tel: 06-14108403 | 071-5249213
Email: joeri.blokh...@dongit.nl
LinkedIn http://nl.linkedin.com/pub/joeri-blokhuis/32/8a2/784
www.dongit.nl


Re: acl routing/redirect to specific backend system

2012-06-26 Thread Baptiste
How do you want to do content switching when the traffic is encrypted?
Nobody can.

The only things you can use are SNI or the TCP port, which are not encrypted.

You could dedicate a port per server, leaving the 443 for the global farm.
IE: use-server srv1 if { dst_port eq 444 }

And in your bind section, don't forget to bind port 444 ;)

there is no other option.

(SNI example:
http://blog.exceliance.fr/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
)

cheers
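
The port-per-server approach from the message above, applied to the configuration posted in this thread, as an added example (not code from any poster or from the HAProxy project). Ports 444/445 and the administrator network 10.0.1.0/24 are assumptions; the explicit `:443` on the server lines is needed because a server line without a port reuses the port the client connected to.

```haproxy
frontend test-https-in
    mode tcp
    # 443 stays the shared farm entry point
    bind 10.0.0.217:443
    # Assumed per-server ports: 444 -> test-web01, 445 -> test-web02
    bind 10.0.0.217:444
    bind 10.0.0.217:445
    timeout client 5000

    # Assumption: administrators connect from 10.0.1.0/24.
    # Anything else reaching a per-server port is dropped before a
    # backend server is ever selected.
    acl admin_port dst_port 444 445
    acl admin_src  src 10.0.1.0/24
    tcp-request connection reject if admin_port !admin_src

    default_backend test-https-out

backend test-https-out
    mode tcp
    balance source
    option tcpka
    option httpchk HEAD / HTTP/1.0

    # The destination port is visible at TCP level, so it can be matched
    # without decrypting anything; TLS still terminates on the web servers.
    use-server test-web01 if { dst_port eq 444 }
    use-server test-web02 if { dst_port eq 445 }

    # Explicit :443 so connections arriving on 444/445 are still
    # forwarded to the servers' HTTPS port.
    server test-web01 10.0.0.211:443 weight 1 check port 80 inter 5s rise 2 fall 1
    server test-web02 10.0.0.212:443 weight 1 check port 80 inter 5s rise 2 fall 1
```

Connections on 443 match no use-server rule and are balanced with `balance source` as before. If a pinned server is marked down by its health check, the use-server rule is skipped and the connection is load balanced normally.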


acl routing/redirect to specific backend system

2012-06-25 Thread Joeri Blokhuis | DongIT
Hi,

I need my 'administrators' to reach specific backend systems.
I was hoping this can be done using ACL based on the URL or if there is
a more simple way I'm open to suggestions.

For example: https://domain.com/x/ where x stands for a specific system.

So far I only found ways to balance using ACL on an entire backend but not
on a specific system like test-web01 or test-web02. So is this possible
and how would you recommend to implement this (without having to
create multiple backends).

Thanks in advance!

Joeri

My config below:

default
-
global
-

frontend test-https-in
#IP-address to bind to
bind 10.0.0.217:443
#Loadbalancing on TCP level
mode tcp
#set backend
default_backend test-https-out
#client max timeout
clitimeout  5000

backend test-https-out
#set loadbalancing schema (roundrobin, source, etc)
balance source
#Loadbalancing on TCP level
mode tcp
#check backend health by doing SSL-hello
#option ssl-hello-chk
option tcpka
option httpchk HEAD / HTTP/1.0
server test-web01 10.0.0.211 weight 1 check port 80 inter 5s rise 2 fall 1
server test-web02 10.0.0.212 weight 1 check port 80 inter 5s rise 2 fall 1


-- 

Tel: 06-14108403 | 071-5249213
Email: joeri.blokh...@dongit.nl
LinkedIn http://nl.linkedin.com/pub/joeri-blokhuis/32/8a2/784
www.dongit.nl


Re: acl routing/redirect to specific backend system

2012-06-25 Thread Baptiste
Hi,

Lately, a use-server directive has been added in HAProxy, you should have a
look at it ;)
Note that it will work only if HAProxy can see plain HTTP protocol.
In your example, you're using HTTPS, so everything is encrypted from a
HAProxy point of view.

cheers

On Mon, Jun 25, 2012 at 5:44 PM, Joeri Blokhuis | DongIT 
joeri.blokh...@dongit.nl wrote:

 Hi,

 I need my 'administrators' to reach specific backend systems.
 I was hoping this can be done using ACL based on the URL or if there is
 a more simple way I'm open to suggestions.

 For example: https://domain.com/x/ where x stands for a specific system.

 So far I only found ways to balance using ACL on an entire backend but not
 on a specific system like test-web01 or test-web02. So is this possible
 and how would you recommend to implement this (without having to
 create multiple backends).

 Thanks in advance!

 Joeri

 My config below:

 default
 -
 global
 -

 frontend test-https-in
 #IP-address to bind to
 bind 10.0.0.217:443
 #Loadbalancing on TCP level
 mode tcp
 #set backend
 default_backend test-https-out
 #client max timeout
 clitimeout  5000

 backend test-https-out
 #set loadbalancing schema (roundrobin, source, etc)
 balance source
 #Loadbalancing on TCP level
 mode tcp
 #check backend health by doing SSL-hello
 #option ssl-hello-chk
 option tcpka
 option httpchk HEAD / HTTP/1.0
 server test-web01 10.0.0.211 weight 1 check port 80 inter 5s rise 2 fall 1
 server test-web02 10.0.0.212 weight 1 check port 80 inter 5s rise 2 fall 1


 --

 Tel: 06-14108403 | 071-5249213
 Email: joeri.blokh...@dongit.nl
 LinkedIn http://nl.linkedin.com/pub/joeri-blokhuis/32/8a2/784
 www.dongit.nl