Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
On 27/12/2016 at 00:35, Patrick Hemmer wrote: On 2016/12/23 09:28, Arnall wrote: Hi everyone, I'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem proces

Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
nall2...@gmail.com>> wrote: Hi everyone, I'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem process 3 ../..

Re: ssl offloading and send-proxy-v2-ssl

2016-12-27 Thread Willy Tarreau
Hi Patrick, On Mon, Dec 26, 2016 at 11:35:51PM +, Patrick Hemmer wrote: > On 2016/12/23 09:28, Arnall wrote: > > I thought that send-proxy-v2-ssl could help but i have no idea how ... > > src and src_port are OK with the proxy protocol but ssl_fc in > > web_plain keeps answering false ( 0 )

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Elias Abacioglu
Arnall <arnall2...@gmail.com> wrote: > >> Hi everyone, >> >> I'm using a nbproc > 1 configuration for ssl offloading : >> >> listen web_tls >> mode http >> bind *:443 ssl crt whatever.pem process 2 >> bind *:443 ssl crt wh

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Patrick Hemmer
On 2016/12/23 09:28, Arnall wrote: > Hi everyone, > > I'm using a nbproc > 1 configuration for ssl offloading : > > listen web_tls > mode http > bind *:443 ssl crt whatever.pem process 2 > bind *:443 ssl crt whatever.pem process 3 > > ../.. > s

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Elias Abacioglu
ng a nbproc > 1 configuration for ssl offloading : > > listen web_tls > mode http > bind *:443 ssl crt whatever.pem process 2 > bind *:443 ssl crt whatever.pem process 3 > > ../.. > server web_plain u...@plain.sock send-proxy-v2-ssl > > frontend web_pla

ssl offloading and send-proxy-v2-ssl

2016-12-23 Thread Arnall
Hi everyone, I'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem process 3 ../.. server web_plain u...@plain.sock send-proxy-v2-ssl frontend web_plain bind*

RE: tcpdump and Haproxy SSL Offloading

2016-06-08 Thread mlist
m>; mlist <ml...@apsystems.it> Cc: HAProxy <haproxy@formilux.org> Subject: Re: tcpdump and Haproxy SSL Offloading Hi, On 05.06.2016 at 02:19 Igor Cicimov wrote: > > > In haproxy.cfg I used these cipher I found recommended: > > ciphers ECDHE-RSA-AES256-SH

Haproxy with mixed modes: SSL offloading and passthrough

2016-06-06 Thread DjamOlsky
acl is_sub01 hdr_end(host) -i sub01.mydomain.com use_backend BE-sub01 if is_sub01 default_backend BE-default # SSL Offloading for *.sub01.mydomain.com backend BE-sub01 mode http server srv1 10.10.10.10:443 # SSL passthrough for *.mydomain.com backend BE-default

Re: tcpdump and Haproxy SSL Offloading

2016-06-05 Thread Lukas Tribus
Hi, On 05.06.2016 at 02:19 Igor Cicimov wrote: > In haproxy.cfg I used these cipher I found recommended: > ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM I would not recommend this. Check [1] and [2] for some up-to-date recommendations. Yes, removing

RE: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread Igor Cicimov
> > > but I do not understand well the mapping with those recognized by test (FS = I think are Forward Secrecy) and these configured and how to find if they support or not PFS. Your help will be appreciated, so I can change haproxy configuration to quickly disable/enable cipher so I ca

RE: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread mlist
;lu...@gmx.net> Cc: mlist <ml...@apsystems.it>; haproxy@formilux.org Subject: Re: tcpdump and Haproxy SSL Offloading Hi Lukas, On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus <lu...@gmx.net> wrote: Hello, you can dump the symmetric keys from the browser and

Re: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread Lukas Tribus
Hi, On 04.06.2016 at 02:14 Igor Cicimov wrote: you can dump the symmetric keys from the browser and import them in wireshark to decrypt PFS protected TLS sessions [1] Yes in case you want to troubleshoot something generic this is a good approach but if you want to troubleshoot

Re: tcpdump and Haproxy SSL Offloading

2016-06-03 Thread Igor Cicimov
Hi Lukas, On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus wrote: > Hello, > > > you can dump the symmetric keys from the browser and import them in > wireshark to decrypt PFS protected TLS sessions [1] Yes in case you want to troubleshoot something generic this is a good approach

Re: tcpdump and Haproxy SSL Offloading

2016-06-03 Thread Lukas Tribus
Hello, you can dump the symmetric keys from the browser and import them in wireshark to decrypt PFS protected TLS sessions [1] or downgrade your ciphers settings to non-PF ciphers. Properly decrypting the TLS session is the only way to really make sure you see what happens, even if there is

Re: tcpdump and Haproxy SSL Offloading

2016-06-02 Thread Igor Cicimov
On Fri, Jun 3, 2016 at 3:14 AM, mlist wrote: > Often I need to take tcpdump to analyze haproxy communication to clients > and to backend servers. > > As we use haproxy as SSL termination point (haproxy SSL offloading), at low > levels (so tcpdump level) > > we see

tcpdump and Haproxy SSL Offloading

2016-06-02 Thread mlist
Often I need to take tcpdump to analyze haproxy communication to clients and to backend servers. As we use haproxy as SSL termination point (haproxy SSL offloading), at low levels (so tcpdump level) we see communication with client encrypted. There are simple solution so I can do a tcpdump

Re: ssl offloading

2016-04-08 Thread Gerd Mueller
wow! Thanks, again Gerd Forwarded message From: Pavlos Parissis <pavlos.paris...@gmail.com> To: Andrew Hayworth <andrew.haywo...@getbraintree.com>, Gerd Mueller Cc: haproxy@formilux.org <haproxy@formilux.org> Subject: Re: ssl offloading Date: Sun

Re: ssl offloading

2016-04-03 Thread Pavlos Parissis
On 01/04/2016 04:20 PM, Andrew Hayworth wrote: > Hi there - > > Have you considered HAProxy in multiprocess mode? You could have a > frontend spread across multiple threads that terminates SSL. We're > experimenting with such a design here. > It has been mentioned before that you can increase

Re: ssl offloading

2016-04-01 Thread Andrew Hayworth
d. Thanks for the input. > > Gerd > > Forwarded message > From: Vincent Bernat <ber...@luffy.cx> > To: Conrad Hoffmann <con...@soundcloud.com> > Cc: Gerd Mueller <gerd.muel...@mikatiming.de>, haproxy@formilux.org > <haproxy@formilux.

Re: ssl offloading

2016-04-01 Thread Gerd Mueller
Ok sounds good. Thanks for the input. Gerd Forwarded message From: Vincent Bernat <ber...@luffy.cx> To: Conrad Hoffmann <con...@soundcloud.com> Cc: Gerd Mueller <gerd.muel...@mikatiming.de>, haproxy@formilux.org <haproxy@formilux.org> Subject:

Re: ssl offloading

2016-04-01 Thread Vincent Bernat
❦ 1 April 2016 11:11 +0200, Conrad Hoffmann : > I can't really back this up with reliable numbers, but a company I once > worked for experimented with such hardware. The outcome was, and I would > still always recommend this today, to rather throw more regular hardware

Re: ssl offloading

2016-04-01 Thread Conrad Hoffmann
erd mueller <gerd.muel...@mikatiming.de>>>, > haproxy@formilux.org > <haproxy@formilux.org> > Subject: Re: ssl offloading > Date: Fri, 1 Apr 2016 01:54:29 +0000 > > > stunnel's what w

Re: ssl offloading

2016-03-31 Thread Nathan Williams
stunnel's what we used before Haproxy had it built in, which worked fine, but SSL offloading in Haproxy's been excellent in our experience, so my guess would be that you could make it work with some config tuning. On Thu, Mar 31, 2016, 12:45 PM Lukas Tribus <luky...@hotmail.com> wrote:

RE: ssl offloading

2016-03-31 Thread Lukas Tribus
> Hi list, > > what are your ideas about offloading of ssl? ssl inside haproxy is nice > but is very expensive. Why would you think that? Lukas

ssl offloading

2016-03-31 Thread Gerd Mueller
Hi list, what are your ideas about offloading of ssl? ssl inside haproxy is nice but is very expensive. So I would like to offload the ssl to something else. Any ideas? Thanks, Gerd

Re: FW: SSL offloading in HAProxy

2015-07-17 Thread Baptiste
Hi, SSL offloading in front of IMAPs (port 993) is supported. If you try to do STARTTLS over IMAP, it is not supported. Baptiste On Wed, Jul 15, 2015 at 10:38 AM, Cohen Galit galit.co...@comverse.com wrote: Hello HAProxy team, I see that the SSL offloading for http protocol is already

FW: SSL offloading in HAProxy

2015-07-15 Thread Cohen Galit
Hello HAProxy team, I see that the SSL offloading for http protocol is already supported ( http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/ ) I would like to know if there is an option of SSL offloading for IMAP protocol. Thanks, Galit

is it possible to SSL offloading and then re-pack as SSL?

2014-10-16 Thread Robert Chen
I want to do haproxy 1.5 SSL offloading, filter/processing some headers and then re-send as SSL? thanks, Robert

Re: is it possible to SSL offloading and then re-pack as SSL?

2014-10-16 Thread Thomas Heil
Hi, On 16.10.2014 22:36, Lukas Tribus wrote: I want to do haproxy 1.5 SSL offloading, filter/processing some headers and then re-send as SSL? Yes, it is. Lukas Have a look at http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications

Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-12 Thread Baptiste
in HTTP (clear) - the application works well without HAProxy Note that SSL offloading may have some impact on web applications: http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/ Can you enable logs as described in the link above and check the result? Baptiste On Mon

Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-12 Thread Chris
confirm whether: - the application works well in HTTP (clear) - the application works well without HAProxy Note that SSL offloading may have some impact on web applications: http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/ Can you enable logs as described

Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-12 Thread Baptiste
need persistence ;) Can you confirm whether: - the application works well in HTTP (clear) - the application works well without HAProxy Note that SSL offloading may have some impact on web applications: http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/ Can you

Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-11 Thread Chris
Hello everyone, I have a question concerning session persistence with offloading SSL via haproxy to backend nginx web servers running a PHP website. Basically, I have a configuration that is performing the SSL offloading successfully, however, it seems that session persistence is not working

Re: I'm so close (I Think) - need a little help finishing this - Haproxy SSL offloading with ACLs and a wildcard cert

2013-10-31 Thread Baptiste
Hi Chris, the option you mentioned keeps the TCP connection alive on the client side, if the client is compatible with HTTP keep alive. The connection is kept alive as long as it needs to be, it can be driven by HAProxy through the timeout http-keepalive parameter. It does not mean all the requests

Re: I'm so close (I Think) - need a little help finishing this - Haproxy SSL offloading with ACLs and a wildcard cert

2013-10-28 Thread Chris
Hello again Baptiste, Thank you for replying back to my questions, they are very helpful answers and I really do appreciate your time. Concerning your question back about persistence or stickiness: - Sessions need to stay alive after being offloaded to the backend web servers to port 80 on

Re: I'm so close (I Think) - need a little help finishing this - Haproxy SSL offloading with ACLs and a wildcard cert

2013-10-22 Thread Baptiste
Hi Chris, My answers inline. On Mon, Oct 21, 2013 at 10:57 PM, Chris bludge...@gmail.com wrote: - If any of these domains and subdomains are called with http://, they need to be redirected to https:// # redirect http to https when connection is not ciphered http-request redirect scheme https

I'm so close (I Think) - need a little help finishing this - Haproxy SSL offloading with ACLs and a wildcard cert

2013-10-21 Thread Chris
to use for SSL offloading, I have compiled it with 1.5-dev19 and added the SSL options into the build out, this part is done. I simply need this haproxy to redirect port 80 traffic to 443 for 3 of the 4 sub-domains listed below, and then the haproxy server to offload SSL to some backend web servers s

SSL offloading configuration

2013-04-30 Thread Chris Sarginson
Hi, Are there any plans to allow HAProxy to take the traffic that it can now SSL offload, perform header analysis, and then use an SSL encrypted connection to the backend server? I have a situation where I need to be able to use ACLs against SSL encrypted traffic, but then continue passing

Re: SSL offloading configuration

2013-04-30 Thread PiBa-NL
Hi Chriss, That seems possible already? If you have the configuration for SSL offloading configured already all you need to add is the ssl option to your backend servers. -- http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2 -- *ssl

Re: SSL offloading configuration

2013-04-30 Thread David Coulson
Haproxy 1.5-Dev can do this already Sent from my iPhone On Apr 30, 2013, at 8:47 AM, Chris Sarginson ch...@sargy.co.uk wrote: Hi, Are there any plans to allow HAProxy to take the traffic that it can now SSL offload, perform header analysis, and then use an SSL encrypted connection to

Re: SSL offloading configuration

2013-04-30 Thread Chris Sarginson
That's AWESOME! Can't believe I didn't think of that, thanks a lot guys :) Chris On 30/04/2013 13:53, PiBa-NL wrote: Hi Chriss, That seems possible already? If you have the configuration for SSL offloading configured already all you need to add is the ssl option to your backend

Re: SSL offloading with NTLM auth

2013-02-01 Thread Baptiste
option redispatch server juno 172.17.336.433:80 cookie oasrv1 weight 1 check ... The one active CAS server used for testing purposes (juno) is configured for SSL offloading for RPC. All other Exchange directories in IIS are set to not require SSL on this system. When

SSL offloading with NTLM auth

2013-01-31 Thread Roland
redispatch server juno 172.17.336.433:80 cookie oasrv1 weight 1 check ... The one active CAS server used for testing purposes (juno) is configured for SSL offloading for RPC. All other Exchange directories in IIS are set to not require SSL on this system. When running HAProxy in debug

Re: SSL offloading with NTLM auth

2013-01-31 Thread Baptiste
for testing purposes (juno) is configured for SSL offloading for RPC. All other Exchange directories in IIS are set to not require SSL on this system. When running HAProxy in debug mode an Outlook Anywhere session looks like: 0005:WebAccess.clireq[000d:]: RPC_IN_DATA /Rpc/RpcProxy.dll

Re: SSL offloading with NTLM auth

2013-01-31 Thread Roland
oasrv1 weight 1 check ... The one active CAS server used for testing purposes (juno) is configured for SSL offloading for RPC. All other Exchange directories in IIS are set to not require SSL on this system. When running HAProxy in debug mode an Outlook Anywhere session looks like: 0005