On Mon, Jul 20, 2009 at 03:23:22PM +0100, Malcolm Turnbull wrote:
> Many thanks to Ivansceó Krisztián for working on the TPROXY patch for
> Pound for us, we can finally do SSL termination -> HAProxy -> backend
> with TPROXY.
>
> http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/
>
> Patches to Pound are here:
> http://www.loadbalancer.org/download/PoundSSL-Tproxy/poundtp-2.4.5.tgz
>
> Willy,
>
> You mentioned that it may be more sensible to do something like:
>
> source 0.0.0.0 usesrc hdr(x-forwarded-for)
>
> rather than having 2 sets of TPROXY set up.. but I don't think this is
> possible yet?
Unfortunately not yet. I've had to arbitrate between that and the ability to perform content-switching on TCP frontends, and the priority went to the latter.

Another issue you might run into is the reduced number of source ports for the same source IP, because now you have the client, pound, and haproxy all using the same source IP, so you need to be careful that the client never hits haproxy directly on the same port as pound, otherwise it may use the same source port as pound and conflict with an existing session. A trick might consist in using a distinct port on haproxy for direct client connections and pound connections.

Regards,
Willy
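The "distinct port" trick from the reply above, written out as an haproxy configuration; this is an added example, not a config from the thread, loadbalancer.org or the haproxy project, and the addresses 10.0.0.2 (haproxy) and 10.0.0.10 (backend) and the port 8080 for pound-originated traffic are assumed. It uses `source 0.0.0.0 usesrc clientip`, the form that exists, rather than the `hdr(x-forwarded-for)` form the thread says is not yet available.

```haproxy
# Added example, not from the original thread. Assumed addresses:
# haproxy on 10.0.0.2, backend web server on 10.0.0.10.

frontend direct_http
    # Clients that reach haproxy directly (no pound in front) land here.
    bind 10.0.0.2:80
    mode http
    default_backend web

frontend from_pound
    # Pound (with the TPROXY patch) connects here using the client's IP
    # as its source address. Because this is a different destination port
    # from :80, a pound connection and a direct client connection can never
    # share the same (src ip, src port, dst ip, dst port) tuple, even when
    # pound happens to pick the same source port the client is using.
    bind 10.0.0.2:8080
    mode http
    default_backend web

backend web
    mode http
    # Transparent proxying towards the backend: bind to the client's IP
    # (needs a TPROXY-capable kernel and an haproxy built with TPROXY
    # support); the kernel picks a free source port for that IP.
    source 0.0.0.0 usesrc clientip
    server web1 10.0.0.10:80
```

On the pound side, point the TPROXY-enabled backend at 10.0.0.2:8080 and keep :80 firewalled so that only direct clients reach it.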