One option that I am using is to pass the SSL traffic to your SSL processor and then pass it back to haproxy. This way haproxy sees the decrypted traffic in this second front-end and you can use HTTP layer ACL rules against the traffic.
A very handy feature, if 443 traffic is on the front-end and the SSL processor sends the traffic back to haproxy like this, would be to have HAProxy magically associate these connections and then add the x-forward-for header so you don't lose the client IP. Not sure of how that might be accomplished though...

-Kyle

On Wed, Oct 20, 2010 at 4:21 PM, Clark, Ryan <ryan.cl...@xerox.com> wrote:
> I guess ACLs don’t work in TCP mode… It doesn’t work after all. Any others
> get ACLs to work in TCP mode?
>
> *From:* Mike Hoffs [mailto:m.ho...@mijn-sleutel.com]
> *Sent:* Wednesday, October 20, 2010 2:11 PM
> *To:* Clark, Ryan
> *Subject:* RE: HAProxy Stunnel end-to-end SSL
>
> Hi Ryan,
>
> Note, outside the mailing list: in the last few days there was someone with a similar
> situation;
>
> http://www.formilux.org/archives/haproxy/1010/3922.html
> http://www.formilux.org/archives/haproxy/1010/date.html
>
> With kind regards,
>
> ----
> Mike Hoffs
>
> Mijn-Sleutel
> Peperstraat 33
> 6678 AL Oosterhout
> Tel: +31 (0)24 8200208 during office hours (09:00 - 17:00)
> Mail: m.ho...@mijn-sleutel.com
> Website: http://www.mijn-sleutel.com
>
> *From:* Clark, Ryan [mailto:ryan.cl...@xerox.com]
> *Sent:* Wednesday, 20 October 2010 20:00
> *To:* Mike Hoffs; haproxy@formilux.org
> *Subject:* RE: HAProxy Stunnel end-to-end SSL
>
> Yes I have, even with the *option ssl-hello-chk* enabled.
>
> *From:* Mike Hoffs [mailto:m.ho...@mijn-sleutel.com]
> *Sent:* Wednesday, October 20, 2010 1:56 PM
> *To:* Clark, Ryan; haproxy@formilux.org
> *Subject:* RE: HAProxy Stunnel end-to-end SSL
>
> Have you tried mode tcp?
>
> With kind regards,
>
> ----
> Mike Hoffs
>
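A minimal haproxy.cfg laying out the two-frontend arrangement Kyle describes (TCP-mode frontend on 443, SSL processor, HTTP-mode frontend receiving the decrypted traffic), as an added example that is not from the original thread. The frontend and backend names, the ports, and the assumption that stunnel listens on 127.0.0.1:8443 and connects back to 127.0.0.1:8080 are mine; the comments show why src-based ACLs and option forwardfor only ever see stunnel's address in this layout.

```haproxy
# Added example (not from the thread). Assumed layout: stunnel listens on
# 127.0.0.1:8443, terminates TLS, and connects back to 127.0.0.1:8080.
global
    log 127.0.0.1 local0
    maxconn 4096

defaults
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Frontend 1: raw TLS on 443. The stream is still encrypted here, so only
# TCP-level decisions are possible; HTTP ACLs (path, hdr, ...) cannot match.
frontend https-in
    bind *:443
    mode tcp
    option tcplog
    default_backend stunnel-decrypt

# Hand the encrypted stream to the SSL processor unchanged.
backend stunnel-decrypt
    mode tcp
    server stunnel1 127.0.0.1:8443

# Frontend 2: receives plain HTTP back from stunnel. HTTP ACLs work here.
frontend http-decrypted
    bind 127.0.0.1:8080
    mode http
    option httplog
    # Caveat: every connection on this frontend comes from stunnel, so
    # "src" is 127.0.0.1, not the browser. A src-based ACL therefore
    # matches stunnel, never the real client ...
    acl is_admin path_beg /admin
    acl internal_net src 10.0.0.0/8
    # ... so this rule denies every /admin request, including those from
    # 10.0.0.0/8, because src never equals a 10.x address here.
    http-request deny if is_admin !internal_net
    # Likewise forwardfor adds "X-Forwarded-For: 127.0.0.1", which is the
    # lost-client-IP problem described in the message above.
    option forwardfor
    default_backend app

backend app
    mode http
    server web1 192.0.2.10:80 check
```

Path- and header-based ACLs behave as expected on the second frontend; anything keyed on the client address has to be evaluated on the 443 frontend (TCP mode) or conveyed by the SSL processor itself.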