Hi Willy,

> Hello James,
>
> On Fri, Oct 07, 2011 at 01:09:23PM -0500, James Nelson wrote:
>> Hello,
>>
>> My original entries to the mailing list seem to have bounced back, so I'm
>> trying for #3 here.
>
> Don't worry, your mail reached the list, it's just that nobody replied to
> it yet.

My apologies, I was getting error messages from formilux, and just figured my message was bouncing.

>> I have currently set up HAProxy and Openswan on an EC2 server to handle
>> webservice requests to our client site. The original idea was to have all
>> webservice requests be filtered by HAProxy, and then shipped appropriately
>> via Openswan. The filtering was to be done by ACLs and inspection of the
>> URI strings. You can guess where this is headed.
>>
>> For our HTTP requests, this works great, no problems whatsoever. For our
>> TCP requests, we can't use this level 7 mechanism, and there are multiple
>> backend destinations to choose from.
>>
>> So, my questions are as follows:
>> - Is there any way to differentiate these calls any other way in HAProxy?
>
> There currently are very few tests that can be operated at the TCP level
> using "tcp inspect" rules. The reason is that anything may pass over TCP,
> there is not a common way to use it, so all depends on the format of what
> you're looking for in the payload. At one point I was planning on adding
> more ACL matches at the TCP level, but first I want to make the ACL
> framework work on top of the pattern framework, so that we stop doing the
> work twice for every new match we implement, and that we manage to implement
> variables that follow a session or a request.
>
>> - If not, is there any way I can send these calls to HAProxy via http/80,
>> and then transform them into TCP/443 requests going out?
>
> I don't understand what you want to achieve this way. What transformation
> would haproxy apply on your traffic ?

Basically, I have a dev/test environment, and I don't care how messages get to HAProxy/my VPN server, as long as the backend server sees an https call at the end of the day. My dev environment is dealing with non-real data, and can be unencrypted until that endpoint. In that regard, is there any method of switching tcp ports with HAProxy? I could assign each call a different tcp port, and based on that direct traffic to the correct server on 443 on the backend.

>> - If we're still stuck, is there any other piece of software I can combine
>> with HAProxy to make this work?
>
> Maybe, but it's hard to tell if we don't know what traffic you're passing
> on TCP and what you want to match.

In a nutshell, we have 10 webservice calls, all going through a VPN server, and all needing to be sent to specific, different backends using https. I didn't write the rules, this is just the rules of the game I've been presented with, and I need to be able to develop a workaround.

Cheers,
-James

> Regards,
> Willy
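The port-per-call layout James suggests above, written out as an added example configuration (not from this thread or from the HAProxy project). In `mode tcp` haproxy relays bytes unchanged, so it assumes the caller already speaks TLS to the port assigned to its call; only the destination host and port change. The listen address, ports, backend addresses and names are assumptions.

```haproxy
global
    log 127.0.0.1 local0
    maxconn 2000

defaults
    mode tcp                    # pure TCP relay: no HTTP parsing, no URI ACLs
    log global
    option tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One listener per webservice call. The caller connects to the port assigned
# to its call and haproxy forwards the connection to that call's backend on
# 443 across the Openswan tunnel. The port is the only selector needed, so
# no "tcp inspect" rules are required.
frontend ws_orders
    bind 10.0.0.5:8001          # assumed private address of the EC2 host;
    default_backend be_orders   # binding there keeps the ports off the public side

frontend ws_inventory
    bind 10.0.0.5:8002
    default_backend be_inventory

backend be_orders
    option ssl-hello-chk        # health check sends a TLS hello, not a bare connect
    server orders1 192.0.2.10:443 check   # placeholder for the client-site host

backend be_inventory
    option ssl-hello-chk
    server inv1 192.0.2.20:443 check      # placeholder for the client-site host
```

If the callers must stay in the clear up to haproxy, the relay alone does not make the backend see https; HAProxy 1.5 and later can open the TLS session itself with `server ... ssl verify required ca-file <bundle>` on the server line, which 1.4 cannot do.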