Allan,

You need to place a packet load balancer such as LVS in front of haproxy,
which directs SSL traffic to an SSL farm (which saves the client IP), and
regular HTTP access to haproxy.

That's how I understand it at least.

Thanks,
Bar.

On Tue, May 22, 2012 at 6:48 PM, Allan Wind <[email protected]> wrote:

> I read through the last 6 months of archive and the usual answer
> for SSL support is to put nginx/stunnel/stud in front.  This, as far
> as I can tell, means a single server handling SSL, and this is
> what <http://haproxy.1wt.eu/#desi> suggests is a non-scalable
> solution.
>
> You can obviously configure haproxy to route ssl connections to a
> farm via the tcp mode, but you then lose the client IP.  The
> transparent keyword is promising but apparently requires haproxy
> box to be the gateway.  Not sure that is possible with our cloud
> environment.
>
> I understand from:
> <http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html#setting-a-session-cache-with-apache-nginx>
> that session reuse (i.e. mod_gnutls in our case) would need to be
> configured on the backend to permit ssl resume.
>
> But how do you go about distributing traffic to an ssl farm
> without losing the client IP?
>
>
> /Allan
> --
> Allan Wind
> Life Integrity, LLC
> <http://lifeintegrity.com>
>
>
