We're building a HA-cluster which will run a lot of different sites of which 
many offer https. Tools we plan to use are Keepalived, stunnel, HAProxy, Apache 
and PHP. All VPSes run Ubuntu 12.04. Some of our PHP applications need to
check the client IP address. Simplified setup:

    client  -->  Keepalived/HAProxy  -->  Apache

The LBs do NAT and the Apache VPSes run in a private network.

Initially I thought it would be best to do the SSL offloading at the Apache 
servers.  I guess (not sure however) that in that case Apache/PHP would know 
the client remote IP address. A drawback seems that we need additional VIPs
and backend listeners for each certificate. So we decided to configure stunnel
in front of HAProxy:

    client  -->  Keepalived/stunnel/HAProxy  -->  Apache

Now to have Apache know the client's remote IP address, I think we have two 
options:
  1) X-Forwarded-For patched stunnel, or
  2) stunnel + HAProxy with the proxy protocol.
Drawback of 1 is that it's not supported by the stunnel developers because of
its problems supporting keepalive connections from the client.
Drawback of 2 is that it needs HAProxy 1.5 which is not stable yet.

We're willing to use HAProxy 1.5-dev-latest in our new production cluster (and
report bugs if we encounter them).

Does my reasoning make sense? Any feedback on our architecture would be highly
appreciated!
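Option 2 above rests on the PROXY protocol header that stunnel prepends to each TCP stream and that HAProxy reads on a bind line with `accept-proxy`. As an added example (not code from the original post or from either project), this Python builds and validates a version 1 header, in the roles of sender and receiver; the addresses and ports are constructed.

```python
import ipaddress

# Spec (HAProxy proxy-protocol.txt): a v1 header is one ASCII line ending in CRLF,
# at most 107 bytes including the CRLF, sent once at the very start of the stream.
MAX_V1_HEADER = 107

def build_proxy_v1(src, dst, sport, dport):
    """Build the v1 header a PROXY-protocol sender (the stunnel role here) prepends."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")

def _port(text):
    # Decimal, no leading zeros (the spec forbids them), range 0..65535
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def parse_proxy_v1(data):
    """Parse and validate a v1 header at the start of `data` (the HAProxy accept-proxy role).

    Returns (connection_info, remaining_bytes). Raises ValueError on anything malformed;
    a receiver must then drop the connection rather than treat the bytes as application
    data. Only honour this header on listeners reachable solely from the trusted sender,
    since whoever can connect to such a listener can claim any client address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 header")
    fields = data[:end].decode("ascii").split(" ")   # non-ASCII raises ValueError
    rest = data[end + 2:]
    if fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        # Sender could not determine the original addresses; no trusted client address.
        return {"family": "UNKNOWN"}, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    return {"family": fields[1], "src_addr": str(src), "dst_addr": str(dst),
            "src_port": _port(fields[4]), "dst_port": _port(fields[5])}, rest

def is_valid_proxy_v1(data):
    """True when `data` starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False
```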
