We're building an HA cluster which will run a lot of different sites, many of which offer HTTPS. Tools we plan to use are Keepalived, stunnel, HAProxy, Apache and PHP. All VPSes run Ubuntu 12.04. Some of our PHP applications need to check the client IP address. Simplified setup:

client --> Keepalived/HAProxy --> Apache

The LBs do NAT and the Apache VPSes run in a private network. Initially I thought it would be best to do the SSL offloading at the Apache servers. I guess (not sure, however) that in that case Apache/PHP would know the client's remote IP address. A drawback seems to be that we need additional VIPs and backend listeners for each certificate. So we decided to configure stunnel in front of HAProxy:

client --> Keepalived/stunnel/HAProxy --> Apache

Now, to have Apache know the client's remote IP address, I think we have two options:

1) an X-Forwarded-For-patched stunnel, or
2) stunnel + HAProxy with the PROXY protocol.

The drawback of 1 is that it's not supported by the stunnel developers because of its problems supporting keep-alive connections from the client. The drawback of 2 is that it needs HAProxy 1.5, which is not stable yet. We're willing to use HAProxy 1.5-dev-latest in our new production cluster (and report bugs if we encounter them). Does my reasoning make sense? Any feedback on our architecture would be highly appreciated!
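The following configuration is an added example of option 2 (stunnel handing the client address to HAProxy via the PROXY protocol, HAProxy forwarding it to Apache as X-Forwarded-For); it is not part of the question above and not taken from any of the projects' own documentation. It assumes stunnel 4.45 or later (the release that introduced `protocol = proxy`), an HAProxy 1.5-dev build (for `accept-proxy` on `bind`), Apache 2.2 with the libapache2-mod-rpaf package on the backends, and the following hypothetical addresses: the LBs' private interfaces are 10.0.0.1 and 10.0.0.2, the Apache VPSes are 10.0.0.11 and 10.0.0.12, and the certificate file is /etc/ssl/private/example.pem.

```conf
# --- /etc/stunnel/https.conf on each LB (stunnel 4.45+) ---
# stunnel terminates TLS on the VIP and, because of "protocol = proxy",
# prepends a PROXY v1 line ("PROXY TCP4 <client> <dst> <sport> <dport>")
# to every connection it opens towards HAProxy, so HAProxy learns the
# real client address without any X-Forwarded-For patch.
[https]
accept   = 0.0.0.0:443
connect  = 127.0.0.1:8443      ; HAProxy's PROXY-protocol-only listener
cert     = /etc/ssl/private/example.pem
protocol = proxy

# --- /etc/haproxy/haproxy.cfg on each LB (HAProxy 1.5-dev) ---
# "accept-proxy" makes this bind REQUIRE the PROXY header; only stunnel on
# localhost should be able to reach it. Keep plain-HTTP traffic on a separate
# bind without accept-proxy. Because the frontend runs in "mode http",
# "option forwardfor" adds X-Forwarded-For to every request, including the
# later requests on a keep-alive connection.
frontend https_in
    bind 127.0.0.1:8443 accept-proxy
    mode http
    default_backend apache

backend apache
    mode http
    option forwardfor          # X-Forwarded-For = address taken from the PROXY line
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check

# --- Apache 2.2 on the backend VPSes (libapache2-mod-rpaf) ---
# mod_rpaf rewrites REMOTE_ADDR from X-Forwarded-For, but only for requests
# that arrive from the listed proxies. Listing only the LBs' private
# addresses is what stops a direct client from spoofing the header.
RPAFenable    On
RPAFproxy_ips 10.0.0.1 10.0.0.2
RPAFheader    X-Forwarded-For
```

With this in place PHP sees the real client address in `$_SERVER['REMOTE_ADDR']` and the application code does not need to parse X-Forwarded-For itself. Two checks worth doing before going live: connect to 127.0.0.1:8443 without a PROXY line (the connection should be rejected, confirming `accept-proxy` is enforced), and send a request with a forged X-Forwarded-For directly to an Apache backend from a non-LB address (REMOTE_ADDR should stay the real source, confirming `RPAFproxy_ips` is tight). On Apache 2.4, mod_remoteip (`RemoteIPHeader` / `RemoteIPInternalProxy`) plays the same role as mod_rpaf.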