Thanks, Baptiste.

3) The web servers I am load balancing make heavy use of sessions, which is quite unfortunate. As a result, I need to keep the users on the initial web server they were assigned to. So, "mode tcp" isn't possible here? What if I used the IP instead of a cookie? Right now I'm prefixing the JSESSIONID cookie with server1, server2, or server3.

4) By Keep-Alive support, I mean support for persistent HTTP connections from the browser to the load balancer. My concern was that it doesn't seem possible to do this with "mode tcp". I would have to do this by enabling KeepAlive on httpd of the web servers. In which case, I wasn't sure what would happen to the connection between HAProxy and the Web Servers (if they would never close). "Connection: Keep-Alive" is what I need.

5) We use a wildcard certificate.

On Thu, Nov 7, 2013 at 3:16 AM, Baptiste <[email protected]> wrote:
> Hi Jacob,
>
> 1) HTTPS all the way through
> ==> 'mode tcp' is your friend
>
> 2) Web servers need to see the IP of the user
> ==> 'source 0.0.0.0 usesrc clientip' is what you're looking for
> Or proxy protocol, if your web server is compatible:
> http://blog.exceliance.fr/haproxy/proxy-protocol/
>
> 3) Users need sticky sessions to a web server (where the sticky
> assignment counter gets refreshed on each user request)
> ==> ah!!!! must turn on 'mode http' + SSL decipher + SSL cipher to the
> server + stick table and store http_req_cnt
> Why do you need this information??
>
> 4) HTTPS Keep-Alive support
> ==> can you clarify, it could mean different types of things.
>
> 5) Mobile and older browser support (I say this because I keep reading
> this about SNI, but I don't know if that applies to us)
> ==> no SNI means one IP per certificate, or use SAN/wildcard certificates
>
> Baptiste
>
>
> On Wed, Nov 6, 2013 at 10:12 PM, Jacob Gibson <[email protected]> wrote:
> > I was happily using HAProxy, until I received word that we need to also
> > encrypt traffic to the web servers. So, internet --https--> load balancer
> > --https--> web servers. Can I still do this with HAProxy? We don't need
> > any Layer 7 rules. If so, what would the config look like?
> >
> > We do need the following:
> >
> > 1) HTTPS all the way through
> > 2) Web servers need to see the IP of the user
> > 3) Users need sticky sessions to a web server (where the sticky assignment
> > counter gets refreshed on each user request)
> > 4) HTTPS Keep-Alive support
> > 5) Mobile and older browser support (I say this because I keep reading this
> > about SNI, but I don't know if that applies to us)
> >
> > Would #4 cause problems because HAProxy is a proxy and not a forwarder?
> >
> > Thanks
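
The two approaches weighed in this thread, written out as an added HAProxy configuration that is not from either poster: TLS passthrough with source-IP stickiness, and TLS termination with re-encryption and cookie-prefix persistence. The 192.0.2.x addresses, section names and certificate paths are placeholders, and an SSL-capable HAProxy build (1.5 or later) is assumed.

```haproxy
# Added example. Options A and B are alternatives: deploy one or the other.
defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Option A: TLS passthrough. HAProxy never decrypts, so it cannot read or
# rewrite cookies; persistence can only use the client source address.
frontend fe_tls_passthrough
    mode tcp
    bind 192.0.2.10:443
    default_backend be_tls_passthrough

backend be_tls_passthrough
    mode tcp
    balance roundrobin
    # The expire timer restarts each time an entry is matched or refreshed.
    # Clients behind one NAT address all land on the same server, and a
    # mobile client whose address changes loses its assignment.
    stick-table type ip size 200k expire 30m
    stick on src
    # send-proxy hands the client address to the web server through the
    # PROXY protocol; the server's listener must be set up to accept it.
    server server1 192.0.2.21:443 check send-proxy
    server server2 192.0.2.22:443 check send-proxy
    server server3 192.0.2.23:443 check send-proxy

# Option B: decrypt at HAProxy, then re-encrypt to the web servers.
frontend fe_tls_terminate
    mode http
    bind 192.0.2.10:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # Keep-alive toward the browser, one request per server-side connection.
    option http-server-close
    timeout http-keep-alive 10s
    # Adds X-Forwarded-For so the web servers can see the client address.
    option forwardfor
    default_backend be_tls_reencrypt

backend be_tls_reencrypt
    mode http
    balance roundrobin
    # Prefixes the application's JSESSIONID value with the server's cookie name.
    cookie JSESSIONID prefix
    # verify required + ca-file: validate each backend certificate rather
    # than encrypting to whatever answers on that address.
    server server1 192.0.2.21:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem cookie server1 check
    server server2 192.0.2.22:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem cookie server2 check
    server server3 192.0.2.23:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem cookie server3 check
```

With Option B the wildcard certificate's private key lives on the load balancer, so that host needs the same protection as the web servers themselves.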

