On 18.07.14 15:48, Jacob Gibson wrote:
> I realize that not everyone may have had those old messages around. I have
> included my original post below. Also, I've read that using the ssl sessionid
> is not reliable so I'm looking for an alternative.
>
> I was happily using HAProxy, until I received word that we need to also
> encrypt traffic to the web servers. So,
> internet --https--> load balancer --https--> web servers.
> Can I still do this with HAProxy? We don't need any Layer 7 rules. If so,
> what would the config look like?
>
> We do need the following:
>
> 1) HTTPS all the way through
That's no problem. We do it in our setup.
This is (part of) our setup:
defaults
    mode http
    option forwardfor

frontend https
    bind 12.23.45.56:443 ssl no-sslv3 crt /opt/haproxy/haproxy.ssl.crt
    capture request header Host len 32
    reqadd X-Forwarded-Proto:\ https
    # you could add headers
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
    default_backend lbhttps
    monitor-uri /ok

backend lbhttps
    # "ssl" re-encrypts towards the web servers; "verify none" means the
    # backend certificate is not validated (encrypted, but not authenticated)
    server master 10.11.12.13:443 ssl maxconn 50 check weight 1 inter 5s rise 3 fall 2 verify none
    server slave 10.11.12.14:443 ssl maxconn 50 check backup weight 1 inter 5s rise 3 fall 2 verify none
> 2) Web servers need to see the IP of the user
That's a (small) problem with HAProxy. As it acts as an HTTP proxy, the web server
will only see the IP address of HAProxy.
But you can use the X-Forwarded-For header or set it like in the example above. But
then your application will have to use that header and not REMOTE_ADDR.
> 3) Users need sticky sessions to a web server (where the sticky assignment
> counter gets refreshed on each user request)
I assume that this will work. We only use one backend server for SSL, but the
setup for lbhttps is a fallback setup, so when "master" is not there all the
requests are routed to slave.
> 5) Mobile and older browser support (I say this because I keep reading this
> about SNI, but I don't know if that applies to us)
This is nothing that is affected by HAProxy; that's general. The problem is that
you can only have *one* SSL server listening/binding to an IP address. Multiple
virtual servers like with HTTP will not work.
markus
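An added example (not from the thread) of the application-side step point 2 calls for: reading the client address from X-Forwarded-For instead of REMOTE_ADDR, but only when the request really came from HAProxy, since any host that can reach the web server directly can send its own X-Forwarded-For. The proxy address 10.11.12.1 and the sample WSGI environs are constructed for the example.

```python
import ipaddress

# Constructed: the address HAProxy connects to the web servers from.
TRUSTED_PROXIES = {ipaddress.ip_address("10.11.12.1")}


def client_ip(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address for a request received behind HAProxy.

    REMOTE_ADDR is the TCP peer, i.e. HAProxy itself once traffic is proxied.
    With "option forwardfor" HAProxy appends the connecting client's address
    to X-Forwarded-For, so that header is consulted, but only if the peer is
    a known proxy; otherwise the header is attacker-controlled and ignored.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer not in trusted_proxies:
        return str(peer)
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return str(peer)
    # HAProxy appends the address it saw as the LAST element; anything earlier
    # was supplied by the client and must not be trusted. Take the last hop.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        # Malformed value: fall back to the peer rather than trusting garbage.
        return str(peer)


def is_https(environ, trusted_proxies=TRUSTED_PROXIES):
    """True if the user's connection to HAProxy was TLS.

    The frontend above sets X-Forwarded-Proto; like X-Forwarded-For it is only
    meaningful when the request arrived via a trusted proxy.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer in trusted_proxies:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return environ.get("wsgi.url_scheme") == "https"
```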