On 18.07.14 15:48, Jacob Gibson wrote:
> I realize that not everyone may have had those old messages around. I have
> included my original post below. Also, I've
> read that using the ssl sessionid is not reliable so I'm looking for an
> alternative.
>
> I was happily using HAProxy, until I received word that we need to also
> encrypt traffic to the web servers. So,
> internet --https--> load balancer --https--> web servers. Can I still do
> this with HAProxy? We don't need any Layer 7
> rules. If so, what would the config look like?
>
> We do need the following:
>
> 1) HTTPS all the way through
that's no problem. we do it in our setup. this is (part) of our setup:

    defaults
        mode http
        option forwardfor

    frontend https
        bind 12.23.45.56:443 ssl no-sslv3 crt /opt/haproxy/haproxy.ssl.crt
        capture request header Host len 32
        reqadd X-Forwarded-Proto:\ https
        # you could add headers
        http-request set-header X-SSL %[ssl_fc]
        http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
        http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
        http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
        http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
        http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
        http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
        default_backend lbhttps
        monitor-uri /ok

    backend lbhttps
        server master 10.11.12.13:443 ssl maxconn 50 check weight 1 inter 5s rise 3 fall 2 verify none
        server slave 10.11.12.14:443 ssl maxconn 50 check backup weight 1 inter 5s rise 3 fall 2 verify none

> 2) Web servers need to see the IP of the user

that's a (small) problem with haproxy. as it acts as a http-proxy the webserver will only see the IP address of haproxy. but you can use the X-Forwarded-For header or set it like in the example above. but then your application will have to use that header and not REMOTE_ADDR.

> 3) Users need sticky sessions to a web server (where the sticky assignment
> counter gets refreshed on each user request)

i assume that this will work. we only use one backend server for SSL. but the setup for lbhttps is a fallback-setup. so when "master" is not there all the requests are routed to slave.

> 5) Mobile and older browser support (I say this because I keep reading this
> about SNI, but I don't know if that applies
> to us)

this is nothing that is affected by haproxy. that's general. problem is, that you only can have *one* ssl-server listening/binding to an ip-address. multiple virtual servers like with http will not work.

markus
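A variant of the setup above, added here as an example and not markus's config: it keeps HTTPS on both legs but has haproxy verify the web servers' certificates instead of `verify none`, and adds cookie-based stickiness for point 3. Addresses, certificate paths and the internal CA bundle are placeholders.

```haproxy
# Added example (not the config from the list post). https -> haproxy -> https,
# with the backend certificates verified and a haproxy-inserted session cookie.
# Addresses, cert paths and the CA file are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Append the client IP to X-Forwarded-For so the web servers can use it (point 2).
    option forwardfor

frontend https
    bind 192.0.2.10:443 ssl no-sslv3 crt /etc/haproxy/site.pem
    # Drop any X-Forwarded-For a client sent itself, so the only value the backend
    # sees is the one haproxy appends below; the app must still read that header
    # instead of REMOTE_ADDR.
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https
    default_backend lbhttps

backend lbhttps
    balance roundrobin
    # Point 3: haproxy sets a SERVERID cookie naming the chosen server and routes
    # later requests by it. "indirect" keeps the cookie off the backend request,
    # "nocache" stops shared caches storing the Set-Cookie response.
    cookie SERVERID insert indirect nocache secure httponly
    # Point 1: re-encrypt to the web servers and refuse any server whose certificate
    # does not chain to the internal CA. "verify none" would accept any certificate.
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem check cookie w1
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem check cookie w2
```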