RE : FW: HAProxy

2015-10-11 Thread Cédric Petter
Thanks Willy and thanks Thierry Fournier too (He answered some days before and
didn't get the time to test before)

It works like a charm now :-)
It's weird but no blogs speak about this. All blogs I found redirect to 80
on the backend. Or they use 443 but nothing in the config is explained :-(

So I really appreciate your help. 
It saves me some sleep hours :-)

Kind Regards

Cédric Petter
VP of Support & IT

BPA Solutions
Headquarters – Switzerland

Build Closer Relationships with SharePoint

p. +41 24 524 25 50
e. cedric.pet...@bpa-solutions.net


From: Willy Tarreau [w...@1wt.eu]
Sent: Saturday, October 10, 2015 08:12
To: Cédric Petter
Cc: haproxy@formilux.org
Subject: Re: FW: HAProxy

Hello Cédric,

On Tue, Oct 06, 2015 at 01:56:41PM +0000, Cédric Petter wrote:
> Hello
>
> First of all, if I need to explain in English, please tell me.

Yes the list is in english, but I understood your problem so I'll
put out a quick summary and will respond :-)

> I am stuck with HAProxy on a VM.
> I have a Debian 8.2 server with HAProxy 1.5.14.
> And "behind" it, I have 2 Windows servers with IIS 8.5 & SharePoint 2013.
>
> It works well over HTTP, but not over HTTPS.
> With HTTPS I get 503 & 504 errors alternately.
> If anyone has an idea, that would be cool.

In short Cedric faces an issue where he gets errors 503/504 on haproxy
when passing HTTPS requests to IIS but that's OK with HTTP.

Cedric, the problem is that you are connecting to port 443 in clear
because you didn't specify "ssl" on the server lines :

   backend www-backend-https
       server www-1 192.168.1.2:443 check
       server www-2 192.168.1.3:443 check

Just add "ssl" at the end of the line and it will work better. You'll
get a warning upon startup that you need to add "ssl-verify-none" or
to put a CA file. If haproxy and the servers are on the same local
network and you consider this network to be safe, you can easily add
that option.

Additionally, maybe you don't even need to pass again via port 443
and you can pass everything to port 80 ? That can make a simpler
config and avoid having to re-encrypt+decrypt.

Last, since you're on haproxy 1.5, if you're observing important
CPU usage when using SSL, you can enable HTTP keep-alive to the
servers by removing this line :

   option http-server-close

It will use more memory by maintaining more connections though.

Regards,
Willy
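
Added example, not part of Willy's message or of the HAProxy project: a small Python check for the mistake diagnosed above (a `server` line pointing at port 443 without `ssl` in an HTTP-mode backend), which also separates `ssl verify none` from `ssl` backed by a `ca-file`. The sample config is constructed; `www-3`, its address, the `tcp-passthrough` backend and the CA path are assumptions, and the check is a heuristic that looks only at `server` lines, not at global settings.

```python
# Constructed sample: the thread's backend plus constructed variants
# (www-3's address and the ca-file path are assumptions for illustration).
SAMPLE_CFG = """\
defaults
    mode http

backend www-backend-https
    server www-1 192.168.1.2:443 check
    server www-2 192.168.1.3:443 check ssl verify none
    server www-3 192.168.1.4:443 check ssl verify required ca-file /etc/ssl/certs/internal-ca.pem

backend tcp-passthrough
    mode tcp
    server www-1 192.168.1.2:443 check
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def audit_servers(cfg_text, tls_ports=("443",)):
    """Return (section, server, finding) for every 'server' line."""
    results, section, in_defaults = [], None, False
    default_mode = mode = "tcp"  # HAProxy's mode when none is configured
    for raw in cfg_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] in SECTIONS:
            section = tok[1] if len(tok) > 1 else tok[0]
            in_defaults, mode = tok[0] == "defaults", default_mode
        elif tok[0] == "mode" and len(tok) > 1:
            mode = tok[1]
            if in_defaults:
                default_mode = mode
        elif tok[0] == "server" and len(tok) >= 3:
            name, port, opts = tok[1], tok[2].rpartition(":")[2], tok[3:]
            if "ssl" not in opts:
                # Clear-text HTTP sent to a TLS port: the 503/504 case in the thread.
                # A tcp-mode backend relaying TLS untouched is legitimate.
                bad = mode == "http" and port in tls_ports
                finding = "cleartext-to-tls-port" if bad else "ok"
            elif "verify none" in " ".join(opts):
                finding = "tls-unverified"  # encrypted, but server identity unchecked
            elif "ca-file" in opts:
                finding = "tls-verified"
            else:
                finding = "tls-no-ca-file"  # ssl requested but nothing to verify against
            results.append((section, name, finding))
    return results
```
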




FW: HAProxy

2015-10-06 Thread Cédric Petter
Hello

First of all, if I need to explain in English, please tell me.

I am stuck with HAProxy on a VM.
I have a Debian 8.2 server with HAProxy 1.5.14.
And "behind" it, I have 2 Windows servers with IIS 8.5 & SharePoint 2013.

It works well over HTTP, but not over HTTPS.
With HTTPS I get 503 & 504 errors alternately.
If anyone has an idea, that would be cool.
Here is my config

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 2048
    tune.ssl.default-dh-param 2048
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 5
    timeout server 5

frontend www-http
    bind *:80
    default_backend www-backend

frontend www-https
    bind *:443 ssl crt ./monfichier.pem
    default_backend www-backend-https

backend www-backend
    server www-1 192.168.1.2:80 check
    server www-2 192.168.1.3:80 check

backend www-backend-https
    server www-1 192.168.1.2:443 check
    server www-2 192.168.1.3:443 check

Cédric Petter
cedric.pet...@bpa-solutions.net