RE: stunnel + haproxy + ssl + ddns + multiple domains

2012-11-29 Thread Rob Cluett
Thank you Baptiste. I am implementing this now. The procedure I was looking
at had me making it more complicated than it needed to be.

-Original Message-
From: Baptiste [mailto:bed...@gmail.com]
Sent: Thursday, November 29, 2012 2:29 AM
To: Rob Cluett
Cc: haproxy@formilux.org
Subject: Re: stunnel + haproxy + ssl + ddns + multiple domains

Hi Rob,

Just make your stunnel point to your frontend on the port 80, and you're
done.

cheers

On Thu, Nov 29, 2012 at 1:05 AM, Rob Cluett r...@robcluett.com wrote:
 All, wondering if you can point me in the right direction. I have
 stunnel installed with the x-forwarded-for patch. I also have haproxy
 working so all incoming http requests are forwarded from my router to
 haproxy. haproxy then determines where to route the request based on the
 domain name.
 Configs below. I'd like to implement something similar with stunnel
 and haproxy so that all inbound requests can be routed in the same
 manner for https.



 global
     log     127.0.0.1 local2
     chroot  /var/lib/haproxy
     pidfile /var/run/haproxy.pid
     maxconn 4000
     user    haproxy
     group   haproxy
     daemon
     # turn on stats unix socket
     stats socket /var/lib/haproxy/stats

 defaults
     mode    http
     log     global
     option  httplog
     option  dontlognull
     option  http-server-close
     option  forwardfor except 127.0.0.0/8
     option  redispatch
     retries 3
     timeout http-request    10s
     timeout queue           1m
     timeout connect         10s
     timeout client          1m
     timeout server          1m
     timeout http-keep-alive 10s
     timeout check           10s
     maxconn 3000

 frontend http_proxy
     bind *:80
     acl is_rbc-com hdr_dom(host) -i robcluett.com
     acl is_rbc-net hdr_dom(host) -i robcluett.net
     acl is_iom-com hdr_dom(host) -i iomerge.com
     use_backend cluster1 if is_rbc-com
     use_backend cluster2 if is_rbc-net
     use_backend cluster3 if is_iom-com

 backend cluster1
     server web2 10.10.10.51:80
     #server web5 192.168.1.128

 backend cluster2
     server web3 10.10.10.52:80
     #server web6 192.168.1.129:80

 backend cluster3
     server web4 10.10.10.53:80



 Rob Cluett

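
Baptiste's suggestion above, written out as an added example that is not part of the thread: stunnel terminates TLS and connects to the existing port-80 frontend, so the Host-header ACLs apply to HTTPS unchanged. It assumes stunnel runs on the same host as haproxy, that the patched build exposes the `xforwardedfor` option, and that the certificate path (a placeholder) holds one certificate valid for all three hostnames, since this service section presents a single certificate.

```ini
; stunnel.conf (illustrative; paths and the service name are placeholders)
; Terminate TLS on 443 and hand the decrypted HTTP to the existing
; haproxy frontend "http_proxy" on port 80. haproxy's Host-header ACLs
; then route HTTPS traffic exactly as they route plain HTTP.

; Certificate and key in one PEM file. Assumed to carry robcluett.com,
; robcluett.net and iomerge.com as subject alternative names.
cert = /etc/stunnel/multi-domain.pem

[https]
accept  = 443
connect = 127.0.0.1:80
; Option added by the x-forwarded-for patch: insert the TLS client's
; address as X-Forwarded-For before passing the request on.
xforwardedfor = yes
```

Because stunnel connects from 127.0.0.1, the existing `option forwardfor except 127.0.0.0/8` keeps haproxy from appending its own header on these connections, so the backends see the client address stunnel recorded.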


stunnel + haproxy + ssl + ddns + multiple domains

2012-11-28 Thread Rob Cluett
All, wondering if you can point me in the right direction. I have stunnel
installed with the x-forwarded-for patch. I also have haproxy working so
all incoming http requests are forwarded from my router to haproxy.
haproxy then determines where to route the request based on the domain
name. Configs below. I'd like to implement something similar with stunnel
and haproxy so that all inbound requests can be routed in the same manner
for https.



global
    log     127.0.0.1 local2
    chroot  /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user    haproxy
    group   haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode    http
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  forwardfor except 127.0.0.0/8
    option  redispatch
    retries 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn 3000

frontend http_proxy
    bind *:80
    acl is_rbc-com hdr_dom(host) -i robcluett.com
    acl is_rbc-net hdr_dom(host) -i robcluett.net
    acl is_iom-com hdr_dom(host) -i iomerge.com
    use_backend cluster1 if is_rbc-com
    use_backend cluster2 if is_rbc-net
    use_backend cluster3 if is_iom-com

backend cluster1
    server web2 10.10.10.51:80
    #server web5 192.168.1.128

backend cluster2
    server web3 10.10.10.52:80
    #server web6 192.168.1.129:80

backend cluster3
    server web4 10.10.10.53:80



Rob Cluett
