Re: Haproxy support for HTTPS (SSL) backend servers
On Tue, Oct 19, 2010 at 05:42:51PM +0300, Reinis Rozitis wrote:
>> Have you tried Varnish?
>> http://www.varnish-cache.org/
>> It's intended as a caching proxy but can do what you're after perfectly
>> well.
>>
>> Also if there's anything it can't do, you can in-line drop in to C in
>> the config files and make it do it!
>
> As far as I know varnish doesn't support SSL (neither as frontend nor in
> backends)?
> So you would have to implement some extra layers anyways.
>
> While I haven't tried myself (the URL thing (with providing the key/cert
> to the balancer)) you could try Pound ( http://www.apsis.ch/pound/ )
> which supports the client <-- ssl --> balancer (url parsing) <-- ssl
> --> backend scheme..
>

Yep, I noticed Pound supports ssl to the backend in the latest version (2.5).

Another question: Do you guys know if some balancer allows 'http connect' passthrough?
I'd like to pass 'http connect' requests 'as is' to the backend server.
For example Pound seems to drop that request..

-- Pasi
Re: Haproxy support for HTTPS (SSL) backend servers
> Have you tried Varnish?
> http://www.varnish-cache.org/
> It's intended as a caching proxy but can do what you're after perfectly
> well.
>
> Also if there's anything it can't do, you can in-line drop in to C in
> the config files and make it do it!

As far as I know varnish doesn't support SSL (neither as frontend nor in
backends)?
So you would have to implement some extra layers anyways.

While I haven't tried myself (the URL thing (with providing the key/cert
to the balancer)) you could try Pound ( http://www.apsis.ch/pound/ )
which supports the client <-- ssl --> balancer (url parsing) <-- ssl
--> backend scheme..

rr
Re: Haproxy support for HTTPS (SSL) backend servers
On Tue, Oct 19, 2010 at 11:46:23AM +, Simon Green - Centric IT Ltd wrote:
> Have you tried Varnish?
> http://www.varnish-cache.org/
> It's intended as a caching proxy but can do what you're after perfectly well.
>
> Also if there's anything it can't do, you can in-line drop in to C in the
> config files and make it do it!
>

Thanks for the tip. I'll take a look at it.

-- Pasi

> -Original Message-
> From: Pasi Kärkkäinen [mailto:pa...@iki.fi]
> Sent: 19 October 2010 12:33
> To: Reinis Rozitis
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy support for HTTPS (SSL) backend servers
>
> On Mon, Oct 18, 2010 at 07:00:37PM +0300, Reinis Rozitis wrote:
> >> I meant the features that need to parse the HTTP request and do
> >> things based on it..
> >>
> >> So tcp/raw mode won't work..
> >>
> >> Thanks for the reply though!
> >>
> >> -- Pasi
> >
> > I think you are better in this case using 'nginx' for example -
> > http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
> > change and balancing on its own).
> >
>
> Yeah, I've tried nginx as well. It supports SSL on both the frontend
> and backend, which is good, but the problem with nginx is that
> it doesn't support http/1.1 on the backend side..
>
> I have some application that also requires http/1.1 and refuses
> to serve http/1.0 requests.. this is not easy :)
>
> -- Pasi
>
RE: Haproxy support for HTTPS (SSL) backend servers
Have you tried Varnish?
http://www.varnish-cache.org/
It's intended as a caching proxy but can do what you're after perfectly well.

Also if there's anything it can't do, you can in-line drop in to C in the
config files and make it do it!

-Original Message-
From: Pasi Kärkkäinen [mailto:pa...@iki.fi]
Sent: 19 October 2010 12:33
To: Reinis Rozitis
Cc: haproxy@formilux.org
Subject: Re: Haproxy support for HTTPS (SSL) backend servers

On Mon, Oct 18, 2010 at 07:00:37PM +0300, Reinis Rozitis wrote:
>> I meant the features that need to parse the HTTP request and do
>> things based on it..
>>
>> So tcp/raw mode won't work..
>>
>> Thanks for the reply though!
>>
>> -- Pasi
>
> I think you are better in this case using 'nginx' for example -
> http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
> change and balancing on its own).
>

Yeah, I've tried nginx as well. It supports SSL on both the frontend
and backend, which is good, but the problem with nginx is that
it doesn't support http/1.1 on the backend side..

I have some application that also requires http/1.1 and refuses
to serve http/1.0 requests.. this is not easy :)

-- Pasi
Re: Haproxy support for HTTPS (SSL) backend servers
On Tue, Oct 19, 2010 at 02:35:01PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Oct 18, 2010 at 03:02:26PM +, Soren Hansen wrote:
> > Terminate the ssl using apache+mod_ssl as a proxy to your HAproxy
> > Do your ACL stuff in HAproxy
> > Then have HAproxy send the request to a local stunnel client.
> > stunnel will then forward the request as ssl to a backend server.
> >
> > You will need to define one stunnel client per backend server.
> > In HAproxy, you will have the local stunnels defined as servers.
> >
>
> I tried this earlier.. and I got some problems with sessions
> timing out, and I could figure out what was causing it.
>

I was supposed to write "couldn't" ..

-- Pasi

> It's kind of difficult when you have separate frontend (stunnel/pound),
> "middleware" (haproxy), and then also separate backend (stunnel).
>
> Replacing all that with nginx worked much better (no timeout problems),
> but then I have the problem where nginx doesn't support http/1.1 on the
> backend..
>
> -- Pasi
>
Re: Haproxy support for HTTPS (SSL) backend servers
On Mon, Oct 18, 2010 at 03:02:26PM +, Soren Hansen wrote:
> Terminate the ssl using apache+mod_ssl as a proxy to your HAproxy
> Do your ACL stuff in HAproxy
> Then have HAproxy send the request to a local stunnel client.
> stunnel will then forward the request as ssl to a backend server.
>
> You will need to define one stunnel client per backend server.
> In HAproxy, you will have the local stunnels defined as servers.
>

I tried this earlier.. and I got some problems with sessions
timing out, and I could figure out what was causing it.

It's kind of difficult when you have separate frontend (stunnel/pound),
"middleware" (haproxy), and then also separate backend (stunnel).

Replacing all that with nginx worked much better (no timeout problems),
but then I have the problem where nginx doesn't support http/1.1 on the
backend..

-- Pasi
Re: Haproxy support for HTTPS (SSL) backend servers
On Mon, Oct 18, 2010 at 07:00:37PM +0300, Reinis Rozitis wrote:
>> I meant the features that need to parse the HTTP request and do things
>> based on it..
>>
>> So tcp/raw mode won't work..
>>
>> Thanks for the reply though!
>>
>> -- Pasi
>
> I think you are better in this case using 'nginx' for example -
> http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
> change and balancing on its own).
>

Yeah, I've tried nginx as well. It supports SSL on both the frontend
and backend, which is good, but the problem with nginx is that
it doesn't support http/1.1 on the backend side..

I have some application that also requires http/1.1 and refuses
to serve http/1.0 requests.. this is not easy :)

-- Pasi
Re: Haproxy support for HTTPS (SSL) backend servers
Hello,

You can use stunnel to decrypt/recrypt the ssl stuff:

stunnel's config: http://vr.pastebin.com/Ay4e9wFk
haproxy's config: http://vr.pastebin.com/1uDMeavk

Regards,

Hervé.

On Sat, 16 Oct 2010 13:34:04 +0300 Pasi Kärkkäinen wrote:
> Hello,
>
> I'd like to use haproxy to loadbalance a service
> that uses (only) https in the backend.. service in question
> cannot be changed to provide http, it's https only.
> (I know, it's stupid, but I cannot change that unfortunately..)
>
> I know I could use the haproxy 'raw' mode, but I need some of the
> ACL features of haproxy, so I need to use the http mode instead.
>
> Does someone have a patch that allows using https on the backend?
>
> If there's no such patch, how big changes it would require?
> I might work on it if there's nothing ready yet..
>
> Thanks!
>
> -- Pasi
>
>

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: Haproxy support for HTTPS (SSL) backend servers
> I meant the features that need to parse the HTTP request and do things
> based on it..
>
> So tcp/raw mode won't work..
>
> Thanks for the reply though!
>
> -- Pasi

I think you are better in this case using 'nginx' for example -
http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
change and balancing on its own).

rr
Re: Haproxy support for HTTPS (SSL) backend servers
Terminate the ssl using apache+mod_ssl as a proxy to your HAproxy
Do your ACL stuff in HAproxy
Then have HAproxy send the request to a local stunnel client.
stunnel will then forward the request as ssl to a backend server.

You will need to define one stunnel client per backend server.
In HAproxy, you will have the local stunnels defined as servers.
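The layout described in the message above, as an added example that is not part of the original thread: a script that emits one client-mode stunnel service per backend and the matching HAProxy `server` lines. The backend names and hosts, the port range, the CA path and the backend name `https_app` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration. Backend names/hosts, ports and the CA path are constructed.
BACKENDS='app1 app1.example.internal:443
app2 app2.example.internal:443'
BASE_PORT=8441                       # first loopback port handed to stunnel
CA_FILE=/etc/stunnel/backend-ca.pem  # CA that issued the backend certificates

# Emit "name target local_port" for each backend, one loopback port apiece.
backend_ports() {
    port=$BASE_PORT
    printf '%s\n' "$BACKENDS" | while read -r name target; do
        printf '%s %s %s\n' "$name" "$target" "$port"
        port=$((port + 1))
    done
}

# stunnel.conf: one client-mode service per backend server.
stunnel_client_conf() {
    backend_ports | while read -r name target port; do
        printf '[%s]\n' "$name"
        printf 'client = yes\n'
        # HAProxy -> stunnel is cleartext, so listen on loopback only.
        printf 'accept = 127.0.0.1:%s\n' "$port"
        printf 'connect = %s\n' "$target"
        # Refuse a backend whose certificate does not chain to CA_FILE.
        printf 'verify = 2\nCAfile = %s\n\n' "$CA_FILE"
    done
}

# haproxy.cfg fragment: the local stunnels are the "servers".
haproxy_backend_conf() {
    printf 'backend https_app\n    mode http\n'
    # HTTP check travels through the tunnel; a bare TCP check would only
    # prove that stunnel itself is listening.
    printf '    option httpchk\n'
    backend_ports | while read -r name target port; do
        printf '    server %s 127.0.0.1:%s check\n' "$name" "$port"
    done
}

stunnel_client_conf
haproxy_backend_conf
```

Without `verify` and `CAfile`, the stunnel client encrypts the hop to the backend but accepts any certificate the peer presents.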
Re: Haproxy support for HTTPS (SSL) backend servers
On Sat, Oct 16, 2010 at 06:29:19AM -0700, Nicholas Hadaway wrote:
> ACL features work just fine in TCP mode as well as HTTP mode.
>

I meant the features that need to parse the HTTP request and do things based on it..

So tcp/raw mode won't work..

Thanks for the reply though!

-- Pasi

> -nick
>
> On 10/16/2010 3:34 AM, Pasi Kärkkäinen wrote:
>> Hello,
>>
>> I'd like to use haproxy to loadbalance a service
>> that uses (only) https in the backend.. service in question
>> cannot be changed to provide http, it's https only.
>> (I know, it's stupid, but I cannot change that unfortunately..)
>>
>> I know I could use the haproxy 'raw' mode, but I need some of the
>> ACL features of haproxy, so I need to use the http mode instead.
>>
>> Does someone have a patch that allows using https on the backend?
>>
>> If there's no such patch, how big changes it would require?
>> I might work on it if there's nothing ready yet..
>>
>> Thanks!
>>
>> -- Pasi
>>
>>
>
>
Re: Haproxy support for HTTPS (SSL) backend servers
ACL features work just fine in TCP mode as well as HTTP mode.

-nick

On 10/16/2010 3:34 AM, Pasi Kärkkäinen wrote:
> Hello,
>
> I'd like to use haproxy to loadbalance a service
> that uses (only) https in the backend.. service in question
> cannot be changed to provide http, it's https only.
> (I know, it's stupid, but I cannot change that unfortunately..)
>
> I know I could use the haproxy 'raw' mode, but I need some of the
> ACL features of haproxy, so I need to use the http mode instead.
>
> Does someone have a patch that allows using https on the backend?
>
> If there's no such patch, how big changes it would require?
> I might work on it if there's nothing ready yet..
>
> Thanks!
>
> -- Pasi