Re: SSL terminate mode

2013-05-05 Thread Igor
Thanks, Willy. Frontend in http mode (may be called https terminate mode)
and backend in SSL is my goal, which uses a remote https connection directly;
haproxy terminates the SSL backend into http. This is for performance
testing sometimes.

Bests,
-Igor


On Sun, May 5, 2013 at 5:55 PM, Willy Tarreau wrote:

> Hi Igor,
>
> On Sun, May 05, 2013 at 05:42:21PM +0800, Igor wrote:
> > Hi,
> >
> > For some security purpose and performance testing purpose, is it possible
> > to use haproxy as SSL client?
>
> Yes and it was even our first goal when implementing native SSL support.
>
> > May config like:
> >
> > frontend HTTP
> > bind :80
> > mode httpsclient(?)
> > default_backend SSLPOOL
> >
> > backend SSLPOOL
> > mode tcp
> > server  ssl1  :443
>
> You need to add "ssl" at the end of the line above. Your backend needs
> to be in http mode if the frontend is also in http mode. If you need
> this for security, also take a look at the "verify" server keyword,
> which is used to validate the peer's certificate (otherwise SSL will
> not provide any security at all and will just make you feel safe).
>
> Willy
>
>


Re: SSL terminate mode

2013-05-05 Thread Willy Tarreau
Hi Igor,

On Sun, May 05, 2013 at 05:42:21PM +0800, Igor wrote:
> Hi,
> 
> For some security purpose and performance testing purpose, is it possible
> to use haproxy as SSL client?

Yes and it was even our first goal when implementing native SSL support.

> May config like:
> 
> frontend HTTP
> bind :80
> mode httpsclient(?)
> default_backend SSLPOOL
> 
> backend SSLPOOL
> mode tcp
> server  ssl1  :443

You need to add "ssl" at the end of the line above. Your backend needs
to be in http mode if the frontend is also in http mode. If you need
this for security, also take a look at the "verify" server keyword,
which is used to validate the peer's certificate (otherwise SSL will
not provide any security at all and will just make you feel safe).

Willy
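
The configuration the reply above describes, written out as an added example (not part of the original thread and not posted by either participant). The server address 192.0.2.10, the CA bundle path and the name backend.example.com are placeholders; "verifyhost" is a further server keyword the thread does not mention, included because "verify required" checks the certificate chain but not the name in the certificate.

```haproxy
# Added example: haproxy as SSL client towards the backend server.
# Placeholders (assumptions): 192.0.2.10, /etc/haproxy/backend-ca.pem,
# backend.example.com.

defaults
    mode http                  # frontend and backend must both be in http mode
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend HTTP
    bind :80                   # clear-text HTTP from clients
    default_backend SSLPOOL

# Weak form, shown for comparison only: the connection is encrypted but the
# server certificate is never checked, so the peer is not authenticated.
#
# backend SSLPOOL
#     server ssl1 192.0.2.10:443 ssl verify none

# Corrected form: "ssl" enables SSL towards the server, "verify required"
# with "ca-file" validates the certificate against a trusted CA, and
# "verifyhost" checks that the certificate was issued for the expected name.
backend SSLPOOL
    server ssl1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost backend.example.com
```

Running `haproxy -c -f <file>` checks the file for syntax errors before it is loaded.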




SSL terminate mode

2013-05-05 Thread Igor
Hi,

For some security purpose and performance testing purpose, is it possible
to use haproxy as SSL client?

May config like:

frontend HTTP
bind :80
mode httpsclient(?)
default_backend SSLPOOL

backend SSLPOOL
mode tcp
server  ssl1  :443

I know some other tools can do termination, but I prefer to do it all in
haproxy, thanks for any advice.


Bests,
-Igor