Damn. I shouldn't respond to questions after midnight :-(. I completely
overread this is about client certificates until now. Sorry for missing that,
Sam; and thanks Willy for the interesting link.
One question comes up for me though, after reading it (unless I am still not
awake enough, in
On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote:
> Thanks for the response Daniel. What is the best way to handle SSL traffic
> through a load balancer to maintain original client certificates? Just use
> mode TCP and passthrough? Is there a way to do that without turning off
>
Thanks a lot for the help.
Sam
On February 17, 2017 at 7:55:05 PM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:
You should be able to configure haproxy in TCP mode and have it appear
transparent, without the clients complaining. You won't be able to do
anything on the http level,
You should be able to configure haproxy in TCP mode and have it appear
transparent, without the clients complaining. You won't be able to do anything
on the http level, of course, but passing encrypted streams back and forth is a
completely valid use case. Just keep anything TLS out of the
I guess it’s probably the same answer, it’s working as intended and even
with passthrough the load balancer certificate does not match the backend
server so it still throws the warning which makes sense.
On February 17, 2017 at 7:20:14 PM, Sam Crowell (crowes...@gmail.com) wrote:
Thanks for the
Thanks for the response Daniel. What is the best way to handle SSL traffic
through a load balancer to maintain original client certificates? Just use
mode TCP and passthrough? Is there a way to do that without turning off
hostname verifier at the client level?
Thanks,
Sam
On February 17, 2017
Sam,
This not working the way you would like is the cornerstone and one of the key
features of TLS. It is designed to ensure there is nothing in the middle
between the client and the server. If you need to inspect the traffic, by
definition you cannot without the clients trusting your
Is there a way to do SSL termination at the load balancer, but then send
the original certificate to the backend server? I have seen plenty of
notes and configs for SSL passthrough and SSL termination with
re-encryption by the load balancer certificate.
Even with passthrough, I still have to
Hi Roberto
> On 17 Feb 2017 at 01:27, Roberto Guimaraes wrote:
>
> greetings,
>
> just a heads up that we’ve seen client breakage when using haproxy with
> openssl-1.1 — dunno how far along you are concerning ossl1.1 usage, but it
> has become very clear that
Hi Christopher.
On 17-02-2017 10:41, Christopher Faulet wrote:
On 16/02/2017 at 12:41, Aleksandar Lazic wrote:
Do you think that there will be also big changes in the protocol?
No not really. The protocol should remain mostly unchanged. In fact,
except new "capabilities", there are no
Hi
I am having a strange error when sending requests back to haproxy. The
configuration is to have an additional layer of frontend/backend to
generate a unique request id for every request then redirect back to
haproxy to the real frontend.
This works fine in the beginning, but after several
On 16/02/2017 at 12:41, Aleksandar Lazic wrote:
Do you think that there will be also big changes in the protocol?
No not really. The protocol should remain mostly unchanged. In fact,
except new "capabilities", there are no big changes. And these
capabilities will only influence how frames