Hi!

Cookie-based forwarding to the matching backend server using haproxy works 
fine. SSL sessions should be decrypted by stunnel and then forwarded to haproxy 
for cookie-based forwarding. But this didn't happen: due to a "not permitted" 
operation, the SSL connection is closed.

The CARP interfaces belong to loopback?! Should they not belong to the WAN 
interface?


stunnel log:

LOG5[15140:675287104]: stunnel 4.25 on i386-unknown-freebsd7.0 with OpenSSL 0.9.8e 23 Feb 2007
LOG5[15140:675287104]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
LOG5[15140:675287104]: 5417 clients allowed

LOG5[9813:675289552]: Shop_01 accepted connection from 80.xxx.xxx.xxx:6526
LOG3[9813:675289552]: remote connect (93.www.xxx.98:80): Operation not permitted (1)
LOG5[9813:675289552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket



my conf:

pfsense interfaces:

WAN : 93.www.xxx.97 /zz
LAN : 192.168.0.222 /24


haproxy conf:

listen www1                     93.www.xxx.98:80
        mode                    http
        log                     global
        cookie                  funnySessionID prefix
        option                  dontlognull
        option                  httpclose
        option                  forwardfor except 93.www.xxx.98
        maxconn                 1000
        clitimeout              6000
        contimeout              12000
        srvtimeout              12000
        retries                 2
        server                  ap1 192.168.0.110:80 cookie ap1   check inter 30000  weight 1
        server                  ap2 192.168.0.100:80 cookie ap2   check inter 30000  weight 1

listen www2                     93.xxx.xxx.99:80
        mode                    http
        log                     global
        cookie                  funnySessionID prefix
        option                  dontlognull
        option                  forwardfor except 93.www.xxx.99
        option                  httpclose
        maxconn                 1000
        clitimeout              6000
        contimeout              12000
        srvtimeout              12000
        retries                 2
        server                  ap1 192.168.0.110:80 cookie ap1   check inter 30000  weight 1
        server                  ap2 192.168.0.100:80 cookie ap2   check inter 30000  weight 1


stunnel conf:

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /usr/local/etc/stunnel/stun.log

[shop_01]
key = /usr/local/etc/stunnel/a0xxxxx.key
cert = /usr/local/etc/stunnel/a0xxxxx.chain
accept = 93.www.xxx.98:443
connect = 93.www.xxx.98:80
TIMEOUTclose = 0

[shop_02]
key = /usr/local/etc/stunnel/6byyyyy.key
cert = /usr/local/etc/stunnel/6byyyyy.chain
accept = 93.www.xxx.99:443
connect = 93.www.xxx.99:80
TIMEOUTclose = 0


carp interfaces:

carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 93.www.xxx.98 /zz
        carp: MASTER vhid 150 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 93.www.xxx.99 /zz
        carp: MASTER vhid 151 advbase 1 advskew 0



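The stunnel log above shows the connection being accepted on the 443 side and then failing at the `remote connect` hop with errno 1 (EPERM). As an added example (not from the post), the parser below reads stunnel 4.x log lines of the form `LOG<level>[pid:tid]: message`, ties each `remote connect` failure back to the service that accepted the connection on the same thread, and produces a per-service summary. This makes it easy to see, from the log alone, at which hop a stunnel-to-haproxy chain breaks. The log lines in the block are constructed from the post's format with placeholder addresses. One general thing to check when `connect()` returns EPERM on a pf-based host is whether a filter rule is blocking the locally originated connection, since pf reports such a block to the application as EPERM; whether that applies to this setup is not something the log by itself shows.

```python
"""Summarise accepted connections and remote-connect failures per stunnel
service from stunnel 4.x log lines (added example, constructed sample data).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "LOG5[9813:675289552]: Shop_01 accepted connection from 80.0.0.1:6526"
LINE_RE = re.compile(r"^LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^(?P<service>\S+) accepted connection from (?P<peer>\S+)$")
# "remote connect (93.0.0.98:80): Operation not permitted (1)"
CONNECT_FAIL_RE = re.compile(
    r"^remote connect \((?P<target>[^)]+)\): (?P<err>.+?) \((?P<errno>\d+)\)$"
)

# Constructed sample modelled on the post's log; addresses are placeholders.
SAMPLE_LOG = """\
LOG5[15140:675287104]: stunnel 4.25 on i386-unknown-freebsd7.0 with OpenSSL 0.9.8e 23 Feb 2007
LOG5[15140:675287104]: 5417 clients allowed
LOG5[9813:675289552]: Shop_01 accepted connection from 80.0.0.1:6526
LOG3[9813:675289552]: remote connect (93.0.0.98:80): Operation not permitted (1)
LOG5[9813:675289552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
LOG5[9814:675289552]: Shop_02 accepted connection from 80.0.0.2:40000
LOG5[9814:675289552]: Connection closed: 1200 bytes sent to SSL, 300 bytes sent to socket
"""

Failure = Tuple[str, str, int]  # (target, error text, errno)


def summarize(log_text: str) -> Dict[str, Dict[str, object]]:
    """Return {service: {"accepted": n, "connect_failed": [Failure, ...]}}.

    The "remote connect" failure line carries no service name, so the
    [pid:tid] identifier is used to attribute it to the service whose
    "accepted connection" line was logged by the same thread.
    """
    thread_service: Dict[Tuple[str, str], str] = {}
    summary: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"accepted": 0, "connect_failed": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or unrelated line
        key = (m["pid"], m["tid"])
        msg = m["msg"]
        acc = ACCEPT_RE.match(msg)
        if acc:
            thread_service[key] = acc["service"]
            summary[acc["service"]]["accepted"] += 1
            continue
        fail = CONNECT_FAIL_RE.match(msg)
        if fail:
            service = thread_service.get(key, "?")
            failures: List[Failure] = summary[service]["connect_failed"]  # type: ignore[assignment]
            failures.append((fail["target"], fail["err"], int(fail["errno"])))
    return dict(summary)


if __name__ == "__main__":
    for service, stats in summarize(SAMPLE_LOG).items():
        print(service, "accepted:", stats["accepted"])
        for target, err, num in stats["connect_failed"]:
            print(f"  backend hop failed -> {target}: {err} (errno {num})")
```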