Hi! Solved!
-------- Original Message --------
> Date: Wed, 30 Jun 2010 13:56:28 +0200
> From: "Stefan Dragnic" <stefan_d...@gmx.de>
> To: support@pfsense.com
> Subject: [pfSense Support] stunnel / Haproxy / carp
>
> Hi!
>
> Cookie-based forwarding to the matching backend server using haproxy works
> fine. SSL sessions should be decrypted by stunnel and then forwarded to
> haproxy for cookie-based forwarding. But this didn't happen. Due to a not
> permitted operation the SSL connection would be closed.
>
> The carp interfaces belong to loopback?! Should they not belong to the
> WAN interface?
>
> stunnel log:
>
> LOG5[15140:675287104]: stunnel 4.25 on i386-unknown-freebsd7.0 with OpenSSL 0.9.8e 23 Feb 2007
> LOG5[15140:675287104]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
> LOG5[15140:675287104]: 5417 clients allowed
>
> LOG5[9813:675289552]: Shop_01 accepted connection from 80.xxx.xxx.xxx:6526
> LOG3[9813:675289552]: remote connect (93.www.xxx.98:80): Operation not permitted (1)
> LOG5[9813:675289552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
> my conf:
>
> pfsense interfaces:
>
> WAN : 93.www.xxx.97 /zz
> LAN : 192.168.0.222 /24
>
> haproxy conf:
>
> listen www1 93.www.xxx.98:80
>     mode http
>     log global
>     cookie funnySessionID prefix
>     option dontlognull
>     option httpclose
>     option forwardfor except 93.www.xxx.98
>     maxconn 1000
>     clitimeout 6000
>     contimeout 12000
>     srvtimeout 12000
>     retries 2
>     server ap1 192.168.0.110:80 cookie ap1 check inter 30000 weight 1
>     server ap2 192.168.0.100:80 cookie ap2 check inter 30000 weight 1
>
> listen www2 93.xxx.xxx.99:80
>     mode http
>     log global
>     cookie funnySessionID prefix
>     option dontlognull
>     option forwardfor except 93.www.xxx.99
>     option httpclose
>     maxconn 1000
>     clitimeout 6000
>     contimeout 12000
>     srvtimeout 12000
>     retries 2
>     server ap1 192.168.0.110:80 cookie ap1 check inter 30000 weight 1
>     server ap2 192.168.0.100:80 cookie ap2 check inter 30000 weight 1
>
> stunnel conf:
>
> chroot = /var/tmp/stunnel
> setuid = stunnel
> setgid = stunnel
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> output = /usr/local/etc/stunnel/stun.log
>
> [shop_01]
> key = /usr/local/etc/stunnel/a0xxxxx.key
> cert = /usr/local/etc/stunnel/a0xxxxx.chain
> accept = 93.www.xxx.98:443
> connect = 93.www.xxx.98:80
> TIMEOUTclose = 0
>
> [shop_02]
> key = /usr/local/etc/stunnel/6byyyyy.key
> cert = /usr/local/etc/stunnel/6byyyyy.chain
> accept = 93.www.xxx.99:443
> connect = 93.www.xxx.99:80
> TIMEOUTclose = 0
>
> carp interfaces:
>
> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>     inet 93.www.xxx.98 /zz
>     carp: MASTER vhid 150 advbase 1 advskew 0
> carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>     inet 93.www.xxx.99 /zz
>     carp: MASTER vhid 151 advbase 1 advskew 0
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
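The quoted config relies on `cookie funnySessionID prefix`, which is what lets haproxy pin a client to ap1 or ap2 after stunnel has stripped the TLS. The following is an added example, written for this page and not code from the thread, from pfSense or from HAProxy: it models HAProxy's documented prefix behaviour (the server id and a `~` delimiter are inserted in front of the application's own cookie value on the way out, and stripped again on the way in) using the backend ids and cookie name from the posted haproxy.cfg. The request and Set-Cookie headers are constructed, and round-robin is assumed as the fallback balancing when no usable prefix is present.

```python
"""Added example (not from the pfSense thread or HAProxy itself): a small
model of what HAProxy does for `cookie funnySessionID prefix`, using the
backend ids from the posted config. Assumptions: HAProxy's documented
prefix format `<server>~<value>`, and round-robin as the fallback balancer."""
from itertools import cycle

# Backend ids and addresses from the posted haproxy.cfg (constructed map).
SERVERS = {"ap1": "192.168.0.110:80", "ap2": "192.168.0.100:80"}
COOKIE_NAME = "funnySessionID"   # the application's own session cookie
DELIM = "~"                      # HAProxy's prefix delimiter


def parse_cookie_header(header):
    """Split a request Cookie header into ordered (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def format_cookie_header(pairs):
    """Inverse of parse_cookie_header."""
    return "; ".join(f"{name}={value}" for name, value in pairs)


class PrefixStickiness:
    """Models `cookie <name> prefix`: the proxy tags the app's own cookie
    with the server id on the way out and strips it on the way back in."""

    def __init__(self, servers, cookie_name):
        self.servers = servers
        self.cookie_name = cookie_name
        self._rr = cycle(servers)   # assumed fallback: round-robin

    def route_request(self, cookie_header):
        """Return (server_id, cookie_header_to_forward).

        A request carrying funnySessionID=ap2~<value> is pinned to ap2 and
        the backend receives funnySessionID=<value>, i.e. the cookie it set.
        An absent cookie or an unknown prefix falls back to load balancing."""
        chosen = None
        forwarded = []
        for name, value in parse_cookie_header(cookie_header or ""):
            if name == self.cookie_name and DELIM in value:
                prefix, _, rest = value.partition(DELIM)
                if prefix in self.servers:
                    chosen, value = prefix, rest
            forwarded.append((name, value))
        if chosen is None:
            chosen = next(self._rr)
        return chosen, format_cookie_header(forwarded)

    def rewrite_response(self, server_id, set_cookie_header):
        """Insert '<server_id>~' in front of the app cookie's value in a
        Set-Cookie header; other cookies pass through untouched."""
        name, eq, rest = set_cookie_header.partition("=")
        if name.strip() != self.cookie_name or not eq:
            return set_cookie_header
        value, semi, attrs = rest.partition(";")
        return f"{name}={server_id}{DELIM}{value}{semi}{attrs}"


def demo():
    """Walk one session through the proxy: returns (first backend,
    backend on the follow-up request, cookie header the backend sees)."""
    lb = PrefixStickiness(SERVERS, COOKIE_NAME)
    first, _ = lb.route_request("")                 # new client, no cookie
    tagged = lb.rewrite_response(first, f"{COOKIE_NAME}=s3cr3t; Path=/; HttpOnly")
    # Constructed follow-up request: the browser echoes the tagged cookie.
    second, upstream = lb.route_request(tagged.split(";")[0] + "; lang=de")
    return first, second, upstream


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the config alone does not: the backend id (`ap1`/`ap2`) is sent to every client as part of the cookie, so prefix mode discloses backend naming, and because stunnel hands plaintext to haproxy on the public CARP VIP's port 80, that listener is reachable without TLS by anyone who can reach the VIP unless the firewall restricts port 80 to the stunnel hop.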