Re: Haproxy and ssl

From: Willy Tarreau <w#1wt.eu>
Date: Sun, 30 Sep 2007 05:31:13 +0200


On Sat, Sep 29, 2007 at 09:27:04PM -0400, Lauro, John wrote:
> I may need to support SSL soon. Would you run one SSL tunnel both
> between client and HAPROXY, and again between HAPROXY and each of the
> load balanced servers?

No, the principle is to have stunnel between the client and haproxy, then HTTP will be used between haproxy and the servers. It's generally pointless to use SSL between a load balancer and the servers, because:

  1. the one who is able to sniff the traffic between the LB and the server generally has no problem doing the same on the LB itself
  2. all security information is between the client and stunnel (certificates, ...). The servers will get the load balancer's certificate and the LB will get the server's certificate. Pretty useless...

If you're crossing long distance WAN links, you may need to recipher, but then it's a general WAN problem, which is commonly solved by the use of VPNs or cipher boxes at both ends.

Take a look at the architecture manual, there are examples of how to set up stunnel between the client and haproxy. There are even config examples.

Regards,
Willy

Received on 2007/09/30 05:31
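A minimal pair of configuration files for the split Willy describes (stunnel terminating SSL from the client, plain HTTP from stunnel to haproxy on the loopback interface, plain HTTP from haproxy to the servers). This is an added example, not taken from the thread or from the haproxy architecture manual; file paths, ports, user names and the server addresses are assumptions.

```ini
# --- /etc/stunnel/stunnel.conf (assumed path) ---
# stunnel terminates SSL and hands decrypted HTTP to haproxy on loopback,
# so the only cleartext hop stays inside this box.
cert   = /etc/stunnel/frontend.pem    ; server certificate (assumed file)
key    = /etc/stunnel/frontend.key    ; private key (assumed file)
setuid = stunnel4                     ; drop privileges after binding 443
setgid = stunnel4
chroot = /var/lib/stunnel4/
pid    = /stunnel.pid                 ; relative to the chroot
client = no                           ; act as an SSL server

[https]
accept  = 0.0.0.0:443                 ; public SSL listener
connect = 127.0.0.1:8080              ; haproxy, plain HTTP, loopback only

# --- /etc/haproxy/haproxy.cfg (assumed path) ---
global
    daemon
    maxconn 4096

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP from stunnel. Bound to loopback so the decrypted traffic
# cannot be reached from the network, only from stunnel on this host.
frontend https_in
    bind 127.0.0.1:8080
    default_backend webservers

# Plain HTTP to the load-balanced servers (constructed addresses).
backend webservers
    balance roundrobin
    option httpchk GET /
    server web1 192.0.2.11:80 check
    server web2 192.0.2.12:80 check
```

With this layout haproxy sees every connection arriving from 127.0.0.1, so `option forwardfor` on its own would only forward the stunnel address, not the real client address, to the servers.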

This archive was generated by hypermail 2.2.0 : 2007/11/04 19:21 CET