Re: Obtaining the client address for SSL connections

From: Willy Tarreau <w#1wt.eu>
Date: Tue, 9 Oct 2007 07:07:02 +0200


On Mon, Oct 08, 2007 at 05:24:55PM -0700, Brian Staszewski wrote:
> I'm evaluating HAProxy as a replacement for our current load balancer.
> So far it has done everything I need it to do and setup was quite easy.
>
> Just one problem though:
>
> With http connections I was able to use the forwardfor option to keep my
> apache logs useful, but this doesn't work for SSL connections and Apache
> sees the connection as originating from the load balancer. Any ideas?

Yes, check the architecture manual; there is an example involving the use of stunnel. I also put a patch on the haproxy page so that stunnel adds an X-Forwarded-For header to the HTTP request with the IP address of the client. The advantage is that your Apache will only have to manage HTTP and that the SSL part will be processed by the front stunnel.

Regards,
Willy

Received on 2007/10/09 07:07
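
Added example, not part of the original message and not code from HAProxy or stunnel: with stunnel in front of HAProxy, the web server can receive several X-Forwarded-For entries, and a client can send a forged one of its own, so the address worth logging is the first entry, counted back from the server, that is not one of your own proxies. The proxy addresses, the function names and the sample header values are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addresses (assumptions): stunnel and HAProxy share a host, so
# HAProxy sees stunnel on loopback; the web server sees HAProxy at 10.0.0.5.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.5/32")]


def is_trusted(addr):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(peer, xff_headers):
    """Return the address to log for one request.

    peer        -- source IP of the TCP connection as seen by the web server
    xff_headers -- every X-Forwarded-For header value, in the order received
    """
    # A connection that bypasses the proxies gets no credit for any header
    # it sends: log the socket address.
    if not is_trusted(peer):
        return peer
    # A proxy may extend the existing header or add another header line, so
    # flatten all lines into one ordered hop list.
    hops = [h.strip() for line in xff_headers for h in line.split(",") if h.strip()]
    # Walk back from the hop nearest the server. The first entry that is not
    # one of our proxies was recorded by a proxy we trust: that is the client.
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer  # malformed entry: fall back to the socket address
    return peer


if __name__ == "__main__":
    # Constructed request: the client forged one entry, stunnel recorded the
    # real source, HAProxy then recorded stunnel's loopback address.
    print(client_address("10.0.0.5", ["198.51.100.9, 203.0.113.7", "127.0.0.1"]))
```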

This archive was generated by hypermail 2.2.0 : 2007/11/04 19:21 CET