Re: Forwarding SSL connections - forwardfor information is missing

From: Willy Tarreau <w#1wt.eu>
Date: Tue, 30 Oct 2007 23:03:34 +0100


Hello Jan,

On Fri, Oct 26, 2007 at 01:32:05PM +0200, Jan Miczaika wrote:
> Hello,
>
> we would like to load balance our https connections as well, using
> haproxy. The connections end up on a number of pound servers. They
> decrypt the SSL traffic and send it on to the apaches.
>
> We are able to forward the https connections using tcp mode, however we
> lose the "forwardfor" information. This is very important for us on
> https connections, as these are purchases and we need to save the IP
> address for fraud detection and prevention.

Yes, it's a very common problem.

> Forwarding the https connections using http mode does not work, obviously.
>
> What we would really like to do is:
>
> listen sslourpage.de:443 213.xxx.xxx.xxx147:443
> mode tcp
> -> forwardfor
> option ssl-hello-chk
> balance roundrobin
> server www1 192.168.xxx.xxx:443 maxconn 500 check
> server www2 192.168.xxx.xxx:443 maxconn 500 check
> server www3 192.168.xxx.xxx:443 maxconn 500 check
> server www4 192.168.xxx.xxx:443 maxconn 500 check
>
> As far as I know this option is not supported? The alternative would be
> to not use haproxy and set up a LVS cluster, with requests coming in to
> pound. But haproxy is so much easier and simpler. I would love to see a
> solution. Currently we are using haproxy 1.2.16.

It's not a matter of "option not supported", but a conceptual problem. What you're trying to do is configure a TCP proxy which is installed in the middle of an SSL connection so that it will insert data inside the protected and ciphered stream.

The only way to achieve this is to terminate the SSL connection on your load balancer, and make the SSL proxy add the header itself. Since haproxy does not yet support SSL, you have to do that outside of it. I think you can do this with Pound, I know you can do it with apache, but I'm only used to doing this with stunnel (for which I have a patch on my site). In all cases, the principle is the same: you install your server's certificates on the SSL end on your load balancer (pound/stunnel/apache), and that one transforms HTTPS into HTTP sent to haproxy working in HTTP mode. It also adds the X-Forwarded-For header, so after that you're fine.

Take a look at the architecture manual, there are examples of such a setup.

Regards,
Willy

Received on 2007/10/30 23:03
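The setup Willy describes, written out as an added example (not part of the original thread, and not configuration from the haproxy or stunnel projects). It uses the 1.2-era "listen" syntax since the question mentions haproxy 1.2.16. All addresses are assumed: the load balancer is 203.0.113.10, the SSL terminator hands decrypted traffic to haproxy on 127.0.0.1:8443, and the Apache servers are 192.168.1.1 to 192.168.1.4. The SSL side is not shown; with Willy's stunnel patch it is, as far as I recall, a service section for :443 with `xforwardedfor = yes` (check the patch's README for the exact option name), and Pound adds X-Forwarded-For on its own.

```haproxy
# /etc/haproxy/haproxy.cfg -- assumed layout, not the poster's configuration.
#
#   client --HTTPS--> stunnel/pound on 203.0.113.10:443
#            (terminates SSL, appends X-Forwarded-For: <client ip>)
#          --HTTP---> haproxy on 127.0.0.1:8443 (mode http)
#          --HTTP---> apache on 192.168.1.x:80
#
global
    daemon
    maxconn 4096

defaults
    mode        http
    option      httplog
    option      httpclose       # one request per connection, so each request gets a header
    retries     3
    contimeout  5000
    clitimeout  50000
    srvtimeout  50000

# Plain HTTP: haproxy sees the real client address, so it inserts the header itself.
listen http-in 203.0.113.10:80
    option  forwardfor
    balance roundrobin
    server  www1 192.168.1.1:80 maxconn 500 check
    server  www2 192.168.1.2:80 maxconn 500 check
    server  www3 192.168.1.3:80 maxconn 500 check
    server  www4 192.168.1.4:80 maxconn 500 check

# Decrypted HTTPS from the SSL terminator. The terminator already appended
# X-Forwarded-For with the client address; do NOT set "option forwardfor" here,
# or haproxy would append a second header whose value is 127.0.0.1.
listen https-in 127.0.0.1:8443
    balance roundrobin
    server  www1 192.168.1.1:80 maxconn 500 check
    server  www2 192.168.1.2:80 maxconn 500 check
    server  www3 192.168.1.3:80 maxconn 500 check
    server  www4 192.168.1.4:80 maxconn 500 check
```

Two things to check once this is in place, given that the address is used for fraud detection: a client can itself send an X-Forwarded-For header inside the SSL session, and the terminator appends the real address after it, so the application must read the last entry of the header rather than the first; and the Apache servers must accept port 80 only from the load balancer, otherwise anyone who can reach them directly can supply any header they like.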
