Hi guys,
On Mon, Nov 12, 2007 at 06:50:31PM +0100, Kevin Maziere - Amen wrote:
> Hi Rob,
>
> I'm new in Haproxy too, I mean I used it since several weeks for http
> and imap proxy. For imap I used tcp mode on port 143, this work fine
>
> listen imap 10.1.1.143:143
> maxconn 500
> mode tcp
> balance roundrobin
> server _1_ 10.1.1.144:143 c1 check inter 5000 fall 4 rise 1
> server _2_ 10.1.1.145:143 c2 check inter 5000 fall 4 rise 1
> stats enable
>
> But I also need to be able to forward the source address, but due to the
> way it works, I don't imagine that haproxy can send it on a non layer7
> protocol, but as I said, I'm new in haproxy
It is possible if you patch your linux kernel with the CTTPROXY patch (from www.balabit.com). Then you build haproxy to use it and you add "source x.x.x.x usesrc clientip" to your configuration. It will then automatically create outgoing NAT entries making it look like haproxy connects to the server using the client's IP address. For this, the server must route through haproxy so that the packets are translated again in the other direction.
We do this on our appliances, and if we put aside the performance drop of about 30%, it works fine.
> I need the source IP on SSL too, but is there a way to do that without
> an ssl reverse-proxy, after reading docs on haproxy website, and on ssl
> protocol itself, not sure it is possible
If you need it for HTTPS, then simply install stunnel and apply the x-forwarded-for patch from my site. Stunnel will then append a header after the last request header, inserting the client's IP address there. The server will then be able to use it as it would with haproxy's x-forwarded-for. This is by far the easiest method today, and it offloads the server and brings you to the world of L7 mangling and persistence on HTTPS, which is quite appreciable ;-)
Regards,
Willy
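An added example, not part of this thread or of haproxy/stunnel: how a backend should consume the X-Forwarded-For header that the patched stunnel (or haproxy) appends, honouring it only when the TCP peer is the proxy and taking the last appended value, since a client can send its own header ahead of the proxy's. The proxy address 10.1.1.143 and the request bytes are assumptions made up for the example.

```python
import ipaddress
from typing import Iterable

# Assumed address of the stunnel/haproxy box that appends X-Forwarded-For
# (constructed for this example; adjust to your own proxy).
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.143/32")]


def client_ip(peer: str, xff_headers: Iterable[str]) -> str:
    """Return the address to log or rate-limit as 'the client'.

    peer        -- address of the TCP peer that connected to the backend
    xff_headers -- every X-Forwarded-For header value, in wire order

    The header is only honoured when the peer is a trusted proxy. Because the
    proxy appends its header after anything the client sent, the trustworthy
    value is the right-most address of the LAST header.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not any(peer_addr in net for net in TRUSTED_PROXIES):
        return peer  # direct client: whatever it put in X-Forwarded-For is untrusted
    values = list(xff_headers)
    if not values:
        return peer  # proxy did not add the header (e.g. unpatched stunnel)
    candidate = values[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # malformed value from our own proxy: fall back to the peer


def parse_request(raw: bytes) -> tuple[str, list[str]]:
    """Split a raw HTTP request head into (request line, X-Forwarded-For values)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    xff = [line.split(":", 1)[1].strip()
           for line in lines[1:]
           if line.lower().startswith("x-forwarded-for:")]
    return lines[0], xff


# Constructed request: the client sent its own X-Forwarded-For, then the
# proxy appended the real one after the last request header.
SAMPLE_REQUEST = (b"GET / HTTP/1.0\r\nHost: mail.example\r\n"
                  b"X-Forwarded-For: 1.2.3.4\r\n"
                  b"X-Forwarded-For: 203.0.113.9\r\n\r\n")

if __name__ == "__main__":
    _, headers = parse_request(SAMPLE_REQUEST)
    print(client_ip("10.1.1.143", headers))   # from the proxy: 203.0.113.9
    print(client_ip("198.51.100.7", headers))  # direct connection: 198.51.100.7
```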
Received on 2007/11/12 20:47