Re: HAProxy and pop and smtp?

From: Kevin Maziere - Amen <kevin.maziere#amen.fr>
Date: Tue, 13 Nov 2007 10:21:09 +0100


Hi,

Thanks for all this information, I will try that as soon as possible :)

Kevin

Willy Tarreau wrote:
> Hi guys,
>
> On Mon, Nov 12, 2007 at 06:50:31PM +0100, Kevin Maziere - Amen wrote:
>
>> Hi Rob,
>>
>> I'm new to HAProxy too, I mean I have used it for several weeks for http
>> and imap proxy. For imap I used tcp mode on port 143, this works fine
>>
>> listen imap 10.1.1.143:143
>>     maxconn 500
>>     mode tcp
>>     balance roundrobin
>>     server _1_ 10.1.1.144:143 c1 check inter 5000 fall 4 rise 1
>>     server _2_ 10.1.1.145:143 c2 check inter 5000 fall 4 rise 1
>>     stats enable
>>
>> But I also need to be able to forward the source address, but due to the
>> way it works, I don't imagine that haproxy can send it on a non layer7
>> protocol, but as I said, I'm new to haproxy
>>
>
> It is possible if you patch your linux kernel with the CTTPROXY patch
> (from www.balabit.com). Then you build haproxy to use it and you add
> "source x.x.x.x usesrc clientip" to your configuration. It will then
> automatically create outgoing NAT entries making it look like haproxy
> connects to the server using the client's IP address. For this, the
> server must route through haproxy so that the packets are translated
> again in the other direction.
>
> We do this on our appliances, and if we put aside the performance drop
> of about 30%, it works fine.
>
>
>> I need the source IP on SSL too, but is there a way to do that without
>> an ssl reverse-proxy, after reading docs on haproxy website, and on ssl
>> protocol itself, not sure it is possible
>>
>
> If you need it for HTTPS, then simply install stunnel and apply the
> x-forwarded-for patch from my site. Stunnel will then append a header
> after the last request header, inserting the client's IP address there.
> The server will then be able to use it as it would with haproxy's
> x-forwarded-for. This is by far the easiest method today, and it
> offloads the server and brings you to the world of L7 mangling and
> persistence on HTTPS, which is quite appreciable ;-)
>
> Regards,
> Willy
>
>
>
Received on 2007/11/13 10:21
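
Added example, not part of the original thread and not code from haproxy or the stunnel patch: one way a backend could consume the header described in the reply above. It assumes the header is named X-Forwarded-For and that the proxy reaches the servers from 10.1.1.143 (the listen address in the quoted configuration, used here as a stand-in); `client_ip`, `TRUSTED_PROXIES` and the sample request are hypothetical names and constructed data.

```python
import ipaddress

# Assumption: source address of the stunnel/haproxy front end as seen by the server.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.143")}
HEADER = b"x-forwarded-for"

# Constructed sample: the client sent its own header, the proxy appended the last one.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"X-Forwarded-For: 127.0.0.1\r\n"
          b"X-Forwarded-For: 192.0.2.55\r\n\r\n")


def client_ip(peer_addr, raw_headers):
    """Return the address to log or authorize for one HTTP request.

    peer_addr   -- source address of the TCP connection as the server sees it
    raw_headers -- request line plus header lines, as bytes
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        # Direct connection: any X-Forwarded-For here was written by the client.
        return str(peer)

    forwarded = []
    for line in raw_headers.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == HEADER:
            forwarded.append(value.decode("latin-1").strip())

    if not forwarded:
        return str(peer)
    # The proxy appends its header after the last request header, so only the
    # final occurrence (and its final comma-separated element) is the proxy's.
    candidate = forwarded[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # malformed value: fall back to the socket address
```

The header is only as trustworthy as the network path: servers that accept it should be reachable solely through the proxy.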
