Do I need more than HAProxy for SSL webserver

From: Tom Potwin <>
Date: Wed, 10 Jun 2009 08:24:04 -0400

After going through these archives, I'm still not clear on whether I need something more than HAProxy to add SSL to my backend servers. Right now I have HAProxy running on a virtual node (LB1) in front of another virtual node with the web server (WEB1). This is all behind a firewall/router that's routing one of my public IPs to the shared local address. I need to add at least three SSL certificates to three sites on my web server. Here is my current cfg setup:

global
        log   local0
        log   local1 notice
        maxconn 4096
        user haproxy
        group haproxy
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        maxconn 2000
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000
listen webfarm,
       mode http
       stats enable
       stats auth netadmin:5bgr+bdd1WbA
       balance roundrobin
       cookie JSESSIONID prefix
       option forceclose
       option httpclose
       option forwardfor
       option httpchk HEAD /check.txt HTTP/1.0     
       server web1 cookie w01 check inter 2000 rise 2 fall
       server web2 cookie w02 check inter 2000 rise 2 fall
       option persist
       contimeout 5000
       rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address

I've read that all I need is to change mode http to mode tcp, balance roundrobin to balance source, and option httpchk to option ssl-hello-chk, and all should work. Then I also read that HAProxy can't do SSL so you have to install something like stunnel to get it to work. I'm trying to keep things as simple as I can, so what is the correct way for me to handle this?

Received on 2009/06/10 14:24
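
The tcp-mode change described in the message, written out as a separate listen section next to the existing HTTP one. This is an added example, not part of the original post; the section name webfarm_ssl, port 443 and the 192.0.2.x server addresses are placeholders chosen for illustration.

```haproxy
# Added example: TLS passthrough. HAProxy relays the encrypted bytes
# unchanged, so the certificates and private keys stay on the web servers.
listen webfarm_ssl
       bind :443                  # placeholder listening port
       mode tcp                   # overrides "mode http" from defaults
       option tcplog              # overrides "option httplog" from defaults
       balance source             # hash of client IP keeps a client on one server
       option ssl-hello-chk       # health check: send an SSL hello, expect a server hello
       server web1 192.0.2.11:443 check inter 2000   # placeholder address
       server web2 192.0.2.12:443 check inter 2000   # placeholder address

       # Directives from the HTTP section that do not apply here, because
       # in tcp mode HAProxy never sees the decrypted HTTP request/response:
       #   cookie JSESSIONID prefix   (no cookie persistence; balance source replaces it)
       #   option forwardfor          (no X-Forwarded-For header can be inserted)
       #   option httpchk ...         (replaced by option ssl-hello-chk)
       #   option httpclose / forceclose
       #   rspidel ^Set-cookie:\ IP=  (response headers cannot be filtered)
```

With this layout the web servers see the load balancer's address as the client for every connection, and the `rspidel` protection against leaking the internal IP no longer applies to HTTPS responses, so any such filtering has to be done on the web servers themselves.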
