RE: Do I need more than HAProxy for SSL webserver

From: Tom Potwin <>
Date: Wed, 10 Jun 2009 11:26:19 -0400

Thanks for that advice.
Does anyone know where there are any how-to's for setting up something like this? The architecture.txt file doesn't go into much detail.

-----Original Message-----
From: Bryan []
Sent: Wednesday, June 10, 2009 9:38 AM
Subject: Re: Do I need more than HAProxy for SSL webserver

Hi Tom,

Yes, you will need something to terminate the HTTPS requests before they get sent to HAProxy, because HAProxy is currently not able to handle such requests. I think it is a common practice to install the HTTPS termination software and HAProxy on the same box. Stunnel, Apache + mod_ssl, and nginx are all popular software that can be used for this task. As a personal preference I would recommend the last two, as I find stunnel a little cumbersome when dealing with multiple certificates.

For more information:

Hope this helps,

On Wed, Jun 10, 2009 at 8:24 AM, Tom Potwin<> wrote:
> After going through these archives, I'm still not clear on if I need
> something more than HAProxy to add SSL to my backend servers. Right
> now I have HAProxy running on a virtual node (LB1) in front of another
> virtual node with the web server (WEB1). This is all behind a
> firewall/router that's routing one of my public IP's to the shared
> local address. I need to add at least three SSL certificates to three
> sites on my web server. Here is my current cfg setup:
> global
>        log   local0
>        log   local1 notice
>        maxconn 4096
>        user haproxy
>        group haproxy
> defaults
>        log     global
>        mode    http
>        option  httplog
>        option  dontlognull
>        retries 3
>        redispatch
>        maxconn 2000
>        contimeout      5000
>        clitimeout      50000
>        srvtimeout      50000
> listen webfarm,
>       mode http
>       stats enable
>       stats auth netadmin:5bgr+bdd1WbA
>       balance roundrobin
>       cookie JSESSIONID prefix
>       option forceclose
>       option httpclose
>       option forwardfor
>       option httpchk HEAD /check.txt HTTP/1.0
>       server web1 cookie w01 check inter 2000 rise 2
> fall
> 2
>       server web2 cookie w02 check inter 2000 rise 2
> fall
> 2
>       option persist
>       redispatch
>       contimeout 5000
>       rspidel ^Set-cookie:\ IP= # do not let this cookie tell our
> internal IP address
> I've read that all I need is to change mode http to mode tcp, balance
> roundrobin to balance source, and option httpchk to option
> ssl-hello-chk, and all should work. Then I also read that HAProxy
> can't do SSL so you have to install something like stunnel to get it
> to work. I'm trying to keep things as simple as I can, so what is the
correct way for me to handle this?
Received on 2009/06/10 17:26

This archive was generated by hypermail 2.2.0 : 2009/06/10 17:45 CEST