HAProxy Stunnel end-to-end SSL

From: Clark, Ryan <Ryan.Clark#XEROX.COM>
Date: Wed, 20 Oct 2010 13:45:24 -0400


I'm trying to use haproxy to load balance and content switch for 3 separate farms. The servers in the farms themselves have SSL certs on them. I'm using haproxy and stunnel to decrypt the https requests so haproxy knows where to forward the traffic. E.g. https://site/test1 forwards to test1farm, https://site/test2 forwards to test2farm, etc.

I'm running into a problem because the backend servers have certificates and are also using https. If I set them to run on port 80 it works fine, but I cannot do that based on the way the application is written.

Is it possible to use haproxy and stunnel with content switching using end-to-end SSL?  

Here is my haproxy config:  

global
    log 127.0.0.1 local0
    maxconn 4096
    uid 99
    gid 99
    daemon

defaults
    mode http
    log global
    option tcplog
    option httpclose
    retries 3
    maxconn 2000
    contimeout 50000
    clitimeout 500000
    srvtimeout 500000

# plaintext HTTP arrives here from stunnel (10.0.5.161:443 -> :80)
frontend LB1 *:80
    option forwardfor except 10.0.5.161
    # content switching on the request URL
    acl XSM-acl url_sub -i XeroxServicesManager
    acl XSP-acl url_sub -i XSP
    use_backend XSM if XSM-acl
    use_backend XSP if XSP-acl
    default_backend MPSAPI

# backend servers listen on 443 (HTTPS)
backend XSM
    stats enable
    stats auth admin:password10
    balance roundrobin
    server ROCPRDXSM1 10.0.5.155:443 check
    server ROCPRDXSM2 10.0.5.156:443 check

backend XSP
    stats enable
    stats auth admin:password10
    balance roundrobin
    server ROCPRDXSP1 10.0.5.19:443 check
    server ROCPRDXSP2 10.0.5.91:443 check

backend MPSAPI
    stats enable
    stats auth admin:password10
    balance roundrobin
    server ROCPRDXDMC 10.0.5.158:443 check
    server ROCPRDCMPS 10.0.5.185:443 check

Here is my stunnel config:

cert = /etc/certs/OFFICEB2.pem
;setuid = nobody
;setgid = nogroup

pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; terminate client HTTPS and hand plaintext to the haproxy frontend on :80
[https]
accept = 10.0.5.161:443
connect = 10.0.5.161:80
TIMEOUTclose = 0
xforwardedfor = yes

Received on 2010/10/20 19:45

This archive was generated by hypermail 2.2.0 : 2010/10/20 20:00 CEST
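One way to get end-to-end SSL with stunnel in front of an haproxy that has no SSL support of its own, as an added example that is not part of this thread: keep the existing stunnel server section for inbound traffic and add one client-mode stunnel section per backend server, so haproxy speaks plaintext to loopback ports and stunnel re-encrypts towards the real servers. The loopback ports 8441-8446 and the CA file path are assumptions; the backend addresses are the ones from the haproxy config above.

```ini
cert = /etc/certs/OFFICEB2.pem
pid = /etc/stunnel/stunnel.pid
; CA that issued the backend server certificates (assumed path)
CAfile = /etc/certs/backend-ca.pem

; server side: terminate client HTTPS, hand plaintext to haproxy on :80
[https]
accept = 10.0.5.161:443
connect = 10.0.5.161:80
TIMEOUTclose = 0
xforwardedfor = yes

; client side: one tunnel per backend server so haproxy still balances and
; checks each server individually. verify = 2 makes stunnel reject a backend
; whose certificate does not chain to CAfile (stunnel verifies nothing by default).
[xsm1]
client = yes
accept = 127.0.0.1:8441
connect = 10.0.5.155:443
verify = 2

[xsm2]
client = yes
accept = 127.0.0.1:8442
connect = 10.0.5.156:443
verify = 2

[xsp1]
client = yes
accept = 127.0.0.1:8443
connect = 10.0.5.19:443
verify = 2

[xsp2]
client = yes
accept = 127.0.0.1:8444
connect = 10.0.5.91:443
verify = 2

[mps1]
client = yes
accept = 127.0.0.1:8445
connect = 10.0.5.158:443
verify = 2

[mps2]
client = yes
accept = 127.0.0.1:8446
connect = 10.0.5.185:443
verify = 2
```

In haproxy, point each server line at its loopback tunnel (for instance `server ROCPRDXSM1 127.0.0.1:8441 check`) and add `option httpchk` to each backend, because a plain TCP check would only prove that stunnel is listening, not that the real server behind the tunnel is up.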