Re: HAProxy Stunnel end-to-end SSL

From: Kyle Brandt <kyle#stackoverflow.com>
Date: Wed, 20 Oct 2010 16:29:56 -0400


One option that I am using is to pass the SSL traffic to your SSL processor and then pass it back to haproxy. This way haproxy sees the decrypted traffic in this second front-end and you can use HTTP layer ACL rules against the traffic.

A very handy feature, if 443 traffic is on the front-end and the SSL processor sends the traffic back to haproxy like this, would be to have HAProxy magically associate these connections and then add the x-forward-for header so you don't lose the client IP. Not sure of how that might be accomplished though...

-Kyle

On Wed, Oct 20, 2010 at 4:21 PM, Clark, Ryan <Ryan.Clark#xerox.com> wrote:

> I guess ACLs don’t work in TCP mode… It doesn’t work after all. Any others
> get ACLs to work in TCP mode?
>
>
>
> *From:* Mike Hoffs [mailto:m.hoffs#mijn-sleutel.com]
> *Sent:* Wednesday, October 20, 2010 2:11 PM
> *To:* Clark, Ryan
> *Subject:* RE: HAProxy Stunnel end-to-end SSL
>
>
>
> Hi Ryan,
>
>
>
> Note, off the mailing list: in the last few days there was someone with a similar
> situation:
>
> http://www.formilux.org/archives/haproxy/1010/3922.html
>
> http://www.formilux.org/archives/haproxy/1010/date.html
>
>
>
> Kind regards,
>
>
>
> ----
>
> Mike Hoffs
>
>
>
> Mijn-Sleutel
>
> Peperstraat 33
>
> 6678 AL Oosterhout
>
> Tel: +31 (0)24 8200208 during office hours (09:00 - 17:00)
>
> Mail: m.hoffs#mijn-sleutel.com
>
> Website: http://www.mijn-sleutel.com
>
>
>
> *From:* Clark, Ryan [mailto:Ryan.Clark#xerox.com]
> *Sent:* Wednesday, October 20, 2010 20:00
> *To:* Mike Hoffs; haproxy#formilux.org
> *Subject:* RE: HAProxy Stunnel end-to-end SSL
>
>
>
> Yes I have, even with the *option ssl-hello-chk* enabled.
>
>
>
> *From:* Mike Hoffs [mailto:m.hoffs#mijn-sleutel.com]
> *Sent:* Wednesday, October 20, 2010 1:56 PM
> *To:* Clark, Ryan; haproxy#formilux.org
> *Subject:* RE: HAProxy Stunnel end-to-end SSL
>
>
>
> Have you tried mode tcp?
>
>
>
>
>
> Kind regards,
>
>
>
> ----
>
> Mike Hoffs
>
>
>
Received on 2010/10/20 22:29
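
The loop described in the reply above (443 into haproxy in TCP mode, out to the SSL processor, then back into a second HTTP-mode front-end), as an added configuration sketch that is not taken from the thread or from any poster's setup. All section names, ports, addresses and the certificate path are assumptions chosen for illustration.

```haproxy
# Added illustration; names, ports and addresses are assumptions.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Public listener. The payload is still encrypted here, so only
#    layer-4 decisions are possible; HTTP ACLs cannot match.
frontend ft_ssl_in
    bind :443
    mode tcp
    default_backend bk_stunnel

backend bk_stunnel
    mode tcp
    server stunnel1 127.0.0.1:8443 check

# 2) stunnel runs as a separate process with its own config file and
#    hands the decrypted stream back to haproxy, for example:
#      [https]
#      accept  = 127.0.0.1:8443
#      connect = 127.0.0.1:8080
#      cert    = /etc/stunnel/site.pem    ; placeholder path

# 3) Second front-end. Traffic arrives as plain HTTP from stunnel, so
#    HTTP-layer ACLs apply. Bound to loopback only, because this
#    listener carries decrypted traffic. The peer address seen here is
#    stunnel's (127.0.0.1), not the client's, which is the lost
#    client IP mentioned in the reply.
frontend ft_http_decrypted
    bind 127.0.0.1:8080
    mode http
    acl is_admin path_beg /admin
    use_backend bk_admin if is_admin
    default_backend bk_app

backend bk_app
    mode http
    server app1 192.0.2.10:80 check    # documentation address

backend bk_admin
    mode http
    server adm1 192.0.2.20:80 check    # documentation address
```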

This archive was generated by hypermail 2.2.0 : 2010/10/20 22:45 CEST