Re: https from source to destination

From: James Bardin <jbardin#bu.edu>
Date: Wed, 13 Jul 2011 17:16:08 -0400


On Wed, Jul 13, 2011 at 5:04 PM, Christopher Ravnborg <christopher.ravnborg#gmail.com> wrote:
> Hi
> I'm looking for a solution which can do the following:
> Client needs to connect to https webserver via haproxy. Encryption all the
> way.

You can't read the https stream, because it's encrypted.

> Log on webserver needs to contain client ip, this can be done, at least on
> http with forwardfor, that works fine.
> I have set up haproxy and read about stunnel with a patch to do https to
> haproxy. If I understand it right, stunnel will then decrypt/unwrap the
> stream, and pass it on to the server.
> If this is the case - does it send the non-https traffic to the https server
> - and will this be possible at all or am I misunderstanding this totally?

No. You terminate the ssl at the load-balancer, and send the http to the backend. You need to configure the backend servers to accept and trust the http traffic from the LB.

If you *need* https the whole way, then you can only load-balance at a lower level, i.e. in haproxy you use 'mode tcp'.

Received on 2011/07/13 23:16
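The two setups described in the reply, side by side, as an added example that is not part of the original message. Server names, ports and the 192.0.2.x addresses are constructed placeholders, and the first section assumes something such as stunnel on the load balancer has already decrypted the traffic and hands plain HTTP to haproxy on 127.0.0.1:8080.

```haproxy
# Constructed example; names, ports and addresses are placeholders.
defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Setup 1: SSL is terminated on the load balancer (assumed: stunnel in
# front, forwarding decrypted HTTP to 127.0.0.1:8080). haproxy sees HTTP,
# so it can add X-Forwarded-For. The LB-to-backend hop is NOT encrypted,
# and the backends must trust HTTP arriving from the LB.
listen web_http
    bind 127.0.0.1:8080
    mode http
    option httplog
    option forwardfor
    balance roundrobin
    server web1 192.0.2.11:80 check
    server web2 192.0.2.12:80 check

# Setup 2: https the whole way. haproxy only relays the encrypted TCP
# stream, so the backends hold the certificate and do the SSL handshake.
# haproxy never sees the HTTP headers, so "option forwardfor" cannot be
# used here and the webserver log shows the haproxy address as the client.
listen web_https_passthrough
    bind :443
    mode tcp
    option tcplog
    # same client address is sent to the same backend server
    balance source
    server web1 192.0.2.11:443 check
    server web2 192.0.2.12:443 check
```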
