Setup HAProxy for SSL traffic

From: Wolf Siedler <siedler#hrd-asia.com>
Date: Tue, 28 Oct 2008 10:35:04 +0700


Hi!

I am new to HAProxy and looking for configuration advice.

I have a webserver which is offering SSL-encrypted access only and would like to install HAProxy between client and the Apache webserver. The server is running Red Hat Enterprise Linux 5 with Apache 2.2.3 (from RH repository). HAProxy was installed from rpm and is at version 1.3.14.6.

The server is running three applications:

1. CRM (https://admin.example.com/crm/)
2. Webmail (https://admin.example.com/webmail/)
3. CalDAV server, Scalable Open Groupware.org/SOGo
(https://admin.example.com/SOGo/)

I am trying to achieve a "split" of the incoming traffic: Every request for webmail and CRM application should go to the default Apache host at port 443.
Every request should be distributed between three Apache virtual hosts at ports 50000, 50001 and 50002.

From reading the manual, it seems to me as if I could achieve this split by using ACLs. Currently, my haproxy.cnf draft looks like this:

===begin draft===
global
  daemon

  maxconn       4096      # total max connections (dependent on ulimit)
  nbproc        4         # number of processing cores

defaults
  mode              http
  clitimeout        60000       # maximum inactivity time on the client side
  srvtimeout        30000       # maximum inactivity time on the server side
  timeout connect   4000        # maximum time to wait for a connection attempt to a server to succeed

  option httpclose # disable keepalive (HAProxy does not yet support the HTTP keep-alive mode)
  option httpchk # enable HTTP protocol to check on servers health
  option forwardfor # enable insert of X-Forwarded-For headers

  balance roundrobin # each server is used in turns, according to assigned weight

  stats enable                  # enable web-stats at /haproxy?stats
  stats refresh     5s		# refresh rate of stats page

backend standard
  server standard 127.0.0.1:443 weight 1 check inter 20000

backend sogo_hosts
  server sogo1 127.0.0.1:50000 weight 1 minconn 3 maxconn 6 check inter 20000
  server sogo2 127.0.0.1:50001 weight 1 minconn 3 maxconn 6 check inter 20000
  server sogo3 127.0.0.1:50002 weight 1 minconn 3 maxconn 6 check inter 20000

frontend gonzo_proxy *:443
  acl sogo path_dir SOGo .woa
  use_backend sogo_hosts if sogo
  default_backend standard
===end draft===

Will this work in the way described above?

Admittedly, I am a bit confused on handling of SSL traffic by HAProxy. My intention is to have Apache handle all SSL encryption related matters and let HAProxy "only" distribute traffic.

Needless to say, I would appreciate any advice!

Regards,
Wolf

Received on 2008/10/28 04:35
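
Added example, not part of the original post and not HAProxy's own code: a simplified Python model of the draft's frontend rule, showing what a path-based ACL has to work with when the first bytes on the listener are a plaintext HTTP request versus a still-encrypted TLS handshake. The function names, the simplified `path_dir` matching and the sample bytes are assumptions constructed for illustration.

```python
# Simplified model of the draft's frontend rule (illustration only, not HAProxy code):
#   acl sogo path_dir SOGo .woa
#   use_backend sogo_hosts if sogo
#   default_backend standard
SOGO_PATTERNS = ("SOGo", ".woa")  # patterns taken from the draft ACL

def classify(first_bytes: bytes) -> str:
    """Return 'tls' for an SSLv3/TLS handshake record, 'http' for a request line."""
    # TLS record header: content type 0x16 (handshake), then major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    fields = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    if len(fields) == 3 and fields[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"

def request_path(first_bytes: bytes) -> str:
    """Extract the path (query string removed) from a plaintext HTTP request line."""
    target = first_bytes.split(b"\r\n", 1)[0].split(b" ")[1].decode("ascii")
    return target.split("?", 1)[0]

def path_dir(path: str, patterns) -> bool:
    """Assumed simplification of path_dir: a slash-delimited component equals a pattern."""
    return any(part in patterns for part in path.split("/") if part)

def choose_backend(first_bytes: bytes) -> str:
    """Backend the modelled rule selects, or 'no-http-request' if no path is visible."""
    if classify(first_bytes) != "http":
        return "no-http-request"  # nothing for a path ACL to inspect
    if path_dir(request_path(first_bytes), SOGO_PATTERNS):
        return "sogo_hosts"
    return "standard"

# Constructed sample inputs (not captured traffic).
PLAIN_SOGO = b"GET /SOGo/so/user/Calendar HTTP/1.1\r\nHost: admin.example.com\r\n\r\n"
PLAIN_CRM = b"GET /crm/index.php?next=/SOGo/ HTTP/1.1\r\nHost: admin.example.com\r\n\r\n"
TLS_HELLO = bytes.fromhex("16030100310100002d0301")  # start of a ClientHello record

if __name__ == "__main__":
    for name, sample in (("sogo", PLAIN_SOGO), ("crm", PLAIN_CRM), ("tls", TLS_HELLO)):
        print(name, classify(sample), choose_backend(sample))
```
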
