Re: HTTP and HTTPS simultaneously to the same server

From: Julien Vehent <julien#linuxwall.info>
Date: Tue, 16 Dec 2008 09:49:27 +0100

Well, what you are trying to do here is to modify a ciphered data payload with
a component that doesn't have any knowledge of the ciphering key or algorithm...

HAProxy doesn't decode the SSL payload; your connection is thereby only understandable by your client's browser and the web server that initiated the SSL connection.

As Patrick said, one solution could be to set up a reverse SSL proxy in front
of the HAProxy. You could then decode the SSL before it goes through the load
balancing engine, and use the HTTP capabilities of HAProxy.

Regards,
Julien

On Monday 15 December 2008 21:07:11 you wrote:
> use stunnel or nginx in front of haproxy to do the https part.
> otherwise haproxy cannot do anything
>
> Patrick
>
> 2008/12/15 "André Gustavo N. Lopes" <andre#ondacorp.com.br>:
> > hello list,
> >
> >
> > I'm using ha-proxy in recent weeks to balance the traffic of 2
> > webservers (IIS 6).
> >
> > The web application published in those webservers runs over http and
> > https, and the client connection must be forwarded to the same
> > webserver even when the proto is changed (http->https). But when I use
> > http mode
> >
> > (just like the documentation):
> >> Examples :
> >> ----------
> >>
> >> # make a same IP go to the same server whatever the service
> >>
> >> listen http_proxy
> >> bind :80,:443
> >> mode http
> >> balance source
> >> server web1 192.168.1.1
> >> server web2 192.168.1.2
> >
> > I get some problems. Using a similar configuration, with http mode, the
> > connections on port 80 are ok, but https connections (443) simply
> > don't work. Below is my configuration.
> >
> >> global
> >> log 127.0.0.1 local1 info
> >> daemon
> >> nopoll
> >> maxconn 32000
> >> nbproc 8
> >>
> >> listen http_proxy
> >> bind 200.195.194.208:80,200.195.194.208:443
> >> clitimeout 180000
> >> srvtimeout 180000
> >> contimeout 4000
> >> mode http
> >> balance source
> >> option forwardfor except 127.0.0.1/8
> >> option dontlognull
> >> server web1 200.200.200.201 check port 80
> >> server web2 200.200.200.202 check port 80
> >
> > So I had to change the mode to tcp. Then both protocols work, but the
> > option forwardfor only works in http mode. I need the x-forwarded-for
> > header because I have to create some statistics over the access of the
> > web application.
> >
> > I tried to create 2 listeners, one with http mode and listening on
> > port 80, and the other with tcp mode listening on port 443, but that
> > is probably wrong, because the listeners will probably handle distinct
> > source hashes.
> >
> > Is there some way to handle https connections with http mode? If not,
> > is there some way to configure two listeners to use the same source
> > hash?
> >
> > Is there some other alternative?
> >
> > Regards,
> >
> >
> > --
> > André Gustavo N. Lopes
> > Support Analyst
> > Tel: +55(41)3331-8293
> > Fax: +55(41)3331-8256
> >
> > Onda Empresas
> > www.ondaempresas.com.br
> > Hosting, E-mail, Broadband, IP Telephony, Data Center.
> >
> >
> > "This e-mail address is intended exclusively for professional use.
> > All content inserted in it is the sole responsibility of its sender
> > and does not necessarily reflect the official opinion or point of
> > view of Onda Provedor de Serviços S/A.
> >
> > The message, including its attachments, may contain legally
> > privileged and/or confidential information and may not be
> > retransmitted, archived, disclosed or copied without the express
> > authorization of the sender. If you have received this message by
> > mistake, please inform the sender and then delete it from your
> > computer."

-- 
www.linuxwall.info
Received on 2008/12/16 09:49

This archive was generated by hypermail 2.2.0 : 2008/12/16 09:45 CET
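The point made in this thread, shown as an added example that is not code from the thread, from HAProxy, stunnel or nginx: a proxy in http mode only sees the raw bytes of each connection. On port 80 those bytes are a request head it can parse and extend with X-Forwarded-For; on port 443 they are a TLS record that no component without the session keys can read, let alone rewrite. The example also covers the step that follows once an SSL terminator is placed in front: the proxy or web server behind it now sees the terminator's own address as the peer, so the client address for the access statistics has to come from X-Forwarded-For, and only when the peer really is the terminator, otherwise any client could forge the statistics by sending the header itself. The function names, the request bytes, the truncated ClientHello record and the IP addresses are all constructed for this example.

```python
"""Added example, not code from the thread or from HAProxy: what a proxy
running in http mode actually sees on port 80 versus port 443 when it does
not terminate SSL/TLS itself, and why 'option forwardfor' can only help
after termination. All sample bytes and addresses below are constructed."""
from typing import FrozenSet, Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed plaintext request, as seen on the port 80 listener.
PLAIN_REQUEST = (b"GET /app/default.aspx HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n")

# Constructed, truncated TLS 1.0 record carrying a ClientHello, as seen on
# the port 443 listener: content type 0x16, version 0x0301, record length,
# then handshake type 0x01.  Nothing in here is an HTTP request line.
TLS_CLIENT_HELLO = bytes.fromhex("160301002d01000029") + bytes(32)


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes of a connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def add_forwarded_for(data: bytes, client_ip: str) -> Optional[bytes]:
    """Mimic what 'option forwardfor' does: add an X-Forwarded-For line to a
    plaintext request head.  Returns None when the bytes are not an HTTP
    request, which is the situation of an SSL connection passed through a
    proxy that holds no key material: there is no header block to edit."""
    if classify_first_bytes(data) != "http":
        return None
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # incomplete request head, nothing to rewrite yet
    header = b"X-Forwarded-For: " + client_ip.encode("ascii")
    return head + b"\r\n" + header + sep + body


def client_ip_for_stats(data: bytes, peer_ip: str,
                        trusted_peers: FrozenSet[str]) -> str:
    """Pick the address to log once an SSL terminator sits in front.

    The terminator connects from its own address, so the proxy or web server
    behind it must take the client address from X-Forwarded-For, but only
    when the peer is the terminator; a header sent directly by an arbitrary
    client is ignored, so it cannot forge the access statistics."""
    if peer_ip not in trusted_peers:
        return peer_ip
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            # the trusted terminator appends last, so take the rightmost entry
            return value.decode("ascii").split(",")[-1].strip()
    return peer_ip


if __name__ == "__main__":
    print(classify_first_bytes(PLAIN_REQUEST), classify_first_bytes(TLS_CLIENT_HELLO))
    print(add_forwarded_for(TLS_CLIENT_HELLO, "203.0.113.7"))  # nothing to rewrite
    terminated = add_forwarded_for(PLAIN_REQUEST, "203.0.113.7")
    print(terminated.decode())
    print(client_ip_for_stats(terminated, "127.0.0.1", frozenset({"127.0.0.1"})))
```

Run as a script, the block classifies the two constructed connections, shows that the TLS bytes cannot receive a header, and then resolves the client address for a request that arrived through a terminator on 127.0.0.1. The trusted-peer check is the part worth carrying over to a real deployment: whichever component ends up logging or balancing on the client address should accept X-Forwarded-For only from the address the terminator connects from.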