Re: http and https

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 9 Jul 2009 07:12:47 +0200


On Fri, Jul 03, 2009 at 03:59:32PM +0200, Carlo Granisso wrote:
> Hello, I've another problem...
>
> I've few pages that do login to reserved area via https: sometimes haproxy
> maintains the same server (in http mode it redirect me to server1, during
> login it make ssl connection also to server1).
>
> Many times when I connected i http mode it give me web pages from server1
> but when I do login (in https) it go to server2.
>
> Have you got solution to lock client to the same server once connected? I've
> tried "balance source" or "appsession" without success.

haproxy does not support HTTPS, so it will not see nor set any cookie in it. Normally what is done is to forward HTTPS traffic to a local stunnel (or apache or nginx) which will decrypt it and pass it as HTTP to haproxy. Then the cookie-based persistence will be able to work.

The "balance source" option is another alternative, but you must use it in both instances with the same servers, same weights and same checks (ideally you should use "track XXX" from one server to the same in the other backend). But there are always situations where it will not work for a few clients, as about 5% of the clients on the net use floating IP addresses due to enterprise proxies.

With your config, it should have worked, but maybe you were among the ones with a dynamic IP address. For these reasons, it's quite better to set up an stunnel to decipher HTTPS and process everything in HTTP !

Regards,
Willy Received on 2009/07/09 07:12

This archive was generated by hypermail 2.2.0 : 2009/07/09 07:15 CEST