Hey guys,
Thanks for the input. I ended up settling on the following configuration
type:
in haproxy:
listen something.com
    bind 172.168.1.1:80
    acl acl_port_80 dst_port eq 80
    acl acl_secure hdr(amISecure) YES
    cookie SERVERID insert indirect nocache
    redirect location https://something.com/sslRedirect.htm code 301 if acl_port_80 !acl_secure
    server www100 172.168.1.100 cookie www100 weight 1 check inter 1s fall 3 rise 2
    option httpchk GET /ping.htm HTTP/1.1\r\nHost:something.com
    capture request header X-Forwarded-For len 15
and in nginx:
location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header amISecure YES;
    proxy_pass http://something.com;
}
I also wanted to thank you guys for the feedback, I appreciated it.
John T. Skarbek
B.S.Computer Science Networking
Radford University
jskarbek#radford.edu
434.770.3089
Radford, VA 24142
On Sat, Jul 3, 2010 at 12:59 PM, Willy Tarreau <w#1wt.eu> wrote:
> On Sat, Jul 03, 2010 at 11:23:16AM -0400, John T Skarbek wrote:
> > Chris,
> >
> > Thanks for responding. I had thought of the option you mention. However I
> > discontinued it quickly. The reason I'm not a big fan, is that those header
> > values can be hacked quite easily. Granted the end user (hacker) may not
> > know the specific value that must hold. There are even plugins to browsers
> > that help end users view headers and modify them any which way they choose.
>
> hey, just remove the header from the HTTP proxy ;-)
> Having a front reverse-proxy set the information about SSL is quite common
> anyway. With stunnel, what is common is to forward the deciphered SSL
> traffic to 127.0.0.1, so that haproxy knows for sure it was SSL. There
> is nothing wrong with proceeding that way with nginx.
>
> Regards,
> Willy
>
>
Received on 2010/07/08 22:10
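
Added example (not part of the original thread or either poster's configuration): one way to keep the amISecure check from being satisfied by a header the client sets itself is to honor it only on connections that come from the SSL front end, in the spirit of the 127.0.0.1 forwarding described above for stunnel. It assumes nginx runs on the same host as haproxy and connects from 127.0.0.1; the ACL name acl_from_ssl_proxy is hypothetical.

```haproxy
listen something.com
    bind 172.168.1.1:80
    acl acl_port_80 dst_port eq 80
    # Assumption: the nginx SSL front end connects to haproxy from 127.0.0.1.
    acl acl_from_ssl_proxy src 127.0.0.1
    acl acl_secure hdr(amISecure) YES
    cookie SERVERID insert indirect nocache
    # Any request that did not arrive through the SSL proxy is redirected,
    # whatever headers it carries, so a client-supplied amISecure is ignored.
    redirect location https://something.com/sslRedirect.htm code 301 if acl_port_80 !acl_from_ssl_proxy
    # Requests from the SSL proxy must still carry the marker it sets.
    redirect location https://something.com/sslRedirect.htm code 301 if acl_port_80 !acl_secure
    server www100 172.168.1.100 cookie www100 weight 1 check inter 1s fall 3 rise 2
    option httpchk GET /ping.htm HTTP/1.1\r\nHost:something.com
    capture request header X-Forwarded-For len 15
```

If nginx reaches haproxy from a different address, the src value in acl_from_ssl_proxy has to be that address instead.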