I'm trying to use haproxy to load balance and content switch for 3
separate farms. The servers in the farms themselves have SSL certs on
them. I'm using haproxy and stunnel to decrypt the https requests so
haproxy knows where to forward the traffic. E.g. https://site/test1
forwards to test1farm, https://site/test2 forwards to test2farm, etc.
I'm running into a problem because the backend servers have certificates and are using https also. If I set them to run on port 80 it works fine, but I cannot do that based on the way the application is written.
Is it possible to use haproxy and stunnel with content switching using end-to-end SSL?
Here is my haproxy config:
global
    log 127.0.0.1 local0
    maxconn 4096
    uid 99
    gid 99
    daemon

defaults
    mode http
    log global
    option tcplog
    option httpclose
    retries 3
    maxconn 2000
    contimeout 50000
    clitimeout 500000
    srvtimeout 500000

frontend LB1 *:80
    option forwardfor except 10.0.5.161
    acl XSM-acl url_sub -i XeroxServicesManager
    acl XSP-acl url_sub -i XSP
    use_backend XSM if XSM-acl
    use_backend XSP if XSP-acl
    default_backend MPSAPI

backend XSM
    stats enable
    stats auth admin:password10
    balance roundrobin
    server ROCPRDXSM1 10.0.5.155:443 check
    server ROCPRDXSM2 10.0.5.156:443 check

backend XSP
    stats enable
    stats auth admin:password10
    balance roundrobin
    server ROCPRDXSP1 10.0.5.19:443 check
    server ROCPRDXSP2 10.0.5.91:443 check

backend MPSAPI
    stats enable
    stats auth admin:password10
    balance roundrobin
    server ROCPRDXDMC 10.0.5.158:443 check
    server ROCPRDCMPS 10.0.5.185:443 check
Here is my stunnel config:
cert=/etc/certs/OFFICEB2.pem
;setuid = nobody
;setgid = nogroup
pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
[https]
accept=10.0.5.161:443
connect=10.0.5.161:80
TIMEOUTclose=0
xforwardedfor=yes

Received on 2010/10/20 19:45
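The configuration below is an added example and is not the poster's config or anything from the haproxy or stunnel projects. It shows one way to get what the post asks for, content switching with the hop to the backends still encrypted, by letting haproxy both terminate TLS on the client side and re-encrypt towards the servers on port 443. This assumes haproxy 1.5 or newer (the post's config uses pre-1.5 keywords such as contimeout, and haproxy of that era could not speak TLS to backends itself), that /etc/certs/OFFICEB2.pem holds the private key together with the certificate chain, that the CA which signed the backend certificates is available as /etc/ssl/certs/backend-ca.pem, and that the backend certificates carry the hostnames given to verifyhost; all of those names and paths are assumptions to adjust to the real environment.

```haproxy
# Added example, not the original poster's configuration.
# End-to-end TLS with content switching: haproxy terminates the client
# TLS session itself (no stunnel in front) and opens a new, verified TLS
# session to whichever backend the ACLs select.
global
    log 127.0.0.1 local0
    maxconn 4096
    uid 99
    gid 99
    daemon
    # assumption: directory holding the CA that signed the backend certs
    ca-base /etc/ssl/certs

defaults
    mode http
    log global
    option httplog
    option http-server-close
    retries 3
    maxconn 2000
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend LB1
    # haproxy terminates TLS here; the PEM must contain key + cert chain
    bind 10.0.5.161:443 ssl crt /etc/certs/OFFICEB2.pem
    # keep plain HTTP only to push clients onto HTTPS
    bind 10.0.5.161:80
    http-request redirect scheme https unless { ssl_fc }
    option forwardfor
    # tell the application the original request was HTTPS
    http-request set-header X-Forwarded-Proto https
    acl XSM-acl url_sub -i XeroxServicesManager
    acl XSP-acl url_sub -i XSP
    use_backend XSM if XSM-acl
    use_backend XSP if XSP-acl
    default_backend MPSAPI

backend XSM
    balance roundrobin
    # "ssl" re-encrypts towards port 443; "verify required" refuses any
    # server whose certificate does not chain to backend-ca.pem, and
    # verifyhost pins the name expected in that certificate (assumed names)
    server ROCPRDXSM1 10.0.5.155:443 ssl verify required ca-file backend-ca.pem verifyhost rocprdxsm1.example check
    server ROCPRDXSM2 10.0.5.156:443 ssl verify required ca-file backend-ca.pem verifyhost rocprdxsm2.example check

backend XSP
    balance roundrobin
    server ROCPRDXSP1 10.0.5.19:443 ssl verify required ca-file backend-ca.pem verifyhost rocprdxsp1.example check
    server ROCPRDXSP2 10.0.5.91:443 ssl verify required ca-file backend-ca.pem verifyhost rocprdxsp2.example check

backend MPSAPI
    balance roundrobin
    server ROCPRDXDMC 10.0.5.158:443 ssl verify required ca-file backend-ca.pem verifyhost rocprdxdmc.example check
    server ROCPRDCMPS 10.0.5.185:443 ssl verify required ca-file backend-ca.pem verifyhost rocprdcmps.example check

# stats taken off the application backends and bound to loopback only,
# so the credentials are never reachable from the client side
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /
    stats auth admin:CHANGE-ME-placeholder
```

Two points worth checking after loading such a config: `haproxy -c -f` should accept it without warnings about the server lines, and the health checks will now use TLS as well, so a backend whose certificate fails verification shows up as DOWN in the stats page rather than silently receiving plaintext. On a haproxy version without the `ssl` server option, the same topology is built with a second stunnel instance running in client mode, one section per backend (accept on a loopback port, connect to the server's port 443, with certificate verification turned on), and the haproxy `server` lines pointing at those loopback ports instead of at the servers directly.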