RE: HAProxy Stunnel end-to-end SSL

From: Clark, Ryan <Ryan.Clark#xerox.com>
Date: Wed, 20 Oct 2010 15:02:04 -0400


I actually got it to work by using TCP mode. This might help other users to look at this config using stunnel and haproxy. Not sure how this is working at all, but it does.  

HAPROXY CONFIG:

global
   log 127.0.0.1 local0
   maxconn 4096
   uid 99
   gid 99
   daemon

defaults
   mode tcp
   log global
   option tcplog
   option httpclose
   retries 3
   maxconn 2000
   contimeout 50000
   clitimeout 500000
   srvtimeout 500000

frontend LB1 *:443
   acl XSM-acl url_sub -i XeroxServicesManager
   acl XSP-acl url_sub -i XSP
   acl FMP-acl url_sub -i FMP
   use_backend XSM if XSM-acl
   use_backend XSP if XSP-acl
   use_backend XSP if FMP-acl
   default_backend MPSAPI

backend XSM
   option ssl-hello-chk
   balance roundrobin
   server ROCPRDXSM1 10.0.5.155:443 check
   server ROCPRDXSM2 10.0.5.156:443 check

backend XSP
   option ssl-hello-chk
   balance roundrobin
   server ROCPRDXSP1 10.0.5.19:443 check
   server ROCPRDXSP2 10.0.5.91:443 check

backend MPSAPI
   option ssl-hello-chk
   balance roundrobin
   server ROCPRDXDMC 10.0.5.158:443 check
   server ROCPRDCMPS 10.0.5.185:443 check

STUNNEL CONFIG:

cert=/etc/certs/OFFICEB2.pem
;setuid = nobody
;setgid = nogroup

pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

[https]
accept=10.0.5.161:443
connect=10.0.5.161:8080
TIMEOUTclose=0
xforwardedfor=yes
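The message above ends with "Not sure how this is working at all, but it does." The script below is an added example (not code from the thread, from HAProxy or from stunnel) that parses the two posted configs and reports what a reviewer would want verified: because the frontend inherits mode tcp and TLS is passed through end to end, HAProxy only ever sees the encrypted stream, so the url_sub ACLs cannot match and every connection lands on default_backend MPSAPI; the stunnel accept on port 443 contends with HAProxy's *:443 listener; and stunnel's connect target on port 8080 has no HAProxy frontend behind it. The parser handles only the directives used in the posted configs, and the list of HTTP-layer fetches is a hand-picked subset; both are assumptions of this example.

```python
"""Lint check for the HAProxy + stunnel pair quoted above (added example).

Reports: HTTP-layer ACLs used for routing in a `mode tcp` frontend that
receives TLS end-to-end (they never match ciphertext); a stunnel `accept`
that contends with an HAProxy listener on the same port; and a stunnel
`connect` target that no HAProxy frontend listens on.
"""
import re

# Configs copied (abridged) from the thread; constructed inline so this runs offline.
HAPROXY_CFG = """
global
   maxconn 4096
   daemon

defaults
   mode tcp
   option tcplog
   retries 3

frontend LB1 *:443
   acl XSM-acl url_sub -i XeroxServicesManager
   acl XSP-acl url_sub -i XSP
   acl FMP-acl url_sub -i FMP
   use_backend XSM if XSM-acl
   use_backend XSP if XSP-acl
   use_backend XSP if FMP-acl
   default_backend MPSAPI

backend MPSAPI
   option ssl-hello-chk
   balance roundrobin
   server ROCPRDXDMC 10.0.5.158:443 check
"""

STUNNEL_CFG = """
cert=/etc/certs/OFFICEB2.pem
pid = /etc/stunnel/stunnel.pid
[https]
accept=10.0.5.161:443
connect=10.0.5.161:8080
xforwardedfor=yes
"""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
# Request-side HTTP fetches that need a parsed HTTP request (assumed subset).
HTTP_FETCHES = ("url", "url_sub", "url_beg", "url_reg", "url_dir",
                "path", "path_beg", "hdr", "hdr_sub", "method")


def parse_haproxy(text):
    """Split an HAProxy config into sections holding tokenised lines."""
    sections, cur = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in SECTIONS:
            cur = {"type": words[0], "name": words[1] if len(words) > 1 else "",
                   "bind": words[2] if len(words) > 2 else None, "lines": []}
            sections.append(cur)
        elif cur is not None:
            cur["lines"].append(words)
    return sections


def effective_mode(section, sections):
    """Mode set in the section itself, else inherited from defaults, else http."""
    own = [w[1] for w in section["lines"] if w[0] == "mode"]
    if own:
        return own[-1]
    for s in sections:
        if s["type"] == "defaults":
            for w in s["lines"]:
                if w[0] == "mode":
                    return w[1]
    return "http"


def parse_stunnel(text):
    """Return {service: {key: value}}; keys before any [section] go under ''."""
    services = {"": {}}
    cur = services[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            cur = services.setdefault(m.group(1), {})
        elif "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            cur[k.lower()] = v
    return services


def split_addr(addr):
    host, _, port = addr.rpartition(":")
    return host or "*", int(port)


def same_listener(a, b):
    """True when two listen addresses would contend for the same port."""
    (ha, pa), (hb, pb) = split_addr(a), split_addr(b)
    wildcard = ("*", "0.0.0.0", "")
    return pa == pb and (ha in wildcard or hb in wildcard or ha == hb)


def lint(haproxy_text, stunnel_text):
    """Return a list of (code, message) findings for the two configs."""
    findings, sections = [], parse_haproxy(haproxy_text)
    binds = []
    for fe in (s for s in sections if s["type"] in ("frontend", "listen")):
        if fe["bind"]:
            binds.append((fe["name"], fe["bind"]))
        binds += [(fe["name"], w[1]) for w in fe["lines"] if w[0] == "bind"]
        if effective_mode(fe, sections) != "tcp":
            continue
        acls = {w[1]: w[2] for w in fe["lines"] if w[0] == "acl" and len(w) > 2}
        http_acls = set()
        for w in fe["lines"]:
            if w[0] == "use_backend" and "if" in w:
                for name in w[w.index("if") + 1:]:
                    if acls.get(name, "").split("(")[0] in HTTP_FETCHES:
                        http_acls.add(name)
        if http_acls:
            default = next((w[1] for w in fe["lines"] if w[0] == "default_backend"), "(none)")
            findings.append(("HTTP_ACL_IN_TCP_MODE",
                             f"frontend {fe['name']} is mode tcp and routes on HTTP ACLs "
                             f"{sorted(http_acls)}; with TLS passed through the payload is "
                             f"ciphertext, so these never match and every connection goes "
                             f"to default_backend {default}"))
    for svc, conf in parse_stunnel(stunnel_text).items():
        acc, con = conf.get("accept"), conf.get("connect")
        for name, b in binds:
            if acc and same_listener(acc, b):
                findings.append(("PORT_OVERLAP",
                                 f"stunnel [{svc}] accept={acc} contends with haproxy "
                                 f"frontend {name} on {b}"))
        if con and not any(split_addr(b)[1] == split_addr(con)[1] for _, b in binds):
            findings.append(("NO_HAPROXY_LISTENER",
                             f"stunnel [{svc}] decrypts to {con}, but no haproxy frontend "
                             f"listens on port {split_addr(con)[1]}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(HAPROXY_CFG, STUNNEL_CFG):
        print(f"{code}: {msg}")
```

Run as-is and it prints three findings for the posted pair. Change the defaults to mode http (the configuration in which stunnel would terminate TLS and hand cleartext to HAProxy) and the HTTP_ACL_IN_TCP_MODE finding disappears, leaving only the two listener problems, which is the order of fixes a reviewer would ask for.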

From: Mike Hoffs [mailto:m.hoffs#mijn-sleutel.com]
Sent: Wednesday, October 20, 2010 2:11 PM
To: Clark, Ryan
Subject: RE: HAProxy Stunnel end-to-end SSL

Hi Ryan,  

Note, aside from the mailing list: in the last few days there was someone with a similar situation;

http://www.formilux.org/archives/haproxy/1010/3922.html

http://www.formilux.org/archives/haproxy/1010/date.html  

With kind regards,


Mike Hoffs  

Mijn-Sleutel

Peperstraat 33

6678 AL Oosterhout

Tel: +31 (0)24 8200208 during office hours (09:00 - 17:00)

Mail: m.hoffs#mijn-sleutel.com

Website: http://www.mijn-sleutel.com

From: Clark, Ryan [mailto:Ryan.Clark#xerox.com]
Sent: Wednesday, 20 October 2010 20:00
To: Mike Hoffs; haproxy#formilux.org
Subject: RE: HAProxy Stunnel end-to-end SSL

Yes I have, even with the option ssl-hello-chk enabled.  

From: Mike Hoffs [mailto:m.hoffs#mijn-sleutel.com]
Sent: Wednesday, October 20, 2010 1:56 PM
To: Clark, Ryan; haproxy#formilux.org
Subject: RE: HAProxy Stunnel end-to-end SSL

Have you tried mode tcp?

With kind regards,


Mike Hoffs

Received on 2010/10/20 21:02

This archive was generated by hypermail 2.2.0 : 2010/10/20 21:15 CEST