Re: [Linux-HA] Do I need more than HAProxy for SSL webserver

Wed, 10 Jun 2009 05:10:41 -0700 

Hi,

You'll probably get better support from the HAProxy specific
mailing list (I guess that there is one).

Thanks,

Dejan

On Wed, Jun 10, 2009 at 07:59:21AM -0400, Tom Potwin wrote:
> After going through these archives, I'm still not clear on if I need
> something more than HAProxy to add SSL to my backend servers. Right now I
> have HAProxy running on a virtual node (LB1) in front of another virtual
> node with the web server (WEB1). This is all behind a firewall/router that's
> routing one of my public IP's to the shared local address. I need to add at
> least three SSL certificates to three sites on my web server. Here is my
> current cfg setup:
> global
>         log 127.0.0.1   local0
>         log 127.0.0.1   local1 notice
>         maxconn 4096
>         user haproxy
>         group haproxy
> defaults
>         log     global
>         mode    http
>         option  httplog
>         option  dontlognull
>         retries 3
>         redispatch
>         maxconn 2000
>         contimeout      5000
>         clitimeout      50000
>         srvtimeout      50000
> listen webfarm 192.168.31.100:80, 192.168.31.100:443
>        mode http
>        stats enable
>        stats auth netadmin:5bgr+bdd1WbA
>        balance roundrobin
>        cookie JSESSIONID prefix
>        option forceclose
>        option httpclose
>        option forwardfor
>        option httpchk HEAD /check.txt HTTP/1.0     
>        server web1 192.168.31.202:80 cookie w01 check inter 2000 rise 2 fall
> 2
>        server web2 192.168.31.212:80 cookie w02 check inter 2000 rise 2 fall
> 2
>        option persist
>        redispatch
>        contimeout 5000
>        rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal
> IP address
>  
> I've read that all I need is to change mode http to mode tcp, balance
> roundrobin to balance source, and option httpchk to option ssl-hello-chk,
> and all should work. Then I also read that HAProxy can't do SSL so you have
> to install something like stunnel to get it to work. I'm trying to keep
> things as simple as I can, so what is the correct way for me to handle this?
> 
> 
> 
> _______________________________________________
> Linux-HA mailing list
> [email protected]
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

Reply via email to