[CentOS] haproxy ssl

Tue Oct 18 11:13:14 UTC 2011
Craig White <craigwhite at azapple.com>

On Tue, 2011-10-18 at 02:52 +0000, Tim Dunphy wrote:
> hello list,
> 
>  I am attempting to load balance SSL web servers using haproxy on centos 5.7.
> 
>  I am using HA-Proxy version 1.4.18 
> 
> 
>   Here is the stanza in the config regarding SSL:
> 
>    listen https 192.168.1.200:443
>         mode tcp
>         balance roundrobin
>         option forwardfor except 192.168.1.200
>         option redispatch
>         maxconn 10000
>         reqadd X-Forwarded-Proto:\ https
>         server web1 web1.summitnjhome.com:443  maxconn 5000
>         server web2 web2.summitnjhome.com:443  maxconn 5000
> 
> I can connect to https on each web server and have it serve content. The IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
> 
>  I can connect to the virtual IP via openssl s_connect and GET / where I see the source code for the home page
<<<< snip >>>>
> And the port 443 is being listened to..
> 
>   [root at VIRTCENT02:~] #lsof -i :443
> COMMAND  PID    USER   FD   TYPE DEVICE SIZE NODE NAME
> haproxy 1763 haproxy    6u  IPv4   7586       TCP VIRTUAL.example.com:https (LISTEN)
> 
> [root at VIRTCENT01:~] #netstat -tulpn | grep 443
> tcp        0      0 192.168.1.200:443           0.0.0.0:*                   LISTEN      1752/haproxy
> 
> 
>  But a page will not render in a web page.
> 
>   Unable to connect
> 
>    Firefox can't establish a connection to the server at virtual.example.com.
> 
>  And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
> 
>  [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address 192.168.1.200
> 
> Thanks in advance!
----
I think your setup seems mostly ok but I ended up giving up on haproxy
for SSL connections for a few reasons including limitations for
handling/forwarding headers & source IP addresses. I also found it
easier to use nginx (or apache I suppose) to handle the first connection
(terminate the SSL connection for the browser as a proxy) and to use
normal http for haproxy load balancing (which then can use http mode
instead of tcp mode and forward added headers) to the actual web
servers.

Craig


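The layout Craig describes, written out as an added example (my own configuration, not Craig's or the haproxy project's, and not tested against the poster's setup): nginx terminates TLS on the keepalived VIP and hands plain HTTP to haproxy on a loopback port, so haproxy can run in http mode and the X-Forwarded-* headers survive all the way to the web servers. In the posted stanza, `option forwardfor` and `reqadd` sit under `mode tcp`, where haproxy never parses the HTTP stream, so they have no effect; `haproxy -c -f /etc/haproxy/haproxy.cfg` is the quick way to confirm a config is accepted and to see the warnings haproxy 1.4 prints for HTTP-only options in a tcp-mode proxy. The VIP, hostname and backend names come from the question; the certificate paths, the loopback port 8080 and plain HTTP on port 80 at the backends are assumptions.

```conf
# /etc/nginx/conf.d/ssl-frontend.conf  -- TLS termination on the VIP (assumed file name)
server {
    listen 192.168.1.200:443 ssl;
    server_name virtual.example.com;

    ssl_certificate     /etc/pki/tls/certs/virtual.example.com.crt;   # assumed path
    ssl_certificate_key /etc/pki/tls/private/virtual.example.com.key; # assumed path

    location / {
        # haproxy http-mode listener on loopback (port 8080 is an assumption)
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        # real client address and scheme are only known here, at the TLS endpoint
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# /etc/haproxy/haproxy.cfg  -- relevant section only
listen http-in 127.0.0.1:8080
    mode http                      # http mode: headers are parsed and forwarded
    balance roundrobin
    option httplog
    # nginx already supplies X-Forwarded-For; skipping loopback sources keeps
    # haproxy from appending a useless second entry of 127.0.0.1
    option forwardfor except 127.0.0.1
    option redispatch
    maxconn 10000
    server web1 web1.summitnjhome.com:80 maxconn 5000 check
    server web2 web2.summitnjhome.com:80 maxconn 5000 check
```

Because the web servers now see plain HTTP from haproxy, they should only trust X-Forwarded-For and X-Forwarded-Proto when the request arrives from the load balancer addresses; anything else reaching port 80 directly could set those headers itself. Both load balancers behind the keepalived VIP need identical copies of these files, since whichever one holds 192.168.1.200 at the moment does all the TLS termination.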