[CentOS] haproxy ssl
Craig White
craigwhite at azapple.com
Tue Oct 18 11:13:14 UTC 2011
On Tue, 2011-10-18 at 02:52 +0000, Tim Dunphy wrote:
> hello list,
>
> I am attempting to load balance SSL web servers using haproxy on centos 5.7.
>
> I am using HA-Proxy version 1.4.18
>
>
> Here is the stanza in the config regarding SSL:
>
> listen https 192.168.1.200:443
> mode tcp
> balance roundrobin
> option forwardfor except 192.168.1.200
> option redispatch
> maxconn 10000
> reqadd X-Forwarded-Proto:\ https
> server web1 web1.summitnjhome.com:443 maxconn 5000
> server web2 web2.summitnjhome.com:443 maxconn 5000
>
> I can connect to https on each web server and have it serve content. the IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
>
> I can connect to the virtual ip via openssl s_connect and GET / where i see the source code for the home page
<<<< snip >>>>
> And the port 443 is being listened to..
>
> [root at VIRTCENT02:~] #lsof -i :443
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)
>
> [root at VIRTCENT01:~] #netstat -tulpn | grep 443
> tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy
>
>
> But a page will not render in a web page.
>
> Unable to connect
>
> Firefox can't establish a connection to the server at virtual.example.com.
>
> And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
>
> [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address 192.168.1.200
>
> Thanks in advance!
----
I think your setup seems mostly ok but I ended up giving up on haproxy
for SSL connections for a few reasons including limitations for
handling/forwarding headers & source IP addresses. I also found it
easier to use nginx (or apache I suppose) to handle the first connection
(terminate the SSL connection for the browser as a proxy) and to use
normal http for haproxy load balancing (which then can use http mode
instead of tcp mode and forward added headers) to the actual web
servers.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the CentOS
mailing list