On Tue, 2011-10-18 at 02:52 +0000, Tim Dunphy wrote:
> hello list,
>
> I am attempting to load balance SSL web servers using haproxy on centos 5.7.
>
> I am using HA-Proxy version 1.4.18
>
> Here is the stanza in the config regarding SSL:
>
> listen https 192.168.1.200:443
>     mode tcp
>     balance roundrobin
>     option forwardfor except 192.168.1.200
>     option redispatch
>     maxconn 10000
>     reqadd X-Forwarded-Proto:\ https
>     server web1 web1.summitnjhome.com:443 maxconn 5000
>     server web2 web2.summitnjhome.com:443 maxconn 5000
>
> I can connect to https on each web server and have it serve content. The IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
>
> I can connect to the virtual ip via openssl s_connect and GET / where I see the source code for the home page

<<<< snip >>>>

> And the port 443 is being listened to..
>
> [root at VIRTCENT02:~] #lsof -i :443
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)
>
> [root at VIRTCENT01:~] #netstat -tulpn | grep 443
> tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy
>
> But a page will not render in a web page.
>
> Unable to connect
>
> Firefox can't establish a connection to the server at virtual.example.com.
>
> And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
>
> [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address 192.168.1.200
>
> Thanks in advance!

----

I think your setup seems mostly ok but I ended up giving up on haproxy for SSL connections for a few reasons including limitations for handling/forwarding headers & source IP addresses.

I also found it easier to use nginx (or apache I suppose) to handle the first connection (terminate the SSL connection for the browser as a proxy) and to use normal http for haproxy load balancing (which then can use http mode instead of tcp mode and forward added headers) to the actual web servers.

Craig
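
The header-forwarding limitation mentioned in the reply can be checked mechanically. The following is an added example, not code from either poster or from the HAProxy project: a small Python check that flags HTTP-layer directives placed in tcp-mode sections, where HAProxy only relays the encrypted bytes and cannot insert headers. The directive list is a short, non-exhaustive selection made for this example.

```python
import re

# HTTP-layer directives that HAProxy applies only in "mode http".
# Short, non-exhaustive list chosen for this example (an assumption).
HTTP_ONLY = ("option forwardfor", "option httpclose", "option httplog",
             "reqadd", "rspadd")
SECTION = re.compile(r"^(global|defaults|listen|frontend|backend)(?:\s+(\S+))?(?:\s|$)")

def lint(config):
    """Return (proxy, line_no, directive) for HTTP-only directives in tcp-mode proxies."""
    inherited = "tcp"                 # HAProxy's mode when nothing sets one
    sections, cur = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split("#", 1)[0].split())  # drop comments, squeeze spaces
        m = SECTION.match(line)
        if m:
            kind, name = m.group(1), m.group(2) or m.group(1)
            if kind == "defaults":
                inherited = "tcp"     # each defaults section starts from scratch
            cur = {"kind": kind, "name": name, "mode": inherited, "hits": []}
            sections.append(cur)
        elif cur and line.startswith("mode "):
            cur["mode"] = line.split()[1]   # explicit mode wins wherever it appears
            if cur["kind"] == "defaults":
                inherited = cur["mode"]
        elif cur:
            cur["hits"] += [(no, d) for d in HTTP_ONLY
                            if line == d or line.startswith(d + " ")]
    return [(s["name"], no, d) for s in sections
            if s["kind"] in ("listen", "frontend", "backend") and s["mode"] == "tcp"
            for no, d in s["hits"]]

# The listen stanza exactly as posted in the thread.
POSTED = r"""listen https 192.168.1.200:443
    mode tcp
    balance roundrobin
    option forwardfor except 192.168.1.200
    option redispatch
    maxconn 10000
    reqadd X-Forwarded-Proto:\ https
    server web1 web1.summitnjhome.com:443 maxconn 5000
    server web2 web2.summitnjhome.com:443 maxconn 5000
"""

if __name__ == "__main__":
    for proxy, no, directive in lint(POSTED):
        print(f"line {no}: '{directive}' is ignored in tcp-mode proxy '{proxy}'")
    # Same stanza in http mode (usable only once TLS is terminated in front of it).
    print(lint(POSTED.replace("mode tcp", "mode http")))
```

The two flagged directives are the ones meant to carry the client address and the original protocol to the web servers, which is why the reply terminates SSL first and balances plain HTTP.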