[CentOS] haproxy ssl

Tue Oct 18 11:13:14 UTC 2011
Craig White <craigwhite at azapple.com>

On Tue, 2011-10-18 at 02:52 +0000, Tim Dunphy wrote:
> Hello list,
>  I am attempting to load balance SSL web servers using haproxy on CentOS 5.7.
>  I am using HA-Proxy version 1.4.18 
>   Here is the stanza in the config regarding SSL:
>    listen https
>         mode tcp
>         balance roundrobin
>         option forwardfor except
>         option redispatch
>         maxconn 10000
>         reqadd X-Forwarded-Proto:\ https
>         server web1 web1.summitnjhome.com:443  maxconn 5000
>         server web2 web2.summitnjhome.com:443  maxconn 5000
> I can connect to https on each web server and have it serve content. The IP is a virtual IP created with keepalived and floating between two load balancers.

>  I can connect to the virtual IP via openssl s_client and GET / where I see the source code for the home page.
<<<< snip >>>>
> And port 443 is being listened on...
>   [root at VIRTCENT02:~] #lsof -i :443
> haproxy 1763 haproxy    6u  IPv4   7586       TCP VIRTUAL.example.com:https (LISTEN)
> [root at VIRTCENT01:~] #netstat -tulpn | grep 443
> tcp        0      0 *                   LISTEN      1752/haproxy
>  But the page will not render in a web browser.
>   Unable to connect
>    Firefox can't establish a connection to the server at virtual.example.com.   
>  And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
>  [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address
> Thanks in advance!
I think your setup seems mostly ok but I ended up giving up on haproxy
for SSL connections for a few reasons including limitations for
handling/forwarding headers & source IP addresses. I also found it
easier to use nginx (or apache I suppose) to handle the first connection
(terminate the SSL connection for the browser as a proxy) and to use
normal http for haproxy load balancing (which then can use http mode
instead of tcp mode and forward added headers) to the actual web


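The split that Craig describes, written out as a pair of configs. This is an added example and is not from either post on this thread; it only fills in the design he sketches. Two points worth stating plainly first: HAProxy 1.4 cannot terminate TLS itself (that arrived in 1.5), and in "mode tcp" it only relays the encrypted bytes, so the reqadd and option forwardfor lines in the quoted "listen https" block can never take effect there and the backends see the load balancer's address as the client. Terminating TLS in nginx on the keepalived VIP and handing plain HTTP to haproxy in http mode fixes both. Certificate paths, the loopback port 8080 and the backend port 80 are assumptions; the hostnames are the ones from Tim's config.

```conf
# Added example (not from Craig's or Tim's post): nginx terminates TLS on the
# keepalived VIP and hands plain HTTP to haproxy on loopback; haproxy runs in
# http mode and balances to the web servers over port 80.  Certificate paths,
# the loopback port 8080 and the backend port 80 are assumptions.

# ---- /etc/nginx/conf.d/virtual.example.com.conf (assumed path) ----
server {
    listen 443 ssl;
    server_name virtual.example.com;

    ssl_certificate     /etc/pki/tls/certs/virtual.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/virtual.example.com.key;

    location / {
        proxy_pass http://127.0.0.1:8080;            # haproxy, plain HTTP, loopback only
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # appends the real client IP to whatever X-Forwarded-For the client sent,
        # so backends must trust only the LAST address in that list
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;    # overwrites any client-supplied value
    }
}

# ---- /etc/haproxy/haproxy.cfg ----
global
    log     127.0.0.1 local0
    maxconn 10000
    user    haproxy
    group   haproxy
    daemon

defaults
    log     global
    mode    http                 # http mode: headers are visible and can be added
    option  httplog
    option  dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Bound to loopback so that nothing but the local nginx can reach it;
# otherwise a client could connect here directly and supply its own
# X-Forwarded-* headers.
frontend http-in
    bind 127.0.0.1:8080
    default_backend web

backend web
    balance roundrobin
    option  redispatch
    # nginx already set X-Forwarded-For, so do not append 127.0.0.1 for
    # requests arriving from loopback (this is what the "except" argument is for)
    option  forwardfor except 127.0.0.0/8
    server  web1 web1.summitnjhome.com:80 maxconn 5000 check
    server  web2 web2.summitnjhome.com:80 maxconn 5000 check
```

Check both files before reloading ("haproxy -c -f /etc/haproxy/haproxy.cfg" and "nginx -t"), then repeat the openssl s_client test against the VIP and look at the access log on web1/web2: the logged client should now be the real client address rather than the load balancer. The X-Forwarded-* headers are only trustworthy if nobody else can reach the backends, so restrict port 80 on web1/web2 to the two load balancers with iptables.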