[chef] Re: Re: Re: Re: haproxy Cookbook


  • From: Nathan Williams
  • To:
  • Subject: [chef] Re: Re: Re: Re: haproxy Cookbook
  • Date: Thu, 13 Mar 2014 15:07:44 -0700

HAProxy already injects X-Forwarded-For, IIRC, so I'm not sure why Nginx would be required. stunnel does a fine job of handling the SSL offloading, or you can put your HAProxy port 443 frontend into TCP mode so it just balances TCP sessions, though you lose the ability to ACL on layer-7 attributes like HTTP headers doing so, so I prefer to avoid it. In TCP mode your backend members would handle the SSL cert.

Regards,

Nathan Williams


On Thu, Mar 13, 2014 at 2:56 PM, Daniel Condomitti wrote:
I normally use nginx to terminate SSL which means we can inject a header containing the source IP address. Combining this with the HttpRealIp[0] module means you get the real client IP in your backend logs.

This doesn’t help if you’re not proxying HTTP though.

On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:

Hello,

HAProxy 1.5 has SSL.  Unfortunately, it's still under development/beta.  In the haproxy community cookbook, looks like there is a recipe to make and install from source and enable SSL:


This might not be the 'fastest' way to go to enable SSL, but it's one way.

Another way would be to have a frontend which does SSL, i.e. Apache.

Hope this helps.

Lopaka


On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang wrote:
Actually... stunnel might not be such a good solution as I believe I will lose the source IP address, and I don't want to lose that...


On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang wrote:
Thanks Eric.

I had forgotten that haproxy doesn't support SSL yet. I think 1.5 does (which is what an apt-get install gets me), but even so, the haproxy cookbook apparently does not. I'll check out the stunnel cookbook.

Good to know it's not just me that finds the haproxy cookbook documentation confusing. The examples don't work as is either.

Douglas.


On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot wrote:
I would strongly suggest pairing the haproxy cookbook with the stunnel cookbook in order to get this working.  Otherwise haproxy has no native support for SSL.  The SSL options in that cookbook just create another listener for you to then connect to (with, for example, stunnel).

Does that answer your question?

BTW if you find that cookbook confusing or insufficient (we did, but the last time I looked at it was a while ago), we also maintain one which is pretty functional (although the docs may be slightly out of date at this point):

-- 
Eric

On March 13, 2014 at 5:15:52 PM, Douglas Garstang wrote:

Can anyone recommend a functional haproxy cookbook that supports SSL? The most likely candidate, at https://github.com/hw-cookbooks/haproxy, has knobs for enabling SSL, but as far as I can see, no way to pass the pem file location. (The setting is 'crt', I think.)

Alternatively, if there's a way a wrapper cookbook could easily add that functionality...

Douglas




--
Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Cell: +1-805-340-5627
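
The trade-off discussed in this thread, as an added configuration example that is not part of the original messages or of any cookbook mentioned in them: HAProxy 1.5 terminating SSL with the `crt` setting in HTTP mode (X-Forwarded-For and layer-7 ACLs available) beside a TCP-mode frontend (backends hold the certificate). All names, addresses, ports and the PEM path are constructed placeholders.

```haproxy
# Constructed example: every name, address and path below is a placeholder.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: HAProxy 1.5+ terminates SSL itself (HTTP mode).
# The frontend sees decrypted HTTP, so layer-7 ACLs work and the
# client address can be passed to the backends in X-Forwarded-For.
frontend fe_https_terminate
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example.pem  # cert + key in one PEM
    option httplog
    option forwardfor                  # adds X-Forwarded-For: <client IP>
    acl is_admin    path_beg /admin    # layer-7 ACL on the request path
    acl from_office src 192.0.2.0/24   # documentation range, constructed
    http-request deny if is_admin !from_office
    default_backend be_app_http

backend be_app_http
    mode http
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check

# Option B: TCP mode balances the encrypted sessions untouched.
# Backends hold the certificate. HAProxy cannot read or add HTTP headers,
# so there is no X-Forwarded-For and no header/path ACLs (src ACLs still
# work), and backends see HAProxy's address as the connection source.
# Bound to 8443 here only so both options fit in one file.
frontend fe_https_passthrough
    mode tcp
    bind :8443
    option tcplog
    default_backend be_app_tls

backend be_app_tls
    mode tcp
    server app1 10.0.0.11:443 check
    server app2 10.0.0.12:443 check
```

The file can be syntax-checked without starting the proxy using `haproxy -c -f <file>`; the SSL `bind` line requires a 1.5 build with OpenSSL support.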