Not sure if you’re doing this on EC2 but if you are there is also the option of terminating SSL on ELB, which will insert a header (X-Forwarded-For I believe) containing the source IP.
There are actually patches to add that header with Stunnel but I will admit that that option does kind of suck. :-)
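The "nginx terminates SSL and injects the client IP, HttpRealIp restores it on the backend" setup that Daniel and Robert describe further down the thread, written out as an added example (this is not configuration from any message in the thread or from the cookbooks mentioned). The certificate paths and the 10.0.0.x addresses are assumptions.

```nginx
# Added example, not from the thread. Assumed layout:
#   client --(https)--> nginx terminator 10.0.0.5
#          --(http)---> HAProxy 10.0.0.10:8080 (with "option forwardfor")
#          --(http)---> backend nginx on :8081 using the realip module

# --- Edge: terminate TLS, forward plain HTTP carrying the real client IP ---
server {
    listen 443 ssl;
    server_name example.com;                               # assumed name
    ssl_certificate     /etc/nginx/ssl/example.com.pem;    # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;    # assumed path

    location / {
        proxy_pass http://10.0.0.10:8080;                  # assumed HAProxy
        proxy_set_header X-Real-IP        $remote_addr;
        # Overwrite, don't append: a client can send its own X-Forwarded-For,
        # so the edge must replace it with the address it actually saw.
        proxy_set_header X-Forwarded-For  $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# --- Backend: ngx_http_realip_module (the HttpRealIp module from the thread)
#     rewrites $remote_addr from the header, but only for trusted senders ---
server {
    listen 8081;
    # Only these hops may assert a client IP. A request that reaches this
    # port from anywhere else keeps its real $remote_addr, so the header
    # cannot be used to forge the address that ends up in the access log.
    set_real_ip_from 10.0.0.5;      # assumed nginx terminator
    set_real_ip_from 10.0.0.10;     # assumed HAProxy (appends its own hop)
    real_ip_header   X-Forwarded-For;
    # Walk the chain right-to-left, skipping trusted hops, to the client.
    real_ip_recursive on;

    access_log /var/log/nginx/app-access.log;   # now shows the client IP
    root /var/www/app;                          # assumed docroot
}
```

The set_real_ip_from list is the security-relevant knob: widening it to 0.0.0.0/0 lets anyone who can reach the backend port directly choose the IP that gets logged and used for source-IP balancing or ACLs.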
On March 13, 2014 at 6:23:35 PM, Robert Tsai wrote:
I agree with Daniel. Nginx and HAProxy are a great combo for
SSL termination. Definitely use HttpRealIp, and you can
balance based on source IP if needed.
As for the recipe, we decided to do a wrapper recipe to tie the two
together.
On Mar 13, 2014, at 2:56 PM, Daniel Condomitti wrote:
I normally use nginx to terminate SSL which means we can
inject a header containing the source IP address. Combining this
with the HttpRealIp[0] module means you get the real client IP in
your backend logs.
This doesn’t help if you’re not proxying HTTP though.
On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:
Hello,
HAProxy 1.5 has SSL. Unfortunately, it's still
under development/beta. In the haproxy community cookbook, it
looks like there is a recipe to make and install from source and
enable SSL:
This might not be the 'fastest' way to go to enable SSL,
but it's one way.
Another way would be to have a frontend which does SSL,
i.e. Apache.
Hope this helps.
Lopaka
On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang wrote:
Actually... stunnel might not be such a good
solution as I believe I will lose the source IP address, and I don't
want to lose that...
On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang wrote:
Thanks Eric.
I had forgotten that haproxy doesn't support SSL yet. I think
1.5 does (which is what an apt-get install gets me), but even
though, the haproxy cookbook apparently does not. I'll check out
the stunnel cookbook.
Good to know it's not just me that finds the haproxy cookbook
documentation confusing. The examples don't work as is
either.
Douglas.
On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot wrote:
I would strongly suggest pairing the haproxy cookbook with the
stunnel cookbook in order to get this working. Otherwise
haproxy has no native support for SSL. The SSL options in
that cookbook just create another listener for you to then connect
to (with, for example, stunnel).
Does that answer your question?
BTW if you find that cookbook confusing or insufficient (we did,
but the last time I looked at it was a while ago), we also maintain
one which is pretty functional (although the docs may be slightly
out of date at this point):
On March 13, 2014 at 5:15:52 PM, Douglas Garstang wrote:
Can anyone recommend a functional haproxy
cookbook that supports SSL? The most likely candidate,
at https://github.com/hw-cookbooks/haproxy, has knobs for
enabling SSL, but as far as I can see, no way to pass the pem file
location. (The setting is 'crt' I think.)
Alternatively, if there's a way a wrapper cookbook could
easily add that functionality...
Douglas
--
Regards,
Douglas Garstang
http://www.linkedin.com/in/garstang
Cell: +1-805-340-5627
--
Lopaka Delp
RightScale - Linux Systems Engineer
805-243-0998