[chef] Re: Re: Re: Re: Re: Re: Re: Re: haproxy Cookbook

[Sean Escriva < >]

Douglas Garstang 
<
 >
 writes:

> Given that haproy 1.5 already supports SSL, wouldn't the approach with the
> least effort here, be to enhance the community haproxy cookbook to also
> support it?
>

What enhancements to support SSL would you really like to see?

The cookbook alread provides a fully data drive lwrp to configure
haproxy to your hearts content:

https://github.com/hw-cookbooks/haproxy#haproxy

If you need haproxy to support things that aren't availailable out of
the box with the system packages there the source install recipe:

https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb

I'm interested to hear how specifically the current haproxy cookbook
falls short of what you need. How could it best be enhanced to support
what you need for SSL support?

>
>
> On Fri, Mar 14, 2014 at 8:23 AM, Nathan Williams 
> <
 >wrote:
>
>> Ah! That's right, I forget the regular stunnel package doesn't do
>> X-Forwarded-For.
>> On Mar 13, 2014 3:43 PM, "Eric Herot" 
>> <
 >
>>  wrote:
>>
>>> Not sure if you're doing this on EC2 but if you are there is also the
>>> option of terminating SSL on ELB, which will insert a header
>>> (X-Forwarded-For I believe) containing the source IP.
>>>
>>> There are actually patches to add that header with Stunnel but I will
>>> admit that that option does kind of suck. :-)
>>> --
>>> Eric
>>>
>>> On March 13, 2014 at 6:23:35 PM, Robert Tsai 
>>> (
 )
>>> wrote:
>>>
>>> I agree with Daniel. Ngnix and HAproxy is a great combo for ssl
>>> termination.  Definitely use HttpRealIp and you can balance based on 
>>> source
>>> ip if needed.
>>>
>>> As for the recipe, we decided to do a wrapper recipe to tie the two
>>> together.
>>>
>>> On Mar 13, 2014, at 2:56 PM, Daniel Condomitti 
>>> <
 >
>>> wrote:
>>>
>>>  I normally use nginx to terminate SSL which means we can inject a
>>> header containing the source IP address. Combining this with the
>>> HttpRealIp[0] module means you get the real client IP in your backend 
>>> logs.
>>>
>>> This doesn't help if you're not proxying HTTP though.
>>>
>>> [0] http://wiki.nginx.org/HttpRealipModule
>>>
>>> On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:
>>>
>>>  Hello,
>>>
>>> HAProxy 1.5 has SSL.  Unfortunately, it's still under development/beta.
>>>  In the haproxy community cookbook, looks like there is a recipe to make
>>> and install from source and enable SSL:
>>>
>>>
>>> https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb
>>>
>>>
>>> This might not be the 'fastest' way to go to enable SSL, but it's one way.
>>>
>>> Another way would be to have a frontend which does SSL ie apache.
>>>
>>> Hope this helps.
>>>
>>> Lopaka
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang <
>>> 
 >
>>>  wrote:
>>>
>>>  Actually... stunnel might not be such a good solution as I believe I
>>> will lose the source IP address, and I dont want to lose that...
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang <
>>> 
 >
>>>  wrote:
>>>
>>>  Thanks Eric.
>>>
>>> I had forgotten that haproxy doesn't support SSL yet. I think 1.5 does
>>> (which is what an apt-get install gets me), but even though, the haproxy
>>> cookbook apparently does not. I'll check out the stunnel cookbook.
>>>
>>> Good to know it's not just me that finds the haproxy cookbook
>>> documentation confusing. The examples don't work as is either.
>>>
>>> Douglas.
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot 
>>> <
 >wrote:
>>>
>>>  I would strongly suggest pairing the haproxy cookbook with the stunnel
>>> cookbook in order to get this working.  Otherwise haproxy has no native
>>> support for SSL.  The SSL options in that cookbook just create another
>>> listener for you to then connect to (with, for example, stunnel).
>>>
>>>  Does that answer your question?
>>>
>>>  BTW if you find that cookbook confusing or insufficient (we did, but the
>>> last time I looked at it was a while ago), we also maintain one which is
>>> pretty functional (although the docs may be slightly out of date at this
>>> point):
>>>
>>>  https://github.com/evertrue/et_haproxy-cookbook
>>>  --
>>> Eric
>>>
>>> On March 13, 2014 at 5:15:52 PM, Douglas Garstang (
>>> 
 )
>>>  wrote:
>>>
>>>   Can anyone recommend a functional haproxy cookbook that support sssl?
>>> The most likely candidate, at https://github.com/hw-cookbooks/haproxy,
>>> has knobs for enabling ssl, but as far as I can see, no way to pass the 
>>> pem
>>> file location. (the setting is 'crt' i think).
>>>
>>> Alternatively, if there's a way a wrapper cookbook could easily add that
>>> functionality...
>>>
>>> Douglas
>>>
>>>
>>>
>>>
>>>  --
>>> Regards,
>>>
>>> Douglas Garstang
>>> http://www.linkedin.com/in/garstang
>>> Email: 
>>> 
 
>>> Cell: +1-805-340-5627
>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Douglas Garstang
>>> http://www.linkedin.com/in/garstang
>>> Email: 
>>> 
 
>>> Cell: +1-805-340-5627
>>>
>>>
>>>
>>>
>>> --
>>>  Lopaka Delp
>>> RightScale - Linux Systems Engineer
>>> 
 
>>> 805-243-0998
>>>
>>>
>>>
>
>
> -- 
> Regards,
>
> Douglas Garstang
> http://www.linkedin.com/in/garstang
> Email: 
> 
 
> Cell: +1-805-340-5627

-- 
-sean