[chef] Re: Re: Re: Re: Re: Re: Re: Re: Re: haproxy Cookbook


  • From: Douglas Garstang
  • To:
  • Subject: [chef] Re: Re: Re: Re: Re: Re: Re: Re: Re: haproxy Cookbook
  • Date: Fri, 14 Mar 2014 16:33:39 -0700

Sean,

As far as I know there's no way to pass the pem certificate. It's the 'crt' setting I believe in the haproxy config. Am I missing that somewhere?

Douglas.


On Fri, Mar 14, 2014 at 4:17 PM, Sean Escriva wrote:
Douglas Garstang writes:

> Given that haproxy 1.5 already supports SSL, wouldn't the approach with the
> least effort here, be to enhance the community haproxy cookbook to also
> support it?
>

What enhancements to support SSL would you really like to see?

The cookbook already provides a fully data-driven LWRP to configure
haproxy to your heart's content:

https://github.com/hw-cookbooks/haproxy#haproxy

If you need haproxy to support things that aren't available out of
the box with the system packages, there's the source install recipe:

https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb

I'm interested to hear how specifically the current haproxy cookbook
falls short of what you need. How could it best be enhanced to support
what you need for SSL support?

>
>
> On Fri, Mar 14, 2014 at 8:23 AM, Nathan Williams wrote:
>
>> Ah! That's right, I forget the regular stunnel package doesn't do
>> X-Forwarded-For.
>> On Mar 13, 2014 3:43 PM, "Eric Herot" wrote:
>>
>>> Not sure if you're doing this on EC2 but if you are there is also the
>>> option of terminating SSL on ELB, which will insert a header
>>> (X-Forwarded-For I believe) containing the source IP.
>>>
>>> There are actually patches to add that header with Stunnel but I will
>>> admit that that option does kind of suck. :-)
>>> --
>>> Eric
>>>
>>> On March 13, 2014 at 6:23:35 PM, Robert Tsai wrote:
>>>
>>> I agree with Daniel. Nginx and HAProxy are a great combo for SSL
>>> termination. Definitely use HttpRealIp, and you can balance based on source
>>> IP if needed.
>>>
>>> As for the recipe, we decided to do a wrapper recipe to tie the two
>>> together.
>>>
>>> On Mar 13, 2014, at 2:56 PM, Daniel Condomitti wrote:
>>>
>>> I normally use nginx to terminate SSL which means we can inject a
>>> header containing the source IP address. Combining this with the
>>> HttpRealIp[0] module means you get the real client IP in your backend logs.
>>>
>>> This doesn't help if you're not proxying HTTP though.
>>>
>>> [0] http://wiki.nginx.org/HttpRealipModule
>>>
>>> On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:
>>>
>>> Hello,
>>>
>>> HAProxy 1.5 has SSL. Unfortunately, it's still under development/beta.
>>> In the haproxy community cookbook, it looks like there is a recipe to make
>>> and install from source and enable SSL:
>>>
>>>
>>> https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb
>>>
>>>
>>> This might not be the 'fastest' way to go to enable SSL, but it's one way.
>>>
>>> Another way would be to have a frontend which does SSL, i.e. apache.
>>>
>>> Hope this helps.
>>>
>>> Lopaka
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang wrote:
>>>
>>> Actually... stunnel might not be such a good solution as I believe I
>>> will lose the source IP address, and I don't want to lose that...
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang wrote:
>>>
>>> Thanks Eric.
>>>
>>> I had forgotten that haproxy doesn't support SSL yet. I think 1.5 does
>>> (which is what an apt-get install gets me), but even so, the haproxy
>>> cookbook apparently does not. I'll check out the stunnel cookbook.
>>>
>>> Good to know it's not just me that finds the haproxy cookbook
>>> documentation confusing. The examples don't work as is either.
>>>
>>> Douglas.
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot wrote:
>>>
>>> I would strongly suggest pairing the haproxy cookbook with the stunnel
>>> cookbook in order to get this working.  Otherwise haproxy has no native
>>> support for SSL.  The SSL options in that cookbook just create another
>>> listener for you to then connect to (with, for example, stunnel).
>>>
>>> Does that answer your question?
>>>
>>> BTW if you find that cookbook confusing or insufficient (we did, but the
>>> last time I looked at it was a while ago), we also maintain one which is
>>> pretty functional (although the docs may be slightly out of date at this
>>> point):
>>>
>>> https://github.com/evertrue/et_haproxy-cookbook
>>> --
>>> Eric
>>>
>>> On March 13, 2014 at 5:15:52 PM, Douglas Garstang wrote:
>>>
>>> Can anyone recommend a functional haproxy cookbook that supports SSL?
>>> The most likely candidate, at https://github.com/hw-cookbooks/haproxy,
>>> has knobs for enabling SSL, but as far as I can see, no way to pass the pem
>>> file location. (The setting is 'crt', I think.)
>>>
>>> Alternatively, if there's a way a wrapper cookbook could easily add that
>>> functionality...
>>>
>>> Douglas
>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Douglas Garstang
>>> http://www.linkedin.com/in/garstang
>>> Cell: +1-805-340-5627
>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Douglas Garstang
>>> http://www.linkedin.com/in/garstang
>>> Cell: +1-805-340-5627
>>>
>>>
>>>
>>>
>>> --
>>> Lopaka Delp
>>> RightScale - Linux Systems Engineer
>>> 805-243-0998
>>>
>>>
>>>
>
>
> --
> Regards,
>
> Douglas Garstang
> http://www.linkedin.com/in/garstang
> Cell: +1-805-340-5627

--
-sean



--
Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Cell: +1-805-340-5627
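The two haproxy 1.5 pieces this thread keeps returning to are the `crt` argument on a `bind ... ssl` line (the thing the cookbook reportedly gives no knob for) and `option forwardfor`, which is what keeps the client's source IP visible to the backends once TLS is terminated on the proxy. The Ruby below is an added example, not code from the thread or from the hw-cookbooks/haproxy cookbook: it renders such a frontend stanza the way a wrapper recipe's template might, and checks the PEM that `crt` will load, since haproxy expects certificate chain and private key in one file and that file should not be group- or world-readable. The helper names (`tls_frontend_stanza`, `check_pem`, `run_demo`) and the PEM contents are hypothetical/constructed.

```ruby
# Added example (not from the thread or the haproxy cookbook): render an
# haproxy 1.5 TLS-terminating frontend and sanity-check the PEM 'crt' loads.
require 'tmpdir'

# Frontend that terminates TLS with the combined PEM at +pem+ and passes the
# client's source IP to backends in X-Forwarded-For. Hypothetical helper.
def tls_frontend_stanza(name:, pem:, backend:, port: 443)
  [
    "frontend #{name}",
    "    bind *:#{port} ssl crt #{pem}",
    "    mode http",
    "    option forwardfor",   # haproxy adds X-Forwarded-For: <client ip>
    "    http-request set-header X-Forwarded-Proto https if { ssl_fc }",
    "    default_backend #{backend}",
  ].join("\n") + "\n"
end

# haproxy's 'crt' wants one PEM holding the certificate (plus chain) and the
# private key. Returns a list of problems; an empty list means it looks usable.
def check_pem(path)
  return ["#{path}: missing"] unless File.file?(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  if mode & 0o077 != 0
    problems << "#{path}: mode #{format('%o', mode)} is group/world readable"
  end
  body = File.read(path)
  unless body.include?('-----BEGIN CERTIFICATE-----')
    problems << "#{path}: no CERTIFICATE block"
  end
  unless body =~ /-----BEGIN (RSA |EC )?PRIVATE KEY-----/
    problems << "#{path}: no PRIVATE KEY block (crt needs cert + key in one file)"
  end
  problems
end

# Constructed demo: one well-formed PEM (cert + key, mode 0600) and one
# cert-only, world-readable file. Placeholder bodies stand in for real data.
def run_demo
  Dir.mktmpdir do |dir|
    good = File.join(dir, 'site.pem')
    File.write(good, "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n" \
                     "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    File.chmod(0o600, good)

    bad = File.join(dir, 'cert-only.pem')
    File.write(bad, "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
    File.chmod(0o644, bad)

    {
      good: check_pem(good),
      bad: check_pem(bad),
      stanza: tls_frontend_stanza(name: 'https-in', pem: good, backend: 'app'),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = run_demo
  puts result[:stanza]
  puts "good pem problems: #{result[:good].inspect}"
  puts "bad pem problems:  #{result[:bad].inspect}"
end
```

A wrapper recipe would run the equivalent of `check_pem` before dropping the rendered stanza into haproxy.cfg and notifying a reload, so a half-deployed certificate (key missing, or readable by every local user) fails the run instead of producing a frontend that haproxy refuses to bind or a key that any local account can copy.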


