Douglas Garstang writes:
What enhancements to support SSL would you really like to see?
> Given that haproxy 1.5 already supports SSL, wouldn't the approach with the
> least effort here, be to enhance the community haproxy cookbook to also
> support it?
>
The cookbook already provides a fully data-driven LWRP to configure
haproxy to your heart's content:
https://github.com/hw-cookbooks/haproxy#haproxy
If you need haproxy to support things that aren't available out of
the box with the system packages, there's the source install recipe:
https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb
I'm interested to hear how specifically the current haproxy cookbook
falls short of what you need. How could it best be enhanced to support
what you need for SSL support?
--
>
>
> On Fri, Mar 14, 2014 at 8:23 AM, Nathan Williams wrote:
>
>> Ah! That's right, I forget the regular stunnel package doesn't do
>> X-Forwarded-For.
>> On Mar 13, 2014 3:43 PM, "Eric Herot" wrote:
>>
>>> Not sure if you're doing this on EC2 but if you are there is also the
>>> option of terminating SSL on ELB, which will insert a header
>>> (X-Forwarded-For I believe) containing the source IP.
>>>
>>> There are actually patches to add that header with Stunnel but I will
>>> admit that that option does kind of suck. :-)
>>> --
>>> Eric
>>>
>>> On March 13, 2014 at 6:23:35 PM, Robert Tsai wrote:
>>>
>>> I agree with Daniel. Nginx and HAProxy is a great combo for SSL
>>> termination. Definitely use HttpRealIp and you can balance based on source
>>> ip if needed.
>>>
>>> As for the recipe, we decided to do a wrapper recipe to tie the two
>>> together.
>>>
>>> On Mar 13, 2014, at 2:56 PM, Daniel Condomitti wrote:
>>>
>>> I normally use nginx to terminate SSL which means we can inject a
>>> header containing the source IP address. Combining this with the
>>> HttpRealIp[0] module means you get the real client IP in your backend logs.
>>>
>>> This doesn't help if you're not proxying HTTP though.
>>>
>>> [0] http://wiki.nginx.org/HttpRealipModule
>>>
>>> On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:
>>>
>>> Hello,
>>>
>>> HAProxy 1.5 has SSL. Unfortunately, it's still under development/beta.
>>> In the haproxy community cookbook, looks like there is a recipe to make
>>> and install from source and enable SSL:
>>>
>>>
>>> https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb
>>>
>>>
>>> This might not be the 'fastest' way to go to enable SSL, but it's one way.
>>>
>>> Another way would be to have a frontend which does SSL, i.e. Apache.
>>>
>>> Hope this helps.
>>>
>>> Lopaka
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang wrote:
>>>
>>> Actually... stunnel might not be such a good solution as I believe I
>>> will lose the source IP address, and I don't want to lose that...
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang wrote:
>>>
>>> Thanks Eric.
>>>
>>> I had forgotten that haproxy doesn't support SSL yet. I think 1.5 does
>>> (which is what an apt-get install gets me), but even though, the haproxy
>>> cookbook apparently does not. I'll check out the stunnel cookbook.
>>>
>>> Good to know it's not just me that finds the haproxy cookbook
>>> documentation confusing. The examples don't work as is either.
>>>
>>> Douglas.
>>>
>>>
>>> On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot wrote:
>>>
>>> I would strongly suggest pairing the haproxy cookbook with the stunnel
>>> cookbook in order to get this working. Otherwise haproxy has no native
>>> support for SSL. The SSL options in that cookbook just create another
>>> listener for you to then connect to (with, for example, stunnel).
>>>
>>> Does that answer your question?
>>>
>>> BTW if you find that cookbook confusing or insufficient (we did, but the
>>> last time I looked at it was a while ago), we also maintain one which is
>>> pretty functional (although the docs may be slightly out of date at this
>>> point):
>>>
>>> https://github.com/evertrue/et_haproxy-cookbook
>>> --
>>> Eric
>>>
>>> On March 13, 2014 at 5:15:52 PM, Douglas Garstang wrote:
>>>
>>> Can anyone recommend a functional haproxy cookbook that supports SSL?
>>> The most likely candidate, at https://github.com/hw-cookbooks/haproxy,
>>> has knobs for enabling SSL, but as far as I can see, no way to pass the pem
>>> file location. (The setting is 'crt', I think.)
>>>
>>> Alternatively, if there's a way a wrapper cookbook could easily add that
>>> functionality...
>>>
>>> Douglas
>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Douglas Garstang
>>> http://www.linkedin.com/in/garstang
>>> Cell: +1-805-340-5627
>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Douglas Garstang
>>> http://www.linkedin.com/in/garstang
>>> Cell: +1-805-340-5627
>>>
>>>
>>>
>>>
>>> --
>>> Lopaka Delp
>>> RightScale - Linux Systems Engineer
>>> 805-243-0998
>>>
>>>
>>>
>
>
> --
> Regards,
>
> Douglas Garstang
> http://www.linkedin.com/in/garstang
> Cell: +1-805-340-5627
-sean
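
The thread relies on the TLS terminator (nginx, ELB, or a patched stunnel) passing the source address to the backend in X-Forwarded-For. The Ruby sketch below is an added example, not code from any poster or from the cookbooks mentioned; it shows the check a backend needs before logging that header as the client IP. The proxy subnet, the sample addresses and the function names are all constructed assumptions.

```ruby
require 'ipaddr'

# Assumption: the SSL terminators live in 10.0.0.0/24 (constructed value).
TRUSTED_PROXIES = %w[10.0.0.0/24 127.0.0.1/32].map { |cidr| IPAddr.new(cidr) }

# Parse one address; returns nil for anything that is not a plain IP.
def parse_ip(text)
  text = text.to_s.strip
  return nil if text.empty? || text.include?('/')
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted?(text, trusted = TRUSTED_PROXIES)
  ip = parse_ip(text)
  !ip.nil? && trusted.any? { |net| net.include?(ip) }
end

# peer_addr: TCP peer of the backend connection.
# xff:       raw X-Forwarded-For header value, or nil.
# Returns the address that is safe to log as the client.
def client_ip(peer_addr, xff, trusted = TRUSTED_PROXIES)
  # A peer that is not one of our terminators can send any header it
  # likes, so the header is ignored and the socket address is used.
  return peer_addr unless trusted?(peer_addr, trusted)

  hops = xff.to_s.split(',').map(&:strip).reject(&:empty?)
  # Walk right to left: each trusted hop vouches for the entry before it.
  # The first untrusted entry is the client; entries to its left were
  # supplied by that client and are not believed.
  hops.reverse_each do |hop|
    return peer_addr if parse_ip(hop).nil? # malformed entry: fall back
    return hop unless trusted?(hop, trusted)
  end
  # Header missing, or every hop was one of our own proxies.
  hops.first || peer_addr
end
```

The same rule applies whichever component terminates SSL: only the entry appended by a proxy you control is trustworthy, and only when the connection itself comes from that proxy.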