[stunnel-users] Using stunnel + haproxy for SSL support

Tom Shaw tshaw at oitc.com
Fri Apr 4 18:21:07 CEST 2008


At 5:57 PM +0200 4/4/08, Alberto Giménez wrote:
>  Hi,
>
>I'm having trouble using stunnel and haproxy to load balance https and
>http traffic. To be honest, I really don't know wether it is stunnel
>or haproxy related so I am going to contact both lists :)
>
>I have set up a haproxy load balancer as http proxy for two backend
>Apache2 webservers. It works fine.
>I also have stunnel on the same LB to add SSL suport (with
>xforwardedfor patch installed). It works fine (mostly).
>
>The issue is related to Apache trailing slash thingie. If I query
>https://haproxy.domain.loc/hatest/ it works perfectly, but if I omit
>the trailing slash: https://haproxy.domain.loc/hatest then following
>things happen:
>
>- Browser makes SSL connection with stunnel on port 443.
>- stunnel deciphers and forwards the request on the haproxy attached
>to LB's port 80.
>- haproxy (now using plain http) forwards to one of the backends.
>- Apache2 located on the backend replies with "301 moved permanently"
>to force the browser to add the trailing slash. As Apache was queried
>by *haproxy in plain http*, the 301 includes http:// on the Location
>header. HTTPS is over from now!
>- The client browser then rewrites the address to
>http://haproxy.domain.loc/hatest/ and SSL is lost forever.
>
>I've been googling and searching the lists but nothing found, just
>this old message:
>
>http://mirt.net/pipermail/stunnel-users/2007-January/001437.html
>
>Has anyone found a workaround for that issue?

Alberto,

Why not process the existence or not of 
X-Forwarded-For in your index file? Something like

index.php
<?php
$hdr = http_get_request_headers();
if (!isset($hdr['X-Forwarded-For'])) {
	$host = $_SERVER['HTTP_HOST'];
	$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
	header("Location: https://$host$uri/index.php");
}
?>

Tom



More information about the stunnel-users mailing list