<div>
I actually got it to work, mostly. I did not use the TProxy flag or apply firewall rules for the transparent proxy. I am doing this in AWS EC2 and wanted to avoid that. My latest haproxy.cfg is at the bottom…
</div><div><br></div><div>It basically came down to pouring over all of the logs, including apache2. What I found was that even though I am connecting to port 81 to haproxy from stunnel, haproxy is connecting to my apache2 server on 443. And since I had SSL loaded on 443, it gave the bad gateway. So I just removed mod_ssl and allow the connection on port 443, and it works fine. I am having a strange issue, though, where apache2 is reporting the port as 80, even though it is 443. I even force to use other ports, like 10443, and apache2 is reporting 80.</div><div><br></div><div>I have added "setenv HTTPS on" to the vhost 443 setup so that my apps that need to detect https will still work. I am going to need to resolve the apache port problem though. I am trying to make this transparent to any code (php) I may have on my servers. So they may check for $_SERVER['HTTPS'] or port to detect SSL, and i want that to all still work, without having to change code. I have solved the HTTPS detection, but need to resolve this port issue, then I am good.</div><div><br></div><div><div>global</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>log 127.0.0.1<span class="Apple-tab-span" style="white-space:pre"> </span>local0 debug</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#log loghost<span class="Apple-tab-span" style="white-space:pre"> </span>local0 info</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>maxconn 50000</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#chroot /usr/share/haproxy</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>user haproxy</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>group haproxy</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>daemon</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#debug</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#quiet</div><div><br></div><div>defaults</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>log<span class="Apple-tab-span" style="white-space:pre"> </span>global</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>log-format Client:%Ci:%Cp\ BackendSrc:%Bi:%Bp\ Frontend:%Fi:%Fp\ Server:%Si:%Sp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>mode<span class="Apple-tab-span" style="white-space:pre"> </span>http</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#option<span class="Apple-tab-span" style="white-space:pre"> </span>httplog</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#option<span class="Apple-tab-span" style="white-space:pre"> </span>dontlognull</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>option forwardfor</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>retries<span class="Apple-tab-span" style="white-space:pre"> </span>3</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>option redispatch</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>maxconn<span class="Apple-tab-span" style="white-space:pre"> </span>50000</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>contimeout<span class="Apple-tab-span" style="white-space:pre"> </span>5000</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>clitimeout<span class="Apple-tab-span" style="white-space:pre"> </span>60000</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>srvtimeout<span class="Apple-tab-span" style="white-space:pre"> </span>300000</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>stats uri /haproxy_stats</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>stats realm Global\ statistics</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>stats auth admin:pajama^fire</div><div><br></div><div>frontend dev-stg</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>bind *:80</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>bind *:81 accept-proxy</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>mode http</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>timeout client 5m</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>option httpclose</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>default_backend dev-www</div><div> </div><div>backend dev-www</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>mode http</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>timeout connect 10s</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>timeout server 600s</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>balance roundrobin</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#begin_web_config</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>server ws1 10.168.75.147 maxconn 1000 check port 80</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#end_web_config</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>stats uri /haproxy_stats</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>stats realm Global\ statistics</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>stats auth admin:pajama^fire</div></div>
<div><div><br></div><div><div style="font-size: 13px; ">-- </div><div style="font-size: 13px; ">Robert Garcia</div><div style="font-size: 13px; ">BigHead Technology</div><div style="font-size: 13px; ">15520 Coutolenc Rd</div><div style="font-size: 13px; ">Magalia, Ca 95954</div><div style="font-size: 13px; ">ph: 530.645.4040 x222 fax: 530.645.4040</div><div style="font-size: 13px; "><a href="mailto:rgarcia@bighead.net" style="color: rgb(0, 106, 227); ">rgarcia@bighead.net</a> - <a href="http://bighead.net/" style="color: rgb(0, 106, 227); ">http://bighead.net/</a></div></div></div>
<p style="color: #A0A0A8;">On Thursday, June 7, 2012 at 3:30 AM, Scott McKeown wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div>Hi Robert,<br><br>I've been doing some work on both HAProxy and STunnel myself over the last month or so.<br><br>Your actual configuration files both look fine but one thing that you possibly missed is that you will have needed to have build HAProxy with the TProxy flag enabled, and I'm going to guess that you have also written and applied the Firewall rules for the transparent proxy.<br>
<br>I've attached a DRAFT pdf of the work that I have been doing, its a very basic how-to on setting up both STunnel and HAProxy in Transparent mode on a Centos 6.2 system.<br><br><br clear="all"><br>-- <br>With Kind Regards.<br>
<br>Scott McKeown<br><a href="http://Loadbalancer.org">Loadbalancer.org</a><br><a href="http://www.loadbalancer.org" target="_blank">http://www.loadbalancer.org</a><br><br>
</div></div></span>
<div style="border-bottom: 1px solid #f0f0f0; height: 10px;">
</div>
<br>
<div style="font-weight: bold; font-size: 14px; margin-bottom: 5px;">Attachments:</div>
<div>
<div style="">- STunnel-HAProxy transparent on Centos 6.2.pdf</div>
</div>
</blockquote>
<div>
<br>
</div>