[stunnel-users] Transparent STunnel & HAProxy on Centos6.2

Michal Trojnara Michal.Trojnara at mirt.net
Sat Apr 7 12:43:31 CEST 2012

Scott McKeown wrote:
> Both seem to work perfectly as long as I don't want to know who is
> accessing my site, which makes it next to useless. However, I can get
> HAProxy to report the IP Address of the visitor as long as you visit
> the HTTP page on port 80 as per my configuration file. I can also
> get STunnel to work with HAProxy but as soon as I enable 'protocol =
> proxy' the HTTPS side breaks and all I get in my browser is '400 Bad
> Request Your browser sent an invalid request'. I've played with
> everything I can think of and I still can't get a Transparent
> STunnel>HAProxy solution working correctly.
> haproxy.cfg
> ======================================
> global
>         daemon
>         log /dev/log local4
>         maxconn 40000
>         ulimit-n 81000
> defaults
>         log global
>         mode    http
>         contimeout      4000
>         clitimeout      42000
>         srvtimeout      43000
> listen http1
>         bind
>         mode http
>         option http-server-close
>         option  forwardfor
>         source usesrc clientip
>         balance roundrobin
>         server http1_1 cookie http1_1 check inter 2000 rise 2 fall 3
>         server http1_1 cookie http1_1 check inter 2000 rise 2 fall 3

I'm not a haproxy expert, but it looks like you forgot to specify the
"accept-proxy" setting in the "bind" option.


3. Implementations

Haproxy 1.5 implements the PROXY protocol on both sides:
   - the listening sockets accept the protocol when the "accept-proxy"
     is passed to the "bind" keyword. Connections accepted on such
     will behave just as if the source really was the one advertised in the
     protocol. This is true for logging, ACLs, content filtering,
     proxying, etc...

   - the protocol may be used to connect to servers if the "send-proxy" setting
     is present on the "server" line. It is enabled on a per-server basis, so it
     is possible to have it enabled for remote servers only and still have local
     ones behave differently. If the incoming connection was accepted with the
     "accept-proxy", then the relayed information is the one advertised in this
     connection's PROXY line.
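As an added illustration (not part of this thread, and not stunnel's or haproxy's own code): a strict PROXY protocol v1 receiver in Python, showing what a sender such as stunnel with `protocol = proxy` prepends to the client's bytes, why a listener configured with "accept-proxy" validates and strips that line, and why a plain HTTP listener without it sees a first line that is not an HTTP request line and answers 400. The sample bytes and documentation-range addresses are constructed.

```python
import ipaddress
import re

MAX_V1_HEADER = 107  # longest legal v1 line per the spec, CRLF included
# Constructed sample: what a PROXY-enabled sender (stunnel with "protocol =
# proxy") prepends to the client's own bytes before the HTTP request.
SAMPLE = (b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

class ProxyHeaderError(ValueError):
    """The leading bytes are not a well-formed PROXY v1 line."""

def parse_proxy_v1(data: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) or raise.
    A receiver validates strictly and drops the connection on any deviation."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1 or not data[:end].isascii():
        raise ProxyHeaderError("missing, oversized or non-ASCII PROXY v1 line")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":  # spec: addresses optional, rest of line ignored
        return None, None, None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad family or field count")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("ports must be plain decimal digits")
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError(f"malformed address: {exc}") from exc
    if str(src.version) != fields[1][-1] or src.version != dst.version:  # TCP4/TCP6
        raise ProxyHeaderError("address family does not match TCPx tag")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return str(src), sport, str(dst), dport, payload

def rejected(data: bytes) -> bool:
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError:
        return True
    return False

def looks_like_http_request(data: bytes) -> bool:
    """What a listener WITHOUT accept-proxy expects first: an HTTP request
    line. A PROXY line fails this, hence the thread's '400 Bad Request'."""
    first = data.split(b"\r\n", 1)[0]
    return re.fullmatch(rb"[A-Z]+ \S+ HTTP/\d\.\d", first) is not None
```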
