[stunnel-users] stunnel - haproxy setup with protocol = proxy

Scott McKeown scott at loadbalancer.org
Thu Jun 7 14:31:08 CEST 2012


Hi Robert,

That's great news. I'll also have to try and remember that one as I'm sure
that will possibly pop up again some time.


~Scott

On 7 June 2012 12:25, Robert Garcia <rgarcia at bighead.net> wrote:

>  I got it. The reason the port was wrong was that even though the port
> was on 443, the Host: header was coming over with a url and no port
> specified.
>
> Host: www.somesite.com
>
> When apache2 receives no port specified it assumes 80. So I changed my
> backend stanza in the haproxy config to rewrite the Host: header, adding
> the :443 which solves the issue.
>
> backend dev-www
> mode http
> timeout connect 10s
> timeout server 600s
> balance roundrobin
> #begin_web_config
> server ws1 10.168.75.147 maxconn 1000 check port 80
> #end_web_config
> stats uri /haproxy_stats
> stats realm Global\ statistics
> stats auth admin:pajama^fire
> acl is-ssl dst_port 443
> reqirep ^(Host:\ .+):*.*$ \1:443 if is-ssl
> reqadd X-Proto:\ SSL if is-ssl
>
> --
> Robert Garcia
> BigHead Technology
> 15520 Coutolenc Rd
> Magalia, Ca 95954
> ph: 530.645.4040 x222 fax: 530.645.4040
> rgarcia at bighead.net - http://bighead.net/
>
> On Thursday, June 7, 2012 at 3:48 AM, Robert Garcia wrote:
>
>  Maybe I am wrong, but I thought, in my research, that using the new
> proxy protocol would eliminate the need for both the stunnel x-forward
> patch and the transparent mode. Since I did get it to work that way,
> without transparent, I hope it stays that way. ;-)
>
> --
> Robert Garcia
> BigHead Technology
> 15520 Coutolenc Rd
> Magalia, Ca 95954
> ph: 530.645.4040 x222 fax: 530.645.4040
> rgarcia at bighead.net - http://bighead.net/
>
> On Thursday, June 7, 2012 at 3:30 AM, Scott McKeown wrote:
>
> Hi Robert,
>
> I've been doing some work on both HAProxy and STunnel myself over the last
> month or so.
>
> Your actual configuration files both look fine but one thing that you
> possibly missed is that you will have needed to have built HAProxy with the
> TProxy flag enabled, and I'm going to guess that you have also written and
> applied the Firewall rules for the transparent proxy.
>
> I've attached a DRAFT pdf of the work that I have been doing, it's a very
> basic how-to on setting up both STunnel and HAProxy in Transparent mode on
> a Centos 6.2 system.
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
>
>
> Attachments:
>  - STunnel-HAProxy transparent on Centos 6.2.pdf
>
>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
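
The Host: rewrite quoted in this thread, as an added example that is not part of the original messages: it runs the posted reqirep pattern over constructed Host lines to show what the backend receives, next to a stricter pattern. Python's re module stands in for HAProxy's regex engine here (an assumption), and STRICT_RULE and rewrite() are hypothetical names that do not appear in the thread.

```python
import re

# Pattern from the thread: reqirep ^(Host:\ .+):*.*$ \1:443 if is-ssl
# "\ " is HAProxy's config-file escape for a space; reqirep ignores case.
PAGE_RULE = re.compile(r"^(Host: .+):*.*$", re.IGNORECASE)

# Hypothetical stricter pattern (assumption, not from the thread):
# capture only the host part (name, IPv4 or bracketed IPv6) and drop
# any port the client sent, so the appended port is the only one.
STRICT_RULE = re.compile(
    r"^(Host: (?:\[[^\]]+\]|[^:]+))(?::\d*)?$", re.IGNORECASE
)


def rewrite(rule, header_line, port=443):
    """Apply a reqirep-style replacement of '\\1:<port>' to one header line.

    Lines the rule does not match are returned unchanged, as a header
    rewrite leaves non-matching headers alone.
    """
    return rule.sub(rf"\g<1>:{port}", header_line)


# Constructed sample header lines, not captured traffic.
SAMPLES = [
    "Host: www.somesite.com",        # the case described in the thread
    "Host: www.somesite.com:443",    # client already sent the port
    "Host: [2001:db8::1]",           # IPv6 literal without a port
    "User-Agent: example",           # unrelated header
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:32} page   -> {rewrite(PAGE_RULE, line)!r}")
        print(f"{'':32} strict -> {rewrite(STRICT_RULE, line)!r}")
```

Because `.+` is greedy, the posted pattern's capture group takes any port the client already sent, so such a line comes out with the port twice; the stricter pattern yields a single `:443` in both cases.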