We get enough TLS traffic on HAProxy now that a single process isn't able to cope with the number of new TLS connections.
After seeing how StackOverflow uses a TLS proxy on processes 2-N that sends traffic back to process 1, I started experimenting with that, as the default behavior (each process acting independently) is less than ideal.
I've now effectively got a configuration like this:
global
nbproc 3
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
stats bind-process all
stats socket /haproxy/proc1.sock mode 666 level admin process 1
stats socket /haproxy/proc2.sock mode 666 level admin process 2
stats socket /haproxy/proc2.sock mode 666 level admin process 3
defaults
log global
mode http
option dontlognull
listen tlsproxy
bind-process 2 3
bind 0.0.0.0:443 ssl crt /haproxy/example.com.pem
mode tcp
option tcplog
server fe_www abns@fe_www.sock send-proxy
frontend fe_www
bind-process 1
bind 0.0.0.0:80
bind abns@fe_www.sock accept-proxy
default_backend be_www
backend be_www
bind-process 1
server www01 10.1.1.1:80
This works.
However, information about the TLS connection is not available to fe_www
This causes two problems:
ACLs that use TLS connection information (eg to redirect HTTP traffic to HTTPS) are now broken, as everything is now a non-secure connection.
HTTP Logging of information like the TLS Version, TLS Ciphers, etc is broken – that information is not carried across.
I've tried swapping the use of abstract named sockets for loopback IP bindings, but this doesn't help.
Is there a way to bring the TLS information across in the proxied connection?
Best Answer
You can use send-proxy-v2-ssl to send SSL related information but as discussed in this ML thread HAProxy does not implement yet the parsing of those information in the receiving part (accept-proxy).
The only solution here is as suggested by "gf_", you need to use mode http in the tlsproxy part and do all the ssl related actions (ACLs, redirects, logging) there.