Ssl – HAProxy SSL Farm Options


I am trying to figure out how to set up an SSL farm with haproxy and SSL reverse proxies and I am looking for some general advice:

Is it possible to meet all of the following:

  • Load balance requests against the SSL farm and have failover so more than one SSL box will be possible (perhaps the sslcheck in haproxy will help with this).
  • Get an HTTP log that has the actual client IP addresses in it.
  • No TProxy Requirement

If all 3 of these are not possible I am wondering what the tradeoffs might be. Right now I am considering something like the following but this could change:

Haproxy 443 TCP Proxy Frontend -> SSL Proxies (Maybe Nginx) on High Ports -> Haproxy HTTP Front-End -> Webservers

I realize I could probably skip the second hop back to haproxy but the single perspective of everything in HAproxy might be nice. Also if I have to use TProxy, maybe going back to haproxy from the SSL farm will make the routing simpler?

References:
http://haproxy.1wt.eu/download/1.5/doc/configuration.txt
http://1wt.eu/articles/2006_lb/index_05.html

Best Answer

Kyle,

if you only need fail-over for the SSL part and not load balancing, here's what I suggest. You install haproxy + keepalived + stunnel (patched) on two nodes. Keepalived owns the service address and checks for the presence of the stunnel and haproxy processes to compute its weight so that the node in best shape is the master. Stunnel receives the traffic on port 443 and locally forwards it to haproxy on any port you like. In order for haproxy to log the client's IP address, you need the x-forwarded-for patch for stunnel (you can find it on my site). You'll then tell haproxy to log the x-forwarded-for header.

There is a limitation however. If you support HTTP keep-alive, then stunnel will only add the x-forwarded-for header once, which is a bit problematic. At Exceliance, we've started working on a patch to forward the connection parameters from stunnel to haproxy instead of playing with the x-forwarded-for. That way, haproxy believes it gets its connection from the real client. If you're interested, tell me, we can send it to you once it's complete.
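The three pieces the answer describes (keepalived owning the service address and weighting the node by whether stunnel and haproxy are running, stunnel terminating TLS on 443 and handing the plaintext to a local haproxy, and haproxy logging the client address from X-Forwarded-For), written out as an added configuration example. This is not the original poster's or the answerer's configuration: the addresses, ports, router id, certificate path and backend servers are placeholders, `xforwardedfor = yes` is assumed to be the option name introduced by the stunnel x-forwarded-for patch mentioned above, and `option forceclose` is added as an assumed workaround for the keep-alive limitation (closing after each response means every request arrives on a fresh connection, so stunnel adds the header every time). The only deliberate security choice beyond the answer is that haproxy's stunnel-facing listener is on loopback, so no outside client can hand haproxy a forged X-Forwarded-For.

```conf
# ---- /etc/keepalived/keepalived.conf (same on both nodes, priority differs) ----
vrrp_script chk_haproxy {
    script "killall -0 haproxy"   # exit 0 only while a haproxy process exists
    interval 2
    weight 2                      # add 2 to priority while the check passes
}
vrrp_script chk_stunnel {
    script "killall -0 stunnel"
    interval 2
    weight 2
}
vrrp_instance SSL_VIP {
    interface eth0
    state MASTER
    virtual_router_id 51          # placeholder, must be unique on the segment
    priority 101                  # peer node: 100; process checks shift the weights
    virtual_ipaddress {
        192.0.2.10/24             # placeholder service address clients connect to
    }
    track_script {
        chk_haproxy
        chk_stunnel
    }
}

# ---- /etc/stunnel/stunnel.conf (stunnel patched with x-forwarded-for) ----
cert = /etc/stunnel/stunnel.pem   # placeholder path to cert + key
pid  = /var/run/stunnel.pid
[https]
accept  = 443                     # binds all addresses, so it serves the VIP once held
connect = 127.0.0.1:8080          # plaintext hop to the local haproxy only
xforwardedfor = yes               # assumed option name added by the patch

# ---- /etc/haproxy/haproxy.cfg ----
global
    log 127.0.0.1 local0

defaults
    mode    http
    log     global
    option  httplog
    option  forceclose            # assumed workaround: one request per connection,
                                  # so stunnel inserts X-Forwarded-For on each request
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-from-stunnel
    bind 127.0.0.1:8080           # loopback only: X-Forwarded-For is trusted solely from stunnel
    # log the header's value; it appears in braces in each httplog line
    capture request header X-Forwarded-For len 15
    default_backend webservers

backend webservers
    balance roundrobin
    option httpchk GET /
    server web1 10.0.0.11:80 check   # placeholder backend addresses
    server web2 10.0.0.12:80 check
```

With this in place each httplog line carries the captured header in braces, e.g. `{203.0.113.5}`, which is the real client address rather than 127.0.0.1. The two nodes run identical stunnel and haproxy configurations; only keepalived's `priority` differs, and because each tracked script adds its weight, a node that loses either process drops below its peer and the address moves. Once the connection-parameter patch the answer mentions exists, `xforwardedfor` and the capture line become unnecessary, since haproxy would then see the client's address directly.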