<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Scott McKeown wrote:</div><blockquote type="cite">Both seem to work perfectly as long as I don't want to know who is accessing my site which makes it next to useless. However, I can get HAProxy to report the IP Address of the visitor as long as you visit the HTTP page on port 80 as per my configuration file. I can also get STunnel to work with HAProxy but as soon as I enable 'protocol = proxy' the HTTPS side breaks and all I get in my browser is '400 Bad Request Your browser sent an invalid request'. I've played with everything I can think of and I still can't get a Transparent STunnel>HAProxy solution working correctly.<br></blockquote>[cut]<br><blockquote type="cite">haproxy.cfg<br>======================================<br>global<br> daemon<br> log /dev/log local4<br> maxconn 40000<br> ulimit-n 81000<br>defaults<br> log global<br> mode http<br> contimeout 4000<br> clitimeout 42000<br> srvtimeout 43000<br><br>listen http1<br> bind <a href="http://192.168.82.10:80">192.168.82.10:80</a><br> mode http<br> option http-server-close<br> option forwardfor<br> source 0.0.0.0 usesrc clientip<br> balance roundrobin<br> server http1_1 <a href="http://10.0.0.10:80">10.0.0.10:80</a> cookie http1_1 check inter 2000 rise 2 fall 3<br> server http1_1 <a href="http://10.0.0.20:80">10.0.0.20:80</a> cookie http1_1 check inter 2000 rise 2 fall 3<br></blockquote><br></div><div>I'm not a haproxy expert, but it looks like you forgot to specify the "accept-proxy" setting in the "bind" option.</div><div><br></div><div><a href="http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt">http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt</a></div><div><br></div><div><pre>3. Implementations
Haproxy 1.5 implements the PROXY protocol on both sides :
- the listening sockets accept the protocol when the "accept-proxy" setting
is passed to the "bind" keyword. Connections accepted on such listeners
will behave just as if the source really was the one advertised in the
protocol. This is true for logging, ACLs, content filtering, transparent
proxying, etc...
- the protocol may be used to connect to servers if the "send-proxy" setting
is present on the "server" line. It is enabled on a per-server basis, so it
is possible to have it enabled for remote servers only and still have local
ones behave differently. If the incoming connection was accepted with the
"accept-proxy", then the relayed information is the one advertised in this
connection's PROXY line.
</pre></div><div><br></div><div>Mike</div></body></html>
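The exchange above, as an added example that is not part of the original message and is not HAProxy's or stunnel's code: a simplified Python model of a listener receiving the PROXY v1 line that stunnel's 'protocol = proxy' prepends, showing why the request line looks invalid without "accept-proxy" and what the listener learns with it. The function names, the sample addresses and the minimal request-line check are assumptions made for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header, CRLF included, per proxy-protocol.txt

# Constructed sample: what the backend socket receives from the TLS terminator.
SAMPLE = (b"PROXY TCP4 203.0.113.7 192.168.82.10 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 header off the front of data.

    Returns (info, rest); info is None for "PROXY UNKNOWN".
    Raises ValueError when no valid header is present.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ValueError("non-numeric port")
    sport, dport = (int(f) for f in fields[4:6])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return {"src": str(src), "sport": sport, "dst": str(dst), "dport": dport}, rest

def first_request_line(data: bytes, accept_proxy: bool):
    """Return (client, line, looks_like_http) as a hypothetical listener sees it."""
    client = None
    if accept_proxy:
        client, data = parse_proxy_v1(data)  # header consumed before HTTP parsing
    line = data.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    looks_like_http = len(parts) == 3 and parts[2].startswith("HTTP/")
    return client, line, looks_like_http

if __name__ == "__main__":
    print(first_request_line(SAMPLE, accept_proxy=False))
    print(first_request_line(SAMPLE, accept_proxy=True))
```

Because a listener with "accept-proxy" takes the source address from this header for logging and ACLs, that bind should be reachable only from the stunnel host.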