Scott McKeown wrote:
Both seem to work perfectly as-long as I don't want to know who is accessing my site which make it next to useless. However, I can get HAProxy to report the IP Address of the visitor as long as you visit the HTTP page on port 80 as per my configuration file. I can also get STunnel to work with HAProxy but as soon as I enable 'protocol = proxy' the HTTPS side breaks and all I get in my browser is '400 Bad Request Your browser sent an invalid request'. I've played with everything I can thing of and I still cant get a Transparent STunnel>HAProxy solution working correctly.
[cut]
haproxy.cfg
global daemon log /dev/log local4 maxconn 40000 ulimit-n 81000 defaults log global mode http contimeout 4000 clitimeout 42000 srvtimeout 43000
listen http1 bind 192.168.82.10:80 mode http option http-server-close option forwardfor source 0.0.0.0 usesrc clientip balance roundrobin server http1_1 10.0.0.10:80 cookie http1_1 check inter 2000 rise 2 fall 3 server http1_1 10.0.0.20:80 cookie http1_1 check inter 2000 rise 2 fall 3
I'm not a haproxy expert, but it looks like you forgot to specify "accept-proxy" setting in the "bind" option.
http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
3. Implementations
Haproxy 1.5 implements the PROXY protocol on both sides : - the listening sockets accept the protocol when the "accept-proxy" setting is passed to the "bind" keyword. Connections accepted on such listeners will behave just as if the source really was the one advertised in the protocol. This is true for logging, ACLs, content filtering, transparent proxying, etc...
- the protocol may be used to connect to servers if the "send- proxy" setting is present on the "server" line. It is enabled on a per-server basis, so it is possible to have it enabled for remote servers only and still have local ones behave differently. If the incoming connection was accepted with the "accept-proxy", then the relayed information is the one advertised in this connection's PROXY line.
Mike