Hi,
I'm willing to use this kind of configuration:
https client --> stunnel --> haproxy --> 2 web servers in http (or more)
I've understood that haproxy can't handle the SSL part; that's why stunnel is needed.
I've read that a patch is required for stunnel to work with haproxy in this kind of configuration:
"I run stunnel 4.32 with patch from http://haproxy.1wt.eu/download/patches/ on port 443 and forward it to port 81 on the same machine which is bound to haproxy."
Can anyone tell me if this patch is now included in stunnel, and in particular, does Ubuntu 11.10 include it?
I would really rather stay with the package provided by Ubuntu in order to have easy upgrades/security fixes. I've experienced the work overload of manually compiling everything in Apache, for instance ;)
Any advice on this kind of setup? Documentation pointers? Best practices?
Regards, Thomas.
Here is the current package version on Ubuntu 11.10:

thomas@daisybox:~/Documents$ aptitude show stunnel4
Package: stunnel4
New: yes
State: not installed
Version: 3:4.35-2build1
Priority: optional
Section: universe/net
Maintainer: Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com
Uncompressed Size: 541 k
Depends: libc6 (>= 2.11), libssl1.0.0 (>= 1.0.0), libwrap0 (>= 7.6-4~), openssl, netbase, perl-modules
PreDepends: adduser
Suggests: logcheck-database
Conflicts: stunnel4
Breaks: stunnel (< 3:4.20-3), stunnel (< 3:4.20-3)
Replaces: stunnel, stunnel
Provides: stunnel
Description: Universal SSL tunnel for network daemons
 The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware daemons running on your system you can easily setup them to communicate with clients over secure SSL channel.

 stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.

 This package contains a wrapper script for compatibility with stunnel 3.x
Homepage: http://www.stunnel.org/

thomas@daisybox:~/Documents$ aptitude show stunnel
No current or candidate version found for stunnel
Package: stunnel
State: not a real package
Provided by: stunnel4
There is no patch "required" to use stunnel with HAProxy, regardless of the OS (I myself use the stunnel and haproxy packages on several Ubuntu servers).
The "patch" most people talk about in relation to stunnel and haproxy was to fix the issue where stunnel does not pass the originating IP address of the client (X-Forwarded-For header), but that has mostly been taken care of in recent versions by using the PROXY protocol, and it is really only necessary if you need to track the originating HTTPS client IP address.
Hope this helps, Mit
On Wed, Nov 23, 2011 at 4:07 PM, Thomas Manson thomas@123monsite.com wrote:
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
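As an added example (not from the thread), here is a minimal stunnel and HAProxy configuration for the https client --> stunnel --> haproxy --> two HTTP web servers layout Thomas describes, using the PROXY protocol Mit mentions so that the client IP reaches the backends without the old X-Forwarded-For patch. It assumes stunnel's `protocol = proxy` option (not present in the 4.35 package shown above; check `man stunnel` for your version) and HAProxy's `accept-proxy` bind option (HAProxy 1.5 or later); certificate paths and the 192.0.2.x backend addresses are placeholders.

```conf
# /etc/stunnel/stunnel.conf  (stunnel terminates TLS on 443)
cert   = /etc/stunnel/stunnel.pem      ; placeholder: cert + key in one PEM
setuid = stunnel4
setgid = stunnel4
pid    = /var/run/stunnel4/stunnel.pid
; Only the plaintext hop to HAProxy stays on this host, so bind it to loopback.
[https]
accept   = 443
connect  = 127.0.0.1:81
; Prepend a PROXY protocol header carrying the real client IP/port to each
; connection; this replaces the xforwardedfor patch Thomas asked about.
protocol = proxy

# /etc/haproxy/haproxy.cfg  (HAProxy balances plain HTTP to the web servers)
global
    log   /dev/log local0
    user  haproxy
    group haproxy
    daemon

defaults
    mode            http
    log             global
    option          httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # accept-proxy trusts the PROXY header it receives, so this listener must
    # be reachable only from stunnel on this host (loopback, not 0.0.0.0).
    bind 127.0.0.1:81 accept-proxy
    # Hand the recovered client IP to the web servers as X-Forwarded-For,
    # and tell them the original request was HTTPS.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend web

backend web
    balance roundrobin
    server web1 192.0.2.11:80 check    # placeholder addresses
    server web2 192.0.2.12:80 check
```

On Ubuntu the stunnel4 package also needs `ENABLED=1` in /etc/default/stunnel4 before the init script will start it; the web servers should then log the X-Forwarded-For value rather than 127.0.0.1 or the HAProxy host address.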