Hi Robert,
I've been doing some work on both HAProxy and STunnel myself over the last month or so.
Your actual configuration files both look fine, but one thing that you possibly missed is that you will have needed to have built HAProxy with the TProxy flag enabled, and I'm going to guess that you have also written and applied the firewall rules for the transparent proxy.
I've attached a DRAFT pdf of the work that I have been doing; it's a very basic how-to on setting up both STunnel and HAProxy in Transparent mode on a Centos 6.2 system.
I actually got it to work, mostly. I did not use the TProxy flag or apply firewall rules for the transparent proxy. I am doing this in AWS EC2 and wanted to avoid that. My latest haproxy.cfg is at the bottom…
It basically came down to poring over all of the logs, including apache2. What I found was that even though I am connecting to port 81 on haproxy from stunnel, haproxy is connecting to my apache2 server on 443. And since I had SSL loaded on 443, it gave the bad gateway. So I just removed mod_ssl and allowed the connection on port 443, and it works fine. I am having a strange issue, though, where apache2 is reporting the port as 80, even though it is 443. I even forced it to use other ports, like 10443, and apache2 is reporting 80.
I have added "setenv HTTPS on" to the vhost 443 setup so that my apps that need to detect https will still work. I am going to need to resolve the apache port problem though. I am trying to make this transparent to any code (php) I may have on my servers. So they may check for $_SERVER['HTTPS'] or the port to detect SSL, and I want that to all still work, without having to change code. I have solved the HTTPS detection, but need to resolve this port issue, then I am good.
global
    log 127.0.0.1 local0 debug
    #log loghost local0 info
    maxconn 50000
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet

defaults
    log global
    log-format Client:%Ci:%Cp\ BackendSrc:%Bi:%Bp\ Frontend:%Fi:%Fp\ Server:%Si:%Sp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
    mode http
    #option httplog
    #option dontlognull
    option forwardfor
    retries 3
    option redispatch
    maxconn 50000
    contimeout 5000
    clitimeout 60000
    srvtimeout 300000
    stats uri /haproxy_stats
    stats realm Global\ statistics
    stats auth admin:pajama^fire

frontend dev-stg
    bind *:80
    bind *:81 accept-proxy
    mode http
    timeout client 5m
    option httpclose
    default_backend dev-www

backend dev-www
    mode http
    timeout connect 10s
    timeout server 600s
    balance roundrobin
    #begin_web_config
    server ws1 10.168.75.147 maxconn 1000 check port 80
    #end_web_config
    stats uri /haproxy_stats
    stats realm Global\ statistics
    stats auth admin:pajama^fire
-- Robert Garcia BigHead Technology 15520 Coutolenc Rd Magalia, Ca 95954 ph: 530.645.4040 x222 fax: 530.645.4040 rgarcia@bighead.net - http://bighead.net/
On Thursday, June 7, 2012 at 3:30 AM, Scott McKeown wrote:
-- With Kind Regards.
Scott McKeown, Loadbalancer.org, http://www.loadbalancer.org
Attachments:
- STunnel-HAProxy transparent on Centos 6.2.pdf
Maybe I am wrong, but I thought, in my research, that using the new proxy protocol would eliminate the need for both the stunnel x-forward patch and the transparent mode. Since I did get it to work that way, without transparent, I hope it stays that way. ;-)
I got it. The reason the port was wrong was that even though the port was 443, the Host: header was coming over with a URL and no port specified.
Host: www.somesite.com
When apache2 receives no port specified it assumes 80. So I changed my backend stanza in the haproxy config to rewrite the Host: header, adding the :443, which solves the issue.

backend dev-www
    mode http
    timeout connect 10s
    timeout server 600s
    balance roundrobin
    #begin_web_config
    server ws1 10.168.75.147 maxconn 1000 check port 80
    #end_web_config
    stats uri /haproxy_stats
    stats realm Global\ statistics
    stats auth admin:pajama^fire
    # dst_port comes from the PROXY protocol line stunnel sends, so it is the client-facing 443
    acl is-ssl dst_port 443
    # append :443 to the Host: header so apache2 reports SERVER_PORT 443
    reqirep ^(Host:\ .+):*.*$ \1:443 if is-ssl
    reqadd X-Proto:\ SSL if is-ssl
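As an added illustration (my own code, not from the thread), the Python below models what the posted setup does to one request: the PROXY protocol v1 line from stunnel carries the client address and the original destination port, which is why `acl is-ssl dst_port 443` matches even though HAProxy listens on 81, and the Host: rewrite and X-Proto header are then applied. It also shows the posted greedy regex appending a second port when the Host: header already carries one, beside a tighter variant that is my assumption and not part of the posted config; the request bytes are constructed.

```python
import re

# Constructed sample of what stunnel hands to the "bind *:81 accept-proxy"
# listener: a PROXY protocol v1 line, then the decrypted plain-HTTP request.
SAMPLE = (
    b"PROXY TCP4 203.0.113.10 10.168.75.5 51234 443\r\n"
    b"GET /login HTTP/1.1\r\n"
    b"Host: www.somesite.com\r\n"
    b"X-Forwarded-For: 198.51.100.9\r\n"
    b"\r\n"
)

def parse_proxy_v1(data):
    """Strip a PROXY v1 line and return ({src_ip, dst_port, ...}, http_bytes).
    The line must be present and well formed; otherwise the request is refused,
    which is what an accept-proxy listener does with a missing header."""
    end = data.find(b"\r\n")
    if end < 0 or end > 107 or not data.startswith(b"PROXY "):
        raise ValueError("missing or malformed PROXY v1 header")
    f = data[:end].decode("ascii").split(" ")
    if len(f) != 6 or f[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 line")
    info = {"src_ip": f[2], "dst_ip": f[3], "src_port": int(f[4]), "dst_port": int(f[5])}
    return info, data[end + 2:]

# "reqirep ^(Host:\ .+):*.*$ \1:443" as posted: the greedy .+ swallows an existing port.
HOST_POSTED = re.compile(r"^(Host: .+):*.*$", re.I)
# Tighter variant (my assumption, not from the thread): replaces any existing port.
HOST_STRICT = re.compile(r"^(Host: [^:]+)(:[0-9]*)?$", re.I)

def apply_backend_rules(http, dst_port, host_re=HOST_POSTED):
    """Emulate 'acl is-ssl dst_port 443', the Host: reqirep and 'reqadd X-Proto: SSL'."""
    head, _, body = http.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    if dst_port == 443:
        lines = [host_re.sub(r"\1:443", l) if l.lower().startswith("host:") else l
                 for l in lines]
        lines.append("X-Proto: SSL")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body

def forward(data, host_re=HOST_POSTED):
    """What the backend server would receive for one PROXY-prefixed request."""
    info, http = parse_proxy_v1(data)
    return info, apply_backend_rules(http, info["dst_port"], host_re)
```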
Hi Robert,
That's great news. I'll also have to try and remember that one, as I'm sure that will possibly pop up again some time.
~Scott
On 7 June 2012 12:25, Robert Garcia rgarcia@bighead.net wrote:
On Thursday, June 7, 2012 at 3:48 AM, Robert Garcia wrote:
Maybe I am wrong, but I thought, in my research, that using the new proxy protocol would eliminate the need for both the stunnel x-forward patch and the transparent mode. Since I did get it to work that way, without transparent, I hope it stays that way. ;-)