Not sure if you’re doing this on EC2 but if you are there is also the option of terminating SSL on ELB, which will insert a header (X-Forwarded-For I believe) containing the source IP.
There are actually patches to add that header with Stunnel but I will admit that that option does kind of suck.
On March 13, 2014 at 6:23:35 PM, Robert Tsai (email@example.com) wrote:
I agree with Daniel. Ngnix and HAproxy is a great combo for ssl termination. Definitely use HttpRealIp and you can balance based on source ip if needed.
As for the recipe, we decided to do a wrapper recipe to tie the two together.
On Mar 13, 2014, at 2:56 PM, Daniel Condomitti firstname.lastname@example.org wrote:
I normally use nginx to terminate SSL which means we can inject a header containing the source IP address. Combining this with the HttpRealIp module means you get the real client IP in your backend logs.
This doesn’t help if you’re not proxying HTTP though.
On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:
HAProxy 1.5 has SSL. Unfortunately, it’s still under development/beta. In the haproxy community cookbook, looks like there is a recipe to make and install from source and enable SSL:
This might not be the ‘fastest’ way to go to enable SSL, but it’s one way.
Another way would be to have a frontend which does SSL ie apache.
Hope this helps.
On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang email@example.com wrote:
Actually… stunnel might not be such a good solution as I believe I will lose the source IP address, and I dont want to lose that…
On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang firstname.lastname@example.org wrote:
I had forgotten that haproxy doesn’t support SSL yet. I think 1.5 does (which is what an apt-get install gets me), but even though, the haproxy cookbook apparently does not. I’ll check out the stunnel cookbook.
Good to know it’s not just me that finds the haproxy cookbook documentation confusing. The examples don’t work as is either.
On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot email@example.com wrote:
I would strongly suggest pairing the haproxy cookbook with the stunnel cookbook in order to get this working. Otherwise haproxy has no native support for SSL. The SSL options in that cookbook just create another listener for you to then connect to (with, for example, stunnel).
Does that answer your question?
BTW if you find that cookbook confusing or insufficient (we did, but the last time I looked at it was a while ago), we also maintain one which is pretty functional (although the docs may be slightly out of date at this point):
On March 13, 2014 at 5:15:52 PM, Douglas Garstang (firstname.lastname@example.org) wrote:
Can anyone recommend a functional haproxy cookbook that support sssl? The most likely candidate, at https://github.com/hw-cookbooks/haproxy, has knobs for enabling ssl, but as far as I can see, no way to pass the pem file location. (the setting is ‘crt’ i think).
Alternatively, if there’s a way a wrapper cookbook could easily add that functionality…
RightScale - Linux Systems Engineer