Haproxy Cookbook


#1

Can anyone recommend a functional haproxy cookbook that supports SSL? The
most likely candidate, at https://github.com/hw-cookbooks/haproxy, has
knobs for enabling ssl, but as far as I can see, no way to pass the pem
file location. (the setting is ‘crt’ I think).

Alternatively, if there’s a way a wrapper cookbook could easily add that
functionality…

Douglas


#2

I would strongly suggest pairing the haproxy cookbook with the stunnel cookbook in order to get this working. Otherwise haproxy has no native support for SSL. The SSL options in that cookbook just create another listener for you to then connect to (with, for example, stunnel).

Does that answer your question?

BTW if you find that cookbook confusing or insufficient (we did, but the last time I looked at it was a while ago), we also maintain one which is pretty functional (although the docs may be slightly out of date at this point):

https://github.com/evertrue/et_haproxy-cookbook

Eric



#3

Thanks Eric.

I had forgotten that haproxy doesn’t support SSL yet. I think 1.5 does
(which is what an apt-get install gets me), but even so, the haproxy
cookbook apparently does not. I’ll check out the stunnel cookbook.

Good to know it’s not just me that finds the haproxy cookbook documentation
confusing. The examples don’t work as is either.

Douglas.


Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garstang@gmail.com
Cell: +1-805-340-5627


#4

Actually… stunnel might not be such a good solution as I believe I will
lose the source IP address, and I don’t want to lose that…



#5

Hello,

HAProxy 1.5 has SSL. Unfortunately, it’s still under development/beta. In
the haproxy community cookbook, looks like there is a recipe to make and
install from source and enable SSL:

https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb

This might not be the ‘fastest’ way to go to enable SSL, but it’s one way.

Another way would be to have a frontend which does SSL, i.e. Apache.

Hope this helps.

Lopaka


Lopaka Delp
RightScale - Linux Systems Engineer
lopaka@rightscale.com
805-243-0998


#6

You beat me to the post :)

That said, 1.5 has been out for some time now, if I recall.


~~ StormeRider ~~

“Every world needs its heroes […] They inspire us to be better than we
are. And they protect from the darkness that’s just around the corner.”

(from Smallville Season 6x1: “Zod”)

On why I hate the phrase “that’s so lame”… http://bit.ly/Ps3uSS



#7

I normally use nginx to terminate SSL which means we can inject a header containing the source IP address. Combining this with the HttpRealIp[0] module means you get the real client IP in your backend logs.

This doesn’t help if you’re not proxying HTTP though.

[0] http://wiki.nginx.org/HttpRealipModule



#8

HAProxy already injects X-Forwarded-For, IIRC, so I’m not sure why Nginx
would be required. stunnel does a fine job of handling the SSL offloading,
or you can put your HAProxy port 443 frontend into TCP mode so it just
balances TCP sessions, though you lose the ability to acl on layer-7
attributes like HTTP headers doing so, so I prefer to avoid it. In TCP mode
your backend members would handle the SSL cert.

Regards,

Nathan Williams



#9

haproxy 1.5 SSL works well. Even though it’s a dev version I’ve found it to
be stable. If you’re on Ubuntu there’s a PPA package at
https://launchpad.net/~vbernat/+archive/haproxy-1.5. You could front
haproxy with stunnel or stud but since 1.5 there’s really no reason to
terminate the SSL outside of haproxy.



#10

I agree with Daniel. Nginx and HAProxy is a great combo for SSL termination. Definitely use HttpRealIp and you can balance based on source IP if needed.

As for the recipe, we decided to do a wrapper recipe to tie the two together.



#11

Not sure if you’re doing this on EC2 but if you are there is also the option of terminating SSL on ELB, which will insert a header (X-Forwarded-For I believe) containing the source IP.

There are actually patches to add that header with Stunnel but I will admit that that option does kind of suck. :)

Eric
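
The forwarded-address idea from the posts above (nginx with HttpRealIp in #7, X-Forwarded-For from HAProxy or ELB in #8 and #11), as an added Ruby example that is not part of the original thread or of any cookbook discussed: the backend accepts the forwarded address only when the connection itself comes from a known proxy, and walks the header from the right so client-supplied entries are never believed. The proxy addresses, sample header values and the `resolve_client` name are constructed for illustration.

```ruby
require 'ipaddr'

# Constructed values: a TLS terminator on loopback and a private
# load-balancer subnet. Only these peers may speak for a client.
TRUSTED_PROXIES = %w[127.0.0.1/32 10.0.0.0/24].map { |cidr| IPAddr.new(cidr) }

def trusted_proxy?(ip, trusted = TRUSTED_PROXIES)
  trusted.any? { |net| net.include?(ip) }
end

# Parse one X-Forwarded-For element. Anything that is not a bare IP address
# (hostnames, "unknown", CIDR notation, host:port) yields nil.
def parse_ip(text)
  return nil if text.include?('/')

  IPAddr.new(text)
rescue ArgumentError
  nil
end

# peer_addr  - address of the TCP connection the backend actually accepted
# xff_header - raw X-Forwarded-For value, or nil when the header is absent
#
# Returns the address to log as the client, plus the header elements that
# could not be verified (worth logging separately, never worth trusting).
def resolve_client(peer_addr, xff_header, trusted = TRUSTED_PROXIES)
  peer = IPAddr.new(peer_addr)
  elements = xff_header.to_s.split(',').map(&:strip).reject(&:empty?)

  # A peer that is not one of our proxies can put anything in the header,
  # so the connection address is the only thing we know.
  return { client: peer.to_s, unverified: elements } unless trusted_proxy?(peer, trusted)

  client = peer
  until elements.empty?
    hop = parse_ip(elements.last)
    break if hop.nil? # unparsable element: stop at the last verified address

    elements.pop
    client = hop
    # Each proxy appends the address it saw, so the first hop from the right
    # that is not one of ours is the real client; everything left of it was
    # supplied by that client.
    break unless trusted_proxy?(hop, trusted)
  end
  { client: client.to_s, unverified: elements }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: [connection peer, X-Forwarded-For header]
  samples = [
    ['127.0.0.1',    '203.0.113.7, 10.0.0.5'],  # terminator behind a load balancer
    ['10.0.0.5',     '1.2.3.4, 198.51.100.9'],  # client sent its own header first
    ['198.51.100.9', '10.0.0.1'],               # direct hit, bypassing the proxies
    ['127.0.0.1',    nil]                       # terminator added no header
  ]
  samples.each do |peer, xff|
    result = resolve_client(peer, xff)
    puts format('peer=%-13s xff=%-24s client=%-13s unverified=%s',
                peer, xff.inspect, result[:client], result[:unverified].inspect)
  end
end
```

A non-empty `unverified` list on a request that arrived through a trusted proxy means the client sent its own X-Forwarded-For value.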



#12

Ah! That’s right, I forget the regular stunnel package doesn’t do
X-Forwarded-For.


#13

Given that haproxy 1.5 already supports SSL, wouldn’t the approach with the
least effort here be to enhance the community haproxy cookbook to also
support it?

Regards,

Douglas Garstang


#14

Douglas Garstang doug.garstang@gmail.com writes:

Given that haproxy 1.5 already supports SSL, wouldn’t the approach with the
least effort here, be to enhance the community haproxy cookbook to also
support it?

What enhancements to support SSL would you really like to see?

The cookbook already provides a fully data driven lwrp to configure
haproxy to your heart’s content:

https://github.com/hw-cookbooks/haproxy#haproxy

If you need haproxy to support things that aren’t available out of
the box with the system packages there’s the source install recipe:

https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb

I’m interested to hear how specifically the current haproxy cookbook
falls short of what you need. How could it best be enhanced to support
what you need for SSL support?


-sean


#15

Sean,

As far as I know there’s no way to pass the pem certificate. It’s the ‘crt’
setting I believe in the haproxy config. Am I missing that somewhere?

Douglas.



#16

Douglas Garstang doug.garstang@gmail.com writes:

Sean,

As far as I know there’s no way to pass the pem certificate. It’s the ‘crt’
setting I believe in the haproxy config. Am I missing that somewhere?

Actually this is possible. The cookbook in master provides a ‘haproxy’
resource that is data driven so you could use:

    haproxy "sslproxy" do
      config Mash.new(
        :global => {
          # ... your global settings
        },
        :defaults => {
          # ... your default settings
        },
        :frontend => {
          :ssl => {
            # 'crt' takes the path to your PEM file (placeholder path below)
            :bind => "*:443 ssl crt /etc/ssl/your ssl key"
            # ... your other settings for frontend named 'ssl'
          }
        }
      )
    end

This will then get serialized to the correctly formatted haproxy.cfg and
should work as expected provided your build of haproxy supports those options.

The data handed to the ‘config’ parameter can come from anything you
like, inline using Mash.new as in this example or via attributes of your
choosing nested under node['haproxy']['config']

If you see areas for improvement, definitely let us know!

-sean
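
The serialization step described in the answer above, as an added example that is not the hw-cookbooks/haproxy cookbook's own code: a simplified renderer (an assumption about the output layout, not the cookbook's serializer) turns the nested config data into haproxy.cfg text, and a check flags `ssl` binds with no `crt` path and TLS frontends without `option forwardfor`, the source-IP concern raised earlier in the thread. Section names, addresses and paths are constructed sample data.

```ruby
# Added example: simplified stand-in for the cookbook's serializer.
# String keys are used here; the recipe above passes symbols through Mash.
NAMED_SECTIONS = %w[frontend backend listen].freeze

# Constructed sample data in the shape handed to the 'config' parameter.
SAMPLE_CONFIG = {
  'global'   => { 'maxconn' => 4096, 'user' => 'haproxy' },
  'defaults' => { 'mode' => 'http', 'timeout' => ['connect 5s', 'client 50s'] },
  'frontend' => {
    'ssl'    => { 'bind' => '*:443 ssl crt /etc/ssl/private/example.pem',
                  'option' => 'forwardfor', 'default_backend' => 'app' },
    'broken' => { 'bind' => '*:8443 ssl', 'default_backend' => 'app' }
  },
  'backend'  => { 'app' => { 'server' => 'app1 10.0.0.10:8080 check' } }
}.freeze

# One section: a header line, then one indented "keyword value" line per
# setting. An array value repeats the keyword once per element.
def render_section(header, settings)
  body = settings.flat_map do |keyword, value|
    Array(value).map { |v| "  #{keyword} #{v}" }
  end
  [header, *body, '']
end

# global/defaults are unnamed; frontend/backend/listen hold named sections.
def render_haproxy_cfg(config)
  config.flat_map do |section, content|
    if NAMED_SECTIONS.include?(section)
      content.flat_map { |name, s| render_section("#{section} #{name}", s) }
    else
      render_section(section, content)
    end
  end.join("\n")
end

# True when the section sets 'option forwardfor' (with or without arguments).
def forwardfor?(settings)
  Array((settings || {})['option']).any? { |o| o.to_s.split.first == 'forwardfor' }
end

# Flag TLS listeners with no absolute 'crt' path on an 'ssl' bind, and TLS
# listeners that do not pass the client address on (assumes HTTP mode).
def audit_tls_binds(config)
  findings = []
  %w[frontend listen].each do |section|
    (config[section] || {}).each do |name, settings|
      binds = Array(settings['bind']).select { |b| b.split.include?('ssl') }
      next if binds.empty?
      binds.each do |bind|
        words = bind.split
        crt = words[words.index('crt') + 1] if words.include?('crt')
        next if crt.to_s.start_with?('/')
        findings << "#{section} #{name}: ssl bind without absolute crt path"
      end
      next if forwardfor?(settings) || forwardfor?(config['defaults'])
      findings << "#{section} #{name}: no 'option forwardfor', backend loses client IP"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts render_haproxy_cfg(SAMPLE_CONFIG)
  puts audit_tls_binds(SAMPLE_CONFIG)
end
```

Running the audit before the converge catches a missing PEM path in the data rather than at haproxy restart.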