Haproxy support for HTTPS (SSL) backend servers

Pasi Kärkkäinen
Haproxy support for HTTPS (SSL) backend servers
October 16, 2010 12:40PM
Hello,

I'd like to use haproxy to load-balance a service
that uses (only) https in the backend.. service in question
cannot be changed to provide http, it's https only.
(I know, it's stupid, but I cannot change that unfortunately..)

I know I could use the haproxy 'raw' mode, but I need some of the
ACL features of haproxy, so I need to use the http mode instead.

Does someone have a patch that allows using https on the backend?

If there's no such patch, how big a change would it require?
I might work on it if there's nothing ready yet..

Thanks!

-- Pasi
Nicholas Hadaway
Re: Haproxy support for HTTPS (SSL) backend servers
October 16, 2010 01:30PM
ACL features work just fine in TCP mode as well as HTTP mode.

-nick

On 10/16/2010 3:34 AM, Pasi Kärkkäinen wrote:
> Hello,
>
> I'd like to use haproxy to load-balance a service
> that uses (only) https in the backend.. service in question
> cannot be changed to provide http, it's https only.
> (I know, it's stupid, but I cannot change that unfortunately..)
>
> I know I could use the haproxy 'raw' mode, but I need some of the
> ACL features of haproxy, so I need to use the http mode instead.
>
> Does someone have a patch that allows using https on the backend?
>
> If there's no such patch, how big a change would it require?
> I might work on it if there's nothing ready yet..
>
> Thanks!
>
> -- Pasi
>
>
Pasi Kärkkäinen
Re: Haproxy support for HTTPS (SSL) backend servers
October 16, 2010 08:20PM
On Sat, Oct 16, 2010 at 06:29:19AM -0700, Nicholas Hadaway wrote:
> ACL features work just fine in TCP mode as well as HTTP mode.
>

I meant the features that need to parse the HTTP request and do things
based on it..

So tcp/raw mode won't work..

Thanks for the reply though!

-- Pasi

> -nick
>
> On 10/16/2010 3:34 AM, Pasi Kärkkäinen wrote:
>> Hello,
>>
>> I'd like to use haproxy to load-balance a service
>> that uses (only) https in the backend.. service in question
>> cannot be changed to provide http, it's https only.
>> (I know, it's stupid, but I cannot change that unfortunately..)
>>
>> I know I could use the haproxy 'raw' mode, but I need some of the
>> ACL features of haproxy, so I need to use the http mode instead.
>>
>> Does someone have a patch that allows using https on the backend?
>>
>> If there's no such patch, how big a change would it require?
>> I might work on it if there's nothing ready yet..
>>
>> Thanks!
>>
>> -- Pasi
>>
>>
>
>
Soren Hansen
Re: Haproxy support for HTTPS (SSL) backend servers
October 18, 2010 06:00PM
Terminate the ssl using apache+mod_ssl as a proxy to your HAproxy
Do your ACL stuff in HAproxy
Then have HAproxy send the request to a local stunnel client.
stunnel will then forward the request as ssl to a backend server.

You will need to define one stunnel client per backend server.
In HAproxy, you will have the local stunnels defined as servers.
Reinis Rozitis
Re: Haproxy support for HTTPS (SSL) backend servers
October 18, 2010 06:10PM
> I meant the features that need to parse the HTTP request and do things
> based on it..
>
> So tcp/raw mode won't work..
>
> Thanks for the reply though!
>
> -- Pasi

I think you are better off in this case using 'nginx' for example -
http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header change
and balancing on its own).

rr
Hervé COMMOWICK
Re: Haproxy support for HTTPS (SSL) backend servers
October 18, 2010 06:30PM
Hello,

You can use stunnel to decrypt/re-encrypt the SSL stuff:

stunnel's config:
http://vr.pastebin.com/Ay4e9wFk
haproxy's config:
http://vr.pastebin.com/1uDMeavk

Regards,

Hervé.

On Sat, 16 Oct 2010 13:34:04 +0300
Pasi Kärkkäinen <[email protected]> wrote:

> Hello,
>
> I'd like to use haproxy to load-balance a service
> that uses (only) https in the backend.. service in question
> cannot be changed to provide http, it's https only.
> (I know, it's stupid, but I cannot change that unfortunately..)
>
> I know I could use the haproxy 'raw' mode, but I need some of the
> ACL features of haproxy, so I need to use the http mode instead.
>
> Does someone have a patch that allows using https on the backend?
>
> If there's no such patch, how big a change would it require?
> I might work on it if there's nothing ready yet..
>
> Thanks!
>
> -- Pasi
>
>



--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:[email protected]
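The terminate / ACL-in-haproxy / re-encrypt-through-stunnel layout that Soren and Hervé describe, written out as an added example. It is not the pastebin configuration from the thread; hostnames, ports, the CA file path and the /admin ACL are assumptions. It also adds the two things a practitioner wants on the re-encrypt leg: stunnel is told to verify the backend's certificate (without "verify" it accepts any certificate), and haproxy's health check is an HTTP request so it tests the real server through the tunnel rather than only the local stunnel listener.

```conf
# ---- /etc/stunnel/stunnel.conf (client side; one [service] per backend) ----
# haproxy connects in clear text to 127.0.0.1:8441/8442; stunnel re-encrypts
# and forwards to the HTTPS-only backends (assumed hostnames).
client = yes
foreground = no
# Authenticate the backend against the CA that issued its certificate.
verify = 2
CAfile = /etc/stunnel/backend-ca.pem
# Idle timeout on this leg should not be shorter than haproxy's "timeout server".
TIMEOUTidle = 60

[app1]
accept  = 127.0.0.1:8441
connect = app1.internal.example:443

[app2]
accept  = 127.0.0.1:8442
connect = app2.internal.example:443

# ---- /etc/haproxy/haproxy.cfg (receives plaintext from the SSL terminator) ----
global
    log 127.0.0.1 local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    # apache+mod_ssl (or pound) terminates HTTPS and proxies here in clear text
    bind 127.0.0.1:8080
    acl is_admin path_beg /admin
    acl from_lan src 10.0.0.0/8
    http-request deny if is_admin !from_lan
    default_backend app

backend app
    balance roundrobin
    # The HTTP check travels through stunnel to the real server; a plain TCP
    # check would only prove that the local stunnel listener is up.
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ app.example
    server app1 127.0.0.1:8441 check inter 5s
    server app2 127.0.0.1:8442 check inter 5s
```

Because there are three independent timeout settings in this chain (terminator, haproxy, stunnel), keep them consistent; mismatched idle timeouts are the first thing to check when sessions drop.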
Pasi Kärkkäinen
Re: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 01:40PM
On Mon, Oct 18, 2010 at 07:00:37PM +0300, Reinis Rozitis wrote:
>> I meant the features that need to parse the HTTP request and do things
>> based on it..
>>
>> So tcp/raw mode won't work..
>>
>> Thanks for the reply though!
>>
>> -- Pasi
>
> I think you are better off in this case using 'nginx' for example -
> http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
> change and balancing on its own).
>

Yeah, I've tried nginx as well. It supports SSL on both the frontend
and backend, which is good, but the problem with nginx is that
it doesn't support http/1.1 on the backend side..

I have some application that also requires http/1.1 and refuses
to serve http/1.0 requests.. this is not easy :)

-- Pasi
Pasi Kärkkäinen
Re: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 01:40PM
On Mon, Oct 18, 2010 at 03:02:26PM +0000, Soren Hansen wrote:
> Terminate the ssl using apache+mod_ssl as a proxy to your HAproxy
> Do your ACL stuff in HAproxy
> Then have HAproxy send the request to a local stunnel client.
> stunnel will then forward the request as ssl to a backend server.
>
> You will need to define one stunnel client per backend server.
> In HAproxy, you will have the local stunnels defined as servers.
>

I tried this earlier.. and I got some problems with sessions
timing out, and I could figure out what was causing it.

It's kind of difficult when you have separate frontend (stunnel/pound),
"middleware" (haproxy), and then also separate backend (stunnel).

Replacing all that with nginx worked much better (no timeout problems),
but then I have the problem where nginx doesn't support http/1.1 on the backend..

-- Pasi
Pasi Kärkkäinen
Re: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 01:40PM
On Tue, Oct 19, 2010 at 02:35:01PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Oct 18, 2010 at 03:02:26PM +0000, Soren Hansen wrote:
> > Terminate the ssl using apache+mod_ssl as a proxy to your HAproxy
> > Do your ACL stuff in HAproxy
> > Then have HAproxy send the request to a local stunnel client.
> > stunnel will then forward the request as ssl to a backend server.
> >
> > You will need to define one stunnel client per backend server.
> > In HAproxy, you will have the local stunnels defined as servers.
> >
>
> I tried this earlier.. and I got some problems with sessions
> timing out, and I could figure out what was causing it.
>

I was supposed to write "couldn't" ..

-- Pasi


> It's kind of difficult when you have separate frontend (stunnel/pound),
> "middleware" (haproxy), and then also separate backend (stunnel).
>
> Replacing all that with nginx worked much better (no timeout problems),
> but then I have the problem where nginx doesn't support http/1.1 on the backend..
>
> -- Pasi
>
>
Simon Green - Centric IT Ltd
RE: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 01:50PM
Have you tried Varnish?
http://www.varnish-cache.org/
It's intended as a caching proxy but can do what you're after perfectly well.

Also if there's anything it can't do, you can in-line drop in to C in the config files and make it do it!

-----Original Message-----
From: Pasi Kärkkäinen [mailto:[email protected]]
Sent: 19 October 2010 12:33
To: Reinis Rozitis
Cc: haproxy@formilux.org
Subject: Re: Haproxy support for HTTPS (SSL) backend servers

On Mon, Oct 18, 2010 at 07:00:37PM +0300, Reinis Rozitis wrote:
>> I meant the features that need to parse the HTTP request and do
>> things based on it..
>>
>> So tcp/raw mode won't work..
>>
>> Thanks for the reply though!
>>
>> -- Pasi
>
> I think you are better off in this case using 'nginx' for example -
> http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
> change and balancing on its own).
>

Yeah, I've tried nginx as well. It supports SSL on both the frontend
and backend, which is good, but the problem with nginx is that
it doesn't support http/1.1 on the backend side..

I have some application that also requires http/1.1 and refuses
to serve http/1.0 requests.. this is not easy :)

-- Pasi
Pasi Kärkkäinen
Re: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 02:30PM
On Tue, Oct 19, 2010 at 11:46:23AM +0000, Simon Green - Centric IT Ltd wrote:
> Have you tried Varnish?
> http://www.varnish-cache.org/
> It's intended as a caching proxy but can do what you're after perfectly well.
>
> Also if there's anything it can't do, you can in-line drop in to C in the config files and make it do it!
>

Thanks for the tip. I'll take a look at it.

-- Pasi

> -----Original Message-----
> From: Pasi Kärkkäinen [mailto:[email protected]]
> Sent: 19 October 2010 12:33
> To: Reinis Rozitis
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy support for HTTPS (SSL) backend servers
>
> On Mon, Oct 18, 2010 at 07:00:37PM +0300, Reinis Rozitis wrote:
> >> I meant the features that need to parse the HTTP request and do
> >> things based on it..
> >>
> >> So tcp/raw mode won't work..
> >>
> >> Thanks for the reply though!
> >>
> >> -- Pasi
> >
> > I think you are better off in this case using 'nginx' for example -
> > http://wiki.nginx.org/HttpProxyModule (can do ACL / rewrites / header
> > change and balancing on its own).
> >
>
> Yeah, I've tried nginx as well. It supports SSL on both the frontend
> and backend, which is good, but the problem with nginx is that
> it doesn't support http/1.1 on the backend side..
>
> I have some application that also requires http/1.1 and refuses
> to serve http/1.0 requests.. this is not easy :)
>
> -- Pasi
>
>
Reinis Rozitis
Re: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 04:50PM
> Have you tried Varnish?
> http://www.varnish-cache.org/
> It's intended as a caching proxy but can do what you're after perfectly
> well.
>
> Also if there's anything it can't do, you can in-line drop in to C in the
> config files and make it do it!

As far as I know varnish doesn't support SSL (neither as frontend nor in
backends)?
So you would have to implement some extra layers anyways.

While I haven't tried myself (the URL thing (with providing the key/cert to
the balancer)) you could try Pound ( http://www.apsis.ch/pound/ )
which supports the client <-- ssl --> balancer (url parsing) <-- ssl -->
backend scheme..

rr
Pasi Kärkkäinen
Re: Haproxy support for HTTPS (SSL) backend servers
October 19, 2010 05:40PM
On Tue, Oct 19, 2010 at 05:42:51PM +0300, Reinis Rozitis wrote:
>> Have you tried Varnish?
>> http://www.varnish-cache.org/
>> It's intended as a caching proxy but can do what you're after perfectly
>> well.
>>
>> Also if there's anything it can't do, you can in-line drop in to C in
>> the config files and make it do it!
>
> As far as I know varnish doesn't support SSL (neither as frontend nor in
> backends)?
> So you would have to implement some extra layers anyways.
>
> While I haven't tried myself (the URL thing (with providing the key/cert
> to the balancer)) you could try Pound ( http://www.apsis.ch/pound/ )
> which supports the client <-- ssl --> balancer (url parsing) <-- ssl
> --> backend scheme..
>

Yep, I noticed Pound supports ssl to the backend in the latest version (2.5).

Another question: Do you guys know if some balancer allows 'http connect' passthrough?

I'd like to pass 'http connect' requests 'as is' to the backend server.
For example Pound seems to drop that request..

-- Pasi