Comments on: Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/ When a single point of failure is not an option Fri, 30 Jul 2010 12:18:37 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: DEAN http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-1181 DEAN Tue, 06 Jul 2010 20:04:10 +0000 http://blog.loadbalancer.org/?p=239#comment-1181 <strong><blockquote><a href="http://pillspot.org/" rel="nofollow">Pillspot.org. Canadian Health&Care.No prescription online pharmacy.Special Internet Prices.Best quality drugs. Online Pharmacy. Order drugs online</a>...</strong> Buy:Mega Hoodia.Actos.Synthroid.Prevacid.Nexium.100% Pure Okinawan Coral Calcium.Arimidex.Prednisolone.Accutane.Zovirax.Zyban.Lumigan.Petcam (Metacam) Oral Suspension.Human Growth Hormone.Retin-A.Valtrex....
Pillspot.org. Canadian Health&Care.No prescription online pharmacy.Special Internet Prices.Best quality drugs. Online Pharmacy. Order drugs online

Buy:Mega Hoodia.Actos.Synthroid.Prevacid.Nexium.100% Pure Okinawan Coral Calcium.Arimidex.Prednisolone.Accutane.Zovirax.Zyban.Lumigan.Petcam (Metacam) Oral Suspension.Human Growth Hormone.Retin-A.Valtrex….

]]> By: Malcolm http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-875 Malcolm Sat, 14 Nov 2009 01:48:14 +0000 http://blog.loadbalancer.org/?p=239#comment-875 Alberto, Ooops forgot to actually reply to this, hence the delay. The port collision occurs on the TPROXIED return packets.. How does the subsystem know whether to send the replies to Pound or to HAProxy? I'm not totally sure on the specifics but I just know you can't do it - at least not with the current code :-). Alberto,
Ooops forgot to actually reply to this, hence the delay. The port collision occurs on the TPROXIED return packets.. How does the subsystem know whether to send the replies to Pound or to HAProxy? I’m not totally sure on the specifics but I just know you can’t do it - at least not with the current code :-).

]]> By: Alberto Giménez http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-871 Alberto Giménez Fri, 30 Oct 2009 15:22:32 +0000 http://blog.loadbalancer.org/?p=239#comment-871 Hi Malcolm, thanks for your great article. We are running Haproxy with full transparent mode enabled, and we are using Pound to terminate SSL requests. But, for multiple times that I've reread this article, I can't see why do you need a separate instance (not as in process instance, but as "bind" instanace, I assume) for Pound-incoming traffic. Couldn't you just redirect traffic from Pound to the haproxy bound on port 80? Why another instance in port 81? As you say, its not possible to use the same IP:port combination in Pound and Haproxy, but Pound is binding to port 443 and Haproxy to port 80. I can't see an IP:port collision. Thanks and congratulations!! Alberto Giménez Hi Malcolm, thanks for your great article. We are running Haproxy with full transparent mode enabled, and we are using Pound to terminate SSL requests.

But, for multiple times that I’ve reread this article, I can’t see why do you need a separate instance (not as in process instance, but as “bind” instanace, I assume) for Pound-incoming traffic.

Couldn’t you just redirect traffic from Pound to the haproxy bound on port 80? Why another instance in port 81? As you say, its not possible to use the same IP:port combination in Pound and Haproxy, but Pound is binding to port 443 and Haproxy to port 80. I can’t see an IP:port collision.

Thanks and congratulations!!

Alberto Giménez

]]> By: Gael http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-862 Gael Mon, 05 Oct 2009 12:11:43 +0000 http://blog.loadbalancer.org/?p=239#comment-862 Hi Malcolm and thanks for your reply and update of your post, much appreciate! The other thing, I would like to highlight is that I had problems with the logged IP on my httpd backend server. They were logging the SLB IP (even with mod_rpaf doing some cleaning of the X-Forwarded-For headers...). So after some investigation, scratching my head and doing some diagrams of the network flow of my installation, it appears that the problem was in haproxy configuration. In the post, you are using mode http, and that was causing the web server to log the wrong IP. Using mode tcp fixed the problem. Which makes sense if you think about how TProxy is working with HAProxy, as, AFAIK , it is used on Layer 4 and not Layer 7... Well anyway, here is my conf of haproxy (hugely inspired from yours obviously!): listen SSL_Backend VIP_OF_SLB:81 mode tcp balance roundrobin option forwardfor source 0.0.0.0 usesrc clientip server gr-web04 RIP_OF_BACKEND_WEBSERVER port 80 weight 10 check Now, the IP is correctly logged! So now, having accomplished that, we are able to do the following: SLB: with HAProxy + Pound for SSL termination that load balances: HTTP, HTTPS and FTP active / passive And on the backend, we have Squid as reverse proxy then Apache and we are logging the originating client IP! I hope this helps! Gael Hi Malcolm and thanks for your reply and update of your post, much appreciate!

The other thing, I would like to highlight is that I had problems with the logged IP on my httpd backend server. They were logging the SLB IP (even with mod_rpaf doing some cleaning of the X-Forwarded-For headers…).

So after some investigation, scratching my head and doing some diagrams of the network flow of my installation, it appears that the problem was in haproxy configuration.

In the post, you are using mode http, and that was causing the web server to log the wrong IP. Using mode tcp fixed the problem.
Which makes sense if you think about how TProxy is working with HAProxy, as, AFAIK , it is used on Layer 4 and not Layer 7…

Well anyway, here is my conf of haproxy (hugely inspired from yours obviously!):

listen SSL_Backend VIP_OF_SLB:81

mode tcp
balance roundrobin
option forwardfor
source 0.0.0.0 usesrc clientip
server gr-web04 RIP_OF_BACKEND_WEBSERVER port 80 weight 10 check

Now, the IP is correctly logged!

So now, having accomplished that, we are able to do the following:

SLB: with HAProxy + Pound for SSL termination that load balances: HTTP, HTTPS and FTP active / passive

And on the backend, we have Squid as reverse proxy then Apache and we are logging the originating client IP!

I hope this helps!

Gael

]]> By: Malcolm Turnbull http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-861 Malcolm Turnbull Sat, 03 Oct 2009 11:07:46 +0000 http://blog.loadbalancer.org/?p=239#comment-861 Gael, Sorry I had not updated the tar file with the latest diff package. I have now changed the blog and uploaded the current patch correctly. wget http://www.loadbalancer.org/download/PoundSSL-Tproxy/poundtp-2.4.5.diff Gael,
Sorry I had not updated the tar file with the latest diff package. I have now changed the blog and uploaded the current patch correctly. wget http://www.loadbalancer.org/download/PoundSSL-Tproxy/poundtp-2.4.5.diff

]]> By: Gael http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-860 Gael Fri, 02 Oct 2009 15:36:32 +0000 http://blog.loadbalancer.org/?p=239#comment-860 Me again but I do not understand the following: cp ./poundtp-2.4.5.diff ../Pound-2.4.5 cd ../ cd ../Pound-2.4.5 patch -p1 < poundtp-2.4.5-rndport-cap.diff You are copying poundtp-2.4.5.diff to Pound-2.4.5, then applying this patch: poundtp-2.4.5-rndport-cap.diff from Pound-2.4.5. The only problem is that this patch does not exist in the Pound-2.4.5 folder... Can you please shed some light? TIA G. Me again but I do not understand the following:

cp ./poundtp-2.4.5.diff ../Pound-2.4.5
cd ../
cd ../Pound-2.4.5

patch -p1 < poundtp-2.4.5-rndport-cap.diff

You are copying poundtp-2.4.5.diff to Pound-2.4.5, then applying this patch: poundtp-2.4.5-rndport-cap.diff from Pound-2.4.5.
The only problem is that this patch does not exist in the Pound-2.4.5 folder…

Can you please shed some light?

TIA
G.

]]> By: Gael http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-859 Gael Fri, 02 Oct 2009 15:26:28 +0000 http://blog.loadbalancer.org/?p=239#comment-859 I have just downloaded the file: poundtp-2.4.5.tgz and it does not contain the poundtp-2.4.5.diff file. I found it here: http://pound.percek.hu/poundtp-2.4.5.diff from this site: http://pound.percek.hu/ HTH G. I have just downloaded the file: poundtp-2.4.5.tgz and it does not contain the poundtp-2.4.5.diff file.

I found it here: http://pound.percek.hu/poundtp-2.4.5.diff from this site: http://pound.percek.hu/

HTH

G.

]]> By: Gael http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/comment-page-1/#comment-858 Gael Fri, 02 Oct 2009 14:56:25 +0000 http://blog.loadbalancer.org/?p=239#comment-858 Hi Malcolm and a big thanks for this article. I am going through it as of now as we now need to terminate SSL on the SLB. I was just wondering if it could be possible for you guys to put the checksum of the files (pound and patch) available so we can make sure the data we are downloading is properly downloaded and not compromised in any way. Thanks a lot in advance! G. Hi Malcolm and a big thanks for this article.
I am going through it as of now as we now need to terminate SSL on the SLB.

I was just wondering if it could be possible for you guys to put the checksum of the files (pound and patch) available so we can make sure the data we are downloading is properly downloaded and not compromised in any way.

Thanks a lot in advance!

G.

]]>