Comments on: Installing HAProxy and Stunnel (load balance http and https)

By: Jerod

Jerod — Wed, 01 Sep 2010 18:02:34 +0000

Also, important to note is that if you are using a shared ip for redundant load balancers using this method you will need to alter your confiuration from explicitly trying to bind to [SERVER_PUBLIC_IP_ADDRESS] in stunnel.conf and haproxy.cf. A quick way around this is to listen for traffic from any ip address on those ports by doing the following

listen load_balanced *:80 # http

for haproxy.cf and

accept=443

in stunnel.conf

By: Jerod

Jerod — Wed, 01 Sep 2010 15:29:35 +0000

Is it possible with stunnel to do encrypting end to end? How would you suggest I achieve this, because this cluster I am setting up will be handling credit cards / ecommerce.

By: DavidK

DavidK — Tue, 31 Aug 2010 18:13:13 +0000

Absolutely. The above solution isn’t a total security solution. In my case SSL traffic *exactly* the same as non-SSL. But if you are taking credit card payments or passing secret data over SSL then you should definitely be encrypting end to end or putting in place other measures to ensure that within your servers there is no risk of a man in the middle or hijack.

By: Jerod

Jerod — Tue, 31 Aug 2010 17:29:15 +0000

Is there a cause for concern that the traffic you’re sending to the website from the proxy no longer encrypted?

For example what if public ip addresses of the servers in the cluster were used rather than 192. or 10. because they are not part of the same lan.

By: ccook

ccook — Fri, 23 Jul 2010 05:17:03 +0000

I’m having a bit of a problem with a very similar setup using stunnel and haproxy. My browser is frequently returning the links I click on from my site as http:// with a blank page, but other times it will return the https://url with page displaying correctly. Ever experience anything similar?

By: DavidK

DavidK — Tue, 15 Jun 2010 19:47:09 +0000

The load balancing machine isn’t beefy at all, it’s a Linode 360, which literally is 360MB of RAM.

I should’ve clarified… the 600 concurrent are the SSL users, I’m running another 700 on plain http at the same time.

By: Ben

Ben — Tue, 15 Jun 2010 16:43:26 +0000

David,
How beefy is your machine? We are currently using haproxy with 2000 + concurrent (nonSSL), I am curious how many SSL connections I can terminate on the load balancer before I start running into problems (working on a benchmark right now )

Cheers,
Ben

By: DavidK

DavidK — Mon, 07 Jun 2010 06:30:16 +0000

@Ben, I have no idea. I’m currently doing about 600 concurrent during the peak of 4pm > 1am, and from the basic metrics (load, network, I/O, memory) I still have a lot of head room available.

I haven’t done any load testing to determine where it will start to fail though, and it might reasonably fail simply due somewhere within stunnel which isn’t really designed with this in mind (haproxy has been tested to death and will be fine, as would the horizontal scaling of the web servers… so the weak link is stunnel).

By: Ben

Ben — Fri, 04 Jun 2010 17:16:46 +0000

How many concurrent SSL connections can you handle with that setup?

-Ben

By: DavidK

DavidK — Sun, 14 Feb 2010 10:12:21 +0000

John, I could well have done that. However I’m keeping 443 on the backend to allow self-signed certificates to access each box via an A record so that I have the ability to jump onto any box remotely and view stats and manage things. So I chose to route via 8443 so that I have all of the functionality I want for the main site whilst still allowing me to interrogate each server. Basically 443 is serving up server-related stats so that I have one control panel that pulls in uptime and load info from each web slave.

So yes, what you’re saying works. It’s always like this, there isn’t a right or wrong way, there’s just personal choices and preferences. I hope what I’ve published helps people even though it reflects some of my personal choice and preference.