![stunnel ciphers stunnel ciphers](https://torguard.net/assets/images/City-images/Japan.png)
Using the WUI option: Cluster Configuration > Layer 7 - Virtual Services click next to the relevant HAProxy Virtual Service and check that the correct options have been enabled Set X-Forward-for Header(enabled by default) and Proxy Protocol as shown below:įinally, reload HAProxy and stunnel to apply the changes using the restart buttons that appear at the top of the screen as shown below: b) Check HAProxy Configuration (optional) When you select the target HAproxy VIP from the drop down list - it will automatically modify HAProxy to accept PROXY protocol AND insert the XFF header. Using the WUI option: Cluster Configuration > SSL Terminatonclick next to the relevant stunnel Virtual Service and enable the option Enable Proxy Protocol as shown below: Note: For more details on the accept-proxy option please refer to this page, for more details on the proxy protocol please refer to this page.įortunately, stunnel & HAProxy can easily be configured in this way using the built-in Web User Interface: a) Configuring stunnel Server WEB3 192.168.10.13:80 weight 100 check inter 6000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
![stunnel ciphers stunnel ciphers](https://torguard.net/assets/images/City-Device/UnitedKingdom.png)
Server WEB2 192.168.10.12:80 weight 100 check inter 6000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions Server WEB1 192.168.10.11:80 weight 100 check inter 6000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions HAProxy must also be configured to accept and use this information by inserting the accept-proxy & option forwardfor directives: listen L7-VIPīind 192.168.10.10:80 transparent accept-proxy This enables stunnel to pass the original client IP address to HAProxy. Note: For more details on the protocol option please refer to this page. To force stunnel to pass the original client IP address the protocol directive in stunnel must be added and set to proxy as shown below: Ĭert = /etc//certs/STunnel.pem This is because stunnel is not transparent by default. !( By default, in the above example the IP address in the X-Forward-For header reaching the Web Servers is the load balancers own IP address. For more details on enabling this for IIS and Apache web servers, please see IIS and X-Forwarded-For Headers and Apache and X-Forwarded-For Headers.įor more complicated scenarios where SSL termination is also required on the load balancer and the original source IP address is still required, additional steps are needed. One way around this is to enable X-Forward-For headers for HAProxy (the default for appliances) and configure the web servers to track the IP address in this header. By default, the source IP address of the packet reaching the web servers is the IP address of the load balancer and not the IP address of the client. This occurs for example when HAProxy is used in it's default configuration to load balance a number of back-end web servers. When using proxies such as stunnel and HAProxy it's easy to loose track of the client source IP address.