haproxy and https using stunnel
EDIT 07-march-2014 as per Kyler’s note (thanks Kyler):
The following should help people patch v4.44 like I did. The patch itself comes from the haproxy site (http://haproxy.1wt.eu/download/patches/); fetch it into /usr/local/src/ before running patch. The zerg.biz link below is one of the archive mirrors listed on stunnel.org; any mirror will do.
apt-get install gcc build-essential libssl-dev   # compiler plus the OpenSSL headers stunnel builds against
cd /usr/local/src/
wget http://mirrors.zerg.biz/stunnel/archive/4.x/stunnel-4.44.tar.gz
tar xzf stunnel-4.44.tar.gz
cd stunnel-4.44
patch -p1 < ../stunnel-4.44-xforwarded-for.diff   # the haproxy patch, saved in /usr/local/src/ one level up
./configure
make
make install   # installs under /usr/local; make sure the init script starts this binary and not a distro-packaged stunnel
Again, Thanks Kyler
END EDIT
this article should have been called "what i learned while trying to set up https with haproxy".
after enough googling i came to the decision to do https through stunnel and then send plain http to haproxy.
clean and simple.
what i did not know is that you need to add reqadd X-Forwarded-Proto:\ https to the haproxy listener that stunnel feeds, so the app servers can tell the decrypted traffic apart from plain port-80 traffic. the client's address is a separate matter: it travels in X-Forwarded-For, which stunnel only inserts when it has been built with the xforwardedfor patch from the haproxy site.
problem is that (as of time of writing) this had only recently been merged into the latest release of stunnel (4.45); anything older has to be patched by hand.
here are my configs with some explanations below
haproxy.cfg:
global
    maxconn 4096
    pidfile /var/run/haproxy.pid
    daemon

defaults
    mode http
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

# plain http straight from the internet
listen HTTP *:80
    mode http
    cookie HTTP insert nocache
    balance roundrobin
    option httpclose
    # appends X-Forwarded-For with the client address; anything the client
    # sent itself stays in front of it, so the app must read the last value
    option forwardfor
    # the stats page sits on the public listener: change these credentials
    stats enable
    stats auth myuser:mypass
    # reqadd appends, so a client-supplied X-Forwarded-Proto survives in front
    # of this one; strip it first with "reqidel ^X-Forwarded-Proto:" if the app trusts it
    reqadd X-Forwarded-Proto:\ http
    server SERVER_A xxx.xxx.xxx.xxx:8080 cookie http_01 check
    server SERVER_B xxx.xxx.xxx.xxx:8080 cookie http_02 check

# https, already decrypted by stunnel on 443 and handed over locally on 8081.
# only stunnel should reach this listener: bind 127.0.0.1:8081 rather than *:8081,
# otherwise anyone who can reach 8081 gets traffic marked as https without any TLS.
listen HTTPS *:8081
    mode http
    cookie HTTP insert nocache
    balance roundrobin
    option httpclose
    # the patched stunnel already inserted X-Forwarded-For with the real client;
    # forwardfor appends a second one holding stunnel's address (127.0.0.1).
    # "option forwardfor except 127.0.0.1" leaves only stunnel's header.
    option forwardfor
    stats enable
    stats auth myuser:mypass
    # tells the app servers this request arrived over https
    reqadd X-Forwarded-Proto:\ https
    server SERVER_A xxx.xxx.xxx.xxx:8080 cookie http_01 check
    server SERVER_B xxx.xxx.xxx.xxx:8080 cookie http_02 check
stunnel.cfg:
; global options
sslVersion = all
; SSLv2 off; disable SSLv3 as well (options = NO_SSLv3) unless something still needs it
options = NO_SSLv2
cert = /etc/stunnel/stunnel.pem
; stunnel binds 443 before dropping privileges, so an unprivileged account
; (setuid = nobody) is enough and keeps the TLS endpoint from running as root
setuid = root
setgid = root
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[https]
accept = 443
; no host given, so this means localhost:8081, haproxy's HTTPS listener
connect = 8081
; needs the xforwarded-for patch from haproxy; an unpatched build rejects this option
xforwardedfor = yes
TIMEOUTclose = 0
as you can see from the two configs there is nothing special: two app servers and one load balancer handling minimal traffic, with only 80 and 443 open to the outside.
the xxx.xxx.xxx.xxx's would obviously be changed to the addresses of the app servers being balanced, and of course change the myuser / mypass stats credentials.
stunnel catches all the fun stuff on 443, decrypts it and forwards plain http to haproxy on 8081, where the reqadd marks it as https before it reaches the app servers.
only thing that had to be ensured was that the ec2 firewall was open for 80 and 443, but that's another article altogether.
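the check i would want before trusting any of this is to see what actually reaches the app servers. the following is an added example, not code from the original post: a throwaway Python 3 backend that you run in place of the real app on 8080, point a server line at, and then hit on 80 and 443 with and without forged X-Forwarded-* headers. it dumps the headers in the order they arrive and shows the client address and scheme an app should derive from them. the names and addresses in it are assumptions: LB_ADDR (10.0.0.5) stands for the balancer's internal address that shows up as the connection peer, 127.0.0.1 is the stunnel-to-haproxy hop on the balancer itself, and the derivation assumes that haproxy's option forwardfor and reqadd append their headers after anything the client sent, which is what the configs above do.

```python
#!/usr/bin/env python3
"""Debug backend for the stunnel -> haproxy -> app chain (added example, not
code from the post). Run it on an app server in place of the real app, point
a haproxy 'server' line at it, and request through the balancer on 80 and 443
with and without forged X-Forwarded-* headers.

Assumptions: the balancer reaches this server from LB_ADDR (hypothetical
10.0.0.5); the only intermediate hop inside the chain is stunnel connecting to
haproxy over 127.0.0.1; haproxy appends its X-Forwarded-For / X-Forwarded-Proto
after any client-sent copies."""

import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

LB_ADDR = "10.0.0.5"          # hypothetical: the balancer's internal address
TRUSTED_HOPS = {"127.0.0.1"}  # stunnel -> haproxy hop on the balancer itself


def split_hops(values):
    """Flatten repeated X-Forwarded-For headers (each may hold 'a, b') into one
    list of hops in arrival order."""
    hops = []
    for value in values:
        hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def client_ip(xff_values, peer, lb_addr=LB_ADDR, trusted_hops=TRUSTED_HOPS):
    """Derive the real client address from the X-Forwarded-For header values.

    Only a connection from the balancer carries headers worth reading; anyone
    reaching 8080 directly is the client themselves. From a trusted peer, walk
    the hops right to left: entries our own hops appended are skipped, and the
    first remaining one was appended by the last trusted proxy, so it is the
    only value a client could not have forged (given the append assumption)."""
    if peer != lb_addr:
        return peer
    for hop in reversed(split_hops(xff_values)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue              # not an address: injected garbage, ignore it
        if str(addr) not in trusted_hops:
            return str(addr)
    return peer                   # nothing usable: fall back to the peer


def scheme(xfp_values, peer, lb_addr=LB_ADDR):
    """'https' only if the balancer said so: haproxy's reqadd is the last
    X-Forwarded-Proto header, so a client-sent copy in front of it is ignored."""
    if peer == lb_addr and xfp_values and xfp_values[-1].strip().lower() == "https":
        return "https"
    return "http"


class DumpHandler(BaseHTTPRequestHandler):
    """Answers every GET with the peer, the raw headers in arrival order and the
    derived client address and scheme, and logs the same line to stderr."""

    def do_GET(self):
        peer = self.client_address[0]
        xff = self.headers.get_all("X-Forwarded-For") or []
        xfp = self.headers.get_all("X-Forwarded-Proto") or []
        lines = ["peer=%s" % peer]
        lines += ["%s: %s" % (k, v) for k, v in self.headers.items()]
        lines.append("derived client_ip=%s scheme=%s"
                     % (client_ip(xff, peer), scheme(xfp, peer)))
        body = "\n".join(lines) + "\n"
        self.log_message("%s", body.replace("\n", " | "))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DumpHandler).serve_forever()
```

the rightmost-untrusted rule is correct whenever every trusted hop appends its header after the client's. if the dump shows the patched stunnel placing its X-Forwarded-For in front of a client-supplied one instead of after it, a client on the 443 path can still forge the address the rule picks, and the header alone cannot be trusted on that path; later stunnel releases avoid this by passing the address out of band with protocol = proxy, which haproxy accepts via accept-proxy on its bind line.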
I use the same setup with haproxy and stunnel. With stunnel version 4.15 the option xforwardedfor=yes was working fine. But the more recent (!) version 4.25 of stunnel complains: "file /etc/stunnel/stunnel.conf line 15: Specified option name is not valid here". Line 15 contains exactly "xforwardedfor=yes". Was that option removed or renamed in stunnel 4.25? I tried moving this line from the service section to the global section, but with no luck.
let me try different versions to see what has changed
I've finally understood that strange issue with xforwardedfor=yes. The version 4.25 I was trying to use was without the patch. So after applying the file /usr/src/redhat/SOURCES/stunnel-4.25-xforwarded-for.patch and rebuilding the rpm I got a working stunnel that supports the option "xforwardedfor=yes".
sweet! that is great to know. i have to go through and update some of my existing haproxy installs; knowing this will definitely help when the time comes. i just don't understand why they can't streamline these very basic changes.
you did not mention having to apply a diff patch from haproxy to the stunnel source. This is one important piece of information for those who want to use stunnel with haproxy.
I tried the same config but removed port 80 from haproxy.cfg and am trying to pull data directly from port 443, but it's not working; it always gives a timeout. any idea on this?
This page shows up in Google for many searches. The following should help people patch v4.44 like I did.
apt-get install gcc build-essential libssl-dev
cd /usr/local/src/
wget http://mirrors.zerg.biz/stunnel/archive/4.x/stunnel-4.44.tar.gz
tar xzf stunnel-4.44.tar.gz
cd stunnel-4.44
patch -p1 < ../stunnel-4.44-xforwarded-for.diff
./configure
make
make install
I added this to the article. Thanks Kyler
oops, don't forget to download the patch directly from haproxy. Also, the zerg.biz link above is a mirror posted on stunnel.org for archives. You can use any mirror. http://haproxy.1wt.eu/download/patches/
I added this to the article. Thanks Kyler
hi kyler, thanks for your blog. i used all the steps to upgrade my stunnel to 4.44 and patched it too to get xforwardedfor, but after i made the changes i still see the internal ip of the load balancer in the apache access logs on the app servers. do you think i am missing something?
i have haproxy in frontend and backend config mode instead of 'listen'.