EDIT 07-march-2014 as per Kyler’s note (thanks Kyler):
The following should help people patch v4.44 like I did.
apt-get install gcc build-essential libssl-dev
cd /usr/local/src/
wget http://mirrors.zerg.biz/stunnel/archive/4.x/stunnel-4.44.tar.gz
tar xzf stunnel-4.44.tar.gz
cd stunnel-4.44
patch -p1 < ../stunnel-4.44-xforwarded-for.diff
./configure
make
make install
oops, don’t forget to download the patch directly from haproxy first. Also, the zerg.biz link above is one of the archive mirrors listed on stunnel.org; you can use any mirror. http://haproxy.1wt.eu/download/patches/
Again, Thanks Kyler
this article should have been called "what i learned while trying to setup https with haproxy".
clean and simple.
what i did not know is that you need to add reqadd X-Forwarded-Proto:\ https to the haproxy config for the listener that receives the traffic brought over from stunnel.
problem is that they only recently (as of time of writing) merged X-Forwarded-Proto into the latest release of stunnel (4.45).
here are my configs, with some explanation below
haproxy config:

global
    maxconn 4096
    pidfile /var/run/haproxy.pid
    daemon

defaults
    mode http
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen HTTP *:80
    mode http
    cookie HTTP insert nocache
    balance roundrobin
    option httpclose
    option forwardfor
    stats enable
    stats auth myuser:mypass
    reqadd X-Forwarded-Proto:\ http
    server SERVER_A xxx.xxx.xxx.xxx:8080 cookie http_01 check
    server SERVER_B xxx.xxx.xxx.xxx:8080 cookie http_02 check

listen HTTPS *:8081
    mode http
    cookie HTTP insert nocache
    balance roundrobin
    option httpclose
    option forwardfor
    stats enable
    stats auth myuser:mypass
    reqadd X-Forwarded-Proto:\ https
    server SERVER_A xxx.xxx.xxx.xxx:8080 cookie http_01 check
    server SERVER_B xxx.xxx.xxx.xxx:8080 cookie http_02 check
stunnel config:

sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/stunnel.pem
setuid = root
setgid = root
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[https]
accept = 443
connect = 8081
xforwardedfor = yes
TIMEOUTclose = 0
as you can see from the two configs there is nothing special -- two app servers and one load balancer handling minimal amounts of traffic and only accepting traffic on 80 & 443.
the xxx.xxx.xxx.xxx's would obviously be changed to the addresses of the balanced backend servers, and of course change the myuser / mypass credentials.
stunnel catches all the fun stuff on 443 and forwards it to haproxy over 8081.
only thing that had to be ensured was that the ec2 firewall was open, but that's another article altogether.
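one thing the app servers on 8080 have to get right is to only believe X-Forwarded-Proto / X-Forwarded-For when the request really came through the balancer. This is an added example, not code from the post: a small WSGI middleware that honours those headers only from assumed balancer addresses (TRUSTED_PROXIES is a made-up value standing in for the xxx.xxx.xxx.xxx above).

```python
from ipaddress import ip_address, ip_network

# Assumed balancer addresses (constructed placeholders, not from the post).
TRUSTED_PROXIES = [ip_network("10.0.0.0/24"), ip_network("127.0.0.1/32")]


def is_trusted(addr):
    """True if addr belongs to one of our haproxy/stunnel hosts."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_forwarded(environ):
    """Return (scheme, client_ip) that the application should act on."""
    peer = environ.get("REMOTE_ADDR", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if not is_trusted(peer):
        # Direct hit on 8080 that bypassed the balancer: ignore every
        # forwarding header, whatever the client put in them.
        return scheme, peer
    # reqadd appends its header after any the client sent, so if several
    # X-Forwarded-Proto values were joined, the balancer's is the last one.
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[-1]
    proto = proto.strip().lower()
    if proto in ("http", "https"):
        scheme = proto
    # "option forwardfor" appends the address haproxy saw; walk the list
    # from the right and stop at the first hop that is not one of our proxies.
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        if not is_trusted(hop):
            client = hop
            break
    return scheme, client


class ForwardedMiddleware:
    """Wrap a WSGI app so it sees the real scheme and client address."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        scheme, client = resolve_forwarded(environ)
        environ["wsgi.url_scheme"] = scheme
        environ["REMOTE_ADDR"] = client
        return self.app(environ, start_response)
```

With this in place, "is this request https?" and "who is the client?" decisions (secure cookies, redirects to https, logging) are answered from the balancer's headers only, and a client talking to 8080 directly gets plain http and its own source address.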