Haproxy as standalone ssl processor #243

Open: wants to merge 2 commits into base: master
viniciusnz
Contributor

This commit solves the issue of not being able to see the user's IP address through SSL. The "HTTP_X_FORWARDED_FOR" was not included by HaProxy and the user's IP was lost, since previous HaProxy versions were not handling the SSL encryption / decryption process.

This changes the connection process from

---(SSL)---> HAPROXY ---(SSL)---> APACHE ---(CLEAR)---> PASSENGER / APP

to

---(SSL)---> HAPROXY ---(CLEAR)---> APACHE ---(CLEAR)---> PASSENGER / APP

For this it must use the latest version of haproxy (dev15), hence the change in the install process.

I did a monkey patch to make the install process work. Initially it won't work because the ssl clause is not available on the 1.4, non dev version of haproxy. Once the 1.5-dev15 version has overwritten the original haproxy then it works again.

Let me know your comments about it... Best,
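
Once a proxy terminates SSL and passes the client address in X-Forwarded-For, the application has to decide how far to trust that header, since a client can send its own value and a proxy only appends to it. The following is an added example, not code from this pull request or from rubber, of choosing the client address on the application side; `TRUSTED_PROXIES`, `parse_ip`, `trusted?` and `client_ip` are hypothetical names and every address is constructed.

```ruby
require "ipaddr"

# Assumption: addresses of our own proxies (HAProxy and Apache in the PR's
# topology). Constructed values; replace with your real proxy addresses.
TRUSTED_PROXIES = [IPAddr.new("127.0.0.1/32"), IPAddr.new("10.0.0.0/8")].freeze

# Parse one address; returns nil for empty, malformed or CIDR-style input.
def parse_ip(text)
  s = text.to_s.strip
  return nil if s.empty? || s.include?("/")
  IPAddr.new(s)
rescue ArgumentError # IPAddr's parse errors are ArgumentError subclasses
  nil
end

def trusted?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# remote_addr: TCP peer seen by the app (REMOTE_ADDR).
# forwarded_for: raw HTTP_X_FORWARDED_FOR value, may be nil.
# Returns the client address as a string, or nil if remote_addr is unusable.
def client_ip(remote_addr, forwarded_for)
  peer = parse_ip(remote_addr)
  return nil if peer.nil?
  # The header only counts when the request really came through our proxy.
  return peer.to_s unless trusted?(peer)

  last_good = peer
  # Each proxy appends the address it saw, so read right to left and stop at
  # the first address that is not one of ours; anything further left was
  # supplied by the client and is not trustworthy.
  forwarded_for.to_s.split(",").reverse_each do |entry|
    hop = parse_ip(entry)
    break if hop.nil?
    return hop.to_s unless trusted?(hop)
    last_good = hop
  end
  last_good.to_s
end
```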

@nirvdrum
Member

I'm hesitant. I like the idea of what HAProxy can accomplish now, but the 1.5-dev16 and 1.5-dev17 release notes cause concern. Since HAProxy is such a crucial part of a production environment, we may be better off sticking with 1.4 for now.

Can you comment on the quality of 1.5 vs. 1.4?

@viniciusnz
Contributor Author

It's been working perfectly for me in production ever since I posted the
pull request for quite some time. I didn't read the dev 16 and dev17 notes,
should I be worried about anything in specific Kevin?

It was the only way I found to actually get the requests real ip without
installing other software, but I understand your concern about this being a
very critical piece of the software bundle, maybe you guys should wait for
when it becomes a new stable major version.

Let me know if I can help though...

On Jan 26, 2013, at 8:26 PM, Kevin Menard notifications@github.com wrote:

> I'm hesitant. I like the idea of what HAProxy can accomplish now, but the
> 1.5-dev16 and 1.5-dev17 release notes cause concern. Since HAProxy is such
> a crucial part of a production environment, we may be better off sticking
> with 1.4 for now.
>
> Can you comment on the quality of 1.5 vs. 1.4?



@nirvdrum
Member

Hi @viniciusnz. Sorry this has taken so long to get to. It's been a year and 1.5 still hasn't gone stable yet. I still have concerns about such a critical piece of architecture being beta quality. But we may be able to support both and just rename this template to "haproxy-1.5". Thoughts?

@viniciusnz
Contributor Author

No worries Kevin... Once again thanks a lot for having done rubber, it saved me sooo much time.

I was using dev18 until today, now I have just seen that dev21 is available and have updated to it... One major new feature for this version that I read is server-side keep-alive, but I haven't experimented with the feature yet...

I didn't expect it to be beta for so long either... Let me know if this is the way you want to proceed and I can happily create a new template haproxy-1.5. It could help other people wanting to get people's real IP while using SSL... All the best
