
I'm running a load-balancing server with HAProxy and terminating HTTPS with stunnel on the same machine. Behind it are two different web applications, A and B, with similar behaviour.

Here are the configurations for Stunnel:

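; ---- global options ----
; (The original file listed sslVersion/chroot/setuid/setgid twice; stunnel
; keeps the last value it reads, so the duplicate was harmless but confusing.
; Collapsed to a single copy here.)

; SSLv3 is obsolete and exploitable (POODLE) and is refused by current
; browsers; negotiate TLS only. "all" plus the NO_SSLv2/NO_SSLv3 options is
; the stunnel 4.x spelling. stunnel 5.x already defaults to TLS-only and also
; accepts e.g. "sslVersion = TLSv1.2".
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

; Drop privileges and chroot. Certificate, key and CA files are read at
; startup, before chroot()/setuid(), so the absolute paths below do not need
; to exist inside the chroot -- they only have to be readable by the user
; that starts stunnel (normally root).
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; Relative to the chroot, i.e. /var/run/stunnel/stunnel.pid.
pid = /stunnel.pid
; Level 7 is the most verbose setting; expect very large logs in production.
debug = 7
output = /var/log/stunnel.log

; NOTE: stunnel forwards to HAProxy as plain HTTP and adds nothing that marks
; the request as TLS-terminated, so the Apache backends see HTTPS=off on
; every request, including those that arrived on 443. Either have HAProxy
; add "X-Forwarded-Proto: https" on the path stunnel connects to and make the
; Apache https redirect honour that header, or -- with stunnel >= 4.45 and
; HAProxy >= 1.5 -- send the PROXY header ("protocol = proxy" here,
; "accept-proxy" on the HAProxy bind). Without one of these, an https
; redirect on the backend loops forever.

[web_A]
accept = 192.168.5.241:443
connect = 192.168.5.241:80
; verify = 1 checks a client certificate only *if one is presented*; it does
; not require one, so it is not client authentication. Use verify = 2 to
; enforce client certificates, or drop the line if that is not intended.
verify = 1
cert = /etc/stunnel/webA-cert-key.pem
CAfile = /etc/stunnel/cert.ca.pem
; The private key lives under the public certificates directory; make sure
; the file itself is not world-readable (mode 0600).
key = /etc/ssl/certs/webA-private.key

[web_B]
accept = 192.168.5.242:443
connect = 192.168.5.242:80
cert = /etc/stunnel/webB/webB.cert.pem
; Same remark as web_A: keep the private key file at mode 0600.
key = /etc/ssl/certs/webB/webB.key.pem
; web_B uses a different CA file and has no "verify" line, unlike web_A --
; confirm that asymmetry is intentional.
CAfile = /etc/stunnel/ca.cert.pem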

and for HAproxy:

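global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    maxconn         100000
    user            haproxy
    group           haproxy
    daemon

defaults
    log             global
    mode            http
    option          http-server-close
    option          httplog
    retries         3
    option          redispatch
    maxconn         100000
    # contimeout/clitimeout/srvtimeout are the 1.3/1.4 spellings; 1.5+ prefers
    # "timeout connect/client/server" with the same values and meaning.
    contimeout      5000
    clitimeout      50000
    srvtimeout      50000

# Stats page moved off the public farms. Previously /stats/ was served on
# both public listeners (192.168.5.241/242:80), protected only by the default
# credential admin:admin. Bind it to loopback (reach it via SSH tunnel or
# from the box) and set a real password before deploying.
listen stats 127.0.0.1:8080
    mode    http
    stats   enable
    stats   uri /stats/
    stats   auth admin:admin    # TODO: replace with a strong credential

# Traffic reaches these listeners either directly from clients on port 80 or
# from stunnel after TLS termination on 443 -- and nothing distinguishes the
# two. The Apache backends redirect "HTTPS off" requests to https, so the
# stunnel path loops (see the "isn't redirecting properly" error). Fix by
# giving stunnel its own listener (different port) that adds
# "reqadd X-Forwarded-Proto:\ https" and having Apache honour that header,
# or by moving TLS termination into HAProxy 1.5+ ("bind ... ssl crt ...").
# Do not add the header unconditionally here, or plain-HTTP clients would
# never be redirected. Whatever the approach, strip any client-supplied
# X-Forwarded-Proto on the plain-HTTP path ("reqidel ^X-Forwarded-Proto:").

listen webA-farm 192.168.5.241:80
    balance roundrobin
    # Adds X-Forwarded-For so the backend logs the real client address.
    option  forwardfor
    # Prefix the app's own JSESSIONID with the server id for stickiness.
    cookie  JSESSIONID prefix
    server web1 192.168.1.231:80 cookie JSESSIONID_S1 weight 100 check

listen webB-farm 192.168.5.242:80
    balance roundrobin
    option  forwardfor
    # HAProxy-owned stickiness cookie, not passed to the backend ("indirect")
    # and marked non-cacheable.
    cookie CL insert indirect nocache
    server web2 192.168.1.233:80 weight 100 check cookie CL2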

It works fine for web A but does NOT work for web B, and that is my problem. I tried using the same type of cookie on both applications, but that made no difference. I also regenerated the keys and certificates (I'm acting as my own CA), but the problem persists.

What else can I check in order to solve this?

Thanks.

Edit 1:

Here are httpd proxy configurations for both webs:

Web A. Here I'm proxying connections from port 80 to the Tomcat instance on port 8020 where web A runs, and forcing clients to use https instead of http:

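# NameVirtualHost *:80 does not match the IP-specific <VirtualHost> below;
# Apache will warn that it has no matching vhosts. Harmless for a single
# IP-based vhost, but either drop this line or use <VirtualHost *:80>.
NameVirtualHost *:80

<VirtualHost 192.168.1.231:80>

    ServerAdmin webmaster@weba.com.pe
    DocumentRoot /var/www/
    ServerName webA.com
    ServerAlias webA.com

    # Reverse proxy only; ProxyRequests Off is required so the <Proxy *>
    # "Allow from all" below does not turn this into an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Force https. Apache is behind stunnel -> HAProxy, which deliver plain
    # HTTP, so %{HTTPS} is "off" for every request and this rule alone loops
    # forever. Also accept the front end's X-Forwarded-Proto header; the
    # proxy must set it for TLS-terminated traffic and strip any
    # client-supplied value on the plain-HTTP path, otherwise a client can
    # suppress the redirect by sending the header itself. With no header at
    # all this behaves exactly as before (redirect).
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # "/" -> external redirect to /Track
    RewriteCond %{REQUEST_URI}  ^/$
    RewriteRule ^/(.*)$     /Track [R,L]
    #RewriteRule ^(.*)$ http://127.0.0.1:8020/trackA/Track [P,L]

    # "/Track" exactly -> Tomcat context trackA
    RewriteCond %{REQUEST_URI}  ^/Track$
    RewriteRule ^/(.*)$ http://127.0.0.1:8020/trackA/$1 [P,L]

    # "/Track/..." -> Tomcat context track3 (note: a different context than
    # the trackA rules above and below -- confirm this is intended)
    RewriteCond %{REQUEST_URI}  ^/Track(.*)
    RewriteRule ^/(Track)/(.*)$ http://127.0.0.1:8020/track3/$2 [P,L]
    # everything else -> trackA
    RewriteCond %{REQUEST_URI}  ^.*$
    RewriteRule ^/(.*)$ http://127.0.0.1:8020/trackA/$1 [P,L]

    # Rewrites backend Location/Content-Location headers; only covers the
    # track3 prefix, so redirects issued by trackA may leak the internal path.
    ProxyPassReverse / /track3/
    #ProxyPassReverse / https://127.0.0.1:8020/trackA/
    ProxyPassReverseCookiePath / /
    #ProxyPassReverseCookiePath / http://192.168.5.241/track3/
    # Level 5 rewrite logging is verbose; reduce once debugging is done.
    RewriteLog "/var/log/httpd/rewrite.log"
    RewriteLogLevel 5

    ErrorLog "logs/error.log"
    CustomLog "logs/access.log" common
</VirtualHost>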

Same for Web B:

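# As for web A: NameVirtualHost *:80 does not match the IP-specific
# <VirtualHost> below (Apache warns, otherwise harmless).
NameVirtualHost *:80

<VirtualHost 192.168.1.233:80>
        ServerAdmin webmaster@webb.com
        DocumentRoot /var/www/
        ServerName webB.com
        ServerAlias webB.com

        # Reverse proxy only; ProxyRequests Off keeps the permissive
        # <Proxy *> block from exposing an open forward proxy.
        ProxyRequests Off
        ProxyPreserveHost On
        RewriteEngine On

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        # Force https. Behind stunnel -> HAProxy every request arrives as
        # plain HTTP, so %{HTTPS} is always "off" and this rule alone produces
        # the redirect loop Firefox reports. Also honour the front end's
        # X-Forwarded-Proto; the proxy must set it for TLS-terminated traffic
        # and strip any client-supplied value on the plain-HTTP path,
        # otherwise a client can skip the redirect by sending the header.
        # With no header present this behaves exactly as before.
        RewriteCond %{HTTPS} off
        RewriteCond %{HTTP:X-Forwarded-Proto} !https
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

        # "/" -> external redirect to /Track
        RewriteCond %{REQUEST_URI} ^/$
        RewriteRule ^/(.*)$     /Track [R,L]

        # "/Track" exactly -> Tomcat context trackB
        RewriteCond %{REQUEST_URI}      ^/Track$
        RewriteRule ^/(.*)$     http://127.0.0.1:8020/trackB/$1 [P,L]

        # "/repot/..." is proxied to another host (192.168.1.121). The path
        # looks like a typo for "report" -- confirm against the application.
        RewriteCond %{REQUEST_URI}      ^/repot/(.*)$
        RewriteRule ^/(.*)$     http://192.168.1.121/$1 [P,L]

        # everything else -> trackB
        RewriteCond %{REQUEST_URI} ^.*$
        RewriteRule ^/(.*)$     http://127.0.0.1:8020/trackB/$1 [P,L]
        #ProxyPassReverse / http://192.168.5.242/
        ProxyPassReverse / /
        ProxyPassReverseCookiePath / /
        # Level 5 rewrite logging is verbose; reduce once debugging is done.
        RewriteLog "/var/log/httpd/rewrite.log"
        RewriteLogLevel 5

        # Fixed file name ("errror.log" in the original) so both vhosts log
        # to the same error log name as web A.
        ErrorLog "logs/error.log"
        CustomLog "logs/access.log" common

        </VirtualHost>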

Edit 2:

When i go to web B i get this message:

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.


Try setting up HAProxy 1.5 and get rid of stunnel. HAProxy 1.5 terminates TLS natively, so the same process that knows a request arrived over 443 can tell the backend so (for example by adding an `X-Forwarded-Proto: https` header), which is what the `RewriteCond %{HTTPS} off` redirect in your Apache configs currently has no way of learning through stunnel.

  • I'm leaning towards this being the most appropriate answer; I've just set up some haproxy 1.5 instances after holding off on SSL for the load balancer for a long time because of lack of native support. – Mark Henderson Jul 02 '14 at 23:23
  • If you don't want to use haproxy 1.5, then I'd recommend switching to STUD as this supports haproxy's PROXY features https://github.com/bumptech/stud. Performance is much better than stunnel – hookenz Jul 02 '14 at 23:38