How can we implement session stickiness in HAProxy when SSL must terminate on the backend servers? We need the stickiness because backends cannot share sessions.
This is my original configuration:
```
# SSL passthrough
listen https_handler
    bind 1.2.3.4:443
    mode tcp
    balance leastconn
    stick match src
    stick-table type ip size 200k expire 30m
    server s1 1.1.1.1:443
    server s2 1.1.1.2:443
```
```
# haproxy logs (not sticking)
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.396] fe BACKEND_Website/s1 37/0/1/3/41 200 8364
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.456] fe BACKEND_Website/s1 36/0/1/1/39 200 9082
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.456] fe BACKEND_Website/s2 35/0/1/3/39 200 2529
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.545] fe BACKEND_Website/s1 35/0/0/3/38 200 1460
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.501] fe BACKEND_Website/s2 36/0/1/1/109 200 376
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.545] fe BACKEND_Website/s1 36/0/1/1/74 200 2298
10.x.x.2:xxxxx [17/Dec/2014:19:29:41.604] fe BACKEND_Website/s1 35/0/1/2/38 200 5542
```
The config below is my attempt to read the src:
This results in a 502 Bad Gateway error. I assume it is because the traffic is already decrypted by the time it reaches the backend.
```
# terminate SSL at HAProxy
listen https_handler
    bind 1.2.3.4:443 ssl crt /etc/ssl/certs/certs.pem
    mode tcp
    balance leastconn
    stick match src
    stick-table type ip size 200k expire 30m
    server s1 1.1.1.1:443
    server s2 1.1.1.2:443
```
Notice that I plugged the cert into the bind line. This is for HAProxy to be able to read the src and set up the stick-table. (Not sure if this is correct.) And at this point, the traffic is already decrypted.
I think the problem lies when this decrypted traffic is passed to the backend servers, which expect encrypted traffic...
I have seen these suggestions:
- Terminate SSL at HAProxy 1.5 - not possible in my case. SSL needs to be handled by the backend servers.
- Use SSL Session ID to maintain stickiness. - I'm skeptical about trying this out because I don't quite understand it yet. And it seems to be using a modified (?) version of haproxy.
- Use the `send-proxy` directive & `X-Forward-Proto` header. - but realized this also needs an HTTP-only backend.
Would appreciate any advice.
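The following is an added example and not configuration from the question above; it shows two ways of keeping stickiness while TLS still terminates on the backends, i.e. with HAProxy in `mode tcp` and no certificate on the `bind` line. The first variant keys on the client address, the second on the TLS session ID taken from the ClientHello (the `req.ssl_sess_id` fetch is part of stock HAProxy from 1.5 onward; no patched build is needed). Two points matter for a correct setup: `stick match` only looks entries up, it never writes them, so a table fed by `stick match` alone stays empty and no connection ever sticks; `stick on` performs both the store and the match. And source-IP stickiness collapses when many clients share one NAT address (the sample logs above show a single `10.x.x.2` source for every request), in which case every such client lands on the same server and load balancing degrades. The addresses, server names and table sizes below are carried over from the question purely as placeholders.

```haproxy
# Variant 1: SSL passthrough, stickiness keyed on the client source address.
# "stick on src" stores the client IP on first sight and matches it afterwards;
# "stick match src" on its own would never populate the table.
listen https_passthrough_src
    bind 1.2.3.4:443
    mode tcp
    option tcplog
    balance leastconn
    stick-table type ip size 200k expire 30m
    stick on src
    server s1 1.1.1.1:443 check
    server s2 1.1.1.2:443 check

# Variant 2: SSL passthrough, stickiness keyed on the TLS session ID.
# HAProxy waits (up to the inspect delay) for the ClientHello, then keys the
# table on the 32-byte session ID the client presents when it resumes.
# Caveat: a client that begins each connection with a fresh or empty session ID
# (typical of TLS 1.3 clients and of clients relying on session tickets) gets no
# stickiness from this variant, so it should be verified against real clients.
listen https_passthrough_sessid
    bind 1.2.3.5:443
    mode tcp
    option tcplog
    balance leastconn
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    stick-table type binary len 32 size 200k expire 30m
    stick on req.ssl_sess_id
    server s1 1.1.1.1:443 check
    server s2 1.1.1.2:443 check
```

Whichever variant is used, `option tcplog` plus the table can be checked at runtime with `show table https_passthrough_src` (or the session-ID listener's name) on the stats socket: an empty table after traffic has flowed is the signature of the `stick match`-only mistake, while a populated table combined with alternating backends in the log points at clients whose key changes between connections.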