
You can also do this with haproxy. I ran it for a while (I think it was for git). Here is a page about how to do it:

https://dgl.cx/2010/01/haproxy-ssh-and-ssl-on-same-port

  # Comments added for explanation; the directives are the ones from the dgl.cx post.
  defaults
    timeout connect 5s    # time allowed to establish the TCP connection to a backend
    timeout client 50s    # idle timeout on the client side (overridden below for long sessions)
    timeout server 20s    # idle timeout on the backend side

  listen ssl :443
    # No "mode" line, so this section runs in the default tcp mode: the first bytes
    # of the stream are inspected, nothing is decrypted here.
    tcp-request inspect-delay 2s           # wait up to 2s for the client's first bytes
    acl is_ssl req_ssl_ver 2:3.1           # SSLv2 hello or SSLv3/TLS 1.0 hello (2 .. 3.1);
                                           # widen the range (e.g. 2:3.4) for TLS 1.1+ clients
    tcp-request content accept if is_ssl   # stop waiting as soon as an SSL hello is seen
    use_backend ssh if !is_ssl             # anything else, including silence until the
                                           # delay expires, goes to the ssh backend
    server www-ssl :444                    # the real HTTPS service, listening on port 444
    timeout client 2h                      # long-lived sessions must outlive the 50s default

  backend ssh
    mode tcp
    server ssh :22                         # the local sshd
    timeout server 2h
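The same port-sharing trick written out in plain Python, as an added example that is not code from the dgl.cx post or from HAProxy: it does what `tcp-request inspect-delay`, the `req_ssl_ver` ACL and `use_backend ssh if !is_ssl` do, so the decision logic is visible, including the case haproxy handles implicitly, a client that says nothing during the inspect delay (a TLS client always sends its ClientHello first, whereas SSH lets the server speak first). The listen port and the backend addresses (443, 444 and 22 on localhost) are assumptions chosen to match the config above; unlike the haproxy ACL, the TLS check here looks only at the record header and accepts any 3.x version.

```python
"""SSH/TLS demultiplexer on one port (added example, not from the original post)."""
import socket
import threading

TLS_HANDSHAKE_RECORD = 0x16   # SSLv3/TLS record content type "handshake"
SSLV2_CLIENT_HELLO = 0x01     # message type byte inside an SSLv2 record


def classify(first_bytes: bytes) -> str:
    """Classify the first bytes a client sent.

    Returns "tls", "ssh", "unknown" or "need_more" (keep reading). This is the
    question haproxy's `req_ssl_ver` ACL answers: does the buffer start with an
    SSLv2 or an SSLv3/TLS ClientHello?
    """
    if not first_bytes:
        return "need_more"
    if first_bytes[0] == TLS_HANDSHAKE_RECORD:
        # SSLv3/TLS record header: type(1) version(2) length(2). Modern clients
        # put 3.1 or 3.3 in the record version, so accept the whole 3.x range.
        if len(first_bytes) < 3:
            return "need_more"
        return "tls" if first_bytes[1] == 3 and first_bytes[2] <= 4 else "unknown"
    if len(first_bytes) >= 3 and first_bytes[0] & 0x80 and first_bytes[2] == SSLV2_CLIENT_HELLO:
        # SSLv2 ClientHello: 2-byte length with the high bit set, then 0x01.
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"          # RFC 4253 identification string, sent immediately by OpenSSH
    if b"SSH-".startswith(first_bytes):
        return "need_more"    # only a prefix of "SSH-" so far
    return "unknown"


def pick_backend(verdict: str) -> str:
    """Mirror `use_backend ssh if !is_ssl`: everything that is not SSL goes to
    ssh, including a client that stayed silent for the whole inspect delay."""
    return "tls" if verdict == "tls" else "ssh"


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket, tls_backend, ssh_backend, inspect_delay: float = 2.0) -> str:
    """Sniff the first bytes, connect to the chosen backend, replay what was
    read so the backend sees the whole stream, then relay both directions.
    Returns the name of the backend chosen ("tls" or "ssh"), or "closed"."""
    buf = b""
    verdict = "need_more"
    client.settimeout(inspect_delay)       # tcp-request inspect-delay
    try:
        while verdict == "need_more":
            chunk = client.recv(4096)
            if not chunk:
                client.close()
                return "closed"
            buf += chunk
            verdict = classify(buf)
    except socket.timeout:
        pass                               # silent client: pick_backend sends it to ssh
    client.settimeout(None)
    backend = pick_backend(verdict)
    upstream = socket.create_connection(tls_backend if backend == "tls" else ssh_backend)
    if buf:
        upstream.sendall(buf)              # replay the sniffed bytes
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()
    return backend


def serve(listen=("0.0.0.0", 443), tls_backend=("127.0.0.1", 444), ssh_backend=("127.0.0.1", 22)):
    """Accept loop; one thread per connection. Addresses are assumptions."""
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, tls_backend, ssh_backend), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Binding port 443 needs root or CAP_NET_BIND_SERVICE. As with the haproxy config above, the backends see connections from the proxy's own address rather than the real client, so sshd's logs and any IP-based allow lists will show 127.0.0.1 unless the proxy runs in a transparent mode.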


haproxy is truly a swiss army knife. I recently worked on a geographically distributed 300 server deployment, and our ops team ran haproxy on every node just for ssl termination and the operational insight and flexibility it provided.


AFAIK, it's the only web server that is able to log when a client first connects. Otherwise, attacks à la slowloris go unlogged as the attack is happening.


HAProxy isn't a webserver, it's a TCP connection proxy.


Well, it can be a webserver if you're happy serving only a single file loaded into memory at startup: http://comments.gmane.org/gmane.comp.web.haproxy/17962


Pardon, an HTTP server. It talks HTTP and HTTPS, as well as raw TCP. If you define a web server as something that talks HTTP/HTTPS and is also able to serve static files off the filesystem, then no, HAProxy is not that, but this is really splitting hairs.


No, it's not an HTTP server. Its capability to serve a static page exists almost solely for the purpose of maintenance pages and is severely limited, even to the point of needing to restart the server if you want to update the page.

It speaks HTTP only as much as it needs to in order to figure out how to forward requests. It doesn't generate return headers for content; it doesn't serve content; it moves streams from A to B.


First off, from the HAProxy docs:

> In HTTP mode, it is possible to rewrite, add or delete some of the request and response headers based on regular expressions.

Second off, it speaks HTTP, and it serves content that it is able to fetch from a content-producing backend. In my book it's an HTTP server.

Third off, the difference is so pedantic that I don't think it makes any difference what we call it. We both know what it is, and what it is used for in the context of hosting web applications.


We don't call Varnish a web server, and it does quite a bit more with HTTP than HAProxy does.

We don't call a car a truck, even if you can haul things around in it.

Pedantry is never a good argument against someone. 1) It's an ad hominem. 2) It doesn't actually do anything. 3) If everyone knew what it was, they wouldn't call it a web server.


Any insights on using nginx for SSL termination vs haproxy?


The nice thing about SSL termination with haproxy is that in that case, since the backend is HTTP, it can make active HTTP health checks. If this check determines a backend has failed, it can be taken out of rotation.

With nginx doing SSL termination, haproxy is just TCP passthrough, so it only does passive health checks (i.e. it can notice when the backend doesn't respond properly), but that means the current HTTP request has failed.



