Software : pfSense 1.2.3 + packages: haproxy-stable 0.30 & stunnel 4.30.2
Hardware : IBM xSeries Server + Intel PT Server Adapter

Network LB01 :

LAN -> bge0: 192.168.222.220 /24
WAN -> bge1: 93.aa.aa.aa /28
OPT1 -> em0: 93.bb.bb.bb /29
OPT2 -> em1: 93.cc.cc.cc /29
OPT3 -> em2: 10.10.10.1/24

Network LB02 :

LAN -> bge0: 192.168.222.221 /24
WAN -> bge1: 93.aa.aa.ab /28
OPT1 -> em0: 93.bb.bb.bb /29
OPT2 -> em1: 93.cc.cc.cc /29
OPT3 -> em2: 10.10.10.2/24

# cat /var/etc/haproxy.cfg

global
maxconn                 5000
log                     80.xx.xx.xx   local0  debug
uid                     80
gid                     80
nbproc                  2
chroot                  /var/empty
daemon

defaults
stats enable
stats auth USERID:PASSW0RD
stats uri /lb?stats
stats realm Haproxy\ Statistics

listen www1                     93.bb.bb.bb:80
mode                    http
log                     global
cookie                  shopSessionID prefix
option                  dontlognull
option                  httpclose
option                  forwardfor except 93.bb.bb.bb
clitimeout              6000
contimeout              12000
srvtimeout              12000
maxconn                   2500
retries                 2
server                  ap1 192.168.222.110:80 cookie ap1-server   check inter 30000  weight 1
server                  ap2 192.168.222.100:80 cookie ap2-server   check inter 30000  weight 1

listen www2                     93.cc.cc.cc:80
mode                    http
log                     global
cookie                  shopSessionID prefix
option                  dontlognull
option                  forwardfor except 93.cc.cc.cc
option                  httpclose
clitimeout              6000
contimeout              12000
srvtimeout              12000
maxconn                   2500
retries                 2
server                  ap1 192.168.222.110:80 cookie ap1-server   check inter 30000  weight 1
server                  ap2 192.168.222.100:80 cookie ap2-server   check inter 30000  weight 1

# cat /usr/local/stunnel/stunnel.conf

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[SHOP_01]
key = /usr/local/etc/stunnel/SHOP_01_SSL.key
cert = /usr/local/etc/stunnel/SHOP_01_SSL.chain
accept = 93.bb.bb.bb:443
connect = 93.bb.bb.bb:80
TIMEOUTclose = 0

[SHOP_02]
key = /usr/local/etc/stunnel/SHOP_02_SSL.key
cert = /usr/local/etc/stunnel/SHOP_02_SSL.chain
accept = 93.cc.cc.cc:443
connect = 93.cc.cc.cc:80
TIMEOUTclose = 0
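Added here as an example that is not part of the original post: a small Python cross-check of the two configurations above, parsing constructed excerpts of them and reporting where the TLS-terminating stunnel services and the haproxy listeners interact badly. It assumes that stunnel's forwarded connections reach haproxy with the listener's own address as their source, so that the "forwardfor except" rule matches them.

```python
# Constructed excerpts of the haproxy.cfg and stunnel.conf shown above.
HAPROXY_CFG = """\
defaults
stats enable
listen www1 93.bb.bb.bb:80
option forwardfor except 93.bb.bb.bb
listen www2 93.cc.cc.cc:80
option forwardfor except 93.cc.cc.cc
"""
STUNNEL_CONF = """\
[SHOP_01]
connect = 93.bb.bb.bb:80
[SHOP_02]
connect = 93.cc.cc.cc:80
"""

def parse_haproxy(text):
    """Map section name ('defaults' or listen name) -> {'bind': ip:port or None, 'lines': [tokens]}."""
    sections, cur = {}, None
    for parts in (l.split() for l in text.splitlines() if l.strip()):
        if parts[0] in ("defaults", "listen"):
            bind = parts[2] if parts[0] == "listen" else None
            cur = sections[parts[1] if bind else "defaults"] = {"bind": bind, "lines": []}
        elif cur is not None:
            cur["lines"].append(parts)
    return sections

def parse_stunnel(text):
    """Map stunnel service name -> its connect target (ip:port)."""
    services, name = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif name and line.startswith("connect"):
            services[name] = line.split("=", 1)[1].strip()
    return services

def audit(haproxy_text, stunnel_text):
    """Cross-check both configs; returns a list of finding strings."""
    sections, targets = parse_haproxy(haproxy_text), parse_stunnel(stunnel_text)
    stats_on = ["stats", "enable"] in sections.get("defaults", {"lines": []})["lines"]
    findings = []
    for name, sec in sections.items():
        bind = sec["bind"]
        if stats_on and bind and bind.endswith(":80"):  # defaults apply to every listener
            findings.append(f"{name}: stats page on {bind}, basic auth over cleartext HTTP")
        for p in sec["lines"]:
            if p[:2] == ["option", "forwardfor"] and "except" in p:
                skipped = p[p.index("except") + 1]
                # Assumption: stunnel's connections to the listener originate from the
                # listener's own address, so they fall under "except" and get no X-Forwarded-For.
                for svc, target in targets.items():
                    if target == bind and target.startswith(skipped + ":"):
                        findings.append(f"{name}: forwardfor except {skipped} skips "
                                        f"X-Forwarded-For for TLS clients via stunnel {svc}")
    return findings
```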

Due to new requirements, a complete redesign of the load balancer configuration has to be done.
I will do this in a new "page". The documentation of the above config will follow soon.

Hint: using stunnel to forward the decrypted traffic to port xx on the WAN interface or to a CARP'd virtual IP
won't work. You will see something like "Operation not permitted (1)" in your logfile.

Quick solution: add an additional NIC to listen on and forward the traffic to.
