I'm looking at introducing a load balancer to my existing site infrastructure to help with traffic growth and provide a level of failure protection.
The site I am running uses SSL certificates for the login section and I will need to continue with this functionality. The backend servers will need to be aware of the originating IP address, so I can't use the TCP load balancing function and will need the SSL terminated on the load balancer so I can insert an X-Forwarded-For header. I have seen a couple of ways of implementing the SSL decryption functionality, one using stunnel and the other using Pound. I've been looking around, however I am not sure what the pros/cons are of using one over the other. Does anyone have any experience with this and can offer a recommendation?
Thanks
This is an old question now, but HAProxy now has native support for SSL, which makes it a lot easier to set up and use with SSL/TLS.
See here: http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
I'm not sure about Pound but I have managed to get Stunnel + HAProxy working including setting the originating IP address as an X-Forwarded-For header. The trick is to use Stunnel with the X-Forwarded-For patch. Here is a package which works on Ubuntu 10.04: https://launchpad.net/~szelcsanyi-gabor/+archive/stunnel4
I haven't used stunnel with HAProxy, but I'm a long time user of Pound, in a few different environments.
Pound does a good job with SSL. It's dead easy to set up, uses standard PEM certificates, and passes enough SSL data back to the web server that your applications know what they're dealing with. In addition to X-Forwarded-For, you get X-Forwarded-Proto, so if you're running both http and https versions of a site, you can give your AJAX/XHR callbacks a URL that won't cause security warnings. Pound also supports client-side certs, wildcard certs and SNI. So there isn't much you can't do with it.
Also, I'm a little leery of putting up production services using tools that require a third-party patch to provide critical functionality. What happens when an stunnel vulnerability is discovered, and the change breaks your patch? Will you run insecure for a while, or run without X-Forwarded-IP headers for a while?
I've never had Pound crash. Except for a weird firewall-related bug that got fixed back in 2005, it has always behaved flawlessly for me. One of the things I love about it is the external control program it comes with, that lets me disable/enable services and back-ends, or view the current list of sticky session mappings, etc. As far as I know, haproxy doesn't have something like Pound's poundctl.
In addition to using Pound at work to load balance a cluster of five web servers, I use it on my personal server. There, I run web servers on virtual machines that use private IP addresses (FreeBSD jails). Multiple virtual web servers load balanced behind Pound running on the physical host. I suppose you could do the same with stunnel+HAProxy, but again, I prefer to install software with full community support, without non-standard patches.
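The backend side of the X-Forwarded-For / X-Forwarded-Proto scheme discussed in this thread, as an added example (not from the original post or from Pound/HAProxy): the backend should honour these headers only when the TCP peer is the load balancer, and should read X-Forwarded-For from the right, because a client can send its own copy of the header and the load balancer appends to it. The proxy address 10.0.0.2 and the client addresses are constructed sample values.

```python
import ipaddress

# Constructed example: the load balancer(s) allowed to set forwarding headers.
# A request arriving from any other peer is treated as a direct connection.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the originating client address for a backend request.

    remote_addr is the TCP peer (REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value or None. The header is used only when the peer is
    a trusted proxy. Proxies append to the list, so it is walked from the
    right, skipping our own proxy hops, and the first address that is not
    one of our proxies is the client as seen by the load balancer.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted or not xff_header:
        return peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not guess, fall back to the peer address.
            return peer
        if addr not in trusted:
            return addr
    return peer


def is_https(remote_addr, xfp_header, trusted=TRUSTED_PROXIES):
    """True only when a trusted load balancer says it terminated TLS."""
    peer = ipaddress.ip_address(remote_addr)
    return peer in trusted and (xfp_header or "").strip().lower() == "https"
```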
Nginx is also excellent as an SSL front end to HAProxy, especially under heavy loads. I use 4 core CPUs for the SSL.