X-Forwarded-* headers, which may include the client's IP address, port and scheme used.
*.xip.io, which is handy for demonstration purposes, and lets us use the same certificate when our server IP addresses might change while testing locally. For example, if our local server exists at 192.168.33.10, but then our Virtual Machine IP changes to 192.168.33.11, then we don't need to re-create the self-signed certificate.
xip.io service as it allows us to use a hostname rather than directly accessing the servers via an IP address, all without having to edit my computer's hosts file.
xip.io.csr, xip.io.key and xip.io.crt file.
pem file. A pem file is essentially just the certificate, the key and optionally certificate authorities concatenated into one file. In our example, we'll simply concatenate the certificate and key files together (in that order) to create a xip.io.pem file. This is HAProxy's preferred way to read an SSL certificate.
pem file, but instead be a bundle, cert, cert, key file or some similar name for the same concept. This Stack Overflow answer explains that nicely.
pem file for HAProxy to use, we can adjust our configuration just a bit to handle SSL connections.
http and https connections. In the last edition on HAProxy, we had this frontend:
redirect directive to the frontend configuration:
redirect directive, which will redirect from 'http' to 'https' if the connection was not made with an SSL connection. More information on ssl_fc is available here.
mode tcp) instead. This also means we need to set the logging to tcp instead of the default http (option tcplog). Read more on log formats here to see the difference between tcplog and httplog.
mode tcp - Both frontend and backend configurations need to be set to this mode.
option forwardfor and the http-request options - these can't be used in TCP mode, and we couldn't inject headers into a request that's encrypted anyway.
ssl-hello-chk which checks the connection as well as its ability to handle SSL (SSLv3 specifically) connections.
X-Forwarded-* headers sent to Nginx
balance roundrobin line specifies the load balancing algorithm, which is detailed in the Load Balancing Algorithms section.
mode http specifies that layer 7 proxying will be used, which is explained in the Types of Load Balancing section.
check option at the end of the server directives specifies that health checks should be performed on those backend servers.
acl url_blog path_beg /blog matches a request if the path of the user’s request begins with /blog.
use_backend blog-backend if url_blog uses the ACL to proxy the traffic to blog-backend.
default_backend web-backend specifies that all other traffic will be forwarded to web-backend.