HaProxy
/etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
maxconn 10000
daemon
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
defaults
log global
maxconn 10000
mode http
option dontlognull
option httpclose
option httpchk
option redispatch
retries 3
timeout check 10000
timeout client 150000
timeout connect 4000
timeout server 30000
frontend www
bind public_IP:80
option forwardfor
default_backend web
frontend www_ssl
bind pubic_IP:80 # You can replace the * with the public IP
bind public_IP:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
reqadd X-Forwarded-Proto:\ https
redirect scheme https code 301 if !{ ssl_fc }
option forwardfor
default_backend web
frontend frontend666
bind public_IP:666
mode tcp
default_backend backend_666
backend web
mode http
option forwardfor
http-request add-header X-CLIENT-IP %[src]
balance roundrobin
server web1 192.168.1.100:8080
server web2 192.168.1.101:8080
backend backend_666
server web1 192.168.1.100:666
server web2 192.168.1.101:666The LB will be listen on public_IP:80 named "www" - and will send the traffic to the backend named "web".
Enable xforward on httpd.conf
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " combine
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwardedSSL Offloading
SSL pem file need to be in the folowing format: (.crt - .key - ca bundle).
reqadd X-Forwarded-Proto:\ https: Adds a HTTP header to the request, indicating to the back-end
application that the original request was over TLS, even though the proxy is connecting to the servers over
plain TCP on port 80.
For SNI-enabled frontends, simply add multiple crt entries, for example:
bind PUBLIC_IP:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3 --
Test config file:
haproxy -c -V -f /etc/haproxy/haproxy.cfg