ALOHA LOAD BALANCER MANAGING SSL ON THE BACKEND & FRONTEND



Similar documents
HAProxy. Ryan O'Hara Principal Software Engineer, Red Hat September 17, HAProxy

Copyright Exceliance

Web Load Balancing on a Budget

ALOHA Load-Balancer. Microsoft Exchange 2010 deployment guide. Document version: v1.4. ALOHA version concerned: v4.2 and above

Application Note. Active Directory Federation Services deployment guide

HAProxy. Free, Fast High Availability and Load Balancing. Adam Thornton 10 September 2014

Native SSL support was implemented in HAProxy 1.5.x, which was released as a stable version in June 2014.

What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College. Brandon bkish@midmich.edu

Load Balancing Oracle Application Server (Oracle HTTP Server) Quick Reference Guide

Application Note. Lync 2010 deployment guide. Document version: v1.2 Last update: 12th December 2013 Lync server: 2010 ALOHA version: 5.

Exchange 2013 deployment guide

Load Balancing VMware Horizon View. Deployment Guide

Migrating the SSL Offloading Configuration of the Alteon Application Switch 2424-SSL to AlteonOS version

HaProxy możliwości i zastosowania. Marek Oszczapiński m.oszczapiński@polskapresse.pl

Load Balancing VMware Horizon View. Deployment Guide

Configuring Nex-Gen Web Load Balancer

CumuLogic Load Balancer Overview Guide. March CumuLogic Load Balancer Overview Guide 1

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

EMC VIPR SRM 3.7: GUIDELINES FOR CONFIGURING MULTIPLE FRONTEND SERVERS

Deploying the BIG-IP LTM with. Citrix XenApp. Deployment Guide Version 1.2. What s inside: 2 Prerequisites and configuration notes

Snapt Balancer Manual

CS312 Solutions #6. March 13, 2015

Load balancing MySQL with HaProxy. Peter Boros Percona 4/23/13 Santa Clara, CA

Owner of the content within this article is Written by Marc Grote

Load Balancing Microsoft Terminal Services. Deployment Guide

Configuring HAproxy as a SwiftStack Load Balancer

Deploying the BIG-IP System with Oracle E-Business Suite 11i

Deploying F5 with Microsoft Active Directory Federation Services

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007

How to Make the Client IP Address Available to the Back-end Server

FILECLOUD HIGH AVAILABILITY

Load Balancing Microsoft Lync 2010 Load Balancing Microsoft Lync Deployment Guide

Application Note. Cacti monitoring. Document version: v1.0 Last update: 8th November 2013

Load Balancing Microsoft Sharepoint 2010 Load Balancing Microsoft Sharepoint Deployment Guide

Microsoft Internet Information Services (IIS) Deployment Guide

Chapter 1 Load Balancing 99

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Load Balancing Microsoft Lync Deployment Guide

Setting Up SSL / HTTPS for Local Primo Customers

Configuring MassTransit Server to listen on ports less than 1024 using WaterRoof on Macintosh Workstations

Prerequisites. Creating Profiles

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Microsoft Exchange Server 2007

Firewall Load Balancing

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5

TESTING & INTEGRATION GROUP SOLUTION GUIDE

Load Balancing Barracuda Web Filter. Deployment Guide

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

FortiOS Handbook - Load Balancing VERSION 5.2.2

Load Balancing RSA Authentication Manager. Deployment Guide

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM System with VMware View

Deployment Guide Oracle Siebel CRM

Owner of the content within this article is Written by Marc Grote

Appliance Quick Start Guide. v7.6

Microsoft Lync Server Overview

Introducing the Microsoft IIS deployment guide

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Load Balancing Bloxx Web Filter. Deployment Guide

Deployment Guide Microsoft IIS 7.0

Load balancing Microsoft IAG

Load Balancing Trend Micro InterScan Web Gateway

Craig Carpenter MCT. MCSE, MCSA

High Availability Cluster Solutions for Ubuntu14.04 on Power

Deploying F5 for Microsoft Office Web Apps Server 2013

Deploying the BIG-IP System v10 with SAP NetWeaver and Enterprise SOA: ERP Central Component (ECC)

Deploying the BIG-IP System with Microsoft IIS

Deploying the BIG-IP System v10 with VMware Virtual Desktop Infrastructure (VDI)

vrealize Operations Manager Load Balancing

Application Delivery Controller (ADC) Implementation Load Balancing Microsoft SharePoint Servers Solution Guide

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Thunder ADC for Epic Systems

Smoothwall Web Filter Deployment Guide

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Microsoft Lync 2010 Deployment Guide

What is the Barracuda SSL VPN Server Agent?

Load Balancing Microsoft 2012 DirectAccess. Deployment Guide

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Load Balancing McAfee Web Gateway. Deployment Guide

Load Balancing Microsoft IIS. Deployment Guide

Load Balancing Sophos Web Gateway. Deployment Guide

Setting Up SSL on IIS6 for MEGA Advisor

Deploying SAP NetWeaver Infrastructure with Foundry Networks ServerIron Deployment Guide

Microsoft Office Communications Server 2007 & Coyote Point Equalizer Deployment Guide DEPLOYMENT GUIDE

HAProxy 1.5 and beyond

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v9.x with Microsoft IIS 7.0 and 7.5

Deploying the Barracuda Load Balancer with Microsoft Exchange Server 2010 Version 2.6. Introduction. Table of Contents

DEPLOYMENT GUIDE DEPLOYING F5 WITH VMWARE VIRTUAL DESKTOP INFRASTRUCTURE (VDI)

Load Balancing. FortiOS Handbook v3 for FortiOS 4.0 MR3

Load Balancing Microsoft Exchange Deployment Guide

Managing Virtual Servers

Load Balancing Microsoft Remote Desktop Services. Deployment Guide

Load Balancing Microsoft AD FS. Deployment Guide

ALOHA Load Balancer Quickstart guide

Overview. Author: Seth Scardefield Updated 11/11/2013

BASIC CLASSWEB.LINK INSTALLATION MANUAL

Thunder Series for SAP Customer Relationship Management (CRM)

ClusterLoad ESX Virtual Appliance quick start guide v6.3

DEPLOYMENT GUIDE DEPLOYING F5 WITH SAP NETWEAVER AND ENTERPRISE SOA

Deployment Guide. AX Series with Microsoft Exchange Server

Transcription:

ALOHA LOAD BALANCER MANAGING SSL ON THE BACKEND & FRONTEND APPNOTE #0023 MANAGING SSL ON THE BACKEND & FRONTEND This application note is intended to help you implement SSL management on both the backend and the frontend (to encrypt data before connecting to the HTTPS server) within the ALOHA Load Balancer solution. REQUIREMENTS Users send a secure (HTTPS) request requiring layer 7 persistence and Web servers expect encrypted SSL connections only. PURPOSE Ensure end-to-end security of requests while enabling layer 7 processing. COMPLEXITY CHANGELOG 2013-01-02: update for ALOHA 5.5 and above 2011-10-21: update for ALOHA 3.7 to 5.0 2001-03-31: initial version Copyright 2013 Exceliance AN-0023-EN-managing-SSL-backend-and-frontend.docx Page 1 of 6

ALOHA 5.5 AND ABOVE TARGET NETWORK DIAGRAM LB LAYER 7 AND SSL CONFIGURATION The traffic comes is ciphered between the client and the ALOHA and between the ALOHA and the server. In the ALOHA, HAProxy can access all the layer 7 protocol information in clear: this is useful to provide layer 7 persistence on a end to end ciphered connection. ######## The first public address as seen by the clients frontend frt bind 86.74.12.71:443 ssl crt domain.com maxconn 4000 # max conn per instance timeout client 25s # maximum client idle time (ms) default_backend bck # send everything to this backend by default ####### This backend manages the servers and the load balancing algorithm backend bck balance roundrobin # roundrobin source uri leastconn cookie SERVERID insert indirect nocache # provide persistence with cookie option httpchk HEAD / # how to check those servers option forwardfor except 127.0.0.1/8 # add X-Forwarded-For except local timeout server 25s # max server s response time (ms) server srv1 10.0.32.101:443 ssl cookie s1 weight 10 maxconn 100 check server srv2 10.0.32.102:443 ssl cookie s2 weight 10 maxconn 100 check Copyright 2013 Exceliance AN-0023-EN-managing-SSL-backend-and-frontend.docx Page 2 of 6

ALOHA 3.7 UNTIL 5.0 TARGET NETWORK DIAGRAM EXTRACT OF THE SSL CONFIGURATION You can directly access the Stunnel configuration from the SSL tab. ; Service-level configuration for frontend ; forward clear requests to haproxy on 127.1.0.x ; and add the xforwarded-for header. client = no key = /etc/ssl/frontends/sslfrontend/key.pem cert = /etc/ssl/frontends/sslfrontend/crt.pem accept = 86.74.12.71:443 connect = /ssl:ft_name xforwardedfor = yes ; Service-level configuration for backend ; receive haproxy traffic on 127.2.0.x [ssl_backend_1] accept = 127.2.0.1:1 connect = 10.0.32.101:443 [ssl_backend_2] accept = 127.2.0.2:1 connect = 10.0.32.102:443 You only need to specify a few parameters when implementing SSL in frontend mode: the operating mode: the Stunnel module have to be configured in server mode. That s why you have to set up the client = no option the paths for the key and the certificate created using the wizard (see howto-0020-implementing-ssl-0912- fr.pdf) the address and listening port linked to an SSL certificate the unix socket to forward traffic to HAProxy [ssl_backend_1] and [ssl_backend_2] the operating mode: the Stunnel module must be configured in client mode. That s why you have to set up the option. accept: the listening address and port for incoming traffic from HAProxy. connect: the address and port ofthe web server to send encrypted traffic to. Copyright 2013 Exceliance AN-0023-EN-managing-SSL-backend-and-frontend.docx Page 3 of 6

LB LEVEL7 CONFIGURATION EXTRACTION After modifying the certificate installation and the Stunnel configuration update, you need to modify the layer 7 configuration. You can access that configuration directly from the LB WUI, through the LB layer7 tab. ######## The first public address as seen by the clients frontend frt bind /ssl:ft_name accept-proxy # unix socket to listen to maxconn 4000 # max conn per instance timeout client 25s # maximum client idle time (ms) default_backend bck # send everything to this backend by default ####### This backend manages the servers and the load balancing algorithm backend bck balance roundrobin # roundrobin source uri leastconn cookie SERVERID insert indirect nocache # provide persistence with cookie option httpchk HEAD / # how to check those servers option forwardfor except 127.0.0.1/8 # add X-Forwarded-For except local fullconn 4000 # dynamic limiting below timeout server 25s # max server s response time (ms) server srv1 127.2.0.1:1 cookie s1 weight 10 maxconn 100 check inter 1000 fall 3 server srv2 127.2.0.2:1 cookie s2 weight 10 maxconn 100 check inter 1000 fall 3 You must add the unix socket HAProxy listening port and they must be identical to the connect parameters of the SSL frontend block. You also need to modify the addresses of the servers; they must be identical to the IP addresses of the Stunnel instances defined in the connect parameters of the SSL backend block. STARTING STUNNEL SERVICE IMPORTANT When you first configure SSL, a warning message indicates that the Stunnel service has not started. In the Service tab, edit the Stunnel service configuration by clicking on the stunnel options button. Just comment out the line no autostart: service stunnel ############# The SSL tunnel Daemon # no autostart Now you simply need to start the service by clicking the start button. Copyright 2013 Exceliance AN-0023-EN-managing-SSL-backend-and-frontend.docx Page 4 of 6

ALOHA 3.6 AND BELOW TARGET NETWORK DIAGRAM EXTRACT OF THE SSL CONFIGURATION ; Service-level configuration for frontend ; forward clear requests to haproxy on 127.1.0.x ; and add the xforwarded-for header. client = no key = /etc/ssl/frontends/sslfrontend/key.pem cert = /etc/ssl/frontends/sslfrontend/crt.pem accept = 86.74.12.71:443 connect = 127.1.0.1:1 xforwardedfor = yes ; Service-level configuration for backend ; receive haproxy traffic on 127.2.0.x [ssl_backend_1] accept = 127.2.0.1:1 connect = 10.0.32.101:443 [ssl_backend_2] accept = 127.2.0.2:1 connect = 10.0.32.102:443 You can directly access the Stunnel configuration from the SSL tab. You only need to specify a few parameters when implementing SSL in frontend mode: the operating mode: the Stunnel module should not be configured in client mode, but in server mode. Therefore you should choose the client = no option the paths for the key and the certificate created using the wizard (see howto-0020-implementing-ssl-0912- fr.pdf) the address and listening port linked to an SSL certificate the address and redirection port for requests to HAProxy [ssl_backend_1] and [ssl_backend_2] Copyright 2013 Exceliance AN-0023-EN-managing-SSL-backend-and-frontend.docx Page 5 of 6

the operating mode: the Stunnel module must be configured in client mode. Therefore you should choose the option. the address and redirection port for requests from HAProxy. the address and the redirection port of requests to the Web server. The address and redirection port of request for the Web server. EXTRACT OF THE LB LEVEL7 CONFIGURATION ######## The first public address as seen by the clients frontend frt bind 127.1.0.1:1 # address:port to listen to maxconn 4000 # max conn per instance timeout client 25s # maximum client idle time (ms) default_backend bck # send everything to this backend by default ####### This backend manages the servers and the load balancing algorithm backend bck balance roundrobin # roundrobin source uri leastconn cookie SERVERID insert indirect nocache # provide persistence with cookie option httpchk HEAD / # how to check those servers option forwardfor except 127.0.0.1/8 # add X-Forwarded-For except local fullconn 4000 # dynamic limiting below timeout server 25s # max server s response time (ms) server srv1 127.2.0.1:1 cookie s1 weight 10 maxconn 100 check inter 1000 fall 3 server srv2 127.2.0.2:1 cookie s2 weight 10 maxconn 100 check inter 1000 fall 3 After modifying the Stunnel configuration and the implementation of the certificate(s), all that remains is to modify the configuration of layer 7; you can access that configuration directly from the LB layer7 tab. You must add the address and the HAProxy listening port and they must be identical to the connect parameters of the frontend block. You also need to modify the addresses of the destination servers; they must be identical to the IP addresses of the Stunnel instances defined in the connect parameters of the backend block in the SSL configuration. STARTING THE STUNNEL SERVICE IMPORTANT When you first configure SSL, a warning message indicates that the Stunnel service has not started. In the Service tab, edit the configuration of the Stunnel service by clicking the stunnel options button. service stunnel ############# The SSL tunnel Daemon # config <dir> : daemon configuration file config /etc/stunnel/stunnel.conf # no autostart # commenter le no devant autostart Now you simply need to start the service by clicking the start button. Copyright 2013 Exceliance AN-0023-EN-managing-SSL-backend-and-frontend.docx Page 6 of 6