cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alessandro <alessan...@bluenag.ch>
Subject HAProxy [native virtual CS Loadbalancer] - SSL offload support - CLOUDSTACK-9499
Date Tue, 13 Sep 2016 15:56:17 GMT
Hi,

SSL offload support in Cloudstack and documented here:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/
SSL+Termination+Support is currently only available to NetScaler LB devices.

If we try to attach a certificate to a CloudStack Virtual Router LB:
assignCertToLoadBalancer&certid=3b0621cd-203f-46a9-
b3ad-97e7e70c77ab&lbruleid=2556
It returns the following error:
2016-09-05 18:32:16,244 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-111:ctx-4f7864f6 job-48170) Complete async job-48170,
jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.
response.ExceptionResponse/null/
{"uuidList":[],"errorcode":431,"errortext":"Ssl termination not supported
by the loadbalancer"}

The CloudStack VR uses haproxy for LB and ssl offloading is something
haproxy can handle.

The standard type of configuration issued by cloudstack:

listen 8_8_8_8-443 8.8.8.8:443
balance roundrobin
server 8_8_8_8-443_0 192.168.1.2:443 check
server 8_8_8_8-443_1 192.168.1.3:443 check

By default CS configures it's loadbalancers in tcp mode. To enable SSL
offloading we would however need this kind of configuration:

listen 8_8_8_8-443
bind 8.8.8.8:443 ssl crt
/etc/haproxy/ssl-cert-3b0621cd-203f-46a9-b3ad-97e7e70c77ab.pem
crt /etc/haproxy/ssl-cert-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.pem
mode http
balance roundrobin
server 8_8_8_8-443_0 192.168.1.2:443 check ssl verify none
server 8_8_8_8-443_1 192.168.1.3:443 check ssl verify none

This could be implemented by modifying the API and the HAProxyConfigurator
script. Also, in my example configuration I've put two certificates,
HAProxy manages this pretty well so it would be nice to be able to assign
more than one certificate to a LB.

I've already opened a Jira issue for this case: CLOUDSTACK-9499 -
https://issues.apache.org/jira/browse/CLOUDSTACK-9499

Kind regards,
Alessandro

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message