cloudstack-dev mailing list archives

From Nux! <...@li.nux.ro>
Subject Re: HTTPS LB and x-forwarded-for
Date Mon, 06 Nov 2017 12:10:38 GMT
Thanks Andrija,

LB outside of the VR sounds like a good idea. An appliance based on, say, cloud-init + ansible
and so on could do the trick; alas, it'd need to be outside ACS.
I guess as users we could maybe come up with a spec for an improvement, at least we'd have
something the devs could look at whenever it is possible.

Regards,
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Andrija Panic" <andrija.panic@gmail.com>
> To: "dev" <dev@cloudstack.apache.org>
> Cc: "users" <users@cloudstack.apache.org>
> Sent: Thursday, 2 November, 2017 23:21:37
> Subject: Re: HTTPS LB and x-forwarded-for

> We used to make some special stuff for one of the clients, where all LB
> configuration work is done from outside of the ACS, i.e. a python script to
> feed/configure the VR - install the latest haproxy 1.5.x for transparent proxy,
> since the client insisted on SSL termination being done on the backend web SSL servers....
> Not a good idea, that is all I can say (custom configuration thing) - but the
> LB setup is actually good - transparent mode haproxy, works on TCP level,
> so you can see the "real client IP" on the backend servers (which must use the VR
> as the default gtw, as per default, so the whole setup works properly).
> 
> I'm still looking forward to seeing some special support of LB inside the VR via
> ACS - proper LB setup inside the VR via GUI/API - i.e. to enable an LB
> provisioning SCRIPT (bash, or whatever), where all needed
> install+configure can be done from the client side - otherwise covering all
> user cases, with proper HTTP checks and similar....is impossible to do
> IMHO.
> 
> Some other clients actually have an internal FW appliance (i.e. a multihomed
> VM, acting as gtw for all VMs in all networks), and haproxy installed on
> this device (with NAT configured from the VR to this internal FW/VM, so the remote
> IP can be seen properly) - this setup is fully under customer control, and
> can provide any kind of special haproxy config...
> 
> On 31 October 2017 at 19:54, Nux! <nux@li.nux.ro> wrote:
> 
>> Hello,
>>
>> Of the people running an LB (VR) with https backends, how do you deal with
>> the lack of x-forwarded-for since for port 443 there's just simple TCP
>> balancing?
>>
>> Has anyone thought of terminating SSL in the VR instead? Ideas?
>>
>> Cheers
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
> 
> --
> 
> Andrija Panić
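The thread contrasts three ways of getting the client address to HTTPS backends behind the VR: plain TCP balancing on 443 (no X-Forwarded-For possible), terminating SSL in the VR so haproxy can add the header, and Andrija's transparent-mode setup where the backends route back through the VR. The following haproxy 1.5-style configuration is an added illustration written for this archive, not a config from the thread or from CloudStack; the addresses, certificate path and backend names are constructed, and the three frontends are alternatives shown side by side (only one of them can bind :443 on a real VR).

```haproxy
# Constructed example: three alternatives for client-IP visibility with HTTPS backends.
# Addresses, cert path and server names are made up for illustration.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. Plain TCP balancing (what the VR does for port 443 today).
#    haproxy never sees the HTTP layer, so it cannot add X-Forwarded-For;
#    backends only ever see the VR's address.
frontend https_passthrough
    bind *:443
    mode tcp
    default_backend web_tcp

backend web_tcp
    mode tcp
    balance roundrobin
    server web1 10.1.1.11:443 check
    server web2 10.1.1.12:443 check

# 2. Terminate SSL in the VR. haproxy decrypts, adds X-Forwarded-For and
#    X-Forwarded-Proto, and re-encrypts to the backends (drop "ssl verify ..."
#    on the server lines to send plain HTTP instead). Requires the
#    cert+key PEM to live on the VR.
frontend https_terminate
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend web_http

backend web_http
    mode http
    balance roundrobin
    server web1 10.1.1.11:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check
    server web2 10.1.1.12:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check

# 3. Transparent proxy (Andrija's setup). Still TCP level, but the connection
#    to the backend is opened with the client's own source address.
#    Assumes haproxy built with TPROXY support, net.ipv4.ip_nonlocal_bind=1,
#    policy routing that steers return traffic back into haproxy, and the
#    backends using the VR as their default gateway, as the thread notes.
frontend https_transparent
    bind *:443
    mode tcp
    default_backend web_tcp_transparent

backend web_tcp_transparent
    mode tcp
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server web1 10.1.1.11:443 check
    server web2 10.1.1.12:443 check
```

With option 2 the backends should only honour X-Forwarded-For from the VR's address, since any client can send that header itself; option 3 avoids the header entirely but breaks as soon as a backend answers via a gateway other than the VR, which is the constraint the thread points out.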
