cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: HTTPS LB and x-forwarded-for
Date Thu, 02 Nov 2017 23:21:37 GMT
We used to make some special stuff for one of the clients, where all LB
configuration work is done from outside of the ACS, i.e. python script to
feed/configure VR - install latest haproxy 1.5.x for transparent proxy,
since client insisted on SSL termination done on backend web SSL servers....
Not good idea, that is all I can say (custom configuration thing) - but the
LB setup is actually good - transparent mode haproxy, works on TCP level,
so you can see "real client IP" on the backend servers (which must use VR
as the default gtw, as per default, so the whole setup works properly).

I'm still looking forward to see some special support of LB inside VR via
ACS - proper LB setup inside VR via GUI/API -  i.e. to enable LB
provisioning SCRIPT (bash, or whatever),  where all needed
install+configure can be done from client side  - otherwise covering all
user cases, with proper HTTP checks and similar....is impossible to do
IMHO.

Some other clients, actually have internal FW appliance (i.e. multihomed
VM, acting as gtw for all VMs in all networks), and haproxy instaled on
this device (with NAT configured from VR to this internal FW/VM, so remote
IP can be seen properly) - this setup is fully under customer control, and
can provide any kind of special haproxy config...






On 31 October 2017 at 19:54, Nux! <nux@li.nux.ro> wrote:

> Hello,
>
> Of the people running an LB (VR) with https backends, how do you deal with
> the lack of x-forwarded-for since for port 443 there's just simple TCP
> balancing?
>
> Has anyone thought of terminating SSL in the VR instead? Ideas?
>
> Cheers
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>



-- 

Andrija Panić

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message