cloudstack-users mailing list archives

From Nux! <>
Subject Re: HTTPS LB and x-forwarded-for
Date Mon, 06 Nov 2017 12:10:38 GMT
Thanks Andrija,

LB outside of the VR sounds like a good idea. An appliance based on, say cloud-init + ansible
and so on could do the trick; alas it'd need to be outside ACS.
I guess as users we could maybe come up with a spec for an improvement, at least we'd have
something the devs could look at whenever it is possible.


Sent from the Delta quadrant using Borg technology!


----- Original Message -----
> From: "Andrija Panic" <>
> To: "dev" <>
> Cc: "users" <>
> Sent: Thursday, 2 November, 2017 23:21:37
> Subject: Re: HTTPS LB and x-forwarded-for

> We used to make some special stuff for one of the clients, where all LB
> configuration work is done from outside of the ACS, i.e. python script to
> feed/configure VR - install latest haproxy 1.5.x for transparent proxy,
> since client insisted on SSL termination done on backend web SSL servers....
> Not a good idea, that is all I can say (custom configuration thing) - but the
> LB setup is actually good - transparent mode haproxy, works on TCP level,
> so you can see "real client IP" on the backend servers (which must use VR
> as the default gtw, as per default, so the whole setup works properly).
> I'm still looking forward to seeing some special support of LB inside VR via
> ACS - proper LB setup inside VR via GUI/API -  i.e. to enable LB
> provisioning SCRIPT (bash, or whatever),  where all needed
> install+configure can be done from client side  - otherwise covering all
> user cases, with proper HTTP checks and impossible to do
> Some other clients, actually have internal FW appliance (i.e. multihomed
> VM, acting as gtw for all VMs in all networks), and haproxy installed on
> this device (with NAT configured from VR to this internal FW/VM, so remote
> IP can be seen properly) - this setup is fully under customer control, and
> can provide any kind of special haproxy config...
> On 31 October 2017 at 19:54, Nux! <> wrote:
>> Hello,
>> Of the people running an LB (VR) with https backends, how do you deal with
>> the lack of x-forwarded-for since for port 443 there's just simple TCP
>> balancing?
>> Has anyone thought of terminating SSL in the VR instead? Ideas?
>> Cheers
>> --
>> Sent from the Delta quadrant using Borg technology!
>> Nux!
> --
> Andrija Panić
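
The two approaches discussed in this thread, side by side, as an added HAProxy configuration sketch that is not part of either poster's message and is not CloudStack's own VR configuration. All addresses, names, the health-check path and the certificate path are constructed placeholders; option A assumes a TPROXY-capable kernel with the matching routing rules already in place.

```haproxy
# Constructed example: every address, name and path below is a placeholder.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Option A: plain TCP balancing on 443 with a transparent source address.
# TLS ends on the backends, so HAProxy never sees HTTP and cannot add
# X-Forwarded-For. "usesrc clientip" makes HAProxy connect to the backend
# from the client's own address instead. The backends must send replies
# back through this host (it is their default gateway), as the thread notes.
frontend https_tcp
    mode tcp
    bind 192.0.2.10:443
    default_backend web_tls

backend web_tls
    mode tcp
    source 0.0.0.0 usesrc clientip
    server web1 10.1.1.11:443 check
    server web2 10.1.1.12:443 check

# Option B: terminate TLS on the balancer (HAProxy 1.5 or later).
# HAProxy now parses HTTP, so it can run HTTP health checks and set
# X-Forwarded-For itself.
frontend https_term
    mode http
    bind 192.0.2.20:443 ssl crt /etc/haproxy/certs/site.pem
    # Drop any X-Forwarded-For sent by the client so the backend only
    # sees the value written by this balancer.
    http-request del-header X-Forwarded-For
    option forwardfor
    default_backend web_http

backend web_http
    mode http
    option httpchk GET /healthz
    server web1 10.1.1.11:80 check
    server web2 10.1.1.12:80 check
```

With option B the backends should accept X-Forwarded-For only on connections that come from the balancer's address, otherwise the logged client IP can be set by anyone who reaches them directly.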
