Return-Path: <users-return-29166-archive-asf-public=cust-asf.ponee.io@cloudstack.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 06D4B200D33
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed,  8 Nov 2017 15:13:09 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 05842160BE0; Wed,  8 Nov 2017 14:13:09 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id F1C49160BDA
	for <archive-asf-public@cust-asf.ponee.io>; Wed,  8 Nov 2017 15:13:07 +0100 (CET)
Received: (qmail 96933 invoked by uid 500); 8 Nov 2017 14:13:06 -0000
Mailing-List: contact users-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@cloudstack.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@cloudstack.apache.org>
List-Post: <mailto:users@cloudstack.apache.org>
List-Id: <users.cloudstack.apache.org>
Reply-To: users@cloudstack.apache.org
Delivered-To: mailing list users@cloudstack.apache.org
Received: (qmail 96911 invoked by uid 99); 8 Nov 2017 14:13:06 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 08 Nov 2017 14:13:06 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id A16501A0878;
	Wed,  8 Nov 2017 14:13:05 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 1.198
X-Spam-Level: *
X-Spam-Status: No, score=1.198 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	HTML_MESSAGE=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001,
	SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: spamd2-us-west.apache.org (amavisd-new);
	dkim=pass (1024-bit key) header.d=ena.com
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024)
	with ESMTP id JjNKxuLglbfw; Wed,  8 Nov 2017 14:13:01 +0000 (UTC)
Received: from smtp2n.ena.net (smtp2n.ena.net [96.4.1.10])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 6E2EA60E26;
	Wed,  8 Nov 2017 14:13:01 +0000 (UTC)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01lp0120.outbound.protection.outlook.com [207.46.163.120])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp2n.ena.net (Postfix) with ESMTPS id E5D9F14808CE;
	Wed,  8 Nov 2017 08:12:47 -0600 (CST)
Received: from BN6PR02MB3331.namprd02.prod.outlook.com (10.161.152.155) by
 BN6PR02MB3330.namprd02.prod.outlook.com (10.161.152.154) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.218.12; Wed, 8 Nov 2017 14:12:45 +0000
Received: from BN6PR02MB3331.namprd02.prod.outlook.com ([10.161.152.155]) by
 BN6PR02MB3331.namprd02.prod.outlook.com ([10.161.152.155]) with mapi id
 15.20.0197.022; Wed, 8 Nov 2017 14:12:45 +0000
From: Simon Weller <sweller@ena.com.INVALID>
To: "kmoossavi@cloudops.com" <kmoossavi@cloudops.com>,
	"dev@cloudstack.apache.org" <dev@cloudstack.apache.org>,
	"wstevens@cloudops.com" <wstevens@cloudops.com>
CC: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Subject: RE: HTTPS LB and x-forwarded-for
Thread-Topic: HTTPS LB and x-forwarded-for
Thread-Index: roF4X4Cb6wvxHoaIjX55vnawYbwRL6O3o6eAgAWN2wCAA0MxAIAAA5jx
Date: Wed, 8 Nov 2017 14:12:45 +0000
Message-ID: <BN6PR02MB33316769EF8007231F48D104A9560@BN6PR02MB3331.namprd02.prod.outlook.com>
References: <1750999994.6369.1509476065042.JavaMail.zimbra@li.nux.ro>
 <CAMvtBPMCKB1KJeYw4a-tY_XHNYj+SR08v_1SEz5VsYQpzhyyuQ@mail.gmail.com>
 <270992313.1239.1509970237965.JavaMail.zimbra@li.nux.ro>,<CAD97ioeHboORsFXbdLjQZ6rCH01Esbw+3+j4Q6tLamRuSafCZA@mail.gmail.com>
In-Reply-To: <CAD97ioeHboORsFXbdLjQZ6rCH01Esbw+3+j4Q6tLamRuSafCZA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=sweller@ena.com;
x-originating-ip: [2607:fb90:1d9e:eb7d:c5d3:e302:b72e:95b5]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN6PR02MB3330;6:yja1HJtEYEtk9e3Mu5al5czhqGKszyYdMd3B/eHyn+l+/hZMsCA57M2/MRCZDkOWgSSlfNp8gdYZVmAPkFmBPCumvEk8oUczCqi6aM2VwoNHsdD2jVi5asVpJlxKyzkzhJusjax5YGdIRREWpi95UkHzUuFRAWM6U0C3Q2mIgiqlQ4Xy8ZWAb23DfWH62+OhMAF/o41Wv+ttpkBjgqg+XwPLIs10bHREdm/VbPhrWYeByzf1w08fdshaGQr931sWkpFx+jKYwUIrNHx1Il7DCskgFZ3cV/7V50zns/5AduZ4To/eeseVb17x4Ay/6W80Ck9Fn54fMdxfF3vUBMXO7rPiyiUTAJxWa8YcZQABL8o=;5:lTwiG97SU2P5wiupXDFV7vR62kvNdSt5dcfvODGJyjaIfwWiPnDAOIbXCNveRradbiX6XxI4beTYLYgxTO6hYEqxaXIZexbL9HTapXRW/EdpLE1NvqSq1Amj3idzNwQXYyQb0noqTBukviZ/bNmYbjS3qQl0JB1zLGk4QhlUfZI=;24:zC60ey7Ha81bjC8xqgnAzXMfDVN+GBN/Xy0Ggsh1m5UuI/7O1uFytuNxsiDTBPPI3VHTbFGD1cEBzMIhHJZu1VkE0JU3Va3PA206LH6Angw=;7:B9Da6PwkFmTk/6U0+s2AaVLWYkghZlsGov8MI+nApHOjtrMl1bCYD+oky152ygkZrfP/kz44xcEWZlyM+wE09EwouHZvRUANSn+z4/tJUNALZvgWVE0lIOoRINWAs11BdlwgsYAHWIBv0XZS/C5rSNheCMFNfC6Ek7N1bJiVDzyQ3zIZxVkLUmkAEhg4/YZ4/4QQk4b2wezig1RCXLZt7ib2S7qkAArb6sIE0TGXiHEyzyjzpXpUU/W+8N5AsQS1
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: e7f4b95b-87b2-440b-ba4c-08d526b2c8ea
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603199);SRVR:BN6PR02MB3330;
x-ms-traffictypediagnostic: BN6PR02MB3330:|BN6PR02MB3330:
x-exchange-antispam-report-test: UriScan:(158342451672863)(72170088055959)(265273979862326)(21532816269658)(17755550239193)(5213294742642);
x-microsoft-antispam-prvs: <BN6PR02MB33308474E3155CE69DBBDC86A9560@BN6PR02MB3330.namprd02.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(10201501046)(3231021)(100000703101)(100105400095)(93006095)(93001095)(6041248)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123560025)(20161123555025)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BN6PR02MB3330;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN6PR02MB3330;
x-forefront-prvs: 0485417665
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(13464003)(24454002)(189002)(199003)(74316002)(2900100001)(76176999)(54356999)(2906002)(97736004)(6246003)(53936002)(14454004)(2950100002)(25786009)(55016002)(3660700001)(105586002)(106356001)(68736007)(230783001)(50986999)(101416001)(236005)(54896002)(9686003)(6306002)(3280700002)(102836003)(4326008)(6116002)(316002)(6506006)(77096006)(15974865002)(110136005)(6436002)(33656002)(478600001)(7736002)(99286004)(81156014)(606006)(7696004)(53546010)(93886005)(8936002)(81166006)(966005)(2501003)(229853002)(189998001)(2201001)(86362001)(5660300001)(8676002);DIR:OUT;SFP:1101;SCL:1;SRVR:BN6PR02MB3330;H:BN6PR02MB3331.namprd02.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
received-spf: None (protection.outlook.com: ena.com does not designate
 permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative;
	boundary="_000_BN6PR02MB33316769EF8007231F48D104A9560BN6PR02MB3331namp_"
MIME-Version: 1.0
X-OriginatorOrg: ena.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e7f4b95b-87b2-440b-ba4c-08d526b2c8ea
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2017 14:12:45.8403
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6dc38cd4-4d4f-4826-9649-17854289d170
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR02MB3330
X-ENA-MailScanner-Information: Report abuse to abuse@ena.com and include the next header value
X-ENA-MailScanner-ID: E5D9F14808CE.A2342
X-ENA-MailScanner: No viruses found
X-ENA-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-2,
	required 4, autolearn=not spam, BAYES_00 -1.90, DKIM_SIGNED 0.10,
	DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00,
	SPF_HELO_PASS -0.00)
X-ENA-MailScanner-From: sweller@ena.com
X-ENA-MailScanner-Watermark: 1510755168.52041@nE7ZIpxuC1lZbdGIOSFVVQ
archived-at: Wed, 08 Nov 2017 14:13:09 -0000

--_000_BN6PR02MB33316769EF8007231F48D104A9560BN6PR02MB3331namp_
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

I'm assuming we would have the standard openssl version with Intel TLS offl=
oad though, right? RHEL ships their FIPS compliant version that strips all =
the acceleration out. The cpu instruction sets should be passed through fro=
m the host, so hopefully that will make a massive difference to decryption =
speeds and cpu load.

Simon Weller/615-312-6068

-----Original Message-----
From: Pierre-Luc Dion [pdion@cloudops.com]
Received: Wednesday, 08 Nov 2017, 9:00AM
To: dev@cloudstack.apache.org [dev@cloudstack.apache.org]; Khosrow Moossavi=
 [kmoossavi@cloudops.com]; Will Stevens [wstevens@cloudops.com]
CC: users [users@cloudstack.apache.org]
Subject: Re: HTTPS LB and x-forwarded-for

Same challenge here too!

Let's look at improving Load-balancing offering from cloudstack, I guest we
should do a feature spec draft soon..,  from my perspective, doing SSL
offload on the VR could be problematic if the VR spec if too small, and the
default spec of the VR being 1vcpu@256MB, considering it can be the router
of a VPC, doing VPN termination, adding HTTPS  is a bit ish... What would
be your thought about this ?

I'd be curious to have a LB offering in ACS where it would deploy a
redundant traefik[1] beside the VR for doing http and https Load-balancing.
I think it would also be useful if the API of that traefik instance would
be available from within the VPC or LBnetwork so is API would be accessible
to other apps orchestration tools such as  kubernetes or rancher.

traefik or not, here is what I think is needed by cloudstack in the LB
improvement:

- support http, https (X-Forwarded-For)
- basic persistence tuning (API already exist)
- better backend monitoring, currently only a tcp connect validate if the
webserver is up.
- ssl offload
- metric collection, more stats, maybe just export the tool status page to
the private network.
- Container world support, right now if you have Rancher or kubernetes
cluster, you need to deploy your own LB solution behing mostlikely a static
nat., If cloudstack would deploy a traefik instance, Kub or Rancher could
reuse this instance and managed it to properly do LB between containers.


What would be your prefered LB tool:
haproxy, traefik or nginx?

CloudStack already have to code to handle SSL certs per projects and
accounts if not mistaking because that code was added to support NetScaler
as Load-balancer in the past. so one less thing to think about :-)


[1] https://traefik.io/


PL,



On Mon, Nov 6, 2017 at 7:10 AM, Nux! <nux@li.nux.ro> wrote:

> Thanks Andrija,
>
> LB outside of the VR sounds like a good idea. An appliance based on, say
> cloud-init + ansible and so on could do the trick; alas it'd need to be
> outside ACS.
> I guess as users we could maybe come up with a spec for an improvement, a=
t
> least we'd have something the devs could look at whenever it is possible.
>
> Regards,
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
> > From: "Andrija Panic" <andrija.panic@gmail.com>
> > To: "dev" <dev@cloudstack.apache.org>
> > Cc: "users" <users@cloudstack.apache.org>
> > Sent: Thursday, 2 November, 2017 23:21:37
> > Subject: Re: HTTPS LB and x-forwarded-for
>
> > We used to make some special stuff for one of the clients, where all LB
> > configuration work is done from outside of the ACS, i.e. python script =
to
> > feed/configure VR - install latest haproxy 1.5.x for transparent proxy,
> > since client insisted on SSL termination done on backend web SSL
> servers....
> > Not good idea, that is all I can say (custom configuration thing) - but
> the
> > LB setup is actually good - transparent mode haproxy, works on TCP leve=
l,
> > so you can see "real client IP" on the backend servers (which must use =
VR
> > as the default gtw, as per default, so the whole setup works properly).
> >
> > I'm still looking forward to see some special support of LB inside VR v=
ia
> > ACS - proper LB setup inside VR via GUI/API -  i.e. to enable LB
> > provisioning SCRIPT (bash, or whatever),  where all needed
> > install+configure can be done from client side  - otherwise covering al=
l
> > user cases, with proper HTTP checks and similar....is impossible to do
> > IMHO.
> >
> > Some other clients, actually have internal FW appliance (i.e. multihome=
d
> > VM, acting as gtw for all VMs in all networks), and haproxy instaled on
> > this device (with NAT configured from VR to this internal FW/VM, so
> remote
> > IP can be seen properly) - this setup is fully under customer control,
> and
> > can provide any kind of special haproxy config...
> >
> >
> >
> >
> >
> >
> > On 31 October 2017 at 19:54, Nux! <nux@li.nux.ro> wrote:
> >
> >> Hello,
> >>
> >> Of the people running an LB (VR) with https backends, how do you deal
> with
> >> the lack of x-forwarded-for since for port 443 there's just simple TCP
> >> balancing?
> >>
> >> Has anyone thought of terminating SSL in the VR instead? Ideas?
> >>
> >> Cheers
> >>
> >> --
> >> Sent from the Delta quadrant using Borg technology!
> >>
> >> Nux!
> >> www.nux.ro
> >>
> >
> >
> >
> > --
> >
> > Andrija Pani=E6
>

--_000_BN6PR02MB33316769EF8007231F48D104A9560BN6PR02MB3331namp_--