Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 71EEB200D3B for ; Fri, 10 Nov 2017 14:27:20 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 707D9160BF2; Fri, 10 Nov 2017 13:27:20 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 68ABD160BEE for ; Fri, 10 Nov 2017 14:27:19 +0100 (CET) Received: (qmail 53884 invoked by uid 500); 10 Nov 2017 13:27:18 -0000 Mailing-List: contact users-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@cloudstack.apache.org Delivered-To: mailing list users@cloudstack.apache.org Received: (qmail 53868 invoked by uid 99); 10 Nov 2017 13:27:18 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 10 Nov 2017 13:27:18 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 46A09D7DD7 for ; Fri, 10 Nov 2017 13:27:17 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.879 X-Spam-Level: * X-Spam-Status: No, score=1.879 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (1024-bit key) header.d=cloudops.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id kBzoPcPox3nK for ; Fri, 10 Nov 2017 13:27:15 +0000 (UTC) Received: from mail-qk0-f180.google.com (mail-qk0-f180.google.com [209.85.220.180]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 3F29960D6B for ; Fri, 10 Nov 2017 13:27:15 +0000 (UTC) Received: by mail-qk0-f180.google.com with SMTP id l69so5263054qkl.11 for ; Fri, 10 Nov 2017 05:27:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudops.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=x8gBc5s4e1y3JE+RPiKBS/pzOjDN+ow/HcG2TGlNqR8=; b=VzZ9rOv+m5Zyj1CvtP0S6gjlYpgGawjpckDzAW8WCQhQuolcJMwxSOB+LiIYabB+49 1y6PXzZcUfkmvzaL7CER/FBJaiCyx2b4NxSzCReqkU+bDqVvvhm0XYMYxVsx111ZxSV6 B0+zEA8Na5STjQ7Vublku+z0/XuSl81FsRqfc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=x8gBc5s4e1y3JE+RPiKBS/pzOjDN+ow/HcG2TGlNqR8=; b=NXmvNHcvlAOOabozdexzjSF4WCpX7wJYbEC/cLZH9yoSzOkF0oZGDxvtxGlnwCHqpx StM5w3APRk5jHWHeETwq7KhSusLKkEDeExgvu8UbK86HSHa3mID8541UTuPUb3317/E+ qcLaLcxYrljPWUGwW4pQ2BXI0nhN2PAu7ia2ibn9+dOXitwm2c125t+4VKZy3DUV778w vvvOVYLKTTSUGPlWZDdwrCztFe3pSAV4nzk4DS6rzNrKyS9jEUlkt/4Otu6gQLniZrga ifBemENPBqI9Y+Abjyv5/mtpGsJVxgbzI2yA0dXH3/DskmgimcvbxkSwZmkI/tqDB8Iq bC8w== X-Gm-Message-State: AJaThX6DKRO+ZlxOAynFHgK203AMWGUjtil+LgbM+pq+LOs9UJd2FFiB bhhQX8qyYdrod7HGFW7/Tubm+yhuJU/yUEkDVt035pBz X-Google-Smtp-Source: AGs4zMZff4QKt6Fou8uhUugbIHzunsO+cuThWTRsMe5+ZmRq36hFuZ2PvhymEgl4vurisWWD1AFg5KQ6B6lF96ZKWUY= X-Received: by 10.55.151.4 with SMTP id z4mr515821qkd.173.1510320428715; Fri, 10 Nov 2017 05:27:08 -0800 (PST) MIME-Version: 1.0 Received: by 10.237.54.167 with HTTP; Fri, 10 Nov 2017 05:27:07 -0800 (PST) Received: by 10.237.54.167 with HTTP; Fri, 10 Nov 2017 05:27:07 -0800 (PST) In-Reply-To: <940185856.4522.1510296264699@ox.pcextreme.nl> References: <1750999994.6369.1509476065042.JavaMail.zimbra@li.nux.ro> <270992313.1239.1509970237965.JavaMail.zimbra@li.nux.ro> <1778806379.4501.1510211582337@ox.pcextreme.nl> <1657929870.1138.1510253995466.JavaMail.zimbra@li.nux.ro> <940185856.4522.1510296264699@ox.pcextreme.nl> From: Pierre-Luc Dion Date: Fri, 10 Nov 2017 08:27:07 -0500 Message-ID: Subject: Re: HTTPS LB and x-forwarded-for To: Wido den Hollander Cc: "Nux!" , dev@cloudstack.apache.org, users , Khosrow Moossavi , Will Stevens Content-Type: multipart/alternative; boundary="94eb2c07d580a6a73e055da0e0a4" archived-at: Fri, 10 Nov 2017 13:27:20 -0000 --94eb2c07d580a6a73e055da0e0a4 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I kind of like the proxy backend type, ill check on our end if that would work but definitely a simple and efficient approach! Le 10 nov. 2017 01 h 44, "Wido den Hollander" a =C3=A9crit= : > > > Op 9 november 2017 om 19:59 schreef Nux! : > > > > > > Wido, > > > > Excellent suggestion with the "transparent proxy", I was not aware of > that. > > I think that would be a great idea and wouldn't require too many > modifications, especially as Haproxy comes already with the VR. > > > > It's indeed just a matter of a HAProxy config setting. We could make it > configurable per backend in HAProxy. Regular HTTP, TCP or PROXY for examp= le. > > That way your problem would be solved. > > Wido > > > To Paul: > > - imho the LB solution ACS ships now is a bit handicaped since you do > not know the remote host ip. You're flying blind unless you use google > analytics (and these things have gotten more and more aggressively filter= ed > by adblocks). > > Enhancing Haproxy as Wido suggested would go a long way, it wouldn't > break existing functionality and would also keep SSL processing off the V= R. > > > > -- > > Sent from the Delta quadrant using Borg technology! > > > > Nux! > > www.nux.ro > > > > ----- Original Message ----- > > > From: "Andrija Panic" > > > To: "users" > > > Cc: "Khosrow Moossavi" , "Will Stevens" < > wstevens@cloudops.com>, "dev" > > > , "Pierre-Luc Dion" > > > Sent: Thursday, 9 November, 2017 13:10:58 > > > Subject: Re: HTTPS LB and x-forwarded-for > > > > > Wido, > > > > > > backend servers are not Linux only, for example we have a ton of > Windows > > > customers, some WEB solutions / IIS etc... > > > > > > @all - If we try to please/solve everyone's proxying > solution/requirement - > > > this is impossible IMHO - I'm thinking more about some "do it as you > like" > > > solution, to let customer write his own haproxy config and upoad it > (for > > > example, or something better?). > > > > > > We can support newer version of haproxy (1.5+) which also implement > > > "transarent proxy" (integrate with kernel so to speak) to allow > TCP-level > > > connections to backend (TCP mode, not HTTP mode) but to still > "preserve" > > > remote IP by faking it (fake soruce IP =3D transarent proxy). > > > > > > For the rest of configuration options, I would leave it to the > customer > > > how he/she wants to configure rest of haproxy configuration, inlcudin= g > > > custom checks, etc. Haproxy configuration is never-ending story, and = we > > > probably should allow custom sripts/configuration instead of trying t= o > > > provide GUI/API way to configure everything (which is impossible...) > > > > > > Just my 2 cents... > > > > > > On 9 November 2017 at 08:13, Wido den Hollander > wrote: > > > > > >> > > >> > Op 8 november 2017 om 14:59 schreef Pierre-Luc Dion < > pdion@cloudops.com > > >> >: > > >> > > > >> > > > >> > Same challenge here too! > > >> > > > >> > Let's look at improving Load-balancing offering from cloudstack, I > guest > > >> we > > >> > should do a feature spec draft soon.., from my perspective, doing > SSL > > >> > offload on the VR could be problematic if the VR spec if too small= , > and > > >> the > > >> > default spec of the VR being 1vcpu@256MB, considering it can be th= e > > >> router > > >> > of a VPC, doing VPN termination, adding HTTPS is a bit ish... Wha= t > would > > >> > be your thought about this ? > > >> > > > >> > I'd be curious to have a LB offering in ACS where it would deploy = a > > >> > redundant traefik[1] beside the VR for doing http and https > > >> Load-balancing. > > >> > I think it would also be useful if the API of that traefik instanc= e > would > > >> > be available from within the VPC or LBnetwork so is API would be > > >> accessible > > >> > to other apps orchestration tools such as kubernetes or rancher. > > >> > > > >> > traefik or not, here is what I think is needed by cloudstack in th= e > LB > > >> > improvement: > > >> > > > >> > - support http, https (X-Forwarded-For) > > >> > > >> HAProxy also supports the PROXY protocol towards the backends. Apach= e > > >> 2.4.22 supports this natively and Varnish for example can also talk > PROXY. > > >> > > >> It adds a littlebit of metadata to the connection so that the backen= d > > >> knows the original IP the connection came from for example: > > >> https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt > > >> > > >> Wido > > >> > > >> > - basic persistence tuning (API already exist) > > >> > - better backend monitoring, currently only a tcp connect validate > if the > > >> > webserver is up. > > >> > - ssl offload > > >> > - metric collection, more stats, maybe just export the tool status > page > > >> to > > >> > the private network. > > >> > - Container world support, right now if you have Rancher or > kubernetes > > >> > cluster, you need to deploy your own LB solution behing mostlikely= a > > >> static > > >> > nat., If cloudstack would deploy a traefik instance, Kub or Ranche= r > could > > >> > reuse this instance and managed it to properly do LB between > containers. > > >> > > > >> > > > >> > What would be your prefered LB tool: > > >> > haproxy, traefik or nginx? > > >> > > > >> > CloudStack already have to code to handle SSL certs per projects a= nd > > >> > accounts if not mistaking because that code was added to support > > >> NetScaler > > >> > as Load-balancer in the past. so one less thing to think about :-) > > >> > > > >> > > > >> > [1] https://traefik.io/ > > >> > > > >> > > > >> > PL, > > >> > > > >> > > > >> > > > >> > On Mon, Nov 6, 2017 at 7:10 AM, Nux! wrote: > > >> > > > >> > > Thanks Andrija, > > >> > > > > >> > > LB outside of the VR sounds like a good idea. An appliance based > on, > > >> say > > >> > > cloud-init + ansible and so on could do the trick; alas it'd nee= d > to be > > >> > > outside ACS. > > >> > > I guess as users we could maybe come up with a spec for an > > >> improvement, at > > >> > > least we'd have something the devs could look at whenever it is > > >> possible. > > >> > > > > >> > > Regards, > > >> > > Lucian > > >> > > > > >> > > -- > > >> > > Sent from the Delta quadrant using Borg technology! > > >> > > > > >> > > Nux! > > >> > > www.nux.ro > > >> > > > > >> > > ----- Original Message ----- > > >> > > > From: "Andrija Panic" > > >> > > > To: "dev" > > >> > > > Cc: "users" > > >> > > > Sent: Thursday, 2 November, 2017 23:21:37 > > >> > > > Subject: Re: HTTPS LB and x-forwarded-for > > >> > > > > >> > > > We used to make some special stuff for one of the clients, > where all > > >> LB > > >> > > > configuration work is done from outside of the ACS, i.e. pytho= n > > >> script to > > >> > > > feed/configure VR - install latest haproxy 1.5.x for transpare= nt > > >> proxy, > > >> > > > since client insisted on SSL termination done on backend web S= SL > > >> > > servers.... > > >> > > > Not good idea, that is all I can say (custom configuration > thing) - > > >> but > > >> > > the > > >> > > > LB setup is actually good - transparent mode haproxy, works on > TCP > > >> level, > > >> > > > so you can see "real client IP" on the backend servers (which > must > > >> use VR > > >> > > > as the default gtw, as per default, so the whole setup works > > >> properly). > > >> > > > > > >> > > > I'm still looking forward to see some special support of LB > inside > > >> VR via > > >> > > > ACS - proper LB setup inside VR via GUI/API - i.e. to enable = LB > > >> > > > provisioning SCRIPT (bash, or whatever), where all needed > > >> > > > install+configure can be done from client side - otherwise > covering > > >> all > > >> > > > user cases, with proper HTTP checks and similar....is > impossible to > > >> do > > >> > > > IMHO. > > >> > > > > > >> > > > Some other clients, actually have internal FW appliance (i.e. > > >> multihomed > > >> > > > VM, acting as gtw for all VMs in all networks), and haproxy > instaled > > >> on > > >> > > > this device (with NAT configured from VR to this internal > FW/VM, so > > >> > > remote > > >> > > > IP can be seen properly) - this setup is fully under customer > > >> control, > > >> > > and > > >> > > > can provide any kind of special haproxy config... > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > On 31 October 2017 at 19:54, Nux! wrote: > > >> > > > > > >> > > >> Hello, > > >> > > >> > > >> > > >> Of the people running an LB (VR) with https backends, how do > you > > >> deal > > >> > > with > > >> > > >> the lack of x-forwarded-for since for port 443 there's just > simple > > >> TCP > > >> > > >> balancing? > > >> > > >> > > >> > > >> Has anyone thought of terminating SSL in the VR instead? Idea= s? > > >> > > >> > > >> > > >> Cheers > > >> > > >> > > >> > > >> -- > > >> > > >> Sent from the Delta quadrant using Borg technology! > > >> > > >> > > >> > > >> Nux! > > >> > > >> www.nux.ro > > >> > > >> > > >> > > > > > >> > > > > > >> > > > > > >> > > > -- > > >> > > > > > >> > > > Andrija Pani=C4=87 > > >> > > > > >> > > > > > > > > > > > > -- > > > > > > Andrija Pani=C4=87 > --94eb2c07d580a6a73e055da0e0a4--