Repository: stratos Updated Branches: refs/heads/stratos-4.1.x 27ba632f2 -> 3a2acec71
handling HTTPS loadbalancing in AWS LB extension Project: http://git-wip-us.apache.org/repos/asf/stratos/repo Commit: http://git-wip-us.apache.org/repos/asf/stratos/commit/3a2acec7 Tree: http://git-wip-us.apache.org/repos/asf/stratos/tree/3a2acec7 Diff: http://git-wip-us.apache.org/repos/asf/stratos/diff/3a2acec7 Branch: refs/heads/stratos-4.1.x Commit: 3a2acec7158c9491bd7d54f1f6f093473ff3985b Parents: 27ba632 Author: Isuru Haththotuwa <[email protected]> Authored: Fri Oct 23 14:53:59 2015 +0530 Committer: Isuru Haththotuwa <[email protected]> Committed: Fri Oct 23 14:53:59 2015 +0530 ---------------------------------------------------------------------- .../modules/aws-extension/INSTALL.md | 8 +++++- .../aws-extension/src/main/conf/aws.properties | 6 +++++ .../apache/stratos/aws/extension/AWSHelper.java | 28 +++++++++++++++++--- .../apache/stratos/aws/extension/Constants.java | 1 + 4 files changed, 39 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/stratos/blob/3a2acec7/extensions/load-balancer/modules/aws-extension/INSTALL.md ---------------------------------------------------------------------- diff --git a/extensions/load-balancer/modules/aws-extension/INSTALL.md b/extensions/load-balancer/modules/aws-extension/INSTALL.md index 0ab671f..4f8a090 100644 --- a/extensions/load-balancer/modules/aws-extension/INSTALL.md +++ b/extensions/load-balancer/modules/aws-extension/INSTALL.md 
@@ -24,7 +24,9 @@ below steps to proceed with the installation: 1. Extract org.apache.stratos.aws.extension-<version>.zip to a desired location: <aws-extension-home>. -2. Open <aws-extension-home>/conf/aws-credentials.conf file in text editor and update AWS access key and secret key information. +2. Open <aws-extension-home>/conf/aws-credentials.conf file in text editor and update AWS access key and secret key information. + If you are using HTTPS as the FE protocol for the AWS LBs, upload a certificate [1] for the LBs and update + load-balancer-ssl-certificate-id with the ARN [2]. 3. Open <aws-extension-home>/bin/aws-extension.sh file in a text editor and update following system properties: ``` @@ -43,3 +45,7 @@ below steps to proceed with the installation: ``` 5. Run <aws-extension-home>/bin/aws-extension.sh as the root user. + +[1]. http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html + +[2]. http://docs.aws.amazon.com/cli/latest/reference/iam/get-server-certificate.html http://git-wip-us.apache.org/repos/asf/stratos/blob/3a2acec7/extensions/load-balancer/modules/aws-extension/src/main/conf/aws.properties ---------------------------------------------------------------------- diff --git a/extensions/load-balancer/modules/aws-extension/src/main/conf/aws.properties b/extensions/load-balancer/modules/aws-extension/src/main/conf/aws.properties index e0302e6..ebdf614 100644 --- a/extensions/load-balancer/modules/aws-extension/src/main/conf/aws.properties +++ b/extensions/load-balancer/modules/aws-extension/src/main/conf/aws.properties 
@@ -32,3 +32,9 @@ allowed-protocols=tcp
 # statistics-interval denotes the interval in seconds for which statistics are gathered to calculate request in flight count.
 # This must be multiple of 60.
 statistics-interval=60
+# Upload a private key and public certificate to use in the HTTPS Listner of the load balancer
+# After the server certificate is uploaded, you can verify that the information is stored in IAM.
+# Each certificate object has a unique Amazon Resource Name (ARN) and ID.
+# You can request these details for a specific certificate object by referencing the name of the certificate object:
+# aws iam get-server-certificate --server-certificate-name your-certificate-name
+load-balancer-ssl-certificate-id=
http://git-wip-us.apache.org/repos/asf/stratos/blob/3a2acec7/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/AWSHelper.java
----------------------------------------------------------------------
diff --git a/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/AWSHelper.java b/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/AWSHelper.java
index a8164e7..4bdd3e5 100644
--- a/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/AWSHelper.java
+++ b/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/AWSHelper.java
@@ -66,6 +66,7 @@ public class AWSHelper {
 private String lbSecurityGroupDescription;
 private String allowedCidrIpForLBSecurityGroup;
 private int statisticsInterval;
+ private String sslCertificateId;
 private AtomicInteger lbSequence;
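Review bot: The comment block above `load-balancer-ssl-certificate-id=` never says which of the two identifiers it mentions ("a unique Amazon Resource Name (ARN) and ID") goes into the property; the property name suggests the ID while INSTALL.md in this same commit says the ARN, and an operator who pastes the wrong one only finds out when listener creation fails in AWS. Suggest replacing the first comment line with `# ARN of the IAM server certificate (uploaded with 'aws iam upload-server-certificate') used by HTTPS/SSL front-end listeners of the load balancer` and appending `# Required only when a member exposes an HTTPS or SSL port; leave empty otherwise.`, which also fixes the typo "Listner". Which form the AWS API accepts is inferred from the Listener.setSSLCertificateId call in AWSHelper rather than from this file, so confirm it against the ELB listener documentation before settling on the wording.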
@@ -126,6 +127,11 @@ public class AWSHelper {
 "Invalid load balancer security group name.");
 }
+ // Read the SSL certificate Id. This is mandatory if only we are using HTTPS as the front end protocol.
+ // http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/using-elb-listenerconfig-quickref.html
+ this.sslCertificateId = properties
+ .getProperty(Constants.LOAD_BALANCER_SSL_CERTIFICATE_ID);
+
 this.allowedCidrIpForLBSecurityGroup = properties
 .getProperty(Constants.ALLOWED_CIDR_IP_KEY);
@@ -338,8 +344,7 @@ public class AWSHelper {
 * @param region
 * of the load balancer
 */
- public void deregisterInstancesFromLoadBalancer(String loadBalancerName,
- List<Instance> instances, String region) {
+ public void deregisterInstancesFromLoadBalancer(String loadBalancerName, List<Instance> instances, String region) {
 log.info("De-registering following instance(s) from load balancer " + loadBalancerName);
@@ -841,7 +846,7 @@ public class AWSHelper {
 * @param service
 * @return list of listeners required for the service
 */
- public List<Listener> getRequiredListeners(Member member) {
+ public List<Listener> getRequiredListeners(Member member) throws LoadBalancerExtensionException {
 List<Listener> listeners = new ArrayList<Listener>();
 Collection<Port> ports = member.getPorts();
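Review bot: The value read into sslCertificateId in the constructor hunk is stored untrimmed, so an ARN pasted into aws.properties with trailing whitespace passes the `isEmpty()` guard in getRequiredListeners and is only rejected later by AWS with a less obvious error; the two lines `String certId = properties.getProperty(Constants.LOAD_BALANCER_SSL_CERTIFICATE_ID);` and `this.sslCertificateId = certId == null ? null : certId.trim();` would surface that at startup instead. The comment `// Read the SSL certificate Id. This is mandatory if only we are using HTTPS as the front end protocol.` is hard to parse and should read `// Read the SSL certificate ARN; only required when a listener uses HTTPS or SSL as its front-end protocol.` The constructor this hunk belongs to starts and ends outside the hunk.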
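Review bot: The Javadoc immediately above the changed getRequiredListeners signature still says `@param service` although the parameter is `Member member`, and the newly added `throws LoadBalancerExtensionException` is not documented, so a caller cannot tell from the doc when it is raised. Suggest `@param member the member whose ports determine the listeners` and `@throws LoadBalancerExtensionException if a port uses HTTPS or SSL as its front-end protocol but load-balancer-ssl-certificate-id is not configured`. Whether LoadBalancerExtensionException is a checked exception is not visible here; if it is, every existing caller of getRequiredListeners must now handle it, and none appears in this commit's diffstat, so that is worth verifying. The method body continues past the end of this hunk.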
@@ -854,6 +859,19 @@ public class AWSHelper {
 Listener listener = new Listener(protocol, proxyPort, instancePort);
 listener.setInstanceProtocol(instanceProtocol);
+ if ("HTTPS".equalsIgnoreCase(protocol) || "SSL".equalsIgnoreCase(protocol)) {
+ // if the SSL certificate is not configured in the aws.properties file, can't continue
+ if (getSslCertificateId() == null || getSslCertificateId().isEmpty()) {
+ String errorMsg = "Required property " + Constants.LOAD_BALANCER_SSL_CERTIFICATE_ID + " not provided in configuration";
+ log.error(errorMsg);
+ throw new LoadBalancerExtensionException(errorMsg);
+ }
+ // TODO: make debug?
+ if (log.isInfoEnabled()) {
+ log.info("Listener protocol = " + protocol + ", hence setting the SSL Certificate Id: " + getSslCertificateId());
+ }
+ listener.setSSLCertificateId(getSslCertificateId());
+ }
 listeners.add(listener);
 }
@@ -923,4 +941,8 @@ public class AWSHelper {
 } else
 return null;
 }
+
+ public String getSslCertificateId() {
+ return sslCertificateId;
+ }
 }
http://git-wip-us.apache.org/repos/asf/stratos/blob/3a2acec7/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/Constants.java
----------------------------------------------------------------------
diff --git a/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/Constants.java b/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/Constants.java
index 30ada5c..626f1ce 100644
--- a/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/Constants.java
+++ b/extensions/load-balancer/modules/aws-extension/src/main/java/org/apache/stratos/aws/extension/Constants.java
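Review bot: The new HTTPS branch logs the certificate ARN at INFO for every HTTPS/SSL port of every member, and the `// TODO: make debug?` left in the code shows the author was unsure; the ARN is not a secret, but this is per-listener diagnostic detail, so change it to `if (log.isDebugEnabled()) { log.debug("Listener protocol = " + protocol + ", hence setting the SSL Certificate Id: " + getSslCertificateId()); }` and drop the TODO. Separately, nothing in this branch sets an SSL negotiation policy on the listener, so the load balancer presumably ends up with whatever default policy AWS applies, including the TLS versions and cipher suites that default allows; a comment stating that, or a follow-up property to pin the policy, would help operators who must exclude old protocol versions. The `getSslCertificateId() == null || getSslCertificateId().isEmpty()` check runs once per port, so a misconfiguration is reported on the first HTTPS port rather than once up front; hoisting it before the loop is optional. The enclosing loop in getRequiredListeners starts before this hunk.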
@@ -53,4 +53,5 @@ public class Constants {
 public static final String HTTP_RESPONSE_5XX = "HTTPCode_Backend_5XX";
 public static final String STATISTICS_INTERVAL = "statistics-interval";
 public static final int STATISTICS_INTERVAL_MULTIPLE_OF = 60;
+ public static final String LOAD_BALANCER_SSL_CERTIFICATE_ID = "load-balancer-ssl-certificate-id";
 }
