Some clarification question

Aleksandar Lazic Fri, 28 Oct 2016 08:58:00 -0700

Hi.

@openshift there is a discussion about stickiness.


Let's say you have such a config.

###
backend be_edge_http_1-caddy-teplate_caddy-template-usage

  mode http
  option redispatch
  option forwardfor
  balance leastconn
  timeout check 5000ms
  http-request set-header X-Forwarded-Host %[req.hdr(host)]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }

cookie 4106ca6931bf4a3e0db2474573f01a3f insert indirect nocachehttponly secure

http-request set-header Forwardedfor=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]

server ed869f92f458c2810361c096e64c6729 10.1.3.34:2015 check inter5000ms cookie ed869f92f458c2810361c096e64c6729

server 8032c03a054e0b5a670bcab37f8510c6 10.1.4.62:2015 check inter5000ms cookie 8032c03a054e0b5a670bcab37f8510c6

server 868d4f965e5d8c8ff73379a299facedf 10.1.5.2:2015 check inter5000ms cookie 868d4f965e5d8c8ff73379a299facedf

server 5e855f052852749bed7013707a57de94 10.1.5.3:2015 check inter5000ms cookie 5e855f052852749bed7013707a57de94

###

I have seen that when I use a browser, which accepts cookies, I alwaysreach the same endpoint.

https://caddy-template-usage-1-caddy-teplate.playground.itandtel.at/templates/print-hostname.tmpl

I'm quite sure this works as designed ;-)

It is useless which of the algo I use the cookie stickiness is alwaysthe winner right?


https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L339-L345
http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-balance

Are my observation right?
Can I overrule the cookie stickiness in the config above?

Haproxy: 1.5.14 (RedHat version)

Full haproxy part

------------------------------------------
global
  # maxconn 4096
  daemon
  ca-base /etc/ssl
  crt-base /etc/ssl
  stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
  stats timeout 2m

  # Prevent vulnerability to POODLE attacks
  # TODO: use when 1.5.14 is available
  # ssl-default-bind-options no-sslv3

# Modern cipher suite (no legacy browser support) fromhttps://wiki.mozilla.org/Security/Server_Side_TLS

  # tune.ssl.default-dh-param 2048

# ssl-default-bind-ciphersECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

# Intermediate cipher suite (default) fromhttps://wiki.mozilla.org/Security/Server_Side_TLS

  tune.ssl.default-dh-param 2048

ssl-default-bind-ciphersECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# Old cipher suite (maximum compatibility but insecure) fromhttps://wiki.mozilla.org/Security/Server_Side_TLS

  # tune.ssl.default-dh-param 1024


defaults
  # maxconn 4096
  # Add x-forwarded-for header.
  timeout connect 5s
  timeout client 30s
  timeout server 30s
  # Long timeout for WebSocket connections.
  timeout tunnel 1h


listen stats :1936

    mode http
    # Health check monitoring uri.
    monitor-uri /healthz


    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth admin:WELL_WHAT_A_PASS;-)


frontend public
  bind :80
  mode http
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP

  # check if we need to redirect/force using https.

acl secure_redirectbase,map_beg(/var/lib/haproxy/conf/os_edge_http_redirect.map) -m found

  redirect scheme https if secure_redirect

  # Check if it is an edge route exposed insecurely.

acl edge_http_exposebase,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map) -m founduse_backendbe_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map)]if edge_http_expose


  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.

use_backendbe_http_%[base,map_beg(/var/lib/haproxy/conf/os_http_be.map)]


  default_backend openshift_default

# public ssl accepts all connections and isn't checking certificates yetcertificates to use will be# determined by the next backend in the chain which may be an appbackend (passthrough termination) or a backend

# that terminates encryption in this router (edge)
frontend public_ssl
  bind :443
  tcp-request  inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

# if the connection is SNI and the route is a passthrough don't usethe termination backend, just use the tcp backend

  acl sni req.ssl_sni -m found

acl sni_passthroughreq.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m founduse_backendbe_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if snisni_passthrough


  # if the route is SNI and NOT passthrough enter the termination flow
  use_backend be_sni if sni

# non SNI requests should enter a default termination backend ratherthan the custom cert SNI backend since it

  # will not be able to match a cert to an SNI host
  default_backend be_no_sni

##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.

# Certs will be stored in a directory and will be matched with the SNIhost header# which must exist in the CN of the certificate. Certificates must beconcatenated# as a single file (handled by the plugin writer) per the haproxydocumentation.

# Finally, check re-encryption settings and re-encrypt or just passalong the unencrypted

# traffic
##########################################################################
backend be_sni
  server fe_sni 127.0.0.1:10444 weight 1 send-proxy

frontend fe_sni
  # terminate ssl on edge

bind 127.0.0.1:10444 ssl no-sslv3 crt/var/lib/containers/router/certs/default.pem crt/var/lib/containers/router/certs accept-proxy

  mode http

# check re-encrypt backends first - from most specific to generalpath.acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -mfound


  # Search from most specific to general path (host case).

use_backendbe_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] ifreencrypt


  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.

use_backendbe_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]


  default_backend openshift_default

##########################################################################
# END TLS SNI
##########################################################################

##########################################################################
# TLS NO SNI
#

# When we don't have SNI the only thing we can try to do is terminatethe encryption# using our wild card certificate. Once that is complete we can eitherre-encrypt

# the traffic or pass it on to the backends
##########################################################################

# backend for when sni does not exist, or ssl term needs to happen onthe edge

backend be_no_sni
  server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy

frontend fe_no_sni
  # terminate ssl on edge

bind 127.0.0.1:10443 ssl no-sslv3 crt/var/lib/containers/router/certs/default.pem accept-proxy

  mode http

  # check re-encrypt backends first - path or host based.

acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -mfound


  # Search from most specific to general path (host case).

use_backendbe_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] ifreencrypt


  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.

use_backendbe_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]


  default_backend openshift_default

##########################################################################
# END TLS NO SNI
##########################################################################

backend openshift_default
  mode http
  option forwardfor
  #option http-keep-alive
  option http-pretend-keepalive
  # To configure custom default errors, you can either uncomment the
  # line below (server ... 127.0.0.1:8080) and point it to your custom
  # backend service or alternatively, you can send a custom 503 error.
  #server openshift_backend 127.0.0.1:8080
  errorfile 503 /var/lib/haproxy/conf/error-page-503.http

------------------------------------------

BR Aleks

Some clarification question

Reply via email to