Livio A created CLOUDSTACK-9499:
-----------------------------------

             Summary: HAProxy [native virtual CS Loadbalancer] - SSL offload support
                 Key: CLOUDSTACK-9499
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9499
             Project: CloudStack
          Issue Type: Improvement
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: API, Network Devices
    Affects Versions: 4.5.2
            Reporter: Livio A


Hi,

SSL offload support in CloudStack, as documented here:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support
is currently only available to NetScaler LB devices.

If we try to attach a certificate to a CloudStack Virtual Router LB:
assignCertToLoadBalancer&certid=3b0621cd-203f-46a9-b3ad-97e7e70c77ab&lbruleid=2556
it returns the following error:
2016-09-05 18:32:16,244 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-111:ctx-4f7864f6 job-48170) Complete async job-48170, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":431,"errortext":"Ssl termination not supported by the loadbalancer"}

The CloudStack VR uses HAProxy for LB, and SSL offloading is something HAProxy
can handle.

The standard type of configuration issued by CloudStack:

# No "mode" line: HAProxy defaults to tcp mode, so TLS passes through
# to the pool members untouched and the VR never sees the certificate.
listen 8_8_8_8-443 8.8.8.8:443
                balance roundrobin
                server 8_8_8_8-443_0 192.168.1.2:443 check
                server 8_8_8_8-443_1 192.168.1.3:443 check

By default CS configures its load balancers in tcp mode. To enable SSL
offloading we would however need this kind of configuration:

listen 8_8_8_8-443
                # Terminate TLS on the VR. Several "crt" entries may be listed;
                # HAProxy selects among them by SNI and uses the first as default.
                bind 8.8.8.8:443 ssl crt /etc/haproxy/ssl-cert-3b0621cd-203f-46a9-b3ad-97e7e70c77ab.pem crt /etc/haproxy/ssl-cert-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.pem
                mode http
                balance roundrobin
                # "ssl" re-encrypts traffic to the pool members; "verify none"
                # means the VR does not validate the members' certificates.
                server 8_8_8_8-443_0 192.168.1.2:443 check ssl verify none
                server 8_8_8_8-443_1 192.168.1.3:443 check ssl verify none

This could be implemented by modifying the API and the HAProxyConfigurator
script. Also, in my example configuration I've put two certificates; HAProxy
manages this pretty well, so it would be nice to be able to assign more than one
certificate to an LB.

Kind regards,
Alessandro



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
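The two HAProxy fragments in the report differ only in how the listen block is rendered, which is exactly the part of the configurator that would have to change. The following is an added example, written for this page and not CloudStack's HAProxyConfigurator or any other project code, of a small generator that emits either the default tcp-mode block or an SSL-terminating block with one or more certificates, in the same naming scheme the report shows. The `LbRule` class, the `render_listen`/`cert_path` helpers and the `backend_ca_file` option are assumptions made for the illustration. The one point worth taking from it is that the certificate id is interpolated into a filesystem path on the VR, so the generator refuses anything that is not a UUID before it reaches the `crt` directive.

```python
"""Render CloudStack-style HAProxy 'listen' blocks, with optional SSL termination.

Added illustration only: this is not CloudStack's HAProxyConfigurator. The
LbRule fields and the helper names are assumptions made for the example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# CloudStack certificate ids are UUIDs; anything else must not become a path.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


@dataclass
class LbRule:
    """One load-balancer rule as the generator needs it (assumed shape)."""
    public_ip: str
    public_port: int
    backends: List[str]                      # "ip:port" per pool member
    algorithm: str = "roundrobin"
    cert_ids: List[str] = field(default_factory=list)  # empty -> plain tcp mode
    backend_ssl: bool = False                # re-encrypt towards pool members
    backend_ca_file: Optional[str] = None    # CA bundle to verify members with


def listen_name(rule: LbRule) -> str:
    """Same naming scheme as the report: 8.8.8.8:443 -> 8_8_8_8-443."""
    ipaddress.ip_address(rule.public_ip)     # raises ValueError on garbage
    if not 0 < rule.public_port < 65536:
        raise ValueError(f"port out of range: {rule.public_port}")
    return f"{rule.public_ip.replace('.', '_')}-{rule.public_port}"


def cert_path(cert_id: str) -> str:
    """Map a certificate id to its PEM on the VR, rejecting non-UUID ids so
    that '../' or shell metacharacters can never land in the crt directive."""
    if not UUID_RE.match(cert_id):
        raise ValueError(f"certificate id is not a UUID: {cert_id!r}")
    return f"/etc/haproxy/ssl-cert-{cert_id}.pem"


def render_listen(rule: LbRule) -> str:
    """Return the listen block as text. With cert_ids it terminates TLS on the
    VR (bind ... ssl crt ..., mode http); without, it is the default tcp block."""
    name = listen_name(rule)
    lines = [f"listen {name}"]
    if rule.cert_ids:
        crts = " ".join(f"crt {cert_path(c)}" for c in rule.cert_ids)
        lines.append(f"    bind {rule.public_ip}:{rule.public_port} ssl {crts}")
        lines.append("    mode http")
    else:
        lines.append(f"    bind {rule.public_ip}:{rule.public_port}")
        lines.append("    mode tcp")
    lines.append(f"    balance {rule.algorithm}")
    for i, backend in enumerate(rule.backends):
        server = f"    server {name}_{i} {backend} check"
        if rule.backend_ssl:
            if rule.backend_ca_file:
                # Verified re-encryption: the VR checks the member's certificate.
                server += f" ssl verify required ca-file {rule.backend_ca_file}"
            else:
                # Matches the report's example: encrypted but unverified hop.
                server += " ssl verify none"
        lines.append(server)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input mirroring the report's addresses.
    rule = LbRule("8.8.8.8", 443, ["192.168.1.2:443", "192.168.1.3:443"],
                  cert_ids=["3b0621cd-203f-46a9-b3ad-97e7e70c77ab"],
                  backend_ssl=True)
    print(render_listen(rule))
```

Pointing `backend_ca_file` at a bundle on the VR switches the member hop from `verify none` to `verify required`, which is the setting to prefer once the pool members present certificates the VR can validate.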
