Hi ilya,

Good day to you, and thank you for your reply.

I am quite confused after reading the documentation on how to implement SSL/TLS on haproxy -- it seems that there are 2 methods by which haproxy handles SSL: either SSL termination (haproxy terminates/decrypts the SSL connection and sends unencrypted connections to the CloudStack management server) or SSL pass-through (haproxy redirects the SSL connection to the CloudStack management server). Since I implemented HTTPS (and disabled HTTP connections) on the management server, can I confirm that I should use the pass-through method in this case?

If anyone can point me to any further documentation on how to implement a haproxy LB to load-balance CloudStack management servers running in HTTPS (TLS/SSL) mode, it would be very much appreciated.

Looking forward to your reply, thank you.

Cheers.

On Thu, Apr 14, 2016 at 2:31 PM, ilya <ilya.mailing.li...@gmail.com> wrote:

> You need another cert for the proxy host.
>
> In theory, you could have done it all with 1 SSL cert in front of
> ha-proxy, then restrict communication to 8080 via iptables from MS to
> ha-proxy.
>
> Though, ideally - SSL across the board is better.
>
> With that said, get one more cert for ha-proxy..
>
> On 4/13/16 11:06 PM, Indra Pramana wrote:
> > Hi ilya and all,
> >
> > Good day to you, and thank you for your reply.
> >
> > Yes, I was able to access the second management server using http. To
> > resolve the problem, I ended up purchasing another SSL certificate for the
> > second management server, and after converting to PKCS12 format and enabling
> > SSL on server.xml and tomcat6.conf, I managed to access the GUI of the
> > second management server, thanks.
> >
> > Now the issue is on the haproxy load balancer. Each management server can
> > be accessed via https without any issue, but accessing it through the
> > haproxy load balancer gives the same SSL error message. I am running just
> > one haproxy server at the moment.
> >
> > https://first-management-server:8080/client/ - OK
> > https://second-management-server:8080/client/ - OK
> >
> > https://haproxy-server:8080/client/ - not OK
> >
> > Below is my haproxy.cfg configuration, I set the configuration based on the
> > blog article Sadhu provided:
> >
> > http://psiclouds.blogspot.in/2015/03/haproxy-configuring-ha-load-balancer.html
> >
> > Note that the UI (public facing) and the VM (hypervisor facing) are on
> > different NICs/networks since we are using private networks for our
> > hypervisors.
> >
> > Public network: X.X.X.0/28
> > Private network: Y.Y.Y.0/24
> >
> > ====
> > listen cloudstack_ui_8080 X.X.X.7:8080
> >     bind X.X.X.7:8080
> >     mode http
> >     balance source
> >     server first-management-server X.X.X.12:8080 cookie A check
> >     server second-management-server X.X.X.11:8080 cookie B check
> >
> > listen cloudstack_systemvm_8250 Y.Y.Y.8:8250
> >     bind Y.Y.Y.8:8250
> >     mode tcp
> >     option tcplog
> >     balance source
> >     server first-management-server Y.Y.Y.3:8250 maxconn 32 check
> >     server second-management-server Y.Y.Y.6:8250 maxconn 32 check
> > ====
> >
> > Can you advise what I might have missed out in the configuration?
> >
> > Looking forward to your reply, thank you.
> >
> > Cheers.
> >
> >
> > On Thu, Apr 14, 2016 at 1:26 PM, ilya <ilya.mailing.li...@gmail.com> wrote:
> >
> >> Indra
> >>
> >> Both MGMT servers should be accessed via web browser.
> >>
> >> However in your case, since you did not enable SSL on the second server as
> >> evident by port 8080, you need to use the http header and not https.
> >>
> >> Try http://second-management-server:8080/client/
> >>
> >> Also, you can get away with a single SSL cert for both MGMT servers by using
> >> "alias" as a Subject Alternative Name when you create the Certificate Signing
> >> Request.
> >>
> >> Regards
> >> ilya
> >>
> >> On 4/12/16 10:14 PM, Indra Pramana wrote:
> >>> Dear all,
> >>>
> >>> I have managed to add the second CloudStack management server and add it
> >>> into the cluster. Based on the management server logs, we can see that the
> >>> second management server is being added. I haven't configured the haproxy
> >>> LB yet, however I noted that I am not able to access the second management
> >>> server's GUI, is it normal?
> >>>
> >>> https://second-management-server:8080/client/
> >>>
> >>> ====
> >>> Secure Connection Failed
> >>>
> >>> An error occurred during a connection to second-management-server:8080. SSL
> >>> received a record that exceeded the maximum permissible length. (Error
> >>> code: ssl_error_rx_record_too_long)
> >>>
> >>> The page you are trying to view cannot be shown because the
> >>> authenticity of the received data could not be verified.
> >>> Please contact the website owners to inform them of this problem.
> >>> ====
> >>>
> >>> Is this due to SSL, i.e. I need to purchase the SSL certificate for this
> >>> second management server, similar to the first management server?
> >>>
> >>> Looking forward to your reply, thank you.
> >>>
> >>> Cheers.
> >>>
> >>>
> >>> On Mon, Apr 11, 2016 at 10:03 PM, Sanjeev Neelarapu <
> >>> sanjeev.neelar...@accelerite.com> wrote:
> >>>
> >>>> There is no restriction on which interface to use for LB. Make sure you
> >>>> pick the NIC from the same network for both the management servers.
> >>>>
> >>>> Best Regards,
> >>>> Sanjeev N
> >>>> Chief Product Engineer, Accelerite
> >>>> Off: +91 40 6722 9368 | EMail: sanjeev.neelar...@accelerite.com
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: Indra Pramana [mailto:in...@sg.or.id]
> >>>> Sent: Monday, April 11, 2016 7:26 PM
> >>>> To: users@cloudstack.apache.org
> >>>> Subject: Re: Adding a new CloudStack management server
> >>>>
> >>>> Dear all,
> >>>>
> >>>> Our management server has two NICs, one internal-facing to the hypervisor
> >>>> hosts and another one Internet-facing for our billing system and console
> >>>> users to connect to. If we want to add another management server and load
> >>>> balance them, does it mean that we need to load balance both the
> >>>> internal-facing and the Internet-facing NICs?
> >>>>
> >>>> Looking forward to your reply, thank you.
> >>>>
> >>>> Cheers.
> >>>>
> >>>>
> >>>> On Wed, Apr 6, 2016 at 12:30 PM, Indra Pramana <in...@sg.or.id> wrote:
> >>>>
> >>>>> Thanks Glenn and Suresh.
> >>>>>
> >>>>> Cheers.
> >>>>>
> >>>>>
> >>>>> On Mon, Apr 4, 2016 at 1:01 PM, Suresh Sadhu
> >>>>> <suresh.sa...@accelerite.com> wrote:
> >>>>>
> >>>>>> As Glenn said, it will work well with haproxy. I found a nice blog
> >>>>>> from psiclouds, hope this might be useful to you.
> >>>>>>
> >>>>>> http://psiclouds.blogspot.in/2015/03/haproxy-configuring-ha-load-balancer.html
> >>>>>>
> >>>>>> regards
> >>>>>> Sadhu
> >>>>>> Chief Product Engineer, Accelerite
> >>>>>> suresh.sa...@accelerite.com
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>>
> >>>>>> From: Glenn Wagner [mailto:glenn.wag...@shapeblue.com]
> >>>>>> Sent: Monday, April 4, 2016 3:09 AM
> >>>>>> To: users@cloudstack.apache.org
> >>>>>> Subject: RE: Adding a new CloudStack management server
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I would also recommend using a load balancer with CloudStack if you
> >>>>>> want to run multiple management servers. HAProxy is the preferred
> >>>>>> choice (works very well for us).
> >>>>>>
> >>>>>> Once you have added the second server you need to change the
> >>>>>> management server IP in the global settings (search for host) and also
> >>>>>> the management IP in all the CloudStack agents to the new VIP, then
> >>>>>> restart CloudStack.
> >>>>>>
> >>>>>> I would also suggest setting up two haproxies, one primary and the
> >>>>>> other secondary, using keepalived for redundancy of your haproxy
> >>>>>> servers.
> >>>>>>
> >>>>>> Regards
> >>>>>> Glenn
> >>>>>>
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Glenn Wagner
> >>>>>>
> >>>>>> glenn.wag...@shapeblue.com
> >>>>>> www.shapeblue.com
> >>>>>> 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> >>>>>> 7130, South Africa @shapeblue
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Indra Pramana [mailto:in...@sg.or.id]
> >>>>>> Sent: Sunday, 03 April 2016 2:49 PM
> >>>>>> To: users@cloudstack.apache.org
> >>>>>> Subject: Adding a new CloudStack management server
> >>>>>>
> >>>>>> Dear all,
> >>>>>>
> >>>>>> We are running CloudStack 4.2.0 and all this while we have been running on
> >>>>>> just one management server. We intend to add another new management
> >>>>>> server for redundancy. These are the parts of the documentation touching
> >>>>>> on how to add another new management server:
> >>>>>>
> >>>>>> http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/4.8/management-server/#additional-management-servers
> >>>>>>
> >>>>>> http://docs.cloudstack.apache.org/en/latest/administration_guide.html?highlight=management%20server%20load#management-server-load-balancing
> >>>>>>
> >>>>>> - Can I confirm that for multiple management servers, a load
> >>>>>> balancing server or device is compulsory? Can multiple management
> >>>>>> servers still work without load balancing and still achieve HA?
> >>>>>> - What do people normally use to set up the load balancing for the
> >>>>>> management servers? Is a server running haproxy sufficient?
> >>>>>> - Once the second management server and the load balancer have been
> >>>>>> set up, I believe we would need to change the management IP to the VIP
> >>>>>> (virtual IP) of the load balancer, what are the things that need to be
> >>>>>> changed?
> >>>>>>
> >>>>>> Any help is greatly appreciated.
> >>>>>>
> >>>>>> Looking forward to your reply, thank you.
> >>>>>>
> >>>>>> Cheers.
> >>>>>>
> >>>>>> -ip-
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> DISCLAIMER
> >>>>>> ==========
> >>>>>> This e-mail may contain privileged and confidential information which
> >>>>>> is the property of Accelerite, a Persistent Systems business. It is
> >>>>>> intended only for the use of the individual or entity to which it is
> >>>>>> addressed. If you are not the intended recipient, you are not
> >>>>>> authorized to read, retain, copy, print, distribute or use this
> >>>>>> message. If you have received this communication in error, please
> >>>>>> notify the sender and delete all copies of this message. Accelerite,
> >>>>>> a Persistent Systems business does not accept any liability for virus
> >>>>>> infected mails.
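Added example, not part of the thread and not CloudStack's or haproxy's own code. It demonstrates the two things a practitioner would want to check before choosing between the termination and pass-through layouts discussed above. First, why the browser reports ssl_error_rx_record_too_long: a client that opened https:// reads the first 5 bytes of the reply as a TLS record header (type, version, length), and a plaintext "HTTP/1.0 400 Bad request" reply parses as type 0x48 with length 0x502f = 20527, above the TLS record maximum. That is what a server with no TLS listener, or haproxy in `mode http` on a bind without `ssl`, sends back to a TLS ClientHello. Second, a small linter for a haproxy `listen` section that flags that mismatch when the management servers only accept TLS on 8080. The posted `cloudstack_ui_8080` section is copied from the thread; the pass-through and termination variants, the PEM path `/etc/haproxy/haproxy-server.pem` and the ca-file path are assumptions, and the linter parses only the `mode`, `bind` and `server` directives (it does not parse the deprecated address on the `listen` line).

```python
"""TLS-vs-plaintext first-byte check and a haproxy listen-section linter.

Added example (assumptions: file paths, the pass-through/termination sections).
"""
import struct

TLS_MAX_RECORD = 2 ** 14 + 2048   # RFC 5246 6.2.3: TLSCiphertext.length must not exceed this
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_first_bytes(data: bytes) -> tuple:
    """Classify the first bytes a server sends back to a TLS ClientHello.

    Returns ("tls" | "plaintext_http" | "unknown", detail). "tls" means the
    bytes form a plausible TLS record header (a handshake or an alert both
    prove the port speaks TLS); "plaintext_http" reproduces the browser's
    view of a plaintext HTTP reply read as a record header.
    """
    if len(data) < 5:
        return "unknown", "fewer than 5 bytes; cannot be a TLS record header"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 and length <= TLS_MAX_RECORD:
        return "tls", f"{TLS_CONTENT_TYPES[ctype]} record, version 3.{minor}, {length} bytes"
    if data.startswith(b"HTTP/"):
        return "plaintext_http", (f"plaintext HTTP reply; read as a TLS record it has type 0x{ctype:02x} "
                                  f"and length {length} > {TLS_MAX_RECORD} (ssl_error_rx_record_too_long)")
    return "unknown", f"type 0x{ctype:02x}, version {major}.{minor}, length {length}"


def check_listen_section(section: str, backend_speaks_tls: bool) -> list:
    """Return findings for one haproxy listen section, given https:// clients.

    backend_speaks_tls=True means the servers only accept TLS on their port,
    as in the thread after HTTPS was enabled and HTTP disabled on the MS.
    """
    findings = []
    mode = "tcp"             # haproxy's default when no `mode` line is present
    binds, servers = [], []  # per-bind and per-server "has ssl keyword" flags
    for raw in section.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "mode":
            mode = words[1]
        elif words[0] == "bind":
            binds.append("ssl" in words[2:])
        elif words[0] == "server":
            servers.append((words[1], "ssl" in words[3:]))
    if mode == "http" and not (binds and all(binds)):
        findings.append("mode http on a bind without `ssl crt`: haproxy expects plaintext HTTP, "
                        "so an https:// client gets a plaintext 400 and reports ssl_error_rx_record_too_long")
    if mode == "http" and backend_speaks_tls:
        for name, has_ssl in servers:
            if not has_ssl:
                findings.append(f"server {name}: backend only speaks TLS but the server line has no `ssl`, "
                                "so haproxy would send plaintext HTTP to a TLS listener")
    # mode tcp forwards the TLS bytes unchanged (pass-through); nothing to flag there.
    return findings


# Copied from the posted haproxy.cfg (placeholders kept as posted).
POSTED_UI_SECTION = """
listen cloudstack_ui_8080 X.X.X.7:8080
    bind X.X.X.7:8080
    mode http
    balance source
    server first-management-server X.X.X.12:8080 cookie A check
    server second-management-server X.X.X.11:8080 cookie B check
"""

# Assumed pass-through variant: TLS is forwarded to the MS untouched.
PASSTHROUGH_UI_SECTION = """
listen cloudstack_ui_8080
    bind X.X.X.7:8080
    mode tcp
    option tcplog
    balance source
    server first-management-server X.X.X.12:8080 check
    server second-management-server X.X.X.11:8080 check
"""

# Assumed termination variant: haproxy needs its own cert (PEM path is an assumption)
# and re-encrypts to the MS, verifying their certificates against an assumed CA bundle.
TERMINATION_UI_SECTION = """
listen cloudstack_ui_8080
    bind X.X.X.7:8080 ssl crt /etc/haproxy/haproxy-server.pem
    mode http
    balance source
    server first-management-server X.X.X.12:8080 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
    server second-management-server X.X.X.11:8080 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
"""

if __name__ == "__main__":
    # Constructed samples: a TLS ServerHello header and haproxy's plaintext 400 reply.
    for sample in (b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46", b"HTTP/1.0 400 Bad request\r\n\r\n"):
        print(sample[:8], "->", classify_first_bytes(sample))
    for label, section in (("posted", POSTED_UI_SECTION), ("pass-through", PASSTHROUGH_UI_SECTION),
                           ("termination", TERMINATION_UI_SECTION)):
        print(label, "->", check_listen_section(section, backend_speaks_tls=True) or ["no findings"])
```

The linter reports three findings for the posted section (the plaintext bind plus both server lines) and none for either variant. Pass-through keeps the certificates already bought for the two management servers and needs nothing new on haproxy, but haproxy only sees ciphertext, so stickiness is limited to `balance source` and the `cookie A`/`cookie B` settings do nothing. Termination is what ilya describes: a certificate for the haproxy hostname on the `bind` line, and `ssl verify required ca-file` on each `server` line so haproxy actually checks the management servers' certificates rather than merely encrypting to them.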