原文地址:http://serversforhackers.com/editions/2014/07/29/haproxy-ssl-termation-pass-through/

Overview

If your application makes use of SSL certificates, then some decisions need to be made about how to use them with a load balancer.

A simple setup of one server usually sees a client's SSL connection being decrypted by the server receiving the request. Because a load balancer sits between a client and one or more servers, where the SSL connection is decrypted becomes a concern.

There are two main strategies.

SSL Termination is the practice of terminating/decrypting an SSL connection at the load balancer, and sending unencrypted connections to the backend servers.

This means the load balancer is responsible for decrypting an SSL connection - a slow and CPU intensive process relative to accepting non-SSL requests.

This is the opposite of SSL Pass-Through, which sends SSL connections directly to the proxied servers.

With SSL-Pass-Through, the SSL connection is terminated at each proxied server, distributing the CPU load across those servers. However, you lose the ability to add or edit HTTP headers, as the connection is simply routed through the load balancer to the proxied servers.

This means your application servers will lose the ability to get the X-Forwarded-* headers, which may include the client's IP address, port and scheme used.

Which strategy you choose is up to you and your application needs. SSL Termination is the most typical I've seen, but pass-thru is likely more secure.

There is a combination of the two strategies, where SSL connections are terminated at the load balancer, adjusted as needed, and then proxied off to the backend servers as a new SSL connection. This may provide the best of both security and ability to send the client's information. The trade off is more CPU power being used all-around, and a little more complexity in configuration.

An older article of mine on the consequences and gotchas of using load balancers explains these issues (and more) as well.

HAProxy with SSL Termination

We'll cover the most typical use case first - SSL Termination. As stated, we need to have the load balancer handle the SSL connection. This means having the SSL Certificate live on the load balancer server.

We saw how to create a self-signed certificate in a previous edition of SFH. We'll re-use that information for setting up a self-signed SSL certificate for HAProxy to use.

Keep in mind that for a production SSL Certificate (not a self-signed one), you won't need to generate or sign a certificate yourself - you'll just need to create a Certificate Signing Request (csr) and pass that to whomever you purchase a certificate from.

First, we'll create a self-signed certificate for *.xip.io, which is handy for demonstration purposes, and lets use one the same certificate when our server IP addresses might change while testing locally. For example, if our local server exists at 192.168.33.10, but then our Virtual Machine IP changes to 192.168.33.11, then we don't need to re-create the self-signed certificate.

I use the xip.io service as it allows us to use a hostname rather than directly accessing the servers via an IP address, all without having to edit my computers' Host file.

As this process is outlined in a passed edition on SSL certificates, I'll simple show the steps to generate a self-signed certificate here:

$ sudo mkdir /etc/ssl/xip.io
$ sudo openssl genrsa -out /etc/ssl/xip.io/xip.io.key 1024
$ sudo openssl req -new -key /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.csr
> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Connecticut
> Locality Name (eg, city) []:New Haven
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:SFH
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:*.xip.io
> Email Address []: > Please enter the following 'extra' attributes to be sent with your certificate request
> A challenge password []:
> An optional company name []:
$ sudo openssl x509 -req -days 365 -in /etc/ssl/xip.io/xip.io.csr -signkey /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.crt

This leaves us with a xip.io.csrxip.io.key and xip.io.crt file.

Next, after the certificates are created, we need to create a pem file. A pem file is essentially just the certificate, the key and optionally certificate authorities concatenated into one file. In our example, we'll simply concatenate the certificate and key files together (in that order) to create a xip.io.pem file. This is HAProxy's preferred way to read an SSL certificate.

$ sudo cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key | sudo tee /etc/ssl/xip.io/xip.io.pem

When purchasing a real certificate, you won't necessarily get a concatenated "bundle" file. You may have to concatenate them yourself. However, many do provide a bundle file. If you do, it might not be a pem file, but instead be a bundlecertcertkey file or some similar name for the same concept. This Stack Overflow answer explains that nicely.

In any case, once we have a pem file for HAproxy to use, we can adjust our configuration just a bit to handle SSL connections.

We'll setup our application to accept both http and https connections. In the last edition on HAProxy, we had this frontend:

frontend localnodes
bind *:80
mode http
default_backend nodes

To terminate an SSL connection in HAProxy, we can now add a binding to the standard SSL port 443, and let HAProxy know where the SSL certificates are:

frontend localhost
bind *:80
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
mode http
default_backend nodes

In the above example, we're using the backend "nodes". The backend, luckily, doesn't really need to be configured in any particular way. In the previous edition on HAProxy, we had the backend like so:

backend nodes
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server web01 172.17.0.3:9000 check
server web02 172.17.0.3:9001 check
server web03 172.17.0.3:9002 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

Because the SSL connection is terminated at the Load Balancer, we're still sending regular HTTP requests to the backend servers. We don't need to change this configuration, as it works the same!

SSL Only

If you'd like the site to be SSL-only, you can add a redirect directive to the frontend configuration:

frontend localhost
bind *:80
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
redirect scheme https if !{ ssl_fc }
mode http
default_backend nodes

Above, we added the redirect directive, which will redirect from "http" to "https" if the connection was not made with an SSL connection. More information on ssl_fc is available here.


HAProxy with SSL Pass-Through

With SSL Pass-Through, we'll have our backend servers handle the SSL connection, rather than the load balancer.

The job of the load balancer then is simply to proxy a request off to its configured backend servers. Because the connection remains encrypted, HAProxy can't do anything with it other than redirect a request to another server.

In this setup, we need to use TCP mode over HTTP mode in both the frontend and backend configurations. HAProxy will treat the connection as just a stream of information to proxy to a server, rather than use its functions available for HTTP requests.

First, we'll tweak the frontend configuration:

frontend localhost
bind *:80
bind *:443
option tcplog
mode tcp
default_backend nodes

This still binds to both port 80 and port 443, giving the opportunity to use both regular and SSL connections.

As mentioned, to pass a secure connection off to a backend server without encrypting it, we need to use TCP mode (mode tcp) instead. This also means we need to set the logging to tcp instead of the default http (option tcplog). Read more on log formats here to see the difference between tcplog andhttplog.

Next, we need to tweak our backend configuration. Notably, we once again need to change this to TCP mode, and we remove some directives to reflect the loss of ability to edit/add HTTP headers:

backend nodes
mode tcp
balance roundrobin
option ssl-hello-chk
server web01 172.17.0.3:443 check
server web02 172.17.0.4:443 check

As you can see, this is set to mode tcp - Both frontend and backend configurations need to be set to this mode.

We also remove option forwardfor and the http-request options - these can't be used in TCP mode, and we couldn't inject headers into a request that's encrypted anyway.

For health checks, we can use ssl-hello-chk which checks the connection as well as its ability to handle SSL (SSLv3 specifically) connections.

In this example, I have two fictitious server backend that accept SSL certificates. If you've read theedition SSL certificates, you can see how to integrate them with Apache or Nginx in order to create a web server backend, which handles SSL traffic. With SSL Pass-Through, no SSL certificates need to be created or used within HAproxy. The backend servers can handle SSL connections just as they would if there was only one server used in the stack without a load balancer.

Resources

Using SSL Certificates with HAProxy--reference的更多相关文章

  1. 【SSL Certificates】什么是数字证书(Certificates)?

    本文涉及的相关问题,如果你的问题或需求有与下面所述相似之处,请阅读本文 ssl certificate 什么是ssl certificates? SSL Certificates 是一种使用数字加密技 ...

  2. SSL and SSL Certificates Explained

    Secure Sockets Layer (SSL) and Transport Layer security (TLS ) are protocols that provide secure com ...

  3. Java Developer's Guide to SSL Certificates

    https://www.codebyamir.com/blog/java-developers-guide-to-ssl-certificates Overview When developing w ...

  4. Creating SSL Certificates for CRM Test Environment

    不必找第三方去申请证书了, Windows Server 自己也可以作为一个CA的. When working on a CRM Test environment there are many sce ...

  5. SSL Certificates深入理解

    http://www.littlewhitedog.com/content-71.html https://www.verisign.com/en_US/website-presence/websit ...

  6. Creating Self-Signed SSL Certificates

    http://weblogic-wonders.com/weblogic/2011/05/25/ssl-configuration-for-weblogic-server/ http://m-butt ...

  7. 在 Postman 中报错:Self-signed SSL certificates are being blocked 的分析与解决

    http://www.shuijingwanwq.com/2019/02/18/3171/

  8. Haproxy ssl 配置方式

    通过haproxy redirect请求重定向的方法实现HTTP跳转HTTPS 配置实现http跳转到https,采用redirect重定向的做法,只需在frontend端添加: frontend h ...

  9. haproxy配置基于ssl证书的https负载均衡

    本实验全部在haproxy1.5.19版本进行测试通过,经过测试1.7.X及haproxy1.3版本以下haproxy配置参数可能不适用,需要注意版本号. 一.业务要求现在根据业务的实际需要,有以下几 ...

随机推荐

  1. 一站式远程页面调试工具spy-debugger 2.0,已支持HTTPS

    项目名称: spy-debugger 项目地址:https://github.com/wuchangming/spy-debugger 关于spy-debugger npm Build Status ...

  2. dedecms 发布文章时,关键字会自动加内链

    在后台找到:核心->批量维护->文档关键词维护 把关键字和链接网址删掉就可以了,生成更新后前端页面就不会再链接了.>_<.

  3. access_token的获取2

    概述 access_token是公众号的全局唯一票据,公众号调用各接口时都需使用access_token.开发者需要进行妥善保存. access_token的存储至少要保留512个字符空间.acces ...

  4. 马的遍历问题-回溯法应用-ACM

    马的遍历问题 在n*m的棋盘中,马只能走“日” 字.马从位置(x,y)处出发,把棋盘的每一格都走一次,且只走一次.找出所有路径. 问题解的搜索空间? 棋盘的规模是n*m,是指行有n条边,列有m条边. ...

  5. 通用方法解决dedecms导航调用二级、三级栏目菜单

    博客之前做网站的时候经常会遇到二级菜单.三级菜单.了解dede的人都知道从5.5版本开始都有二级菜单的调用方法了,网上也有不少的教程文章.不过这个调用需要修改dede源码的二级菜单样式.个人感觉不是很 ...

  6. php学习之基础语法

    这些语法都是在学习视频的过程中整理出来的,有些很简单的语法可能就没有整理了,只是记录了自己看来比较重要的语法内容.   1.变量使用 $ 声明 ,变量区分大小写   变量的类型:      4种标量类 ...

  7. PHP_EOL常量

    PHP_EOL 换行符 unix系列用 \n windows系列用 \r\n mac用 \r PHP中可以用PHP_EOL来替代,以提高代码的源代码级可移植性 如: <?php echo PHP ...

  8. CSS3 box-shadow(阴影使用)

    from: http://jingyan.baidu.com/article/03b2f78c4d9fae5ea237aea6.html css3 box-shadow 内阴影与外阴影 1- box- ...

  9. STM32学习笔记——USART串口(向原子哥和火哥学习)

    一.USART简介 通用同步异步收发器(USART)提供了一种灵活的方法与使用工业标准NRZ异步串行数据格式的外部设备之间进行全双工数据交换.USART利用分数波特率发生器提供宽范围的波特率选择. S ...

  10. windows server 2012安装.net framework3.5失败解决方法

    1.点击开始运行,输入 gpedit.msc,打开“组策略”2.“计算机配置”---“管理模板”---“windows 组件”---“windows 更新”,然后双击“指定 Intranet Micr ...