GCP Global load balancer health checks fail for k8s cluster autoscaling group - load-balancing

I've installed haproxy ingress in the GKE cluster since the default ingress (integration with global load balancer) was not satisfying my needs.
So port 80 is the target HTTP port for the load balancer backend on all cluster hosts.
I've simply configured a global HTTPS load balancer to terminate SSL and balance traffic across the k8s node auto-scaling group.
Everything seems correctly configured, but I can see backend health checks fail.
I've tried two methods: HTTP on /healthz and TCP on port 80.
Both checks fail, and the service is unavailable 99% of the time.
Can anybody help me with this situation?

The problem was the firewall rules.
Health checks were not allowed to access GCE nodes associated with the GKE cluster.
I've added a new rule to the VPC to allow the 35.191.0.0/16 and 130.211.0.0/22 source IP ranges on TCP port 10253, the haproxy ingress health port.
After adding the rule, health checks passed, and the load balancer started to work.

Related

HAProxy TCP (443) Loadbalancing with different backend ports

I'm implementing a frontend load balancer which passes the traffic coming to ports 80 and 443 through to different backend ports. SSL termination is happening in the backend, and HAProxy should not engage with anything other than forwarding the traffic coming to frontend ports 80 and 443 to the respective backend ports.
Port 80 forwarding seems fine, but 443 is not working as expected and gives an SSL handshake failure. Even my backend service does not come up in the web browser, which shows a warning saying it is not trusted. I have no clue why this is happening, my HAProxy experience is not that high, and below is the current configuration. Please correct me if I'm wrong.
HAProxy is installed on Ubuntu 18.04.5 LTS
Config after the defaults section
frontend k8s_lb
    mode tcp
    bind x.x.x.x:80
    default_backend kube_minions

frontend k8s_lb_https
    mode tcp
    bind x.x.x.x:443
    default_backend kube_minions_https

backend kube_minions
    mode tcp
    balance roundrobin
    server k8s_worker-01 x.x.x.x:32080
    server k8s_worker-02 x.x.x.x:32080

backend kube_minions_https
    mode tcp
    balance roundrobin
    server k8s_worker-01 x.x.x.x:32443
    server k8s_worker-02 x.x.x.x:32443
The backend story:
I have a k8s cluster and a traefik ingress which is running as a DaemonSet on each and every node, and the minions are my backend servers. CertManager is in place to do the cert automation with the Let's Encrypt ACME protocol in the ingress resources, hence SSL termination should be happening through the ingress resources.
I have completed the certificates and everything seems perfect, as I have already implemented a similar setup on AWS with a TCP load balancer and everything is perfectly working and running prod workloads.
So, I need to mention that the backend services are all good and up and running. In this setup I replaced the AWS load balancer with HAProxy and need to implement the same.
Please assist me to fix this, as I'm struggling with this and still have no luck with the issue.
Thank you.
Sorry, I was able to figure it out, and it has nothing to do with traefik and HAProxy for this SSL issue. My client's DNS is configured in CloudFlare and they had enabled Universal SSL, which caused the issue.
I checked with a new DNS record from Route 53 and it works as expected, so my HAProxy config does what I need.

Configuration Errors: Elastic Load Balancer + EC2 + Route 53

I am trying to configure my website to have a secure connection (https://) via Amazon's EC2, ELB, and Route 53.
I am running a t2.micro instance (no Elastic IP or anything). My Elastic Load Balancer has the SSL certificate attached. My SecurityGroup allows for https connections through port 443. I'm not sure what I'm doing wrong here.
All of my configurations are below. Any help is appreciated because, as it stands, I can't access my website at all.
Thank you in advance!
EC2 configuration (screenshot)
Load Balancer configuration (screenshot)
Route 53 configuration (screenshot)
Step 1: Hit the EC2 instance directly and verify that the health check URL responds with an HTTP 200 status code. If not, then get that working first.
You aren't clear about your security group configuration. You should have a security group on your load balancer that allows HTTP and HTTPS connections. Then you should have a security group on your EC2 instance that allows HTTP (port 80) connections from the load balancer's group.
The issue is obviously the failing health check on the load balancer at this point, so no need to look at Route 53 settings right now. You need to concentrate on getting the communication working between the EC2 instance and the load balancer to get that health check to start working. Until then the load balancer won't accept any traffic because it doesn't have instances it considers healthy that it can forward traffic to.

Anyone managed to use Google Cloud load balancing from HTTPS to HTTP?

I have set up an instance reachable on HTTP.
I have set up an instance group containing that instance.
I have set up load balancing using a self-signed SSL cert.
The external IP of the LB and the instance can be reached.
The forwarding of the request from the LB runs into a timeout.
The config for load balancing says "you have 0 instances without errors, you have 1 instance with errors."
I don't see any log entries in the Apache logs coming from the LB frontend.
There is no HTTP connection from Google addresses showing up.
Any ideas where to look, or hints to a good guide (other than the rather good Google docs)?
Yes. You can use Compute Engine HTTPS load balancer with HTTP backend services. Select HTTP as Backend services protocol. For health check, use HTTP health check. Add GCE firewall rules to open tcp:80 for 130.211.0.0/22 and tcp:443 for 0.0.0.0/0 source IP ranges.
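Both GCP answers above (the VPC rule for 35.191.0.0/16 and 130.211.0.0/22 on the haproxy health port, and the tcp:80 rule for 130.211.0.0/22) come down to the same check: does some ingress allow rule admit every health-checker source range on the port the backend health check uses? This added example (not code from either post) evaluates that against a constructed rule list modelled on `gcloud compute firewall-rules list --format=json`; it assumes only allow rules matter and ignores deny rules, priorities and target tags.

```python
import ipaddress

# Source ranges Google Cloud health checkers probe from (as given in the answers).
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22"]

# Constructed sample (not real rules): the first rule admits only one of the
# two checker ranges on the haproxy health port, the second opens 80/443 to all.
SAMPLE_RULES = [
    {"name": "allow-hc-partial", "direction": "INGRESS",
     "sourceRanges": ["130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["10253"]}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]


def _port_allowed(allowed, port):
    """True if an `allowed` list permits TCP `port` (port ranges like '80-90' included)."""
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def missing_health_check_access(rules, port, checker_ranges=HEALTH_CHECK_RANGES):
    """Return the checker ranges that no ingress allow rule admits on TCP `port`."""
    # Assumption: deny rules, priorities and target tags are ignored.
    missing = []
    for needed in checker_ranges:
        needed_net = ipaddress.ip_network(needed)
        covered = any(
            rule.get("direction", "INGRESS") == "INGRESS"
            and _port_allowed(rule.get("allowed", []), port)
            and any((src_net := ipaddress.ip_network(src)).version == needed_net.version
                    and needed_net.subnet_of(src_net)
                    for src in rule.get("sourceRanges", []))
            for rule in rules
        )
        if not covered:
            missing.append(needed)
    return missing
```

Run against the sample, port 10253 reports `['35.191.0.0/16']` as still blocked while port 80 reports nothing missing, which mirrors the first question: the broad 0.0.0.0/0 web rule hides the gap on the dedicated health port.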

AWS - SSL/HTTPS on load balancer

I have a problem adding HTTPS to my EC2 instance, and maybe you guys have the answer to make it work.
I have a load balancer that is forwarding the connection to my EC2 instance. I've added the SSL certificate to the load balancer and everything went fine. I've added a listener on port 443 that forwards to port 443 of my instance, and I've configured Apache to listen on both ports 443 and 80. Here is the screenshot of my load balancer:
The SSL certificate is valid and on port 80 (HTTP) everything is fine, but if I try with HTTPS the request does not go through.
Any idea?
Cheers
Elastic Load Balancer cannot forward your HTTPS requests to the server. This is why SSL is there: to prevent a man-in-the-middle attack (amongst others).
The way you can get this working is the following:
configure your ELB to accept 443 TCP connections and install an SSL certificate through IAM (just like you did)
relay traffic on TCP 80 to your fleet of web servers
configure your web server to accept traffic on TCP 80 (having SSL between the load balancer and the web servers is also supported, but not required most of the time)
configure your web servers' Security Group to only accept traffic from the load balancer.
(optional) be sure your web servers are running in a private subnet, i.e. with only private IP addresses and no route to the Internet Gateway
If you really need to have an end-to-end SSL tunnel between your client and your backend servers (for example, to perform client-side SSL authentication), then you'll have to configure your load balancer in TCP mode, not in HTTP mode (see Support for two-way TLS/HTTPS with ELB for more details)
More details:
SSL Load Balancers : http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_SettingUpLoadBalancerHTTPS.html
Load Balancers in VPC :
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForVPC.html
Do you have an HTTPS listener on your EC2 instance? If not, your instance port should be 80 for both load balancer listeners.

503 Service Unavailable for Elastic Beanstalk HTTPS Configuration

I have a PHP app deployed on Elastic Beanstalk, currently with a single instance behind a load balancer and am attempting to enable SSL. The current configuration is as follows:
-I've uploaded my certs to IAM successfully
-On the EB Console Load Balancer config "Listener Port" is off, "Secure Listener Port" is "443", and "Protocol" is set to "HTTPS"
-In my load balancer, accessed through the EC2 console, Load Balancer Port/Protocol is 443/HTTPS and Instance Port/Protocol is 80/HTTP (the default HTTP/80 HTTP/80 listener is still there, but I've tried removing it to no joy)
-My security groups for both the load balancer and the instance are configured the same: Inbound is allowing all connections from either security group, plus inbound http on 80 and https on 443 (source= 0.0.0.0/0)
When attempting to access the url https://myurl.com, I get 503 service unavailable (server at capacity). I suspect there is an issue with my security group configuration, but can't figure out what it is (have tried referring to this thread).
Any Ideas?
I just experienced this on my ElasticBeanstalk deployment, and the reason was that my elastic load balancer had 0 healthy instances in service. There are different health check settings, one that checks over HTTP:80 and one that checks over TCP:80. I haven't investigated thoroughly, but for some reason the HTTP:80 setting will result in my servers being marked as unhealthy, while TCP:80 will test correctly. If this comes up again I would suggest looking in there?