I have a new fresh EJBCA installation and I made a copy of it in the same machine in order to test an HA Proxy as a load balancer.
I do the necessary in wildfly config in order to use different port for each instance
I followed this link from the official documentation https://www.ejbca.org/docs/Setting_up_a_HA_Proxy_in_front_of_EJBCA.html
My HAProxy config looks like :
frontend ejbca_front
bind *:8443
option tcplog
mode tcp
default_backend ca_nodes
backend ca_nodes
mode tcp
balance roundrobin
option ssl-hello-chk
server web01 localhost:8453 check
server web02 localhost:8448 check
But when I try to go to the ejbca admin interface on port 8443 the page is not reachable
Any ideas ?
Thanks
Resolved : The line "option ssl-hello-chk" was not necessary in my use case.
Related
I'm implementing a Frontend Loadbalancer which passthrough the traffic coming to port 80 and 443 to different backend ports. SSL termination is happening in the backend and HAproxy should not engage with anything other than forwarding the traffic coming to the frontend port 80 and 443 to the respective backend ports.
Port 80 forwarding seems fine and 443 is not working as expected and giving SSL handshake failure. Even my backend service is not coming up on the web browser with a warning saying this is not trusted. I have no clue why this is happening and my HAProxy experience is not that high and below is the current configuration. Please correct me if I'm wrong.
HAProxy is installed on Ubuntu 18.04.5 LTS
Config after the defaults section
frontend k8s_lb
mode tcp
bind x.x.x.x:80
default_backend kube_minions
frontend k8s_lb_https
mode tcp
bind x.x.x.x:443
default_backend kube_minions_https
backend kube_minions
mode tcp
balance roundrobin
server k8s_worker-01 x.x.x.x:32080
server k8s_worker-02 x.x.x.x:32080
backend kube_minions_https
mode tcp
balance roundrobin
server k8s_worker-01 x.x.x.x:32443
server k8s_worker-02 x.x.x.x:32443
The backend story:
I have a k8s cluster and traefik ingress which is running as a DaemonSet on each and every node, and minions are my backend servers. CertManager is in place to do the cert automation with Let's encrypt ACME protocol in the ingress resources, hence SSL termination should be happening through the ingress resources.
I have completed the certificates and everything seems perfect as I have already implemented a similar setup on AWS with a TCP loadbalancer and everything is perfectly working and running prod workloads.
So, I need to mention that backend services are all good and up and running. In this I replaced the AWS loadbalancer with HAProxy and need to implement the same.
Please assist me to fix this as I'm struggling with this and still no luck with the issue.
Thank you.
Sorry, I was able to figure it out and there is nothing to do with traefik and HAProxy for this SSL issue. My Client's DNS is configured in CloudFlare and they have enabled the universal SSL and it caused the issue.
I checked with a new DNS record from route53 working as expected so my HAProxy config do what I need.
I am trying to my own coturn (TURN) server. I want it to run on port 443. I have Apache already running on that port. Can i use Apache proxy pass to run TURN on port 3479, 53499 but still listening to port 443?
I am not sure how to go about this problem. Is my approach wrong?. If yes, whats the better approach
listening-port=3478
alt-listening-port=3479
tls-listening-port=5349
alt-tls-listening-port=5350
#stening-port=80
#tls-listening-port=443
listening-ip=127.0.0.1
relay-ip=127.0.0.1
external-ip=*****
realm=explain.bookmane.in
server-name=explain.bookmane.in
lt-cred-mech
userdb=/etc/turnuserdb.conf
Apparently, the latest version of COTURN, COTURN 4.5.2r3, recently released this year, and still marked as unstable, has just incorporated support for reverse proxy. I infer this from description I found in its config file: /etc/turnserver.conf
https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf
This is what it says:
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555"
anyone got successful with ejabberd + ssl termination with haproxy 1.7?
frontend ejabberd
bind *:4000 ssl crt /etc/haproxy/certs/my-domain.com.pem
mode tcp
timeout client 3h
option tcplog
option clitcpka
default_backend ejabberd
backend ejabberd
mode tcp
timeout server 60m
option redispatch
option srvtcpka
option independent-streams
balance leastconn
default-server inter 5s rise 3 fall 3 on-marked-down shutdown-sessions
server ejabberd localhost:5222 check slowstart 120s
it works fine without ssl crt. My smack client gives me a No response received within reply timeout. Timeout was 5000ms (~5s). While waiting for establishing TLS.
I also tried with or without ttls on ejabberd conf
I was able to have the exact configuration working, you need to:
Disable tls in ejabberd since HAProxy is doing the ssl offloading and ejabberd is hosted in the same machine:
Comment the certfile line
Comment the starttls line
Correctly configure your client, I have used pidgin, but you should be able to do the same with smack:
Configure correctly address and port (4000 here)
Ensure that you use "old style TLS" and not STARTTLS, the latter won't work with HAProxy.
Otherwise, if you want clients to use STARTTLS configuration, then you have to configure HAProxy to proxy XMPP encrypted traffic (removing "ssl crt .." )
I have some web servers which are MySQL backend. An HAProxy is in front of those web servers. All the web servers are using https.
I tried to use the http check option on both http and https to make sure if the database connection was lost, the HAProxy will failover to another node. My haproxy configuration file:
global
log /dev/log local0
maxconn 4096
#debug
#quiet
user haproxy
group haproxy
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
listen http
bind *:80
mode http
balance roundrobin
stats enable
stats auth haproxy:haproxy
cookie JSESSIONID prefix
stick on src table https
option http-server-close
option forwardfor
default-server inter 5s fall 2
option httpchk
http-check expect ! string Database\ error
server sitea 192.168.0.20 cookie sitea check port 80
server siteb 192.168.0.21 cookie siteb check port 80
listen https
bind *:443
mode tcp
balance roundrobin
stick-table type ip size 5000k expire 2h store conn_cur
stick on src
option tcplog
option ssl-hello-chk
default-server inter 5s fall 2
option httpchk
http-check expect ! string Database\ error
server sitea 192.168.0.20:443 check ssl verify none
server siteb 192.168.0.21:443 check ssl verify none
Look at the last two lines. If I specified "ssl verify none", my HAProxy can successfully check both Apache and MySQL status. However, I can't open the webpage via https(it prompts me This site can’t provide a secure connection. ERR_SSL_PROTOCOL_ERROR).
If I remove that parameter, the webpage can be opened again, but all the https servers status become DOWN in the HAProxy.
P.S. I'm using self-signed certificate currently, because I'm still on testing.
I have found the solution: since I am using https on apache nodes, I have to copy ssl certificates content to haproxy. To do that, copy and merge both private key and the certificate content issued by the CA into one single file(In my case, I put it into /etc/haproxy/haproxy.pem).
Modify the haproxy configuration, change
bind *:443
To
bind *:443 ssl crt /etc/haproxy/haproxy.pem
I need to setup Load balancer as an alternative for ELB for Amazon as they have issue in connection timeout.
Currently, Im using HAProxy and it works normally. However, I need to use SSL for users who wants to connect in https (port 443) to the backend apache servers plus sticky session.
What will be the configuration would looks like? I heard that HAProxy doesn't support SSL in native and can use stunnel or nginx / apache to handle the SSL termination.
I would appreciate anyone to share their knowledge and experiences.
Thanks.
James
To http use something like that.
Change the XXX.XXX.XXX.XXX to your IP address.
listen example-cluster XXX.XXX.XXX.XXX:80
mode http
stats enable
stats auth user:password
stick store-request src
stick-table type ip size 200k expire 2m
balance source
cookie JSESSIONID prefix
option httplog
option httpclose
option forwardfor
option persist
option redispatch
option httpchk HEAD /check.txt HTTP/1.0
server example-webl XXX.XXX.XXX.XXX:80 cookie A check
server example-web2 XXX.XXX.XXX.XXX:80 cookie B check
server example-web3 XXX.XXX.XXX.XXX:80 cookie C check
server example-web4 XXX.XXX.XXX.XXX:80 cookie D check
server example-web5 XXX.XXX.XXX.XXX:80 cookie E check
To your SSL use the mode tcp with balance source:
listen example-cluster-ssl XXX.XXX.XXX.XXX:443
mode tcp
reqadd X-Forwarded-Proto:\ https
stick store-request src
stick-table type ip size 200k expire 2m
option persist
option redispatch
option ssl-hello-chk
balance source
server example-webl XXX.XXX.XXX.XXX:443 check
server example-web2 XXX.XXX.XXX.XXX:443 check
server example-web3 XXX.XXX.XXX.XXX:443 check
server example-web4 XXX.XXX.XXX.XXX:443 check
server example-web5 XXX.XXX.XXX.XXX:443 check
Another way is your upgrade your haproxy to version 1.5, in that version have support to ssl but isn't stable yet.
Take a look at the Stud project on github, which combines extremely well with haproxy, is very performant, scalable, and uses very little resource. Many users are switching to it right now because it's simple and efficient.