Context
Debian 64-bit.
I am trying to learn HTTPS. I created a load balancer but I cannot answer the client directly from the backend since it receives the LB IP.
Question
I would like to know how I could achieve the following with an SSL connection:
client -------> loadbalancer Level4 -----> 3 backends (ssl termination) -----> Back to client
The goal is to avoid decrypting on the load balancer but still be able to send the requests to each of the backend servers, decrypt there and send back to the client directly.
Any way to make it happen?
Related
AWS NLB supports TLS termination
https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
NLB being a Layer 4 load balancer, I would expect it to work in a passthrough mode by directing the incoming packets to one of the backends without much state maintenance (except for the flow tracking).
Are there any details available on how AWS implements the TLS termination in NLB?
Is it possible to do it with open source tooling (like IPVS or HAProxy), or does AWS have some secret sauce here?
The TLS termination itself is just what it says it is. TLS is a generic streaming protocol, just like TCP one level up, so you can unwrap it at the LB in a generic way. The magic is that they keep the IPs intact, probably with very fancy routing magic, but it seems unlikely AWS will tell you how they did it.
In my SO question here, I have an example of how to terminate a TCP session in HAProxy and pass the unencrypted traffic to a backend.
In short, you need to use ssl in the frontend bind section, and both frontend and backend configurations require use of tcp mode. Here is an example of terminating on port 443 and forwarding to port 4567.
frontend tcp-proxy
    # "ssl crt" makes HAProxy complete the TLS handshake with the client;
    # the PEM file holds the certificate chain and the private key
    bind :443 ssl crt combined-cert-key.pem
    mode tcp
    default_backend bk_default
backend bk_default
    mode tcp
    # the backend receives the decrypted stream on port 4567
    server server1 1.2.3.4:4567
We are using the Rancher Docker orchestration tool: it is using HAProxy for enabling load balancing.
I am wondering how a handshake is processed if a new HTTPS connection to a service is established.
Is the handshake done between client and the load balancer (Rancher/HAProxy) or will the load balancer just forward the HTTPS requests to the backend service?
It depends how you configure it.
SSL termination: the handshake is done by the load balancer.
SSL pass-through: the handshake is done by the backend.
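An added example (not from the thread, and not the configuration Rancher generates) of what those two modes look like in an HAProxy configuration. The two frontends are shown in one file only so they can be compared; in practice you would pick one. Addresses, hostnames and certificate paths are placeholders:

```haproxy
# Added example: TLS termination vs. TLS pass-through in HAProxy.
# All addresses, hostnames and file paths below are placeholders.

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Termination: HAProxy holds the private key and completes the handshake
#    itself. The backends see plain HTTP, so they never need a certificate.
frontend fe_terminate
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    mode http
    # Let the application know the original scheme was https
    http-request set-header X-Forwarded-Proto https
    default_backend be_plain

backend be_plain
    mode http
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check

# 2) Pass-through: HAProxy never decrypts. The handshake is completed by the
#    backend, which must hold the certificate and key. HAProxy only reads the
#    unencrypted SNI field of the ClientHello to choose a backend.
frontend fe_passthrough
    bind :8443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend be_tls_service_a if { req_ssl_sni -i a.example.com }
    default_backend be_tls_default

backend be_tls_service_a
    mode tcp
    server a1 10.0.0.21:443 check

backend be_tls_default
    mode tcp
    server d1 10.0.0.31:443 check
```

You can validate the file without starting the daemon with `haproxy -c -f /path/to/haproxy.cfg`. In pass-through mode HAProxy cannot add headers such as X-Forwarded-For, since it never sees the HTTP layer; the PROXY protocol or the backend's own logging has to supply the client address instead.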
Problem: I have an application connecting to several databases (Redis, Riak, etc.) via TCP through HAProxy. Like this:
app -> HAProxy --TLS--> HAProxy -> Redis
Access to HAProxy on Redis side is managed by Chef via iptables. We already use CFSSL for mutual TLS authentication on Nginx<->Nginx connections because it's way faster than waiting until Chef updates configuration.
I want to make HAProxy on the application side use a client-side TLS certificate when connecting to HAProxy on the DB side.
Actually any other proxy will do on the client side, but we'd like to keep things simple.
Okay, so I know that we can either forward HTTPS traffic via HAProxy to backend servers intact or have SSL terminated at the proxy server and let the remaining course of the traffic be unencrypted. But is there a way to make HAProxy work such that the traffic is decrypted at the server and re-encrypted before being sent to the backend nodes?
Basically I am getting half the job done with SSL termination, but I want traffic to be encrypted again once it leaves the proxy server.
Is this possible with HAProxy on its own? Or is there some other tool I could use in combination with HAProxy to create and manage HTTPS/SSL sessions with backend servers?
Have you tried setting it up like this:
HAProxy terminates the SSL; then, instead of forwarding the unencrypted traffic to your backend on an HTTP port, try forwarding it to an HTTPS port on the backend and wrap that in a self-signed cert.
i.e.:
SSL Traffic -> haproxy:443(domain cert) -> backend:443(internal cert)
I have set this up before and it worked fine.
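An added example (not from the thread) of the re-encryption setup just described, together with the client-certificate case from the Redis/Riak question above. Both rely on the same mechanism: the `ssl` keyword on a `server` line turns HAProxy into a TLS client towards that server, `crt` on that line is the client certificate it presents, and `verify required` with `ca-file` makes it check the backend's certificate. Addresses, hostnames and PEM paths are placeholders:

```haproxy
# Added example: re-encrypting towards backends, and mutual TLS between two
# HAProxy instances. All addresses, hostnames and file paths are placeholders.

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Web case: terminate the public certificate, re-encrypt to the backends ---
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/public.example.com.pem
    mode http
    http-request set-header X-Forwarded-Proto https
    default_backend be_reencrypt

backend be_reencrypt
    mode http
    # Verify the backend's internal certificate against the internal CA and
    # check its hostname. "verify none" would work with any self-signed cert
    # but would also accept an impostor on the same address.
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(web1.internal) verifyhost web1.internal check
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(web2.internal) verifyhost web2.internal check

# --- DB case, application host: plain TCP from the app, mutual TLS outwards ---
listen redis_app_side
    bind 127.0.0.1:6379
    mode tcp
    # "crt" on a server line is the client certificate (cert + key in one PEM)
    # presented to the DB-side proxy during the handshake.
    server redis_proxy 10.0.1.5:6380 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem crt /etc/haproxy/certs/app-client.pem verifyhost db-proxy.internal check

# --- DB case, database host: accept only clients with a cert from the CA ---
listen redis_db_side
    # "verify required" on a bind line rejects handshakes without a client
    # certificate chained to ca-file; Redis itself still listens in plaintext
    # on localhost only.
    bind :6380 ssl crt /etc/haproxy/certs/db-proxy.pem ca-file /etc/haproxy/certs/internal-ca.pem verify required
    mode tcp
    server redis 127.0.0.1:6379 check
```

The application connects to 127.0.0.1:6379 as if Redis were local; the hop between the two hosts is the only one that crosses the network and it is authenticated in both directions. If a CFSSL-style CA rotates the client certificate, only `app-client.pem` changes and the DB-side rule (any cert chained to the CA) keeps working without an iptables update.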
I would like to set up a TLS authentication on the two-server setup with a load balancer that spreads traffic between them. I do not have access to the load balancer, so I need to set up both servers separately. I need a certificate that would be signed by my own CA that I can pass on to the client which I want to authenticate. I know that it is possible to create a CA that is common for both servers, I am not sure how though. Is it as simple as creating a CA on each server with the same configuration?
I would appreciate some guidance.
TLS uses TCP connections, so the load balancer will only balance the establishment of TCP connections. After that the client is tied to any one of the two servers.
The certificate the servers present to their clients should match the URL or IP of the load balancer, so the clients can check if the certificate matches what they intended to connect to.
If you expose which backend server the client has reached (e.g. because the load balancer redirects the connection, instead of tunneling it), your servers will probably need a wildcard certificate.