I'm evaluating an appropriate load balancer for a web project. The majority of the traffic to the site will be over ssl. I've read that HAProxy doesn't support ssl for various reasons. Are there ways to configure HAProxy so that it can handle and proxy traffic over https?
cheers,
Cathal.
No, you will need to use an SSL offloader in front of HAProxy, such as Pound or Stunnel.
You can use 1.5.x development version which supports SSL.
Related
I am getting into load balancing and how security with SSL certificates can be integrated with a load balancer.
Let's say that I want to expose several copies of the same RESTful web service over Amazon Elastic Load Balancer. All should be fine and smooth up until now. However, security has not yet been taken into consideration.
Now, let's say that we want the communication to be secured with an SSL certificate, so we go ahead and buy a certificate. We will have several IP addresses which are all exposing the same RESTful server with the load balancer. These IP addresses will all get mapped to the same domain name (https://thedomain.com). This way, the clients always connect to the same domain. It is then up to the load balancer to redirect to the web service which is getting the least traffic.
The main question is, is it possible for such an architecture with a single SSL certificate? As if this is so, it would be possible to extend the amount of services dynamically without having to change the security.
"It is then up to the load balancer to redirect to the web service which is getting the least traffic."
AFAIK, the ELB supports only Round Robin and Sticky sessions. So what you said above will not happen.
"is it possible for such an architecture with a single SSL certificate?"
You can install the SSL certificate on the ELB and let it do the SSL termination. The traffic between ELB and your Web Nodes will be un-encrypted then. You should explore AWS VPC where you can have a public facing ELB and your Web Nodes will be within Private subnet.
Also, ELB supports TCP load balancing. In this case, you install the Certificate on the Web Nodes and ELB will accept traffic on port 443 from internet and will simply forward it to port 443 on web nodes wherein web nodes have to do SSL encryption/decryption.
Hope this helps.
Has anyone looked at accepting HTTPS / SSL connections with Meteor?
Apologies.
Specifically: how can I set up Meteor to accept and work with HTTPS connections?
Yes *
HTTPS/SSL support was added in v0.3.8
source: GitHub
*Update: Caveats could apply depending on one's use case. See Brett's comment below.
I do not believe you can use ssl certificates with Meteor yet. What you could do is put a node.js based proxy in front of Meteor and handle ssl connections that way.
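A sketch of the proxy approach described in the answer above, added here as an example and not taken from the original posts or from Meteor: a Node TLS terminator that pins protocol and cipher policy and overwrites forwarding headers before passing plain HTTP to the app. The upstream address, key and certificate paths and function names are assumptions.

```javascript
const https = require('node:https');
const http = require('node:http');
const fs = require('node:fs');

// Hypothetical upstream: the app bound to loopback only, plain HTTP.
const UPSTREAM = { host: '127.0.0.1', port: 3000 };

// TLS policy lives in the proxy: TLS 1.2+ with forward-secret AEAD suites only.
function tlsOptions(keyPem, certPem) {
  const suites = [
    'TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256',
    'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256',
  ];
  return {
    key: keyPem,
    cert: certPem,
    minVersion: 'TLSv1.2',
    ciphers: suites.join(':'),
    honorCipherOrder: true,
  };
}

// Overwrite any client-supplied forwarding headers so the app can trust them.
function upstreamHeaders(req) {
  const headers = { ...req.headers };
  headers['x-forwarded-proto'] = 'https';
  headers['x-forwarded-for'] = req.socket.remoteAddress;
  return headers;
}

function forward(req, res) {
  const proxied = http.request(
    { ...UPSTREAM, method: req.method, path: req.url, headers: upstreamHeaders(req) },
    (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); }
  );
  proxied.on('error', () => {
    if (!res.headersSent) res.writeHead(502);
    res.end('bad gateway\n');
  });
  req.pipe(proxied);
}

// Paths are placeholders supplied by the caller. WebSocket upgrades are not proxied here.
function start(keyPath, certPath, port = 443) {
  const opts = tlsOptions(fs.readFileSync(keyPath), fs.readFileSync(certPath));
  return https.createServer(opts, forward).listen(port);
}
```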
Is it possible to deploy a node.js app on Cloud Foundry that listens for HTTPS requests on port 443?
I can find various references to SSL support in the Cloud Foundry forums, but no actual examples of HTTPS apps. The article "Setup SSL on cloudfoundry landscape" seems to indicate that I need to install nginx and use that, but there is not really enough information there to tell me what I need to do.
The SSL connection will terminate at the loadbalancer and then forward the unencrypted HTTP connection to your node app.
Just use https://your-app.cloudfoundry.com instead of http://...
You don't need nginx in particular, but you do need something capable of listening to a port (which Cloud Foundry will assign at the moment, indicated by the environment variable PORT or, for older versions of Cloud Foundry, VCAP_APP_PORT). So nginx will work for this purpose, but if you have made a node.js app, the core module http (optionally paired with express) would be a more natural choice of webserver.
Now if your app requires ssl, you'd think that you'd need to configure your webserver (nginx, express, etc.) for HTTPS, but you do not need to do so because Cloud Foundry handles the SSL and passes the decrypted HTTP to your webserver.
So if you are using node.js core modules, use the http, not https module.
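The setup described above, as an added example that is not code from the original answers: a Node app using the core http module on the assigned port, which still enforces HTTPS although it only ever sees decrypted traffic. It assumes the platform's router sets X-Forwarded-Proto and overwrites any client-supplied copy; APP_HOST and the function names are hypothetical.

```javascript
const http = require('node:http');

// Cloud Foundry assigns the port: PORT, or VCAP_APP_PORT on older versions.
function resolvePort(env) {
  const port = Number.parseInt(env.PORT || env.VCAP_APP_PORT, 10);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('no valid PORT or VCAP_APP_PORT in environment');
  }
  return port;
}

// Assumption: the router in front sets X-Forwarded-Proto for every request.
// With several hops the first entry is the client-facing one.
function clientUsedTls(req) {
  const proto = String(req.headers['x-forwarded-proto'] || '');
  return proto.split(',')[0].trim().toLowerCase() === 'https';
}

function handler(req, res) {
  if (!clientUsedTls(req)) {
    // APP_HOST is a hypothetical setting; the redirect target is never
    // built from the request's Host header.
    const host = process.env.APP_HOST || 'your-app.cloudfoundry.com';
    res.writeHead(301, { Location: `https://${host}${req.url}` });
    return res.end();
  }
  res.writeHead(200, {
    'Content-Type': 'text/plain',
    'Strict-Transport-Security': 'max-age=31536000',
  });
  res.end('served over TLS at the edge\n');
}

function start() {
  return http.createServer(handler).listen(resolvePort(process.env));
}

// Start only when asked, e.g. `node app.js --serve`.
if (process.argv.includes('--serve')) start();
```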
My client asked me to do reverse SSL on his website, but I'm new to this term. Can anyone help me with this?
Please describe or refer how to do it.
Check out this wiki article.
"In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware."
"Doing" reverse SSL means choosing a system/server and configuring it. You should start by asking your client whether they already have a reverse proxy in place or if one needs to be set up.
So setting up reverse SSL (like standard SSL) should not impact your web site's design, the backing code and data store etc. It is Transport Level Security (TLS) and might actually be outside the bounds of the contract with your client.
One use case would be running Apache Tomcat behind an Apache Web Server which handles SSL and acts as reverse proxy. Your client should specify more specifically.
Is there a way to disable weak and medium cipher suites for https, with the standalone Play Framework server?
Couldn't find anything about it.
The intention of the standalone server is not to deal with https traffic. The most common pattern is to use something like lighttpd, nginx or apache as a reverse proxy and offload the https processing to that.
Therefore, your question is more suited to whether it is possible to do what you need in one of the above http servers.
In Play 2.3, it is possible to do this with the AlgorithmChecker, and the AlgorithmChecker can be set up from a custom SSLEngine provider.
https://www.playframework.com/documentation/2.3.x/ConfiguringHttps
https://github.com/playframework/playframework/blob/2.3.x/framework/src/play-ws/src/main/scala/play/api/libs/ws/ssl/AlgorithmChecker.scala