SSL + HAProxy + ISPConfig

Discussion in 'ISPConfig 3 Priority Support' started by BobGeorge, Jul 31, 2017.

  1. BobGeorge

    BobGeorge Member HowtoForge Supporter

    I've got two "frontend" nodes that do load balancing with HAProxy and they send HTTP (port 80) requests onto the web servers (which are mirrored and get the website data from a shared storage server, as covered in the other threads I've posted). This works fine.

    But I'm now confused as to how to handle HTTPS (port 443) requests.

    I'd, of course, want SNI enabled, so that different websites can have their own separate SSL certificates.

    The problem is that if I do SSL termination at HAProxy, then it needs access to all the SSL certificates (and an understanding of SNI to use the correct certificates, according to which virtual host is being accessed). If that's even possible. I don't know.

    Or I could do SSL passthrough instead, but then HAProxy can't actually read the request - as it's encrypted, of course, and you pass it on as "tcp" and not "http" - so how do I pass on the original IP to the web server? With HTTP, I add the "Forwarded-For" header and Apache is configured with "remoteip", so HAProxy passes on the original IP address. But, with SSL, HAProxy can't access the headers to be able to add the extra information.

    Also, on a different note, I'd like to have it that requests for "admin.domain.tld" would be invisibly redirected to "domain.tld:8080", so that the link to the ISPConfig interface is more human-friendly for my users. Rewrite? Redirect? How best to handle that?
     
  2. BobGeorge

    BobGeorge Member HowtoForge Supporter

    On further thought, it's not just SSL that poses a problem. Load balancing FTP is an even bigger nightmare.

    I'm now considering that though HAProxy is great for HTTP traffic, it's not so great when we go beyond that. And, really, the reason I went for HAProxy was simply because of wanting persistence for session cookies.

    So I'm now looking at perhaps changing things to use LVS-NAT for the load balancing instead. It has to be NAT-based, as only the "frontend" nodes can be addressed by the outside Internet.

    LVS is only layer 4, not layer 7, but there is a persistence switch that can be applied, where it'll route to the same server it chose first (while the connection is open or within a timeout period thereafter). Another advantage is that LVS is part of the kernel, so its performance ought to be better than user mode HAProxy too.

    Persistence is the issue, really. Session cookies, SSL also needs to connect to the same server every time as it's the only one that knows how to unencrypt communications, active FTP needs a kind of persistence too (in keeping track of the chosen random high port - the FTP protocol really is a pain for this sort of thing and I'm still not entirely sure how to make it actually work, but I'm more hopeful LVS can at least do it, where HAProxy seems very poorly equipped for FTP and requires tricks like different port ranges, which all seems a bit ugly to me). But if LVS-NAT can deliver that persistence, even if it is layer 4, I should be okay, yes?

    Am I barking up the wrong tree here? Just a confirmation that I'm not going insane early in the morning here would be appreciated. ;D
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    you can either run the ispconfig vhost on port 443 instead of 8080 by changing the port and adding a domain name in the vhost or you create a proxy vhost and proxy the data invisibly to the vhost on port 8080.

    I have not used LVS-NAT, so I can't help you with that.
     
  4. BobGeorge

    BobGeorge Member HowtoForge Supporter

    I tried LVS-NAT and though the IPVS table shows the expected configuration and, running ldirectord in debug mode, shows that the healthchecks on the nodes are working, it's somehow not receiving anything from the virtual IP.

    So, until I figure that one out, I'm back to HAProxy and the original questions, I guess.

    How would one handle SSL and FTP in a HAProxy-based multi-server setup?
     

Share This Page