VMware Horizon Community
sutter
Enthusiast

Load balancing with HAProxy and CA signed certificates

Anyone have luck with using HAProxy and CA signed certificates?  I have my own Microsoft CA and am using it to create CA signed certificates for my connection server, security server and my HAProxy load balanced IP address.

If I connect directly to any of my security servers I have no issues; everything works great.  When I connect to the load balanced IP by the host name used in the certificate and DNS, it gives me an SSL certificate error.  I can view the certificate and see it's using the load balanced certificate.  My problem is I'm not sure if it's failing at the first step (the load balancer) or at the security server.  I believe I have it set up so it uses the security server's certificate when it is redirected, but the debug log is not helpful at all.

Anyone have a sample config that has worked for them by chance?

10 Replies
chulerico
Enthusiast

This works with my certs

listen vdi:443 x.x.x.x:443
    mode tcp                              # plain TCP passthrough: TLS is not terminated on the load balancer
    option tcplog
    balance source                        # pin a client IP to the same broker for its session
    server vdibroker01:443 x.x.x.x:443 check
    server vdibroker02:443 x.x.x.x:443 check

Did you install the cert on the load balancer?

Sam

sutter
Enthusiast

This is my current config file

frontend LBVIP
  mode tcp
  # 'ssl crt' on the bind makes HAProxy terminate TLS with these certificates; what goes
  # on to the backends is whatever the server lines speak (plain TCP here, no 'ssl').
  bind LoadBalancerVIPHostname:443 ssl crt /etc/haproxy/haproxy.pem crt /etc/haproxy/certs/ ca-file /etc/haproxy/cafile.pem
  # ssl_fc_sni is only populated because this frontend terminates TLS itself
  use_backend Security01 if { ssl_fc_sni SecurityServer01HostName }
  use_backend Security02 if { ssl_fc_sni SecurityServer02HostName }

backend Security01
  balance source
  mode tcp
  server secsrv1 HOSTNAMEofSECSRV1        # no port given, so HAProxy reuses the client's port (443)

backend Security02
  balance source
  mode tcp
  server secsrv2 HOSTNAMEofSECSRV2

/etc/haproxy/haproxy.pem is the certificate of the Load Balancer's VIP.

/etc/haproxy/certs/ is the location of the security server certificates in .pem format with keys.

/etc/haproxy/cafile.pem is the Root and Intermediate CAs in my infrastructure.

When I use a program to check the certificate and chain it resolves just fine.  View seems to be failing me miserably though.  Notice anything in particular wrong with it?

cgrubbe
Enthusiast

I have been running HAProxy with the same general config that chulerico listed. It knows nothing of and doesn't care about the certs; it just hands off the connection to the security server and happy day.  I don't use an internally signed cert on my Security Servers, because they are public facing, but the cert is set up with the hostname that resolves to the load balanced IP.

larsonm
VMware Employee

It looks like you are trying to do SSL offload with HAProxy.

What approach did you use to create your PEM file for HAProxy?  The PEM file typically contains multiple certificates including the intermediate CA and root CA certificates.

ca-file is used to verify client certificates, so you can probably remove that.


Keep the CA certs here /etc/haproxy/certs/ as well.

chulerico
Enthusiast

Yup,

mode tcp won't do SSL offloading.

I'm just passing the connection to the connection server, and there is no cert on the HAProxy box.

Coupled with keep-alive it is a neat setup.

Sam

sutter
Enthusiast

So this might be my problem: TCP mode won't do SSL offloading?  Can you do it with HTTP SSL termination?  It would end up looking more like this:

frontend CorpView
  bind *:80
  bind *:443 ssl crt /etc/haproxy/haproxy.pem   # TLS terminated here with the VIP certificate
  mode http
  default_backend ViewSec

backend ViewSec
  mode http
  balance roundrobin
  option forwardfor                             # adds X-Forwarded-For with the client IP
  option http-server-close
  server view01 *:443 check                     # '*' stands in for the (redacted) server address
  server view02 *:443 check
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

This doesn't seem to work with View though; I get an HTTP 503 error, which I believe is a gateway problem.  This might mean HTTP won't work with it.

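An added configuration (not the poster's and not VMware's), in HAProxy 1.5 syntax, that puts the two workable shapes side by side: TCP passthrough that still routes on the requested hostname, and termination on the VIP certificate that re-encrypts to the security servers. It is here because both of the poster's configs in this thread terminate TLS on the bind (`ssl crt ...`) and then forward to port 443 with no `ssl` on the server lines, so the security servers receive cleartext on a port that only speaks TLS. The hostnames, file paths, timeouts and the 8443 bind are assumptions; in production you keep one of the two frontends and bind it on 443.

```haproxy
# Added example, HAProxy 1.5 syntax. Hostnames, paths and timeouts are placeholders.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s
    timeout client  30m      # View tunnels are long-lived; assumed values, tune to your sessions
    timeout server  30m

# --- Option A: TCP passthrough, route on SNI without terminating TLS -------------
# No 'ssl' on the bind, so HAProxy never decrypts.  req.ssl_sni is read from the
# ClientHello; ssl_fc_sni only works after HAProxy has terminated TLS itself.
# The client sees the security server's own certificate, so that certificate
# must carry the VIP name as a SAN when clients connect through the VIP.
frontend view_passthrough
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend secsrv1_only   if { req.ssl_sni -i secsrv1.corp.example }
    use_backend secsrv2_only   if { req.ssl_sni -i secsrv2.corp.example }
    default_backend view_secservers            # connections that came in on the VIP name

backend view_secservers
    mode tcp
    balance source                            # keep a client on the same security server
    server secsrv1 secsrv1.corp.example:443 check
    server secsrv2 secsrv2.corp.example:443 check

backend secsrv1_only
    mode tcp
    server secsrv1 secsrv1.corp.example:443 check

backend secsrv2_only
    mode tcp
    server secsrv2 secsrv2.corp.example:443 check

# --- Option B: terminate on the VIP cert, re-encrypt to the security servers -----
# 'ssl' on the server lines is the part the poster's terminated configs lack; without
# it HAProxy sends cleartext to a TLS-only port.  'verify required' plus 'ca-file'
# makes HAProxy check the server certificate against the internal CA chain, and
# 'verifyhost' pins the expected name, so a rogue backend cannot impersonate one.
frontend view_terminate
    bind *:8443 ssl crt /etc/haproxy/haproxy.pem no-sslv3   # 8443 only to coexist with Option A
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    default_backend view_secservers_tls

backend view_secservers_tls
    mode http
    balance source
    server secsrv1 secsrv1.corp.example:443 ssl verify required ca-file /etc/haproxy/cafile.pem verifyhost secsrv1.corp.example check
    server secsrv2 secsrv2.corp.example:443 ssl verify required ca-file /etc/haproxy/cafile.pem verifyhost secsrv2.corp.example check
```

With Option A the load balancer holds no private key at all, which is the setup chulerico and cgrubbe describe; the certificate work moves entirely to the security servers. With Option B the VIP certificate lives in `/etc/haproxy/haproxy.pem` and `cafile.pem` is used on the server lines to validate the backends, not on the bind, where `ca-file` would only govern client certificate verification.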
chulerico
Enthusiast

sutter,

Before, there wasn't a straightforward way of doing it; HAProxy needed to be coupled with stunnel, etc. Not clean.

Will try to test it out later today like this. It seems HAProxy added support for SSL offload at a later point (what version are you using?)

Using SSL Certificates with HAProxy - Servers for Hackers

Sam

sutter
Enthusiast

I'm currently using 1.5.4.  So SSL termination is an option, but it only appears to work with HTTP, which won't work with View it seems.

nonsparker
Enthusiast

Are the IP and the DNS name of the VIP in the SSL certs on the security servers as SAN names?

Twitter @thickguythinapp
Website thickguythinapp.com
chulerico
Enthusiast

sutter,

View can be set to HTTP.

Example config:

Configure Each View Connection Server for HTTP Traffic

https://techlib.barracuda.com/load/deployinvmwareview


I tried the above in older View versions (at the time it was about getting better performance from the brokers).


So two choices here: stick with mode tcp and let all traffic stay encrypted, or disable HTTPS at the brokers so you can use mode http.


sam
