[openstack][octavia] transparent
Hello all, I have some end users who want to receive on their load balanced web servers the client IP address for ACLs. They also want the HTTPS connection to be terminated on the web servers and not on the load balancer. Can I solve this with Octavia? I read that haproxy can act as transparent only when it is the default router of the backends. In our use case the default router is not the load balancer. Any help, please? Ignazio
Hi Ignazio,
Currently the amphora driver does not support passing the client source IP directly to the backend member server. However there are a few ways to accomplish this using the amphora driver:
1. Use the proxy protocol for the pool.
2. Terminate the HTTPS on the load balancer and add the X-Forwarded-For header.
To use the PROXY protocol you would set up the load balancer like this:
1. Create the load balancer.
2. Create the listener using HTTPS pass through, so either the "HTTPS" or "TCP" protocol.
3. Create the pool using the "PROXY" protocol option.
4. Add your members and health manager as you normally do.
Then, on the web servers enable PROXY protocol. On apache this is via the mod_remoteip module and the RemoteIPProxyProtocol directive. See: https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipproxyprotoco...
On nginx it is enabled with the "proxy_protocol" directive. See: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
Pretty much every web server has support for it.
Michael
On Fri, Jul 17, 2020 at 10:01 AM Ignazio Cassano <ignaziocassano@gmail.com> wrote: [...]
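To make the PROXY protocol setup above concrete, here is an added example (my own, not code from this thread, from Octavia or from HAProxy) of what the backend side has to do: parse the plaintext v1 header that the amphora prepends to each connection, which on an HTTPS pass-through listener sits before the TLS ClientHello, and honour it only when the TCP peer is a known load balancer address, since any other peer could send a forged header and bypass an IP-based ACL. The load balancer and client addresses are constructed documentation-range values.

```python
import ipaddress

# PROXY protocol v1 (text) header, per the HAProxy specification:
# "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n", at most 107 bytes.
MAX_V1_HEADER = 107


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, payload) or raise ValueError."""
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > MAX_V1_HEADER:
        raise ValueError("no complete PROXY v1 line within 107 bytes")
    line, payload = data[:end], data[end + 2:]
    parts = line.split(b" ")
    if parts[0] != b"PROXY" or len(parts) < 2:
        raise ValueError("not a PROXY v1 header")
    if parts[1] == b"UNKNOWN":
        # Spec: UNKNOWN carries no addresses; fall back to the TCP peer.
        return None, None, payload
    if len(parts) != 6 or parts[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if parts[1] == b"TCP4" else 6
    src = ipaddress.ip_address(parts[2].decode("ascii"))
    dst = ipaddress.ip_address(parts[3].decode("ascii"))
    if src.version != family or dst.version != family:
        raise ValueError("address does not match declared family")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, payload


def client_ip_for_acl(peer_ip: str, data: bytes, trusted_lbs):
    """Pick the address the web server should evaluate its ACL against.

    trusted_lbs: networks the amphorae connect from (assumed, site-specific).
    The PROXY header is only believed when the TCP peer is one of them.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_lbs):
        return peer_ip, data  # direct connection: header (if any) is untrusted
    src, _sport, payload = parse_proxy_v1(data)
    return (src if src is not None else peer_ip), payload


# Constructed sample: client 198.51.100.7 reaches backend 10.0.0.20 through an
# amphora at 10.0.0.5; the TLS record bytes follow the header untouched.
TRUSTED_LBS = [ipaddress.ip_network("10.0.0.0/24")]
SAMPLE = b"PROXY TCP4 198.51.100.7 10.0.0.20 51234 443\r\n\x16\x03\x01"
```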
Many thanks, Michael. Ignazio
On Fri 17 Jul 2020, 19:17 Michael Johnson <johnsomor@gmail.com> wrote: [...]
On 2020-07-17 17:17 +0000 (+0000), Michael Johnson wrote: [...]
Neat! Somehow this is the first I've heard of it. An attempt at a formal specification seems to be published at http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt but I'm not finding any corresponding IETF RFC draft. I agree it looks like a viable solution to the question posed (so long as the LB and servers have support for this custom protocol/encapsulation). Way less problematic than DSR, just unfortunately handled as a de facto standard from what I can see, but looks like https://tools.ietf.org/id/draft-schwartz-tls-lb-00.html touches on ways to hopefully provide a more extensible solution in the future. -- Jeremy Stanley
Hello Michael, I forgot to ask if the configuration you suggested can support ACLs for client IP addresses. Ignazio
On Fri 17 Jul 2020, 19:17 Michael Johnson <johnsomor@gmail.com> wrote: [...]
I mean ACLs on the load balancer, not on the web servers.
On Fri 17 Jul 2020, 20:20 Ignazio Cassano <ignaziocassano@gmail.com> wrote: [...]
On 2020-07-17 18:55:01 +0200 (+0200), Ignazio Cassano wrote:
You'll be hard pressed to find any network load balancer which can satisfy this combination of requirements without also requiring some cooperation from the gateway. The ways you typically get the client IP addresses to your servers are one of:
1. Use the load balancer as the default router for the servers so that it doesn't need to alter the IP addresses of the packets (layer 3 forwarding).
2. Terminate SSL/TLS on the load balancer so that it can insert X-Forwarded-For headers into the HTTP requests, and then optionally re-encrypt when sending along to the servers (layer 7 forwarding).
3. A "direct server return" configuration where the load balancer masquerades as the clients and only handles the inbound packets to the servers, while the outbound replies from the servers go directly to the Internet through their default gateway (asymmetric layer 3 forwarding with destination NAT). This is the only option which meets the list of requirements you posed and it's exceptionally messy to implement, since you can't rely on state tracking either on the load balancer or the default gateway (each of them only sees half of the connection). This can also thoroughly confuse your packet filtering depending on where in your network it's applied.
A bit of quick searching doesn't turn up any available amphorae for Octavia which support DSR, but even if there were I expect you'd face challenges adapting Neutron and security groups to handle it.
-- Jeremy Stanley
Many thanks, Jeremy
On Fri 17 Jul 2020, 19:42 Jeremy Stanley <fungi@yuggoth.org> wrote: [...]