Posted to dev@cloudstack.apache.org by Stephan Seitz <s....@heinlein-support.de> on 2018/04/12 08:23:53 UTC

SSL offloading for Virtual Routers / Loadbalancer

Hi!

We've got some projects where it would be very reasonable to have SSL offloading for https available at the loadbalancing component in the VR.

Since loadbalancing is done via haproxy, that wouldn't be impossible to configure (at least for the haproxy.conf).

I wonder if there's some documentation for the management <-> VR communication. IMHO we need to add
- upload/update of ssl certs from the management node to the respective VR
- configuring/updating SSL as additional LB method (besides the tcp-oproxy, tcp and udp methods)
- some VR's feedback or canary code to inform the management node about the LB capabilities(?)

It would be really nice if someone could share some information. How would you start that?


Thanks!

- Stephan
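
The haproxy side of the request above, as an added example that is not part of the original post and is neither CloudStack's nor Leaseweb's configuration: a TCP pass-through listener beside a TLS-terminating one. All addresses, section names and the certificate path are constructed assumptions.

```haproxy
global
    # Refuse legacy protocol versions on every TLS-terminating bind.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Pass-through: haproxy forwards the TLS bytes untouched.
# Certificate and private key stay on the backend VMs.
listen lb_passthrough
    bind 203.0.113.10:443
    mode tcp
    balance roundrobin
    server vm1 10.1.1.11:443 check
    server vm2 10.1.1.12:443 check

# Offloading: haproxy terminates TLS, so the private key has to be
# delivered to the VR. The file given to "crt" is one PEM holding the
# certificate, its chain and the private key; keep it root-only (0600).
frontend lb_offload
    bind 203.0.113.20:443 ssl crt /etc/ssl/private/lb-example.pem
    mode http
    # Tell the backends the client side was HTTPS and who the client was.
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend vms_http

# Traffic from the VR to the VMs is plain HTTP here, so the guest
# network between them carries cleartext and must be trusted.
backend vms_http
    mode http
    balance roundrobin
    server vm1 10.1.1.11:80 check
    server vm2 10.1.1.12:80 check
```

Running `haproxy -c -f <file>` checks a generated configuration for errors before it is reloaded.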

Re: SSL offloading for Virtual Routers / Loadbalancer

Posted by Stephan Seitz <s....@heinlein-support.de>.
Hi Wei!

It would be very kind if you could provide some commits.

If it's ok for you, I'd start a clone on GitHub and try to port
your changes into the 4.11 branch (if I find time, also into master)

Thanks in advance!

cheers,

- Stephan




On Thursday, 12.04.2018, 11:36 +0200, Wei ZHOU wrote:
> Hi Stephan,
> 
> It is done in our own fork based on CloudStack 4.7.1. We are planning to
> port all our changes to 4.11 with pull requests.
> 
> If you need it urgently, I can share some commits with you (it might not
> work on 4.11).
> 
> -Wei
> 
> 2018-04-12 11:23 GMT+02:00 Stephan Seitz <s....@heinlein-support.de>:
> 
> > 
> > Thanks for your feedback, Wei!
> > 
> > I'll discuss the configuration via tags/values with some colleagues, but I
> > think that's a very practical way of configuring some LB specialities.
> > 
> > AFAIK there'll be some changes necessary to the codebase. Have you done
> > those changes internally or do I live in an ideal world and it's available
> > maybe as a pull request on GitHub?
> > In short, may we use that work? :)
> > 
> > cheers,
> > 
> > - Stephan
> > 
> > On Thursday, 12.04.2018, 10:59 +0200, Wei ZHOU wrote:
> > > 
> > > Hi Stephan,
> > > 
> > > We (Leaseweb in Netherlands) had some work on it. It is implemented by
> > > network tags and lb tags.
> > > Here is our KB:
> > > https://kb.leaseweb.com/display/KB/Network%3A+CloudStack#Network:CloudStack-ConfiguringloadbalancerforanIPAddressofanIsolatedNetwork
> > > 
> > > 
> > > -Wei
> > > 
> > > 2018-04-12 10:23 GMT+02:00 Stephan Seitz <s....@heinlein-support.de>:
> > > 
> > > > 
> > > > 
> > > > Hi!
> > > > 
> > > > We've got some projects where it would be very reasonable to have SSL
> > > > offloading for https available at the loadbalancing component in the VR.
> > > > 
> > > > Since loadbalancing is done via haproxy, that wouldn't be impossible to
> > > > configure (at least for the haproxy.conf).
> > > > 
> > > > I wonder if there's some documentation for the management <-> VR
> > > > communication. IMHO we need to add
> > > > - upload/update of ssl certs from the management node to the respective VR
> > > > - configuring/updating SSL as additional LB method (besides the
> > > > tcp-oproxy, tcp and udp methods)
> > > > - some VR's feedback or canary code to inform the management node about
> > > > the LB capabilities(?)
> > > > 
> > > > It would be really nice if someone could share some information. How would
> > > > you start that?
> > > > 
> > > > 
> > > > Thanks!
> > > > 
> > > > - Stephan
> > > > 
> > Kind regards,
> > 
> > Stephan Seitz
> > 
> > --
> > 
> > Heinlein Support GmbH
> > Schwedter Str. 8/9b, 10119 Berlin
> > 
> > http://www.heinlein-support.de
> > 
> > Tel: 030 / 405051-44
> > Fax: 030 / 405051-19
> > 
> > Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
> > Berlin-Charlottenburg,
> > Managing Director: Peer Heinlein -- Registered office: Berlin
> > 
> > 
> > 
Kind regards,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin



Re: SSL offloading for Virtual Routers / Loadbalancer

Posted by Wei ZHOU <us...@gmail.com>.
Hi Stephan,

It is done in our own fork based on CloudStack 4.7.1. We are planning to
port all our changes to 4.11 with pull requests.

If you need it urgently, I can share some commits with you (it might not
work on 4.11).

-Wei

2018-04-12 11:23 GMT+02:00 Stephan Seitz <s....@heinlein-support.de>:

> Thanks for your feedback, Wei!
>
> I'll discuss the configuration via tags/values with some colleagues, but I
> think that's a very practical way of configuring some LB specialities.
>
> AFAIK there'll be some changes necessary to the codebase. Have you done
> those changes internally or do I live in an ideal world and it's available
> maybe as a pull request on GitHub?
> In short, may we use that work? :)
>
> cheers,
>
> - Stephan
>
> On Thursday, 12.04.2018, 10:59 +0200, Wei ZHOU wrote:
> > Hi Stephan,
> >
> > We (Leaseweb in Netherlands) had some work on it. It is implemented by
> > network tags and lb tags.
> > Here is our KB:
> > https://kb.leaseweb.com/display/KB/Network%3A+CloudStack#Network:CloudStack-ConfiguringloadbalancerforanIPAddressofanIsolatedNetwork
> >
> > -Wei
> >
> > 2018-04-12 10:23 GMT+02:00 Stephan Seitz <s....@heinlein-support.de>:
> >
> > >
> > > Hi!
> > >
> > > We've got some projects where it would be very reasonable to have SSL
> > > offloading for https available at the loadbalancing component in the VR.
> > >
> > > Since loadbalancing is done via haproxy, that wouldn't be impossible to
> > > configure (at least for the haproxy.conf).
> > >
> > > I wonder if there's some documentation for the management <-> VR
> > > communication. IMHO we need to add
> > > - upload/update of ssl certs from the management node to the respective VR
> > > - configuring/updating SSL as additional LB method (besides the
> > > tcp-oproxy, tcp and udp methods)
> > > - some VR's feedback or canary code to inform the management node about
> > > the LB capabilities(?)
> > >
> > > It would be really nice if someone could share some information. How would
> > > you start that?
> > >
> > >
> > > Thanks!
> > >
> > > - Stephan
> > >
> Kind regards,
>
> Stephan Seitz
>
> --
>
> Heinlein Support GmbH
> Schwedter Str. 8/9b, 10119 Berlin
>
> http://www.heinlein-support.de
>
> Tel: 030 / 405051-44
> Fax: 030 / 405051-19
>
> Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
> Berlin-Charlottenburg,
> Managing Director: Peer Heinlein -- Registered office: Berlin
>
>
>

Re: SSL offloading for Virtual Routers / Loadbalancer

Posted by Stephan Seitz <s....@heinlein-support.de>.
Thanks for your feedback, Wei!

I'll discuss the configuration via tags/values with some colleagues, but I think that's a very practical way of configuring some LB specialities.

AFAIK there'll be some changes necessary to the codebase. Have you done those changes internally or do I live in an ideal world and it's available maybe as a pull request on GitHub?
In short, may we use that work? :)

cheers,

- Stephan

On Thursday, 12.04.2018, 10:59 +0200, Wei ZHOU wrote:
> Hi Stephan,
> 
> We (Leaseweb in Netherlands) had some work on it. It is implemented by
> network tags and lb tags.
> Here is our KB:
> https://kb.leaseweb.com/display/KB/Network%3A+CloudStack#Network:CloudStack-ConfiguringloadbalancerforanIPAddressofanIsolatedNetwork
> 
> -Wei
> 
> 2018-04-12 10:23 GMT+02:00 Stephan Seitz <s....@heinlein-support.de>:
> 
> > 
> > Hi!
> > 
> > We've got some projects where it would be very reasonable to have SSL
> > offloading for https available at the loadbalancing component in the VR.
> > 
> > Since loadbalancing is done via haproxy, that wouldn't be impossible to
> > configure (at least for the haproxy.conf).
> > 
> > I wonder if there's some documentation for the management <-> VR
> > communication. IMHO we need to add
> > - upload/update of ssl certs from the management node to the respective VR
> > - configuring/updating SSL as additional LB method (besides the
> > tcp-oproxy, tcp and udp methods)
> > - some VR's feedback or canary code to inform the management node about
> > the LB capabilities(?)
> > 
> > It would be really nice if someone could share some information. How would
> > you start that?
> > 
> > 
> > Thanks!
> > 
> > - Stephan
> > 
Kind regards,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin



Re: SSL offloading for Virtual Routers / Loadbalancer

Posted by Wei ZHOU <us...@gmail.com>.
Hi Stephan,

We (Leaseweb in Netherlands) had some work on it. It is implemented by
network tags and lb tags.
Here is our KB:
https://kb.leaseweb.com/display/KB/Network%3A+CloudStack#Network:CloudStack-ConfiguringloadbalancerforanIPAddressofanIsolatedNetwork

-Wei

2018-04-12 10:23 GMT+02:00 Stephan Seitz <s....@heinlein-support.de>:

> Hi!
>
> We've got some projects where it would be very reasonable to have SSL
> offloading for https available at the loadbalancing component in the VR.
>
> Since loadbalancing is done via haproxy, that wouldn't be impossible to
> configure (at least for the haproxy.conf).
>
> I wonder if there's some documentation for the management <-> VR
> communication. IMHO we need to add
> - upload/update of ssl certs from the management node to the respective VR
> - configuring/updating SSL as additional LB method (besides the
> tcp-oproxy, tcp and udp methods)
> - some VR's feedback or canary code to inform the management node about
> the LB capabilities(?)
>
> It would be really nice if someone could share some information. How would
> you start that?
>
>
> Thanks!
>
> - Stephan
>