Pool Side SSL with vCloud Air Load Banacer

Recently I had an interesting situation where a specific error message occurs where standard approach for Load Balancer was used

This document is to explain how to complete HTTPS over vCloud Air Load Balancer throughout to Web servers using Pool Side SSL.

Usually we use Load Balancer with the following configuration:

bigbadinternet

This structure allow us to monitor and block unwanted traffic on the Firewall as well as use single certificate from a trusted provided on the front end and manage the pool of servers on the back in efficient way.

In our case Firewall and LB (Load Balancer) are on the Edge gateway allowing secure communication between Client and VIP (Virtual IP). However, when the LB server connect to the Web server the content is delivered insecurely and Client web browser is complaining about the page having mixed content (present information over secure connection delivered and containing unsecured links).

As additional requirement in case client uses HTTP instead of being dropped by the firewall to be redirected to secure site on 443 HTTPS.

 

To overcome this problem there are two possible scenarios
1. Using SSL passthrough where we use the certificates from Web servers and where Load Balancer is only forwarding packets to web servers – which in our case was not the desired solution.
2. Using Pool Side Certificate where request comes to the LB encrypted then request is decrypted and then is encrypted again and sent to the Web server over HTTPS. See diagram below:

Pool Side SSL

This configuration will grant secured connected from client’s browser to Web server entirely over secure HTTPS protocol, and will avoid the mixed content warning on customer side.

In this document I will show required configuration steps needed for Load Balancer service Edge gateway with Advanced Networking Services to setup Pool Side SSL.

 

1. Generating Certificate This step is required if you do not have certificate for the configuration

a. Go to Certificates tab select actions -> Generate CSR
b. Provided required details on the form
c. Once created select it and from action select Self sign Certificate

bigbadinternet10

2. Setting up Load balancer profiles we will create two profiles for HTTP and HTTPS

a. Go to Load Balancer tab and select Application profiles
b. Click on the icon and create HTTP Profile this will be used only for redirect pool later:

bigbadinternet2c. Click on the icon and create HTTPS Profile with the following settings:

i. Type HTTPS
ii. Enable Pool Side SSL
iii. Select the Self signed certificate for Virtual server Certificates and Pool Certificates

bigbadinternet3

3. Setting Pools

a. Go to Pools tab and create a Pool

i. Select monitors setting if created or use NONE as the screenshot
ii. Add members and use ports 443 for port and monitor

bigbadinternet4

4. Create Application Rule:

a. Go to Application rules and create a new rule:
b. HTTP redirect –

 

bigbadinternet5

5. Setup VIPs

a. Create HTTP VIP forwarder

i. Create new VIP Use HTTP profile
ii. For default pool select NONE
iii. Under advanced settings add the Application rule created in step 4

bigbadinternet6

bigbadinternet7

 

b. Create HTTPS VIP

i. Use HTTPS profile
ii. select HTTPS for protocol
iii. Use default pool HTTPS Pool created in step 3

bigbadinternet8

 

Once this is created we will have two listeners
One on port 80 redirecting with 301 response  everything that comes on HTTP to secure HTTPS profile
Second everything that comes on HTTPS profile will use the Self-signed certificate will decrypt the packet and then will encrypt it again with same or different certificate if configured to the Web servers on port 443. This way we will ensure that traffic will be secure the whole way from client to Web server and there will be no issue with mixed content. As a down side the number of operations on the Edge gateway will be doubled, and due to this make sure Edge is  sized properly to match the page load X-Large or Quiad-Large to be able to handle the number of operations for you production environment.

 

Documents used:

http://arstechnica.com/information-technology/2015/05/web-served-how-to-make-your-site-all-https-all-the-time-for-everyone/

https://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html

The following two tabs change content below.
Kalin is Cloud Services Engineer at VMware, he has over 4 years experience in Virtualization field. Before joining VMware he was part of Center of Excellence at IBM. His main scope of work in VMware is closely related with the cloud solution and consultation with clients looking to adopt Hybrid Cloud for their business needs. He has a master degree in engineering from Technical University of Varna and holds several IT industry leading certifications like VCAP-DCD, VCAP-DCA, and others.

About Kalin Hadzhivelikov

Kalin is Cloud Services Engineer at VMware, he has over 4 years experience in Virtualization field. Before joining VMware he was part of Center of Excellence at IBM. His main scope of work in VMware is closely related with the cloud solution and consultation with clients looking to adopt Hybrid Cloud for their business needs. He has a master degree in engineering from Technical University of Varna and holds several IT industry leading certifications like VCAP-DCD, VCAP-DCA, and others.

Bookmark the permalink.

Comments are closed