Lbaas: SSL termination is not working

Bug #1463512 reported by Vinod Nair
Affects            Status                   Importance  Assigned to             Milestone
Juniper Openstack  Status tracked in Trunk
  R2.20            Invalid                  High        Divakar Dharanalakota
  Trunk            Invalid                  High        Divakar Dharanalakota

Bug Description

SSL termination is not working with LBaaS. The haproxy config has the VIP binding to port 443, but the SSL cert config is missing in haproxy.cfg.

 cat /var/lib/contrail/loadbalancer/ebf5f87a-b2a3-4b6c-946b-89e1f4df9fc0/etc/haproxy/haproxy.cfg
global
    daemon
    user nobody
    group nogroup
    stats socket /var/lib/contrail/loadbalancer/ebf5f87a-b2a3-4b6c-946b-89e1f4df9fc0/etc/haproxy/haproxy.cfg.sock mode 0666 level user

defaults
    log global
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 50000
    timeout server 50000

listen contrail-config-stats :5937
    mode http
    stats enable
    stats uri /
    stats auth haproxy:contrail123

frontend c5866fb4-00a4-4d35-bed6-3ac2bdd13334
    bind 11.1.0.4:443
    mode http
    default_backend ebf5f87a-b2a3-4b6c-946b-89e1f4df9fc0

backend ebf5f87a-b2a3-4b6c-946b-89e1f4df9fc0
    mode http
    balance roundrobin
    server 136b3567-4aa3-4cfc-9e57-c8069fa61260 12.1.0.12:8080 weight 1
    server 1ae4d088-e901-43fe-b18a-a3127eca303c 12.1.0.11:8080 weight 1
    server 230060be-0353-45a6-9f50-07c7bc60a66a 12.1.0.1:8080 weight 1
    server 2342bb68-0d28-4ebc-85fd-1a270f5a25b1 12.1.0.7:8080 weight 1
    server 2957fd89-c08c-4130-b36d-1133bc80e9c8 12.1.0.16:8080 weight 1
    server 68c49fdc-ddcc-498e-8b71-890866c1a07f 12.1.0.13:8080 weight 1
    server 8f61b36a-c3f6-44d4-a672-fa3464b80d98 12.1.0.10:8080 weight 1
    server a9c5034c-bc2f-4e74-ae26-fbd78277baff 12.1.0.3:8080 weight 1
    server aafe9927-0451-436f-881c-9541635591e5 12.1.0.2:8080 weight 1
    server ab505160-0baa-4341-8719-ad923be7e9bb 12.1.0.9:8080 weight 1

Version 2.20 Build 41 Juno 14.04

Tried the two options below in agent.conf:

haproxy_ssl_cert_path=/store/RSA4096.pem
root@cs-scale-8:~# cat /etc/contrail/contrail-vrouter-agent.conf | grep haproxy_ssl_cert_path
haproxy_ssl_cert_path=/store/RSA4096.pem

haproxy_ssl_cert_path=/store/RSA4096.pem
root@cs-scale-8:~# cat /etc/contrail/contrail-vrouter-agent.conf | grep haproxy_ssl_cert_path
haproxy_ssl_cert_path=/store/

VIP-CONFIG
============
neutron --os-tenant-name=PROJ1 lb-vip-create --name FESSL-VIP --protocol-port 443 --protocol HTTP --subnet-id VIP1-SUBNET1 POOL2

Tags: lbaas
Divakar Dharanalakota (ddivakar) wrote :

Vinod,
while configuring the VIP, the protocol needs to be configured as HTTPS for an SSL connection. Configuring port 443 is not sufficient. Please try it with protocol HTTPS.
-Divakar

information type: Proprietary → Public
Divakar Dharanalakota (ddivakar) wrote :

Following is our behavior:

1) We have a requirement to terminate SSL at the back-end servers, but haproxy still needs to load balance the SSL packets.

2) If we want SSL termination to happen in the haproxy process, the VIP protocol should be chosen as HTTPS. The pool protocol also needs to be HTTPS, because neutron dictates that the protocol be the same on the frontend and the backend. It does not mean it is end-to-end SSL: packets to the backend go as cleartext to the port configured on the pool member. (I think different pool members can listen on different port numbers, and haproxy will terminate SSL and send clear-text packets to the port that particular member is listening on.) The moment the VIP protocol is HTTPS, vrouter generates the haproxy config with SSL certificates (not because of port 443).

3) If we want SSL termination to happen in the back-end pool members, configure the VIP and pool protocol as TCP and use VIP port 443. Backend pool members can listen on any port (including 443 and 80). This ensures that haproxy load balances the traffic but does not terminate SSL. Vrouter does not generate the haproxy config with SSL certs.

-Divakar

It has been tested as per the above configuration and found to be working fine. So closing the bug.
-Divakar
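As an added check for readers of this report (example code written for this page, not part of Contrail, the vrouter agent, or the reporter's own commands): a small POSIX shell script that classifies the frontend bound to the VIP port in a generated haproxy.cfg into the three outcomes described above. The `bind ... ssl crt <pem>` form is standard haproxy syntax; that the agent emits exactly that line for an HTTPS VIP is inferred from the thread, not verified against the agent source. The three sample configs are constructed: "plaintext" mirrors the config pasted in the bug (HTTP VIP on port 443, no certificate), the other two show the shapes expected for an HTTPS VIP (haproxy terminates TLS) and a TCP VIP (TLS passed through to the pool members).

```shell
#!/bin/sh
# Added example, not Contrail code. Classifies the frontend that binds the
# VIP port in an haproxy.cfg laid out like the one in this bug report.
#
#   terminate   - "bind ... ssl crt <pem>" present: haproxy terminates TLS
#                 (expected for an HTTPS VIP + HTTPS pool)
#   passthrough - "mode tcp" and no ssl on the bind: TLS is load balanced
#                 untouched to the members (TCP VIP on port 443)
#   plaintext   - "mode http" on the VIP port with no ssl on the bind: the
#                 symptom in this bug (HTTP VIP on 443); a TLS client fails
#                 at the handshake because haproxy is expecting cleartext HTTP

classify_frontend() {
    cfg=$1
    port=${2:-443}
    # Pull out the frontend stanza whose bind ends in ":$port".
    stanza=$(awk -v port="$port" '
        function flush() { if (hit) print buf; buf = ""; hit = 0 }
        /^(frontend|backend|listen|defaults|global)( |$)/ {
            flush(); inblk = ($1 == "frontend")
        }
        inblk {
            buf = buf $0 "\n"
            if ($1 == "bind" && $2 ~ (":" port "$")) hit = 1
        }
        END { flush() }
    ' "$cfg")
    [ -n "$stanza" ] || { echo "no-frontend"; return 1; }

    if printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*bind .* ssl crt '; then
        echo terminate
    elif printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*mode tcp'; then
        echo passthrough
    else
        echo plaintext
    fi
}

# Constructed sample configs (not captured from a real vrouter agent).
# Addresses and the frontend id are reused from the bug's pasted config.
sample_cfg() {
    case $1 in
    plaintext)   bind_line='bind 11.1.0.4:443'; mode=http ;;
    terminate)   bind_line='bind 11.1.0.4:443 ssl crt /store/RSA4096.pem'; mode=http ;;
    passthrough) bind_line='bind 11.1.0.4:443'; mode=tcp ;;
    *) echo "unknown sample: $1" >&2; return 1 ;;
    esac
    cat <<EOF
global
    daemon

defaults
    log global

frontend c5866fb4-00a4-4d35-bed6-3ac2bdd13334
    $bind_line
    mode $mode
    default_backend ebf5f87a-b2a3-4b6c-946b-89e1f4df9fc0

backend ebf5f87a-b2a3-4b6c-946b-89e1f4df9fc0
    mode $mode
    balance roundrobin
    server 136b3567-4aa3-4cfc-9e57-c8069fa61260 12.1.0.12:8080 weight 1
EOF
}

# Demo: classify each constructed sample. Point classify_frontend at a real
# /var/lib/contrail/loadbalancer/<id>/etc/haproxy/haproxy.cfg to check a VIP.
tmpdir=$(mktemp -d)
for kind in plaintext terminate passthrough; do
    sample_cfg "$kind" > "$tmpdir/$kind.cfg"
    printf '%-12s -> %s\n' "$kind" "$(classify_frontend "$tmpdir/$kind.cfg")"
done
rm -rf "$tmpdir"
```

If the script reports "plaintext" for a VIP that is meant to serve HTTPS, the fix is on the neutron side, not in agent.conf: recreate the VIP (and pool) with `--protocol HTTPS` for termination in haproxy, or `--protocol TCP` for passthrough, and then re-check the regenerated haproxy.cfg.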
