Comment 2 for bug 1463512

Divakar Dharanalakota (ddivakar) wrote :

Following is our behavior:

1) We have a requirement to terminate SSL at the back end servers, but haproxy still needs to load balance the SSL packets.

2) If we want SSL termination to happen in the haproxy process, the VIP protocol should be chosen as HTTPS. The pool protocol also needs to be HTTPS. This is because neutron dictates that the protocol be the same in the frontend and backend. It does not mean it is end-to-end SSL. Packets to the backend will go as cleartext to the port that is configured on the pool member. (I think different pool members can listen on different port numbers, and haproxy will terminate SSL and send clear-text packets to the port that the particular member is listening on.) The moment the VIP protocol is https, Vrouter generates the haproxy config with SSL certificates (not because of port 443).

3) If we want SSL termination to happen in the back end pool members, configure the VIP and pool protocol as TCP and use VIP port 443. Backend pool members can listen on any port (including 443 and 80). This ensures that haproxy load balances the traffic but does not terminate SSL. Vrouter does not generate the haproxy config with SSL certs.

-Divakar

It has been tested as per above configuration and found to be working fine. So closing the bug.
-Divakar
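The two modes described in the comment, written out as an illustrative haproxy configuration (added here as an example; it is not the config that Vrouter or neutron generates, and the VIP address, member addresses and certificate path are assumed):

```haproxy
# Case A (item 3 above): VIP and pool protocol TCP, VIP port 443.
# haproxy forwards the TLS byte stream untouched: no certificate is loaded
# and each pool member terminates TLS itself, on whatever port it listens on.
frontend vip_tcp_443
    bind 10.0.0.10:443                  # VIP address (assumed)
    mode tcp
    default_backend pool_tcp

backend pool_tcp
    mode tcp
    balance roundrobin
    server member1 10.0.1.11:443 check  # member terminates TLS on 443
    server member2 10.0.1.12:8443 check # members may use different ports

# Case B (item 2 above): VIP and pool protocol HTTPS.
# haproxy terminates TLS with the configured certificate and forwards
# cleartext HTTP to the port configured on each member; this is not
# end-to-end SSL, so the haproxy-to-member network must be trusted.
frontend vip_https_443
    bind 10.0.0.10:443 ssl crt /etc/haproxy/certs/vip.pem   # path assumed
    mode http
    default_backend pool_http

backend pool_http
    mode http
    balance roundrobin
    server member1 10.0.1.11:80 check   # cleartext hop from haproxy
    server member2 10.0.1.12:8080 check # to the member's configured port
```

`haproxy -c -f <file>` validates either fragment without starting the proxy; in case A haproxy cannot inspect HTTP content, and in case B the member port must expect plain HTTP.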