relayd TLS load balancer for multiple websites


relayd TLS load balancer for multiple websites

mabi
Hi,

I was wondering if it is possible to use relayd as a load balancer with TLS termination for multiple different websites residing on different servers.

From reading the man page I understand that for this purpose I will need to use one "relay" entity per website which will then have its own "http protocol" entity. If this is correct, this means I will require one public IP address per website which seems to me a bit of a waste, hence my asking.

The alternative would be to have one "relay" entity but this means I can only have one "http protocol" entity assigned to it from my understanding. This also means that I would have to use one single SSL certificate file which includes every CN for each of my websites. My feeling tells me that this does not sound like good practice. Then how would relayd know that website www.website1.com has to be forwarded to the hosts in <table1> and that website www.website2.com has to be forwarded to the hosts in <table2>? Would you in the "http protocol" entity filter using the HTTP "Host" header (such as SNI)?

Sorry for all these questions but I am trying to find out the best way/good practice to set up a relayd TLS load balancer for different websites/webapps/domains and can't find much documentation about this specific case.

Note here that I will be using the acme-client for all of the domains.

Thanks for your input.

Best,
Mabi

Re: relayd TLS load balancer for multiple websites

Bryan Harris
Here is what I did, which I learned from the httpd & relayd book by Michael
W Lucas (I recommend).  I cannot remember why I set the top header options,
I must have been trying to learn about them.  The host ones are to figure
out the site and send the connection to the table above.

ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"

table <myself> { $int_addr }
table <website> {
  $vm1_addr
  $vm2_addr
  $vm3_addr
  $vm4_addr
}

# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
  # playing with these options
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Keep-Alive" value "$TIMEOUT"
  match request header set "Connection" value "close"

  match request header "Host" value "website.example.com" forward to <website>
  match request header "Host" value "example.com" forward to <myself>
  match request header "Host" value "www.example.com" forward to <myself>

}

relay wwwtls {
  # Run as a SSL/TLS accelerator
  listen on $ext_addr port 443 tls
  protocol https

  forward to <myself> port 80 check tcp
  forward to <website> port 80 mode loadbalance check tcp
}

V/r,
Bryan

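As an added illustration (not code from the post, and not relayd itself), the Python below models what the "http protocol https" block above does to a single request: the header rewrites first, then the exact-match Host rules choosing a backend table. The tables, addresses and host names are the example values from the config. Everything else is this model's assumption rather than documented relayd behaviour: "append" adds a further instance of the header alongside any the client sent, "set" replaces every existing instance, an explicit port on Host is dropped before matching, $SERVER_ADDR and $TIMEOUT are given placeholder values, and a request with no, duplicate or unknown Host gets no backend at all (the model fails closed; what relayd does with an unmatched Host is not shown here).

```python
# Constructed model (added example, not relayd code) of the posted protocol
# block: header rewrites, then an exact-match Host rule selects a backend table.
TABLES = {                       # tables from the posted relayd.conf
    "myself": ["127.0.0.1"],
    "website": ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"],
}
HOST_RULES = {                   # match request header "Host" value ... forward to <table>
    "website.example.com": "website",
    "example.com": "myself",
    "www.example.com": "myself",
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (request line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def header_values(headers, name):
    """All values of a header, matched case-insensitively by name."""
    return [v for n, v in headers if n.lower() == name.lower()]


def header_set(headers, name, value):
    """Model of 'set': every existing instance is replaced by one header."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()] + [(name, value)]


def header_append(headers, name, value):
    """Model of 'append': a further instance is added; a client-supplied one stays."""
    return headers + [(name, value)]


def dispatch(raw, client_ip, server_addr="192.0.2.1", server_port=443, timeout=600):
    """Apply the rules of 'http protocol https' to one request and return the chosen
    table, its hosts and the rewritten headers, or None when no Host rule matches.
    server_addr and timeout stand in for $SERVER_ADDR and $TIMEOUT (assumed values)."""
    request_line, headers = parse_request(raw)
    headers = header_append(headers, "X-Forwarded-For", client_ip)          # $REMOTE_ADDR
    headers = header_append(headers, "X-Forwarded-By", "%s:%d" % (server_addr, server_port))
    headers = header_set(headers, "Keep-Alive", str(timeout))
    headers = header_set(headers, "Connection", "close")

    hosts = header_values(headers, "Host")
    if len(hosts) != 1:
        return None                     # missing or duplicate Host: refuse, do not guess
    host = hosts[0].lower()
    if ":" in host and not host.endswith("]"):
        host = host.rsplit(":", 1)[0]   # assumption: drop an explicit port before matching
    table = HOST_RULES.get(host)
    if table is None:
        return None                     # fail closed: an unknown name gets no backend here
    return {"table": table, "backends": TABLES[table],
            "request_line": request_line, "headers": headers}
```

Feed dispatch() a request that already carries an X-Forwarded-For header and both values come back, the client's first: because the rule is append, nothing stops a client from planting its own value, so a backend must only trust the instance written by the relay (the last one), or the relay should use set instead when it is the only way in.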

Re: relayd TLS load balancer for multiple websites

mabi
Thanks Bryan for your example.

I saw in your example you only use the example.com domain. I would be using multiple domains such as example1.com, example2.com, exampleX.com, and so on. Would it also work in that case? Again I suppose here that I need to have all these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config parameter in a "relay" entity is used as backup in case the first "forward to" table is down. So one could think in your config that your second "forward to <website>" would be used as your backup table.

Finally what is the purpose of setting the Connection HTTP header to close as you have here below?

match request header set "Connection" value "close"


Re: relayd TLS load balancer for multiple websites

Marcus MERIGHI
In reply to this post by mabi
[hidden email] (mabi), 2017.09.28 (Thu) 13:32 (CEST):
> I was wondering if it is possible to use relayd as load balancer with
> TLS termination for multiple different websites residing on different
> server.

With a public IP per website: yes. Else: no.

reyk@, 2014-07-24, "no SNI yet"
https://marc.info/?l=openbsd-misc&m=140621533620964

recent thread:
https://marc.info/?l=openbsd-misc&m=150599591326006

Marcus

btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
from seeing these messages.
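To make the "no SNI" answer concrete: the name a browser wants is carried in the unencrypted TLS ClientHello, in the server_name extension of RFC 6066, and that arrives before any HTTP Host header exists, since the Host header is inside the encrypted stream. A TLS terminator that does not read server_name has to present the same certificate to every name on a listening address, which is why the answer comes down to one public IP per site. The Python below is an added example, not code from the thread or from relayd: it builds a minimal ClientHello with a server_name extension and parses the name back out, with bounds checks so a truncated record, a non-TLS record or a hello without extensions yields None instead of an exception. The cipher suites and fixed random are constructed values.

```python
import struct

SNI_EXT = 0x0000          # server_name extension type (RFC 6066)
HOST_NAME = 0             # NameType host_name


def build_client_hello(server_name=None, random32=b"\x11" * 32):
    """Constructed minimal TLS 1.2 ClientHello record. server_name=None omits the
    extensions block entirely, i.e. what a client without SNI support sends."""
    suites = b"\xc0\x2f\xc0\x30"              # two ECDHE-RSA-AES-GCM suites (constructed)
    body = b"\x03\x03" + random32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None
    if the bytes are not a complete ClientHello record carrying one."""
    if len(record) < 5 or record[0] != 0x16:           # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                    # truncated handshake
    p = 2 + 32                                         # skip client_version + random
    if p >= len(body):
        return None
    p += 1 + body[p]                                   # session id
    if p + 2 > len(body):
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher suites
    if p >= len(body):
        return None
    p += 1 + body[p]                                   # compression methods
    if p + 2 > len(body):
        return None                                    # no extensions at all
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = p + ext_len
    if end > len(body):
        return None
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        data = body[p:p + elen]
        p += elen
        if etype != SNI_EXT or len(data) < 2 or p > end:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(data)):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == HOST_NAME and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None
```

extract_sni() only ever looks at the first record, before any key exchange, which is exactly the window a terminator has to pick a certificate in: once the handshake continues, the choice is made, and the Host header that Bryan's rules match on is still encrypted at that point.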


Re: relayd TLS load balancer for multiple websites

mabi
Thanks for the pointer regarding SNI not being supported in relayd. I will go on and find another solution, probably HAproxy.


Re: relayd TLS load balancer for multiple websites

Darren Tucker
On 28 September 2017 at 06:32, mabi <[hidden email]> wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go on and find another solution, probably HAproxy.

For a small number of domains it would probably be feasible to get a
single certificate with multiple SANs.  Letsencrypt at least supports
this as long as all of the domains map (or can be made to map) to the
place requesting the certificate.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: relayd TLS load balancer for multiple websites

Comète-2
In reply to this post by mabi
On 28 September 2017 at 15:50, "mabi" <[hidden email]> wrote:

> Thanks for the pointer regarding SNI not being supported in relayd. I will go on and find another
> solution, probably HAproxy.

Hi,

I use Nginx for this, in production, since many years, it's simple and works well.

Comete


Re: relayd TLS load balancer for multiple websites

Stuart Henderson
In reply to this post by Darren Tucker
On 2017-09-28, Darren Tucker <[hidden email]> wrote:
> On 28 September 2017 at 06:32, mabi <[hidden email]> wrote:
>> Thanks for the pointer regarding SNI not being supported in relayd. I will go on and find another solution, probably HAproxy.
>
> For a small number of domains it would probably be feasible to get a
> single certificate with multiple SANs.  Letsencrypt at least supports
> this as long as all of the domains map (or can be made to map) to the
> place requesting the certificate.

With the dns-01 challenge type they don't need to be mapped to the same
place at all. Though the normal http-01 challenge requests don't use TLS,
so it should be easy enough to proxy them, even with relayd.