SSL handshake failure on HAProxy load balancer on WSO2 API cluster - wso2

I configured an API-M 2.5.0 cluster with an HAProxy load balancer following these manuals:
https://docs.wso2.com/display/CLUSTER44x/Configuring+HAProxy
https://docs.wso2.com/display/CLUSTER44x/Setting+up+a+Cluster
The LB doesn't work. I tried to use a self-signed certificate or a commercial cert for the LB, but when I restart haproxy I have errors in the logs:
localhost haproxy[95255]: Server as_wso2_com/node1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 10ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
I think the problem is in the CA cert or chain. I tried to use the CA cert in the HAProxy config; it didn't help. Any suggestions?
HAProxy config:
frontend ft_wrk
    default_backend bk_wrk
    bind wso2.com:80

backend bk_wrk
    balance roundrobin
    server node1 1.1.1.3:9763
    server node2 1.1.1.4:9763

frontend https-in
    bind *:443 ssl crt /etc/haproxy/1.pem
    acl is_mgt hdr_beg(host) -m beg 1.1.1.2
    acl is_wrk hdr_beg(host) -m beg 1.1.1.3
    use_backend mgt_as_wso2_com if is_mgt
    use_backend as_wso2_com if is_wrk
    default_backend as_wso2_com

backend as_wso2_com
    balance roundrobin
    server node1 1.1.1.3:9443 check ssl verify none
    server node2 1.1.1.4:9443 check ssl verify none

backend mgt_as_wso2_com
    server server1 1.1.1.2:9443 check ssl verify none
I tried to load balance the API with Nginx, but I have errors with the SSL cert too. I created a question about it:
SSL certificate error on Nginx load balancer on WSO2 API cluster. I didn't get a reply.

The problem was in mTLS on the API; I disabled mTLS and it works.
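The "Layer6 invalid response, SSL handshake failure" in the log above does not say why the handshake died, and the answer turned out to be mutual TLS. The following probe, an added example that is not from the question, the answer or the WSO2/HAProxy docs, reads an openssl s_client transcript of a backend (the host:port values and the sample transcripts are constructed for illustration) and reports whether the node demanded a client certificate:

```shell
#!/bin/sh
# Added example, not from the original question or the WSO2/HAProxy docs.
# HAProxy's "Layer6 invalid response ... SSL handshake failure" only says the
# TLS handshake died. This probes a backend with openssl s_client and tells
# "the node demands a client certificate (mTLS)" apart from other failures.

# classify_handshake TRANSCRIPT -- TRANSCRIPT is the combined stdout+stderr of
#   openssl s_client -connect HOST:PORT -state </dev/null
# Prints: mtls-required, mtls-optional, no-client-cert-asked or unknown.
classify_handshake() {
  t=$1
  if printf '%s\n' "$t" | grep -q 'read server certificate request'; then
    # Server sent a CertificateRequest; if it then aborted because s_client
    # answered with an empty certificate, client authentication is mandatory.
    if printf '%s\n' "$t" | grep -qE 'alert (handshake failure|bad certificate|certificate required)'; then
      echo mtls-required
    else
      echo mtls-optional
    fi
  elif printf '%s\n' "$t" | grep -q 'read finished'; then
    echo no-client-cert-asked   # handshake completed, mTLS not involved
  else
    echo unknown                # e.g. plain-HTTP port, TCP reset, timeout
  fi
}

# probe HOST:PORT -- run the live check against a backend, e.g. 1.1.1.3:9443
probe() {
  t=$(openssl s_client -connect "$1" -state </dev/null 2>&1) || true
  classify_handshake "$t"
}

# Constructed transcripts (not captured from a real WSO2 node). First: a TLS 1.2
# server that requests a client certificate and rejects the empty one it gets.
SAMPLE_MTLS='SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL3 alert read:fatal:bad certificate
SSL_connect:error in error
SSL routines:ssl3_read_bytes:sslv3 alert bad certificate'
# Second: a server that completes the handshake without asking for one.
SAMPLE_PLAIN='SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS read finished
SSL handshake has read 1234 bytes and written 456 bytes'

if [ "$#" -eq 1 ]; then probe "$1"; fi   # usage: sh probe.sh 1.1.1.3:9443
```

If the probe reports mtls-required, HAProxy can satisfy the backend instead of mTLS being switched off: adding `crt /path/to/client.pem` (certificate and key concatenated) to the `server ... ssl` lines makes both the health check and proxied connections present a client certificate. The posted `verify none` also means HAProxy never validates the node's certificate; `verify required ca-file <ca.pem>` restores that check once the chain is sorted out.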

Related

AWS Elasticbeanstalk Returns HTTP 503 For HTTPS Requests

I recently had to update my SSL certificate for my AWS Elasticbeanstalk. After the SSL certificate was updated, it started returning an HTTP 503 error if I used HTTPS. It used to work fine earlier with HTTPS.
Finally figured out that when I changed my SSL certificate, the HTTPS out port 443 was somehow mapped to inbound port 443 instead of port 80. All communication between the load balancer and EC2 happens over HTTP on port 80. The load balancer, which takes requests from the external internet, takes HTTPS on port 443. So ensure the internal port mapping is 80 with HTTP and the external is 443 with HTTPS.

Nginx Controller on GKE with TCP Load Balance timeout

I have an nginx ingress controller on GKE; it is behind a TCP LB from GCP.
We have some requests that take longer than 30s to process, and the TCP LB seems to be killing the connection at around this timeout (30~35s).
How can I change the LB timeout?
Any other workaround so that the LB does not close the connection would be helpful too. (Maybe have nginx send some packet to keep alive?)
Observation: the HTTP LoadBalancer has this config, I know. But I need it on TCP. In fact, this ingress controller was installed according to these docs on GCP:
https://cloud.google.com/community/tutorials/nginx-ingress-gke

Kubernetes nginx ingress proxy pass to websocket

We are running a Rails application with unicorn and websockets.
We are using AWS ELB as ingress.
SSL terminates on the ELB, which forwards traffic to the application.
The Nginx ingress routes traffic to the web app running unicorn/puma on port 8080.
The app works but our websocket responds with 200 instead of 101. We have enabled CORS and used the required annotations in the ingress.
These are the annotations used for the ingress controller service:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:iam::xxx:server-certificate/staging
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
When we use the AWS load balancer protocol as tcp and the load balancer ports as 443, it fails with an infinite redirect loop.
The following are the annotations used in the ingress:
    nginx.ingress.kubernetes.io/service-upstream: true
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    ingress.kubernetes.io/force-ssl-redirect: "true"
Our sample nginx configuration we used earlier without ingress is here
How to get websockets working with the nginx ingress controller with AWS ELB?
Is it possible to try without CORS?
Part of the handshake is that the client must send at least these headers:
    Sec-WebSocket-Key
    Sec-WebSocket-Version
And maybe something else. Look at https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#The_WebSocket_Handshake

Setting up elb with aws with ssl cert

I have an ELB set up in AWS:
1. TCP port 443 forwards to port 8080 on the instance (nginx)
2. www.example.com points to the ELB DNS
3. myserver.mydomain is my instance hostname
Now I have set up SSL on the ELB for the domain www.example.com.
Now for SSL on nginx so that all communication is SSL. I want to know:
Do I need to upload the SSL for www.example.com or myserver.mydomain or its IP address on nginx?
OK, as per your comment, if you want SSL from the server side too, then these are the two steps you need to follow.
Upload the SSL for "www.example.com" on your server and configure nginx to serve on port 443.
Change the ELB listeners from 443-80 to 443-443.
And it will work.

HTTPS on a EC2 instance

I have an EC2 instance on Amazon (AWS). The instance is behind an ELB (Elastic Load Balancer). I want to allow HTTPS connections to reach the EC2 instance.
Is it necessary to have the load balancer configured for HTTPS, i.e., to check the certificates etc., or can this just be done traditionally within the EC2 instance and virtual host SSL configuration?
The reason I'm asking is because I have allowed traffic via ELB -> EC2 for ports 80 and 443, but only port 80 reaches the instance.
EDIT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00021s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    443/tcp  open  https
    3306/tcp open  mysql
EDIT 2
Here is my other Stack Overflow question explaining the bigger problem I have, which is why I opened this question: HTTPS only works on localhost
Check whether any application is running on port 443.
Use this command to check:
    nmap -sT -O localhost
EDIT
Add the certificate files on the server and then upload them to IAM using the command:
    aws iam upload-server-certificate --server-certificate-name my-server-cert \
        --certificate-body file://my-certificate.pem --private-key file://my-private-key.pem \
        --certificate-chain file://my-certificate-chain.pem
For more info check this:
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html