We have several applications behind an F5 load balancer now. The SSL is terminated at the F5 load balancer, and the traffic is sent back to the server nodes as plain unencrypted http traffic.
Can the WSO2 Identity Server nodes be configured behind an F5, so that all traffic is plain unencrypted HTTP traffic, and the F5 handles the SSL?
If that is not the way WSO2 Identity Server is designed to work, could you please describe, in general terms, how to load balance WSO2 behind a physical load balancer like an F5? Or if you have any links to documents about other load balancers, that would be ideal.
I have found some guides showing how to use Apache or ELB, but they are not translating well to an F5. The F5 is designed to act as a true proxy.
WSO2 Carbon products support the HTTP/HTTPS protocols by default, and since the F5 supports both HTTP and HTTPS, you can configure this. So, as you would with other servers, map the IP address and port to the services you want to expose from the WSO2 Carbon products.
This document explains how to do it with Nginx. Hope this will be useful.
Yes, the F5 can do SSL offloading. If you are concerned about the cost of SSL certificates, you could use self-signed certificates on your Identity Server nodes.
In our installation, we install the same SSL certificate (e.g., for secure.example.com) on the F5 and all the Identity Server nodes.
Hope this helps!
First of all, I'm in no way an expert at security or networking, so any advice would be appreciated.
I'm developing an iOS app that communicates with an API hosted on an AWS EC2 Linux machine.
The API is deployed using **FastAPI + Docker**.
Currently, I'm able to communicate with my remote API using HTTP requests to my server's public IP address (after opening port 80 for TCP) and transfer data between the client and my server.
One of my app's features requires sending a private cookie from the client to the server.
Since having the cookie allows potential attackers to make requests on behalf of the client, I intend to transfer the cookie securely with HTTPS.
I have several questions:
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
The FastAPI "Deploy with Docker" docs recommend this article for implementing TLS for the server (using Docker Swarm Mode and Traefik). Is that guide relevant for my use case?
In that article, it says Define a server name using a subdomain of a domain you own. Do I really need to own a domain to implement HTTPS? Can't I just keep using the server's IP address to communicate with it?
Thanks!
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
With HTTP, all traffic between your clients and the EC2 instance is in plain text. With HTTPS the traffic is encrypted, so it is secure.
FastAPI "Deploy with Docker"
Sadly can't comment on the article.
Do I really need to own a domain to implement HTTPS?
Yes. SSL certificates can only be registered for domains that you own. You can't get a certificate for a domain that is not yours.
I am having an issue setting up Apache NiFi behind AWS ALB. I can currently access the UI when hitting the server's public IP address directly but have been unsuccessful getting it working behind the ALB. It does work behind the ALB when HTTPS is not setup in NiFi. It fails to work when NiFi https is enabled with certificate authentication. Any help is appreciated. Thank you.
The ALB is not going to pass the client certificate to the server. If you want to use client certificate authentication, you will have to switch to an NLB with TCP passthrough, at which point the NiFi server will be serving an SSL certificate directly to the client, and the client's certificate will be passed through the load balancer to the NiFi server.
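As an added illustration of the NLB passthrough setup described in that answer (this Terraform is not from the original post or from the NiFi project; the VPC, subnet and instance IDs are placeholder variables, and 9443 is assumed to be the port NiFi's nifi.web.https.port is set to):

```hcl
# Added example: an NLB that forwards TCP/443 untouched to NiFi, so NiFi itself
# terminates TLS and therefore sees the client certificate. All var.* values are
# placeholders for this example.

resource "aws_lb" "nifi" {
  name               = "nifi-nlb"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "nifi_tls" {
  name        = "nifi-tls"
  port        = 9443     # assumed NiFi HTTPS port (nifi.web.https.port)
  protocol    = "TCP"    # TCP, not TLS: the NLB must not decrypt the stream
  vpc_id      = var.vpc_id
  target_type = "instance"

  # A TCP-level health check: an HTTPS health check would require the NLB to
  # present a client certificate, which it cannot do.
  health_check {
    protocol = "TCP"
  }
}

resource "aws_lb_listener" "nifi_tls" {
  load_balancer_arn = aws_lb.nifi.arn
  port              = 443
  protocol          = "TCP"  # a "TLS" listener would terminate TLS here and drop the client cert

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nifi_tls.arn
  }
}

resource "aws_lb_target_group_attachment" "nifi" {
  target_group_arn = aws_lb_target_group.nifi_tls.arn
  target_id        = var.nifi_instance_id
  port             = 9443
}
```

Two checks worth doing once this is up: the certificate NiFi presents must carry the DNS name clients actually connect to (the NLB's DNS name or a CNAME pointing at it), since clients now validate NiFi's certificate rather than one on the load balancer; and because requests arrive with a Host header that is not NiFi's own address, that hostname has to be listed in nifi.web.proxy.host in nifi.properties or NiFi will reject the request.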
Greetings
I have created the Certificate through Certificate Manager in AWS, the free one. And successfully verified as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued and Is Used? shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without the http:// prefix, it works, but when I type "mydomain.com" with the https:// prefix, it does not work.
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes that.
Can anyone share this experience? I would really appreciate it.
Looking forward to your reply, and thanks.
You do not need to set up SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer, listen on HTTPS but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to set up SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.
I have set up two elastic load balancers with two target groups in a similar configuration. One is a "network" ELB and the other is an "application" ELB. I've registered the SPN for each, set up IIS app pools appropriately, etc. The network ELB works but the application ELB makes the client browser present an authentication challenge prompt.
In both cases the server returns a WWW-Authenticate: Negotiate response initially.
Can someone explain to me what about the way Kerberos works makes these two scenarios different?
I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end to end SSL/HTTPS encryption for my application.
It seems to me the simplest way to ensure that traffic is encrypted the entire way between clients and the web servers is to terminate the HTTPS connection on the web servers.
My first question: Is it possible to pass through HTTPS traffic through an AWS Application Load Balancer to the web servers behind the load balancer in this manner?
From what I've gathered from the AWS documentation, it is possible to pass traffic through in this manner with a Classic Load Balancer (via TCP pass-through). However, the Application Load Balancer looks like it wants to terminate the HTTPS connection itself, and then do one of the following:
send traffic to the web servers unencrypted, which I can't do for compliance reasons
create a new HTTPS connection to the web servers, which seems like extra work load
My second question: is that understanding of the documentation correct?
Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.
If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.
I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.
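As an added example covering both of the load-balancer answers above (the IIS/ELB offload answer and this ALB end-to-end answer), here is the same Application Load Balancer expressed two ways in Terraform. This is not from either original post; var.vpc_id, var.subnet_ids, var.alb_security_group_id, var.acm_certificate_arn and the /healthz path are placeholder assumptions for this example.

```hcl
# Added example: one public HTTPS listener holding an ACM certificate, with two
# target-group variants. Variant A offloads TLS at the ALB (instance speaks plain
# HTTP/80). Variant B re-encrypts to the instance's own HTTPS/443 for end-to-end
# encryption. All var.* values are placeholders.

resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [var.alb_security_group_id]
}

# Variant A: TLS offload. The ALB decrypts; the web server sees plain HTTP.
resource "aws_lb_target_group" "offload" {
  name     = "web-offload"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

# Variant B: end-to-end encryption. The ALB opens a new TLS connection to the
# instance. The instance certificate may be self-signed: the ALB does not
# validate target certificates, so only the encryption (not the identity of
# the backend) is provided by this hop.
resource "aws_lb_target_group" "reencrypt" {
  name     = "web-reencrypt"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/healthz"   # assumed health endpoint
  }
}

# Public HTTPS listener. Point default_action at "offload" for variant A or
# "reencrypt" for variant B.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.reencrypt.arn
  }
}

# Redirect plain HTTP to HTTPS so clients do not keep using port 80 by accident.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

With variant A the web server only ever sees HTTP, so anything that builds absolute URLs, sets Secure cookies or redirects to HTTPS must read the X-Forwarded-Proto header the ALB adds, and should trust it only from the load balancer's addresses. With variant B, restrict the instance's security group so that port 443 is reachable from the ALB's security group alone; since the ALB does not check the backend certificate, network-level restriction is what keeps something other than your web server from answering on that port.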