
HTTPS Load Balancing

HTTPS load balancing requires an SSL certificate and the associated key pair. This page describes how to set it up.
Note that in HTTPS offload pools client-side traffic uses HTTPS and server-side traffic uses HTTP. For additional information on HTTPS offload pools, see the Load Balancing Pool Types page.

Note also that a pool's type can't be changed from http to https just by changing its port value via the manage-lb-pool modify command. You have to create a new pool with the type specified as https (refer to the manage-lb-pool man page for details of the command options).

1. Start an Instance

Reserve an available server and launch an instance as usual via the manage-server reserve and manage-instance launch commands (see the manage-server and manage-instance wiki man pages). When the instance status has changed from "starting" to "running", log in to the instance as usual:

$ ssh -i key.pem root@8.19.73.92

(It is assumed here that you use key.pem as the private key file for logging in to your instances.)

2. Install and Configure Your Web Server

Install Apache (the package name is "httpd"):

[root@newinstance ~]# yum install httpd

Make Apache start automatically on reboot:

[root@newinstance ~]# chkconfig httpd on
[root@newinstance ~]# /sbin/service httpd start
Starting httpd:                                            [  OK  ]
[root@newinstance ~]# /sbin/service httpd status
httpd (pid 4051 4050 4049 4048 4047 4046 4045 4044 4042) is running...

Let's create a dummy web page on the server to check that our installation works:

[root@newinstance ~]# echo "Hello World, this is instance one" > /var/www/html/index.html
[root@newinstance ~]# curl http://localhost/index.html
Hello World, this is instance one

Now install the SSL module for Apache (mod_ssl):

[root@newinstance ~]# yum install mod_ssl

3. Configure SSL Using Self-signed Certificate

(For a certificate signed by a certificate authority, see Configure SSL Using Authorized Certificate and Certificate Chains below.)

We have to alter the SSL configuration by editing the /etc/httpd/conf.d/ssl.conf file (installed with the mod_ssl module) to make the web server aware of the certificate.

We also need to generate a key pair; for a self-signed certificate we act as our own Certificate Authority (CA) and sign the certificate with that key.
Here are the basic steps to create a self-signed certificate:

1. Create an RSA key and a certificate signing request:

[root@newinstance ~]# openssl req -new > cert.csr

After setting the passphrase and answering several questions, we get two files: cert.csr and privkey.pem.

2. Remove the passphrase from the key (you need to enter the passphrase set in step 1):

[root@newinstance ~]# openssl rsa -in privkey.pem -out server.key

3. Convert the request into a self-signed certificate:

[root@newinstance ~]# openssl x509 -in cert.csr -out server.crt -req -signkey server.key -days 1825

(Use whatever number of days you need.)

4. Now we have a private key without a passphrase. Set restrictive permissions on it:

[root@newinstance ~]# /bin/chmod 600 server.key

5. Move the certificate and key to the place they belong (the key file is server.key, as referenced in ssl.conf below):

[root@newinstance ~]# mv server.crt /etc/pki/tls/certs/
[root@newinstance ~]# mv server.key /etc/pki/tls/private/

Configure the basics in ssl.conf:

[root@newinstance ~]# vi /etc/httpd/conf.d/ssl.conf

(The path and filename /etc/httpd/conf.d/ssl.conf are correct for CentOS 5.)

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn
    SSLEngine on
    # No SSL v2; Apache does not allow trailing comments on a directive line,
    # so the comment has to sit on its own line.
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
</VirtualHost>

Restart the web server:

[root@newinstance ~]# /sbin/service httpd restart
Starting httpd:                                            [  OK  ]

Next we need to temporarily open port 443 to our instance via the manage-vlan tool.
Let's query the instance on port 443 directly (no load balancing yet):

[root@newinstance ~]# curl -k https://localhost

The -k option lets curl perform an "insecure" SSL connection, i.e. accept our self-signed certificate without validating it.

4. Configure SSL Using Authorized Certificate and Certificate Chains

This is not much different from the previous step, except that we already have a signed certificate (server.crt), a key (server.key), and a chain certificate (intermediate_bundle.crt) issued by some Certification Authority.

Let's check whether the passphrase has been removed from the key file (the API does not currently support passphrase-encrypted private keys):

[root@newinstance ~]# openssl rsa -noout -text -in server.key

If the key was created with a passphrase, a prompt to enter it will appear. In that case, remove the passphrase as follows:

[root@newinstance ~]# openssl rsa < server.key > server_no_pass.key

Enter the existing passphrase when prompted. We now have a new key file without a passphrase; the original key file remains unchanged.

Set permissions:

[root@newinstance ~]# chmod 600 server_no_pass.key

Move the certificates and key to the right place (all files are already on the instance, so this is a local move):

[root@newinstance ~]# mv server.crt intermediate_bundle.crt /etc/pki/tls/certs/
[root@newinstance ~]# mv server_no_pass.key /etc/pki/tls/private/
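Before wiring these files into ssl.conf and the pool (this applies equally to the self-signed material from the previous section), it is worth checking them once, since a passphrase-protected key, a key that does not belong to the certificate, or a broken chain only surfaces later as a failed Apache restart or pool creation. The following script is an added example, not part of this page or the provider's tooling; it assumes only that openssl is installed, and all file names it generates in demo mode are throwaway values constructed for the run.

```shell
#!/bin/sh
# Pre-flight check for HTTPS load-balancing material (added example, assumes openssl).
# Verifies the four things that make mod_ssl or manage-lb-pool create fail later:
#   1. the private key carries no passphrase (the API rejects encrypted keys)
#   2. the certificate and key belong together (same public key)
#   3. the certificate validates against the chain (or itself, if self-signed)
#   4. the certificate is not within 30 days of expiry
check_lb_material() {
    cert=$1; key=$2; chain=${3:-$1}   # no chain given: self-signed, trust itself
    if grep -q ENCRYPTED "$key"; then  # PKCS#1 and PKCS#8 encrypted keys both say ENCRYPTED
        echo "FAIL: $key is passphrase-protected; run: openssl rsa -in $key -out key.nopass" >&2
        return 1
    fi
    certpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$certpub" != "$keypub" ]; then
        echo "FAIL: $cert and $key do not match" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $chain" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days" >&2
        return 1
    fi
    echo "OK: $cert / $key ready for the pool"
}

# Constructed demo material: a good self-signed pair and a passphrase-protected
# key, written to a temp directory. Prints the directory name.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    openssl genrsa -aes128 -passout pass:demo -out "$dir/locked.key" 2048 >/dev/null 2>&1
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_material)
    check_lb_material "$d/server.crt" "$d/server.key"          # expected: OK
    check_lb_material "$d/server.crt" "$d/locked.key" || true  # expected: FAIL (passphrase)
fi
```

Run it as `sh check.sh --demo` to see both outcomes, or call check_lb_material with the real server.crt, server_no_pass.key and intermediate_bundle.crt paths.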

Configure the basics in ssl.conf on your instance:

[root@newinstance ~]# vi /etc/httpd/conf.d/ssl.conf

(The path and filename /etc/httpd/conf.d/ssl.conf are correct for CentOS 5.)

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn
    SSLEngine on
    # No SSL v2; Apache does not allow trailing comments on a directive line,
    # so the comment has to sit on its own line.
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server_no_pass.key
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate_bundle.crt
</VirtualHost>

Restart the web server:

[root@newinstance ~]# /sbin/service httpd restart
Starting httpd:                                            [  OK  ]

5. Load Balancing Instances

Load balancing an HTTPS pool is just like load balancing an HTTP pool, with two exceptions:
1) When you create the pool, you must use the --type parameter to select "https". Otherwise the default "http" pool type will be set, and the type cannot be modified later.
2) You must use port 443 instead of the standard HTTP port 80.

First we need to reserve a virtual IP to assign to the pool (see the manage-lb-ip list and manage-lb-ip reserve commands).

For example:

[root@newinstance ~]# manage-lb-pool create --name my-pool --ip LAX1:8.19.72.223 --certificate server.crt --key server_no_pass.key --chain intermediate_bundle.crt --port 443 --type https --username <USERNAME>
LB pool created:
id: 87
name: my-pool

Add instances to the pool:

[root@newinstance ~]# manage-lb-pool add-node --name=my-pool --node=8.19.73.92:443 --username <USERNAME>
LB pool 'my-pool (87)' with IP address 8.19.72.223
Node 8.19.73.92:443 added

Note: do not assign port 80 instead of 443 for an HTTPS load-balancing pool, as it won't work.  If you don't specify any port number, port 443 will be assigned automatically.

Next, repeat the add-node step for each other node that should be added to the pool.

Check that the load balancer sees your instances as healthy by using the "manage-lb-pool status" command:

[root@newinstance ~]# manage-lb-pool status --name=my-pool --username <USERNAME>
LB pool 'my-pool (87)' with IP address 8.19.72.223
SSL certificate is set
.-----------------------------------------.
| Nodes                                   |
+-------------+------+--------------------+
| ip          | port | status             |
+-------------+------+--------------------+
| 8.19.73.92  | 443  | MONITOR_STATUS_UP  |
'-------------+------+--------------------'

All set.  Now we can check our HTTPS balancer from the outside.

If you have problems with your certificate, check the following page: SSL Certificate and HTTPS Load-Balancing Problems.
As always, please create a ticket at https://portal.xandr.com/ or contact us at support@xandr.com if you have any questions or concerns.
