Rancher SSL behind F5

I feel like I’m so close to getting this working. I’m running rancher server 1.3 now (was running 1.2.2) hoping the newest version would fix the problem but it hasn’t. I have done a new install behind an F5 with three nodes. I can log in fine via http (80). When I try over https, it kicks me back to the login screen with no message. This is with localauth authentication enabled. I’ve gone through the installation instructions many times and can’t find anything I’ve missed. I feel like it has to be something on the F5, but I’m not sure as I don’t manage that system here. Right now the F5 is only using the certificate on the public side. Does that need to exist on the side for the nodes as well? We had that configured before and it didn’t seem to work at all. In the instructions there is a reference to doing the setup the same as for an external DB with one additional command for the load balancer.

“Running Rancher server in High Availability (HA) is as easy as running Rancher server using an external database, exposing an additional port, and adding in an additional argument to the command for the external load balancer.”

What is that referring to?

Any help would be appreciated.

Thanks!

It sounds like you only have an HTTP VIP on the F5. On the F5 there need to be two VIPs, one for port 80 HTTP and one for port 443 HTTPS. You will need to use the default iRule - _sys_https_redirect - on the HTTP VIP to redirect incoming traffic from the HTTP VIP to the HTTPS VIP.

Phillip, thanks for the response! I just confirmed that this is what we already have in place. Does the certificate need to exist on both sides of the configuration? Not sure if that makes sense. In the previous version of Rancher HA, we had to have it in both places. It wasn’t mentioned in the instructions for this version. While the older version seemed to be much more bloated and took longer to get going, it did work. I haven’t yet been able to log in via HTTPS with 1.2+.

I don’t run Rancher HA, so I’m not sure about the cert, but… the typical scenario for SSL offloading is that the cert only exists on your LB. The HA setup may have a dep on SSL communication between the nodes/services that make up the HA cluster.

I have tried adding the cert to both sides now and that appears to break it completely. I can confirm that it is currently redirecting all traffic from 80/443->8080. I still only get the login screen. When I try to log in with a known good account, it simply flashes and goes back to the login screen with no errors. I don’t see any feedback in the docker logs via "docker logs -f "

As noted here, you need to insert a few headers (presumably with an iRule) on the F5: https://docs.rancher.com/rancher/v1.2/en/installing-rancher/installing-server/basic-ssl-config/

I’d also recommend Strict-Transport-Security: max-age=31536000; includeSubDomains; preload to minimise the chance of any redirects if the above are ignored for any reason.


That was it! It took a while for the guy that manages that system to get the headers right, which is why I haven’t responded until now. It’s up and working though.

Thanks everyone for your help!


Would it be possible for you (or someone) to post the iRule you are using (with all of the identifying data stripped) to rewrite the headers, perchance?

I’m having issues with sessions returning 401 authing through Active Directory if I attempt to log in from a URI that isn’t the site root (for instance, the incorrect-password return URI), and I’m almost positive it’s the header rewrite.

I’m also having issues with an incorrect DETECTED_CATTLE_AGENT_IP being detected upon host registration, which I’m nearly positive is caused by the F5 not inserting the client IP into the XFF header.

Thanks!
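An example iRule for the HTTPS VIP that inserts the headers the header-rewrite post above refers to and also covers the X-Forwarded-For question in the last post. It is added here as an illustration and was not posted by anyone in this thread. It assumes TLS is terminated on the F5, that the VIP listens on 443 and forwards plain HTTP to the Rancher server pool, and it uses the header names from the Rancher SSL doc linked above (X-Forwarded-Proto, X-Forwarded-Port, X-Forwarded-For); the HSTS line is the value suggested earlier in the thread.

```tcl
# Example iRule for the HTTPS (443) virtual server in front of Rancher server.
# Assumptions: SSL offload on the F5, backend pool speaks plain HTTP.
when HTTP_REQUEST {
    # Rancher builds its redirect, cookie and callback URLs from the
    # forwarded scheme/port, so overwrite whatever the client sent rather
    # than trusting a client-supplied value. "replace" inserts the header
    # when it is absent.
    HTTP::header replace X-Forwarded-Proto "https"
    HTTP::header replace X-Forwarded-Port "443"

    # Put the real client address into X-Forwarded-For so host registration
    # sees the right source IP. Keep any existing upstream chain but append
    # the address the F5 actually saw, so the last hop cannot be forged.
    if { [HTTP::header exists X-Forwarded-For] } {
        HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
    } else {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}

when HTTP_RESPONSE {
    # HSTS, only on the HTTPS VIP (never on the port-80 redirect VIP),
    # so browsers stop following any stray http:// redirect.
    HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}
```

The HTTP (80) VIP keeps the stock _sys_https_redirect iRule mentioned earlier and needs none of this. The X-Forwarded-For block can be replaced by enabling "Insert X-Forwarded-For" in the HTTP profile attached to the VIP if you prefer a profile setting over an iRule. After attaching the iRule, confirm what Rancher actually receives before testing login: a request through the F5 should arrive at the container with X-Forwarded-Proto "https" and X-Forwarded-For containing your client address, which is the quickest way to separate an F5 header problem from an auth problem.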