Request host on loadbalancer doesn't work as expected might I be doing something wrong?

zot24 · July 19, 2016, 12:11pm

I got the following on my docker-compose.yml file:

ports:
    - 443:443/tcp
    - 5000:5000/tcp
  labels:
    io.rancher.loadbalancer.target.sslproxy: portus.my.domain:443=443
    io.rancher.loadbalancer.target.registry: registry.my.domain:443=443,5000=5000

I’m expecting to be able to request https://registry.my.domain and https://registry.my.domain:5000 and be able to access to the registry container and at the same time be able to do https://portus.my.domain and access to the sslproxy container that will terminate SSL and connect to portus container.

I’m following the Advance Load Balancer rules on Rancher documentation trying to achieve this -> http://docs.rancher.com/rancher/latest/en/cattle/adding-load-balancers/#advanced-load-balancing-l7 but I just can’t, am I doing something wrong? is this not the expected behavior when adding the <REQUEST_HOST>?

Thanks

zot24 · July 19, 2016, 12:52pm

As a temporary fix I’m just letting the sslproxy to redirect traffic from registry.my.domain:443 to registry.my.domain:5000 but that’s not what I want I don’t want to relay on that extra container just to redirect.

Notice: that I don’t need SSL termination on the registry url what I want it’s be able query registry.my.domain as if I were querying registry.my.domai:5000 and my registry have the secure flag turned on so it needs to be https

denise · August 3, 2016, 5:27am

For every service specified on the load balancer, it is registered for every load balancer listening port.

So for your case, I think you’d need to add in a dummy routing rules

http://docs.rancher.com/rancher/latest/en/cattle/adding-load-balancers/#examples-of-using-multiple-ports-in-advanced-routing-options

zot24 · August 3, 2016, 7:11am

Thanks @denise!

My last question will be is it not possible to use the same ports? and just rely on the domain name to do the routing? like:

ports:
    - 443:443/tcp
  labels:
    io.rancher.loadbalancer.target.portus: portus.my.domain:443=443
    io.rancher.loadbalancer.target.registry: registry.my.domain:443=443

vincent · August 3, 2016, 8:04am

Only if you do SSL termination at the balancer so it can extract the HTTP Host header from the decrypted request.

(It is actually possible to do hostname routing for SSL requests without termination by looking at the SNI portion of the TLS handshake, but that is not supported yet. I think that made it into the new refractors balancer for 1.2, @alena?)

alena · August 3, 2016, 4:36pm

@vincent yes, SNI routing will be a part of LB refactor

Topic		Replies	Views
[Solved] Rancher Load Balancers and SSL Rancher 1.x	3	1293	November 27, 2016
V1.2 Loadbalancer virtual hosts Rancher 1.x	2	1234	December 18, 2016
SSL magic with a load balancer Rancher 1.x	3	1298	June 3, 2016
Load Balancer not allowing both HTTP and HTTPS rules Rancher 1.x	7	2625	April 21, 2017
Setup Rancher Server / Rancher LoadBalancer Rancher 1.x	4	1090	April 1, 2016

Request host on loadbalancer doesn't work as expected might I be doing something wrong?

Related Topics