SSL enabled ports behind the load balancer

I had to go into the haproxy config on an LB I’d created and manually set the backends to be ssl enabled. I also turned ssl-verify to none in the global section.

Am I missing something on the web interface that would let me configure a backend as ssl?

The current options are:

  • SSL passthrough, using a TCP listener instead of HTTP.

    • request --ssl--> balancer --same-ssl--> container.
    • The balancer has no idea what’s in the request (so you can’t use advanced routing rules) and just sends it to one of the backends.
  • SSL termination on the balancer.

    • request --ssl--> balancer --plaintext--> container.
    • The balancer has the cert and decrypts the request, so it can make routing decisions based on it, add stickiness cookies, etc.

We do not currently have a way to do termination + re-encryption (request --ssl--> balancer --different-ssl--> container). I know that’s an option that things like ELB have, but the communication from the balancer to the container is already running over an encrypted IPSec tunnel.

As I said in IRC, what you might actually need is just setting the target port to 80. If the target port is blank it defaults to the same as the source port, which if your server is also listening on 443 will send unencrypted requests to the encrypted port.

Thanks for the information

Are there plans to add this functionality?

I am working on using a suite of products from WSO2, which require, even when fronted by an SSL terminating load balancer, that the traffic hitting the product come in through SSL. I have attempted to route it to the HTTP port (9763), but it always tries to redirect back to the SSL port (which then puts us in a redirect loop). For some parts of it, it would probably be okay to just do SSL pass through, but other parts do require session stickiness, which cannot be done with SSL pass through.

While we can’t commit to a date, we do review the list of feature requests frequently in GitHub. If you could create a request in GitHub, that’d be great.

Done :) Issue #2448.

Thank you for your support!

Is there a way to make the container know it has been SSL terminated?
So for example I can enable http to https redirection at container level

@alex88 I don’t believe there is a way at this time. I believe #2448 is the enhancement request for what you are asking for.

To me that seems to have SSL on the LB -> container connection. My idea was to either add a header to the container requests from the LB that states the request was SSL terminated on the LB side

@alex88 SSL terminated HTTP requests have 2 headers added:

X-Forwarded-For: <ip> tells you the IP address that made the original request (since the request the target service sees will be from the load balancer’s IP)

X-Forwarded-Proto: https tells you that the request was originally SSL.
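Checking those two headers on the container side, as an added example (Python; not code from Rancher or from anyone in this thread): it honours X-Forwarded-Proto and X-Forwarded-For only when the request actually arrives from the balancer's own address range, because any other peer can set those headers itself, and it builds the http-to-https redirect @alex88 asked about. The 10.42.0.0/16 range and the host names are constructed placeholders.

```python
import ipaddress
from typing import Mapping, Optional

# Source addresses of the load balancers allowed to set X-Forwarded-* headers.
# Constructed placeholder range; replace with the balancer's real addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.42.0.0/16")]


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is one of our balancers, the only source trusted for X-Forwarded-*."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_scheme(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Scheme the original client used: 'https' only when a trusted balancer says it terminated TLS."""
    if not is_trusted_proxy(peer_ip):
        return "http"  # a direct client could forge the header, so ignore it
    # Chained proxies may send "https, http"; the first entry is the client-facing hop.
    first = _header(headers, "X-Forwarded-Proto").split(",")[0].strip().lower()
    return "https" if first == "https" else "http"


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Original client address: first X-Forwarded-For entry from a trusted balancer, else the peer."""
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    first = _header(headers, "X-Forwarded-For").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer_ip  # missing or malformed header: fall back to the balancer's address


def redirect_location(peer_ip: str, headers: Mapping[str, str], path: str) -> Optional[str]:
    """Location for an http->https redirect, or None when the request already came in over TLS."""
    if effective_scheme(peer_ip, headers) == "https":
        return None
    host = _header(headers, "Host").split(":")[0]  # drop any :port (bracketed IPv6 hosts not handled)
    if not host:
        return None  # cannot build an absolute URL without a Host header
    return f"https://{host}{path}"
```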

Oh awesome! The X-Forwarded-Proto was what I needed! Thanks!

Hi ammmze!

I’m working with WSO2 API Manager in Rancher, and I have the same problem. I’ve added a Rancher Load Balancer as the frontend, but I don’t know if you resolved the communication between the load balancer and the API Manager, because it has HTTPS exposed. How did you solve that? Thanks!

We have an F5 load balancer and we ended up re-encrypting the traffic there. We also haven’t gotten enough buy-in from everybody to use Rancher, so we currently are just using different docker-compose files on our various hosts.

Ok ammmze, thanks a lot!