Thanks Andrija, LB outside of the VR sounds like a good idea. An appliance based on, say cloud-init + ansible and so on could do the trick; alas it'd need to be outside ACS. I guess as users we could maybe come up with a spec for an improvement, at least we'd have something the devs could look at whenever it is possible.
Regards,
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Andrija Panic" <andrija.pa...@gmail.com>
> To: "dev" <d...@cloudstack.apache.org>
> Cc: "users" <users@cloudstack.apache.org>
> Sent: Thursday, 2 November, 2017 23:21:37
> Subject: Re: HTTPS LB and x-forwarded-for
>
> We used to make some special stuff for one of the clients, where all LB configuration work is done from outside of the ACS, i.e. a python script to feed/configure the VR - install the latest haproxy 1.5.x for transparent proxy, since the client insisted on SSL termination being done on the backend web SSL servers.... Not a good idea, that is all I can say (custom configuration thing) - but the LB setup is actually good - transparent mode haproxy, works on TCP level, so you can see the "real client IP" on the backend servers (which must use the VR as the default gtw, as per default, so the whole setup works properly).
>
> I'm still looking forward to seeing some special support of LB inside the VR via ACS - proper LB setup inside the VR via GUI/API - i.e. to enable an LB provisioning SCRIPT (bash, or whatever), where all needed install+configure can be done from the client side - otherwise covering all use cases, with proper HTTP checks and similar.... is impossible to do IMHO.
>
> Some other clients actually have an internal FW appliance (i.e. a multihomed VM, acting as gtw for all VMs in all networks), with haproxy installed on this device (with NAT configured from the VR to this internal FW/VM, so the remote IP can be seen properly) - this setup is fully under customer control, and can provide any kind of special haproxy config...
>
> On 31 October 2017 at 19:54, Nux! <n...@li.nux.ro> wrote:
>
>> Hello,
>>
>> Of the people running an LB (VR) with https backends, how do you deal with the lack of x-forwarded-for since for port 443 there's just simple TCP balancing?
>>
>> Has anyone thought of terminating SSL in the VR instead? Ideas?
>>
>> Cheers
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>
> --
>
> Andrija Panić
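As an added illustration of the options discussed in this thread (example configuration written for this page, not from the thread, from CloudStack or from its VR), the haproxy fragment below contrasts the plain TCP balancing on 443 that hides the client IP with two ways a backend can still learn it: terminating TLS on the VR and adding X-Forwarded-For, or keeping TLS end-to-end and prepending a PROXY protocol header. Backend addresses, ports and certificate paths are assumed placeholders.

```haproxy
# Added example, not from the thread or CloudStack; addresses and cert paths are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Plain TCP balancing on 443, as the thread describes: the backend only
#    sees the VR's source address, so no client IP reaches it.
frontend https_tcp_passthrough
    mode tcp
    bind *:443
    default_backend web_tcp

backend web_tcp
    mode tcp
    balance roundrobin
    server web1 10.1.1.11:443 check
    server web2 10.1.1.12:443 check

# 2) Terminate TLS on the VR and re-encrypt to the backends: haproxy now
#    speaks HTTP, so it can add X-Forwarded-For and X-Forwarded-Proto.
#    The site certificate and private key then live on the VR.
frontend https_terminated
    mode http
    bind *:8443 ssl crt /etc/haproxy/certs/site.pem
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend web_https

backend web_https
    mode http
    balance roundrobin
    # verify the backend certificates instead of using 'verify none'
    server web1 10.1.1.11:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check
    server web2 10.1.1.12:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check

# 3) Keep TLS end-to-end but prepend a PROXY protocol header, so the backend
#    web server (configured to accept PROXY protocol on this port) recovers
#    the original client IP without the VR holding the private key.
frontend https_proxy_protocol
    mode tcp
    bind *:9443
    default_backend web_proxyproto

backend web_proxyproto
    mode tcp
    balance roundrobin
    server web1 10.1.1.11:443 send-proxy check-send-proxy check
    server web2 10.1.1.12:443 send-proxy check-send-proxy check
```

With options 2 and 3 the backends should accept X-Forwarded-For or the PROXY header only from the VR's address, otherwise any client can forge its apparent source IP in the backend logs.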