[chef] Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: haproxy Cookbook

[Sean Escriva < >]

Douglas Garstang 
<
 >
 writes:

> Sean,
>
> As far as I know there's no way to pass the pem certificate. It's the 'crt'
> setting I believe in the haproxy config. Am I missing that somewhere?
>

Actually this is possible. The cookbook in master provides a 'haproxy'
resource that is data driven so you could use:

haproxy "sslproxy" do
 config Mash.new(
 :global => {
   ... your global settings
 },
 :defaults => {
   ... your default settings
 }
 :frontend => {
      :ssl => {
        :bind => "*:443 ssl crt /etc/ssl/*your ssl key*"
        ...your other settings for frontend named 'ssl'
     }         
   }
 )
end

this will then get serialized to the correctly formatted haproxy.cfg and
should work as expected provided your build of haproxy supports those options.

The data handed to the 'config' parameter can come from anything you
like, inline using Mash.new as in this example or via attributes of your
choosing nested under node['haproxy']['config']

If you see areas for improvement, definitely let us know!

-sean

>
> On Fri, Mar 14, 2014 at 4:17 PM, Sean Escriva 
> <
 >wrote:
>
>> Douglas Garstang 
>> <
 >
>>  writes:
>>
>> > Given that haproy 1.5 already supports SSL, wouldn't the approach with
>> the
>> > least effort here, be to enhance the community haproxy cookbook to also
>> > support it?
>> >
>>
>> What enhancements to support SSL would you really like to see?
>>
>> The cookbook alread provides a fully data drive lwrp to configure
>> haproxy to your hearts content:
>>
>> https://github.com/hw-cookbooks/haproxy#haproxy
>>
>> If you need haproxy to support things that aren't availailable out of
>> the box with the system packages there the source install recipe:
>>
>>
>> https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb
>>
>> I'm interested to hear how specifically the current haproxy cookbook
>> falls short of what you need. How could it best be enhanced to support
>> what you need for SSL support?
>>
>> >
>> >
>> > On Fri, Mar 14, 2014 at 8:23 AM, Nathan Williams 
>> > <
 
>> >wrote:
>> >
>> >> Ah! That's right, I forget the regular stunnel package doesn't do
>> >> X-Forwarded-For.
>> >> On Mar 13, 2014 3:43 PM, "Eric Herot" 
>> >> <
 >
>> >>  wrote:
>> >>
>> >>> Not sure if you're doing this on EC2 but if you are there is also the
>> >>> option of terminating SSL on ELB, which will insert a header
>> >>> (X-Forwarded-For I believe) containing the source IP.
>> >>>
>> >>> There are actually patches to add that header with Stunnel but I will
>> >>> admit that that option does kind of suck. :-)
>> >>> --
>> >>> Eric
>> >>>
>> >>> On March 13, 2014 at 6:23:35 PM, Robert Tsai 
>> >>> (
 )
>> >>> wrote:
>> >>>
>> >>> I agree with Daniel. Ngnix and HAproxy is a great combo for ssl
>> >>> termination.  Definitely use HttpRealIp and you can balance based on
>> source
>> >>> ip if needed.
>> >>>
>> >>> As for the recipe, we decided to do a wrapper recipe to tie the two
>> >>> together.
>> >>>
>> >>> On Mar 13, 2014, at 2:56 PM, Daniel Condomitti 
>> >>> <
 >
>> >>> wrote:
>> >>>
>> >>>  I normally use nginx to terminate SSL which means we can inject a
>> >>> header containing the source IP address. Combining this with the
>> >>> HttpRealIp[0] module means you get the real client IP in your backend
>> logs.
>> >>>
>> >>> This doesn't help if you're not proxying HTTP though.
>> >>>
>> >>> [0] http://wiki.nginx.org/HttpRealipModule
>> >>>
>> >>> On Thursday, March 13, 2014 at 2:53 PM, Lopaka Delp wrote:
>> >>>
>> >>>  Hello,
>> >>>
>> >>> HAProxy 1.5 has SSL.  Unfortunately, it's still under development/beta.
>> >>>  In the haproxy community cookbook, looks like there is a recipe to
>> make
>> >>> and install from source and enable SSL:
>> >>>
>> >>>
>> >>>
>> https://github.com/hw-cookbooks/haproxy/blob/master/recipes/install_source.rb
>> >>>
>> >>>
>> >>> This might not be the 'fastest' way to go to enable SSL, but it's one
>> way.
>> >>>
>> >>> Another way would be to have a frontend which does SSL ie apache.
>> >>>
>> >>> Hope this helps.
>> >>>
>> >>> Lopaka
>> >>>
>> >>>
>> >>> On Thu, Mar 13, 2014 at 2:44 PM, Douglas Garstang <
>> >>> 
 >
>> >>>  wrote:
>> >>>
>> >>>  Actually... stunnel might not be such a good solution as I believe I
>> >>> will lose the source IP address, and I dont want to lose that...
>> >>>
>> >>>
>> >>> On Thu, Mar 13, 2014 at 2:34 PM, Douglas Garstang <
>> >>> 
 >
>> >>>  wrote:
>> >>>
>> >>>  Thanks Eric.
>> >>>
>> >>> I had forgotten that haproxy doesn't support SSL yet. I think 1.5 does
>> >>> (which is what an apt-get install gets me), but even though, the
>> haproxy
>> >>> cookbook apparently does not. I'll check out the stunnel cookbook.
>> >>>
>> >>> Good to know it's not just me that finds the haproxy cookbook
>> >>> documentation confusing. The examples don't work as is either.
>> >>>
>> >>> Douglas.
>> >>>
>> >>>
>> >>> On Thu, Mar 13, 2014 at 2:21 PM, Eric Herot 
>> >>> <
 
>> >wrote:
>> >>>
>> >>>  I would strongly suggest pairing the haproxy cookbook with the stunnel
>> >>> cookbook in order to get this working.  Otherwise haproxy has no native
>> >>> support for SSL.  The SSL options in that cookbook just create another
>> >>> listener for you to then connect to (with, for example, stunnel).
>> >>>
>> >>>  Does that answer your question?
>> >>>
>> >>>  BTW if you find that cookbook confusing or insufficient (we did, but
>> the
>> >>> last time I looked at it was a while ago), we also maintain one which
>> is
>> >>> pretty functional (although the docs may be slightly out of date at
>> this
>> >>> point):
>> >>>
>> >>>  https://github.com/evertrue/et_haproxy-cookbook
>> >>>  --
>> >>> Eric
>> >>>
>> >>> On March 13, 2014 at 5:15:52 PM, Douglas Garstang (
>> >>> 
 )
>> >>>  wrote:
>> >>>
>> >>>   Can anyone recommend a functional haproxy cookbook that support sssl?
>> >>> The most likely candidate, at https://github.com/hw-cookbooks/haproxy,
>> >>> has knobs for enabling ssl, but as far as I can see, no way to pass
>> the pem
>> >>> file location. (the setting is 'crt' i think).
>> >>>
>> >>> Alternatively, if there's a way a wrapper cookbook could easily add
>> that
>> >>> functionality...
>> >>>
>> >>> Douglas
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>  --
>> >>> Regards,
>> >>>
>> >>> Douglas Garstang
>> >>> http://www.linkedin.com/in/garstang
>> >>> Email: 
>> >>> 
 
>> >>> Cell: +1-805-340-5627
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>>
>> >>> Douglas Garstang
>> >>> http://www.linkedin.com/in/garstang
>> >>> Email: 
>> >>> 
 
>> >>> Cell: +1-805-340-5627
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>>  Lopaka Delp
>> >>> RightScale - Linux Systems Engineer
>> >>> 
 
>> >>> 805-243-0998
>> >>>
>> >>>
>> >>>
>> >
>> >
>> > --
>> > Regards,
>> >
>> > Douglas Garstang
>> > http://www.linkedin.com/in/garstang
>> > Email: 
>> > 
 
>> > Cell: +1-805-340-5627
>>
>> --
>> -sean
>>
>
>
>
> -- 
> Regards,
>
> Douglas Garstang
> http://www.linkedin.com/in/garstang
> Email: 
> 
 
> Cell: +1-805-340-5627

-- 
-sean