SSL Offloading
Nowadays, it is common (and convenient) to use the Load-Balancer SSL capabilities to cypher/uncypher traffic from clients to the web application platform.
Performing SSL at the Load-Balancer Layer is called “SSL offloading“, because you offload this process from your application servers.
Note that SSL offloading is also “marketingly” called SSL acceleration. The only acceleration performed is moving SSL processing from application server, which have an other heavy task to perform, to an other devices in the network…
So no acceleration at all, despite some people claming they do accelerate SSL in a dedicated ASIC, they just offload…
The diagram below shows what happens on an architecture with SSL offloading. We can clearly see that the traffic is encrypted up to the Load-Balancer, then it’s in clear between the Load-Balancer and the application server:
Benefits of SSL offloading
Offloading SSL from the application servers to the Load-Balancers have many benefits:
* offload an heavy task from your application servers, letting them to focus on the application itself
* save resources on your application servers
* the Load-Balancers have access to clear HTTP traffic and can perform advanced features such as reverse-proxying, Cookie persistence, traffic regulation, etc…
* When using an ALOHA Load-Balancer (or HAProxy), there are much more features available on the SSL stack than on any web application server.
It seems there should only be positive impact when offloading SSL.
Counterparts of SSL offloading
As we saw on the diagram above, the load-balancer will hide three important information from the client connection:
1. protocol scheme: the client was using HTTPS while the connection on the application server is made over HTTP
2. connection type: was it cyphered or not? Actually, this is linked to the protocol scheme
3. destination port: on the load-balancer, the port is usually 443 and on the application server should be 80 (this may change)
Most web application will use 301/302 responses with a Location header to redirect the client to a page (most of the time after a login or a POST) as well as requiring an application cookie.
So basically, the worst impact is that your application server may have difficulties to know the client connection information and may not be able to perform right responses: it can break totally the application, preventing it to work.
Fortunately, the ALOHA Load-Balancer or HAProxy can help in such situation!
Basically, the application could return such responses to the client:
Location: http://www.domain.com/login.jsp
And the client will leave the secured connection…
Tracking issues with the load-balancer
In order to know if your application supports well SSL offloading, you can configure your ALOHA Load-Balancer to log some server responses.
Add the configuration below in your application frontend section:
capture response header Location len 32 capture response header Set-Cookie len 32
Now, in the traffic log, you’ll see clearly if the application is setting up response for HTTP or HTTPS.
NOTE: some other headers may be needed, depending on your application.
Web Applications and SSL offloading
Here we are 🙂
There are 3 answers possible for such situation, detailed below.
Client connection information provided in HTTP header by the Load-Balancer
First of all, the Load-Balancer can provide client side connection information to the application server through HTTP header.
The configuration below shows how to insert a header called X-Forwarded-Proto containing the scheme used by the client.
To be added in your backend section.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
Now, the ALOHA Load-Balancer will insert the following header when the connection is made over SSL:
X-Forwarded-Proto: https
and when performed over clear HTTP:
X-Forwarded-Proto: http
It’s up to your application to use this information to answer the right responses: this may require some code update.
HTTP header rewriting on the fly
An other way is to rewrite the response setup by the server on the fly.
The following configuration line would match the Location header and translate it from http to https if needed.
Rewriting rspirep http://www.domain.com:80/url:
rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
NOTE: above example applies on HTTP redirection (Location header), but can be applied on Set-cookie as well (or any other header your application may use).
NOTE2: you can only rewrite the response HTTP headers, not in the body. So this is not compatible with applications setting up hard links in the HTML content.
SSL Bridging
In some cases, the application is not compatible at all with SSL offloading (even with the tricks above) and we must use a ciphered connection to the server but we still may require to perform cookie based persistence, content switching, etc…
This is called SSL bridging, or can also be called a man in the middle.
In the ALOHA, there is nothing to do, just do SSL offloading as usual and add the keyword ssl on your server directive.
Using this method, you can choose a light cipher and a light key between the Load-Balancer and the server and still use the Load-Balancer advanced SSL feature with a stronger key and a stronger cipher.
The application server won’t notice anything and the Load-Balancer can still perform Layer 7 processing.
Hi Baptiste,
Thanks very much for your patience. It seems not working in my environment. My haproxy version is 1.5-dev12, and the conf:
frontend ft_test
mode http
#bind *:80
bind 0.0.0.0:443 ssl crt /opt/haproxy-ssl/haproxy.pem
default_backend bk_test
backend bk_test
mode http
server srv1 192.168.0.63:80
#option forwardfor
#reqadd X-Forwarded-Proto: https if { is_ssl }
rspirep ^Location: http://(.*):80(.*) Location: https://1:4432
rspirep ^Location: http://(.*) Location: https://1
You can see I just want the haproxy only accept https request from the client, but i’ve tried your two ways—reqadd and reporep—all failed. what’s the problem?
regards
Hi,
there is no magic, you must analyze your application first then create the rules accordingly.
If you need more help, please contact HAProxy ML (no registration required).
Baptiste
I think you mean X-Forwarded-Proto not X-Forwared-Proto?
true and fixed.
Thans Simon.
Bpiste