TLS Termination


#1

We collect log files on one site and then send them over the internet via TCP + TLS to our servers in the cloud. The log files need to be sent evenly between the two servers, so we have put HAProxy in front of them.

Currently the only config I have added to get the connection from the local server to the servers in the cloud via HAProxy is:

listen graylog
    bind *:20000
    mode tcp
    option tcplog
    balance roundrobin
    server graylog1 10.32.4.4:20001 check
    server graylog2 10.32.4.5:20001 check

I believe I need to terminate TLS at the HAProxy server; how would I go about doing this?

Cheers,

G


#2

I’ve still got nowhere, can anyone help?


#3

What do you need to encrypt: client to haproxy, haproxy to backend servers, or both? Do you have a certificate ready to be installed on haproxy?


#4

So the logs come to HAProxy encrypted, we want to decrypt them at that point and send them in plaintext to the backend. I am about to set up a certificate for it now.


#5

Ok, then add ssl crt /path/to/certificate to the bind line.

You can find a more complete and secure example here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.7.9&openssl=1.0.1e&hsts=yes&profile=intermediate


#6

I have added that option and it doesn’t seem to have worked.

frontend gl-frontend
    mode tcp
    default_backend gl-cluster
    bind *:20000 ssl crt /etc/certs/ha-selfsigned.pem

backend gl-cluster
    mode tcp
    balance roundrobin
    server GL1 10.19.0.4:20001
    server GL2 10.19.0.5:20001
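Putting the pieces of this thread together, below is a complete configuration for the setup described in #4 (TLS terminated at HAProxy, plaintext to the two Graylog nodes). It is an added example, not a config posted by anyone in this thread: the certificate path, server names and addresses are taken from the config in #6, while the global TLS hardening lines follow the style of the Mozilla generator linked in #5 (HAProxy 1.7 syntax), and the timeout values and the syslog target are assumptions to adjust for your environment.

```haproxy
global
    log /dev/log local0
    # Hardened defaults applied to every "bind ... ssl" line (HAProxy 1.7 syntax).
    # Cipher list is a shortened example in the spirit of the Mozilla "intermediate" profile.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048

defaults
    mode tcp
    option tcplog
    log global
    # Assumed values: a log shipper holds its connection open, so keep idle timeouts generous.
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend gl-frontend
    # TLS is terminated here. The PEM file must contain the certificate (plus any chain)
    # followed by the private key; HAProxy reads both from the one file.
    bind *:20000 ssl crt /etc/certs/ha-selfsigned.pem
    default_backend gl-cluster

backend gl-cluster
    # Plaintext from here on. In tcp mode the balancing decision is made once per
    # TCP connection: a single long-lived client connection stays on one server.
    balance roundrobin
    server GL1 10.19.0.4:20001 check
    server GL2 10.19.0.5:20001 check
```

Validate the file with "haproxy -c -f /etc/haproxy/haproxy.cfg" before reloading, and confirm termination is working with "openssl s_client -connect <haproxy-ip>:20000", which should print the certificate from ha-selfsigned.pem. The "check" keyword on each server enables a plain TCP connect health check, so a node that is down is taken out of rotation instead of receiving a share of new connections.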

#7

Doesn’t work how? Can you elaborate a little bit?


#8

Okay, so the SSL termination is now working, but it only sends to one host. The connection is never broken.

Edited:

We send the data on from the proxy to two nodes and we are only seeing one connection being made to one node; the connection is never broken and therefore data is never sent to the other node.


#9

So the connection when sending the logs from one site to another is just one long TCP connection that sends all the logs. Obviously HAProxy is set up to balance the TCP connections and when there’s only one, it will just go to one node. Is there any way to resolve this?


#10

To load-balance you need multiple sessions. If there is only one session, only one server will see the load.

This is especially true in TCP mode, as haproxy does not understand or interact at the application layer, but on layer 4 (TCP) only.