Add backend re-encryption to the LB cookbook
This patch adds a cookbook section for creating backend re-encryption pools with optional client authentication. Change-Id: If2a732d7b692f3cd6c422efbb1f71103ffecc4c9
This commit is contained in:
parent
4b4638e67d
commit
076c3adc36
@ -623,6 +623,116 @@ HTTP just get redirected to the HTTPS listener), then please see `the example
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.11 --protocol-port 80 pool1
openstack loadbalancer listener create --protocol-port 80 --protocol HTTP --name listener2 --default-pool pool1 lb1
Deploy a load balancer with backend re-encryption
-------------------------------------------------
This example will demostrate how to enable TLS encryption from the load
balancer to the backend member servers. Typically this is used with TLS
termination enabled on the listener, but, to simplify the example, we are going
to use an unencrypted HTTP listener. For information on setting up a TLS
terminated listener, see the above section
:ref:`basic-tls-terminated-listener`.
**Scenario description**:
* Back-end servers 192.0.2.10 and 192.0.2.11 on subnet *private-subnet* have
been configured with an HTTPS application on TCP port 443.
* A Certificate Authority (CA) certificate chain and optional Certificate
Revocation List (CRL) have been obtained from an external certificate
authority to authenticate member server certificates against.
* Subnet *public-subnet* is a shared external subnet created by the cloud
operator which is reachable from the internet.
* We want to configure a basic load balancer that is accessible from the
internet, which distributes web requests to the back-end servers.
**Solution**:
1. Create a barbican *secret* resource for the member CA certificate. We will
call this *member_ca_cert*.
2. Optionally create a barbican *secret* for the CRL file. We will call this
*member_ca_crl*.
3. Create load balancer *lb1* on subnet *public-subnet*.
4. Create listener *listener1*.
5. Create pool *pool1* as *listener1*'s default pool, that is TLS enabled, with
a Certificate Authority (CA) certificate chain *member_ca_cert* to validate
the member server certificate, and a Certificate Revocation List (CRL)
*member_ca_crl* to check the member server certificate against.
6. Add members 192.0.2.10 and 192.0.2.11 on *private-subnet* to *pool1*.
**CLI commands**:
::
openstack secret store --name='member_ca_cert' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < member_ca.pem)"
openstack secret store --name='member_ca_crl' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < member_ca.crl)"
openstack loadbalancer create --name lb1 --vip-subnet-id public-subnet
# Re-run the following until lb1 shows ACTIVE and ONLINE statuses:
openstack loadbalancer show lb1
openstack loadbalancer listener create --name listener1 --protocol HTTP --protocol-port 80 lb1
openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol HTTP --enable-tls --ca-tls-container-ref $(openstack secret list | awk '/ member_ca_cert / {print $2}') --crl-container-ref $(openstack secret list | awk '/ member_ca_crl / {print $2}')
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.10 --protocol-port 443 pool1
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.11 --protocol-port 443 pool1
Deploy a load balancer with backend re-encryption and client authentication
---------------------------------------------------------------------------
This example will demostrate how to enable TLS encryption from the load
balancer to the backend member servers with the load balancer being
authenticated using TLS client authentication. Typically this is used with TLS
termination enabled on the listener, but, to simplify the example, we are going
to use an unencrypted HTTP listener. For information on setting up a TLS
terminated listener, see the above section
:ref:`basic-tls-terminated-listener`.
**Scenario description**:
* Back-end servers 192.0.2.10 and 192.0.2.11 on subnet *private-subnet* have
been configured with an HTTPS application on TCP port 443.
* A Certificate Authority (CA) certificate chain and optional Certificate
Revocation List (CRL) have been obtained from an external certificate
authority to authenticate member server certificates against.
* A TLS certificate and key have been obtained from an external Certificate
Authority (CA). The now exist in the files member.crt and member.key. The
key and certificate are PEM-encoded and the key is not encrypted with a
passphrase (for this example).
* Subnet *public-subnet* is a shared external subnet created by the cloud
operator which is reachable from the internet.
* We want to configure a basic load balancer that is accessible from the
internet, which distributes web requests to the back-end servers.
**Solution**:
1. Combine the member client authentication certificate and key to a single
PKCS12 file.
2. Create a barbican *secret* resource for the PKCS12 file. We will call
this *member_secret1*.
3. Create a barbican *secret* resource for the member CA certificate. We will
call this *member_ca_cert*.
4. Optionally create a barbican *secret* for the CRL file. We will call this
*member_ca_crl*.
5. Create load balancer *lb1* on subnet *public-subnet*.
6. Create listener *listener1*.
7. Create pool *pool1* as *listener1*'s default pool, that is TLS enabled, with
a TLS container reference for the member client authentication key and
certificate pkcs12, also with a Certificate Authority (CA) certificate chain
*member_ca_cert* to validate the member server certificate, and a
Certificate Revocation List (CRL) *member_ca_crl* to check the member server
certificate against.
8. Add members 192.0.2.10 and 192.0.2.11 on *private-subnet* to *pool1*.
**CLI commands**:
::
openssl pkcs12 -export -inkey member.key -in member.crt -passout pass: -out member.p12
openstack secret store --name='member_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < member.p12)"
openstack secret store --name='member_ca_cert' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < member_ca.pem)"
openstack secret store --name='member_ca_crl' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < member_ca.crl)"
openstack loadbalancer create --name lb1 --vip-subnet-id public-subnet
# Re-run the following until lb1 shows ACTIVE and ONLINE statuses:
openstack loadbalancer show lb1
openstack loadbalancer listener create --name listener1 --protocol HTTP --protocol-port 80 lb1
openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol HTTP --enable-tls --ca-tls-container-ref $(openstack secret list | awk '/ member_ca_cert / {print $2}') --crl-container-ref $(openstack secret list | awk '/ member_ca_crl / {print $2}') --tls-container-ref $(openstack secret list | awk '/ member_secret1 / {print $2}')
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.10 --protocol-port 443 pool1
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.11 --protocol-port 443 pool1
.. _heath-monitor-best-practices:
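Review bot: the `$(openstack secret list | awk '/ member_ca_cert / {print $2}')` substitutions in both `openstack loadbalancer pool create` commands resolve secrets by name, and barbican does not enforce unique secret names, so a reader who runs the `openstack secret store` commands a second time (or already has an older secret of the same name) gets two hrefs substituted into one argument, producing either a malformed command or a pool bound to the wrong CA, CRL or client certificate. Suggest capturing the href when the secret is stored instead, e.g. `CA_REF=$(openstack secret store --name='member_ca_cert' ... -f value -c 'Secret href')`, and passing `--ca-tls-container-ref $CA_REF`; the same applies to `member_ca_crl` and `member_secret1`, and it also avoids three separate `secret list` calls per pool create. Second, steps 2 and 4 describe the CRL secret as optional, but both pool create commands pass `--crl-container-ref` unconditionally; one sentence telling readers who skip the CRL to drop that flag would prevent a confusing failure. Minor text fixes in the new sections: "demostrate" should be "demonstrate" (both occurrences), and "The now exist in the files member.crt and member.key" should read "They now exist ...".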