Matthew Sanders
2018-11-03 19:31:19 UTC
NOTE: *I am not subscribed to the mailing list, would you be able to CC me
in the responses? Thanks!*
I have started integrating HAProxy as the entry point to all of my server
infrastructure projects.
I wanted to get the community's thoughts on how best to handle Client
Certificates for secure portions of a site (preferably on a single
machine). I wanted to make this as optimal as possible, but it seems like
in order to do this with HAProxy currently I need to make a few sacrifices.
I may be wrong, but I would imagine the primary use case for Client
Certificates would be to secure a site (or in many, if not most cases, a
section of a site like admin.example.comor example.com/admin, etc.). The
full shotgun approach works well as it is... but even with 'verify
optional' some users may have a degraded experience even if they are not
using the secure portion of the site. They may be prompted for certificate
by the browser for example.
I ran into a few work arounds to the problem, but I fear there is a few
performance considerations with these approaches and felt there must be a
more native way HAProxy could help with this situation.
In this blog post:
https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
The author references an answer from another community member who suggests
the first approach here:
https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3
The second (but pretty much the same) approach I found was on Stack
Exchange here: https://serverfault.com/a/663923
I prefer the second approach as it doesn't use the abstract namespace which
as the documentation points out are not 'rebindable' with multi-process
soft-restart.
My concerns are:
1. This relies on SNI which will add some delay up front 'tcp-request
inspect-delay 5s'. This happens even if I plan to terminate the TLS
connection at HAProxy.
2. Then we route to a backend internally to then route to another loopback
causing some more minor delay.
3. The internal routing would then increase the unix open file count per
request
Is there any other solutions that may avoid these issues, or am I
needlessly worried about it in the first place? Can HAProxy be improved to
more natively support such a workflow?
I know I could create a second machine to reserve for the secure routes. I
also could utilize a stage environment (still another machine) and allow
the admin site to allow the user to select the environments to work against
(example operations would be migrating user/project data, making custom
queries for management, etc.)
Thank you so much for your time,
Matt
in the responses? Thanks!*
I have started integrating HAProxy as the entry point to all of my server
infrastructure projects.
I wanted to get the community's thoughts on how best to handle Client
Certificates for secure portions of a site (preferably on a single
machine). I wanted to make this as optimal as possible, but it seems like
in order to do this with HAProxy currently I need to make a few sacrifices.
I may be wrong, but I would imagine the primary use case for Client
Certificates would be to secure a site (or in many, if not most cases, a
section of a site like admin.example.comor example.com/admin, etc.). The
full shotgun approach works well as it is... but even with 'verify
optional' some users may have a degraded experience even if they are not
using the secure portion of the site. They may be prompted for certificate
by the browser for example.
I ran into a few work arounds to the problem, but I fear there is a few
performance considerations with these approaches and felt there must be a
more native way HAProxy could help with this situation.
In this blog post:
https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
The author references an answer from another community member who suggests
the first approach here:
https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3
The second (but pretty much the same) approach I found was on Stack
Exchange here: https://serverfault.com/a/663923
I prefer the second approach as it doesn't use the abstract namespace which
as the documentation points out are not 'rebindable' with multi-process
soft-restart.
My concerns are:
1. This relies on SNI which will add some delay up front 'tcp-request
inspect-delay 5s'. This happens even if I plan to terminate the TLS
connection at HAProxy.
2. Then we route to a backend internally to then route to another loopback
causing some more minor delay.
3. The internal routing would then increase the unix open file count per
request
Is there any other solutions that may avoid these issues, or am I
needlessly worried about it in the first place? Can HAProxy be improved to
more natively support such a workflow?
I know I could create a second machine to reserve for the secure routes. I
also could utilize a stage environment (still another machine) and allow
the admin site to allow the user to select the environments to work against
(example operations would be migrating user/project data, making custom
queries for management, etc.)
Thank you so much for your time,
Matt