Website clouds, certificates and upstream load balancer

Category: azure pack

Question

eSundet on Thu, 06 Nov 2014 07:45:12


We are running Website Clouds in an HA setup with the FE role behind a NetScaler hardware load balancer. The front-end servers have RFC 1918 IP addresses.

Has anyone looked at the DNS-RegisterSSLBindings.ps1 script for invoking the setup on NetScaler or a similar load balancer (e.g. F5)? In the script it states:

"when all IP based SSL bindings for a hostname are successfully configured on all front ends this script will be called to finish configuration and register public IP => internal bindings with the physical load balancer"

Does that mean that the actual SSL offload is handled by the FE servers, so that what we have to do in the NetScaler is to create one new VIP with SSL bridge and point that VIP to the set of IP addresses that the FE servers will use?

Replies

Ilya Finkelshteyn on Fri, 14 Nov 2014 03:17:12


Hello,

Generally yes.

First, please note that this is done for the IP SSL feature. This feature is needed for old clients that cannot send Server Name Indication (http://en.wikipedia.org/wiki/Server_Name_Indication) in the SSL request. For those clients we need to create an explicit IP-port binding on every FrontEnd and map it to a specific certificate. So if you need to support those clients (more precisely, your clients want to support old OS/browser combinations), you need IP SSL. And if you have a hardware load balancer in front of your FrontEnds, you need to configure this script to map a unique external VIP to specific bindings on the FrontEnds. Otherwise you can just use SNI SSL and all clients will use the same VIP for everything.

This script is called automatically every time a new IP SSL binding is created (e.g. when a customer decides to use IP SSL in the Portal). The hostname and an array of bindings are passed to this script. It is expected that the hosting provider modifies this script to automate creation of the mappings between some VIP on the load balancer and those bindings, and optionally to automate creation of DNS records.

Also please note that the mappings for classic HTTP traffic should be updated too, because once the DNS records for the website are changed to the new VIP, not only SSL but also plain HTTP traffic will go to the new VIP.

After the script has finished its job, it should return the VIP as part of the return value object, and this VIP will be displayed in the Portal for the end user. Please see the oversimplified example below.

More sophisticated example scripts for F5 LTM are here: https://github.com/WAPWebsites/IPSSL/

Please feel free to ask additional questions :)

Thank you,
Ilya.

>>>>>>> Oversimplified DNS-RegisterSSLBindings.ps1

param([string] $hostName, [string[]] $bindings)
$ErrorActionPreference = "Stop"

# when all IP based SSL bindings for a hostname are successfully configured on all front ends
# this script will be called to finish configuration and register public IP => internal bindings
# with the physical load balancer

# ScriptResult is the object the Web Sites management service expects back from this hook
[void] [System.Reflection.Assembly]::Load("microsoft.web.hosting.common, Version=7.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
$retVal = New-Object Microsoft.Web.Hosting.Common.ScriptResult;

try
{
    # add logic here to register the hostname and its bindings
    # assume that $hostName and $bindings are passed to the hardware load balancer specific script f5.ps1 and it returns the VIP
    $vip = & "C:\f5.ps1" $hostName $bindings;
    $retVal.Data = $vip;        # the VIP in Data is what the Portal shows to the end user
    $retVal.ErrorCode = 0;
}
catch [Exception]
{
    # a non-zero ErrorCode plus Message surfaces the failure instead of a bogus VIP
    $retVal.ErrorCode = -1;
    $retVal.Message = $_.Exception.Message;
}

return $retVal;


>>>>>>> Fake F5.ps1:
# it is fake and does nothing with $hostName and $bindings
param([string] $hostName, [string[]] $bindings)

return "10.1.1.1";
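The fake F5.ps1 above only shows the calling convention. The following is an added example, not code from the thread or from the Azure Pack product, of what a load-balancer-agnostic replacement for that script could look like: it validates the hostname and the bindings it is handed, refuses to expose anything that is not an RFC 1918 front-end address, allocates a VIP idempotently (re-running for the same hostname returns the same VIP), and builds the port 443 passthrough mapping together with the port 80 mapping the reply says must not be forgotten. Everything after the param block is an assumption: the state file path, the public VIP pool, the HTTP back-end addresses, and the $Publish script block that stands in for whatever NITRO/iControl call the provider actually uses to push the plan to the device.

```powershell
# Added example, not part of the original post. The only contract taken from the thread is
# "receive $hostName and $bindings, return the VIP"; every default below is an assumption.
param(
    [Parameter(Mandatory)] [string]   $hostName,
    [Parameter(Mandatory)] [string[]] $bindings,                               # "ip:port" strings, e.g. "10.0.1.11:443"
    [string]      $StatePath    = 'C:\WebSites\ipssl-vips.json',               # assumed: hostname => VIP allocations
    [string[]]    $VipPool      = @('203.0.113.10', '203.0.113.11', '203.0.113.12'), # assumed public VIP range
    [string[]]    $HttpBackends = @('10.0.1.11', '10.0.1.12'),                 # assumed: front-end addresses for plain HTTP
    [scriptblock] $Publish      = { param($Plan) $Plan | ConvertTo-Json -Depth 4 | Write-Verbose } # assumed LB push hook
)
$ErrorActionPreference = 'Stop'

function Test-Rfc1918 {
    # True for 10/8, 172.16/12 and 192.168/16; anything else must never become an LB pool member here.
    param([string] $Ip)
    $o = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. The hostname ends up in load balancer objects and DNS, so accept only a plain DNS name.
if (-not ($hostName -match '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$')) {
    throw "Invalid hostname: $hostName"
}

# 2. Parse and validate every IP SSL binding the front ends configured.
$members = foreach ($b in $bindings) {
    if (-not ($b -match '^(?<ip>\d{1,3}(\.\d{1,3}){3}):(?<port>\d{1,5})$')) { throw "Unexpected binding format: $b" }
    $ip = $Matches.ip; $port = [int]$Matches.port
    if (-not (Test-Rfc1918 $ip)) { throw "Binding $b is not an RFC 1918 front-end address; refusing to publish it" }
    [pscustomobject]@{ Address = $ip; Port = $port }
}
if (-not $members) { throw 'No bindings supplied' }
$sslPort = ($members | Select-Object -First 1).Port

# 3. Allocate a VIP idempotently so a repeated call for the same hostname does not burn a second address.
$state = @{}
if (Test-Path $StatePath) {
    (Get-Content $StatePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $state[$_.Name] = $_.Value }
}
if ($state.ContainsKey($hostName)) {
    $vip = $state[$hostName]
} else {
    $vip = $VipPool | Where-Object { $_ -notin $state.Values } | Select-Object -First 1
    if (-not $vip) { throw 'VIP pool exhausted' }
    $state[$hostName] = $vip
}

# 4. TLS is terminated on the front ends (that is what IP SSL means), so the LB must pass 443 through
#    untouched (SSL bridge on NetScaler, no client-ssl profile on F5). Plain HTTP follows the same DNS
#    name to the same VIP, so port 80 gets its own mapping to the front ends' HTTP listeners.
$plan = [pscustomobject]@{
    HostName = $hostName
    Vip      = $vip
    Services = @(
        [pscustomobject]@{ VipPort = $sslPort; Mode = 'tcp-passthrough'; Members = @($members) }
        [pscustomobject]@{ VipPort = 80;       Mode = 'http'
                           Members = @($HttpBackends | ForEach-Object { [pscustomobject]@{ Address = $_; Port = 80 } }) }
    )
}
& $Publish $plan

# 5. Persist the allocation only after the device accepted the plan, so a failed push leaves no dangling VIP.
$state | ConvertTo-Json | Set-Content -Path $StatePath -Encoding UTF8
return $vip
```

Dropped into the hook above in place of C:\f5.ps1, the script still satisfies the contract (a VIP string comes back, or an exception that DNS-RegisterSSLBindings.ps1 turns into ErrorCode -1), while the provider only has to replace the $Publish block with the real device call. The RFC 1918 check is there because the front ends in the question live on private addresses: a binding pointing anywhere else is a sign that the wrong array was passed in, not something to put behind a public VIP.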