This topic has 4 replies, 2 voices, and was last updated 6 years, 1 month ago by migault1990.

  • #12382
     migault1990
    Participant

    Hey All –

    I am working on deploying 2 OpenAM servers.

    I am configuring HAProxy Loadbalancer to redirect traffic between those 2 OpenAM Servers.

    I want to implement Sticky/Persistent Session using OpenAM Session Cookies / amlbcookie.

    One of the requirements is to have end-to-end encryption User -> HAPROXY -> OpenAM.

    Here are my questions:

    1.) When traffic hits HAProxy, do we have to decrypt/re-encrypt the traffic for HAProxy to analyze the OpenAM Session Cookies / amlbcookie and redirect the traffic to the proper OpenAM Server?
    2.) Or should we setup HAProxy to do SSL Pass through?

    To summarize, what's the ideal SSL setup when you have a load balancer and multiple OpenAM Servers?

    Cheers,

    Louis

    #12383
     rusty.deaton
    Participant

    Like anything, right, it depends. If you are hosting this in a cloud environment, I wouldn’t necessarily recommend termination at the load balancer, and in fact stateless sessions may be a better choice because of this. If you are hosting this in an environment where you can accept the risk of SSL termination at the load balancer, then by all means, go for it.

    A better option may be TLS bridging. By performing termination at the LB you get more advanced routing and balancing capabilities, and by enforcing encryption through the remainder of the network you help ensure there are no potential issues across a cloud environment with regards to packet capture.

    #12385
     migault1990
    Participant

    Thanks for the insight.

    What about SSL Overhead by doing TLS bridging?

    #12386
     rusty.deaton
    Participant

    I mean yes, there's going to be overhead in a bridging configuration, but this again comes down to the risk you're willing to take on as an organization as well as the SLAs you have in place to meet. Generally a well-configured HAProxy instance with sufficient resources isn't going to add too much in the way of overall latency to a given transaction, but it is something to keep in mind when constructing a given workflow. Additionally, with a bridging configuration you can force-upgrade all traffic that moves across the proxy that may come to you as HTTP, which may be a plus to you as well depending on use case. For instance, a simple ACL for that might be something like:

    redirect scheme https code 301 if !{ ssl_fc }

    OpenAM + HAProxy can be amazing if you have the time to commit to both.

    #12400
     migault1990
    Participant

    Let's say we have 1 instance of HAProxy and 2 instances of OpenAM.

    What would be the HAProxy Configuration file?

    The requirements are:

    1.) TLS/SSL Bridging
    2.) Session Stickiness using OpenAM Cookies
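
Putting the pieces from this thread together, here is an added example of an HAProxy configuration (not rusty.deaton's or ForgeRock's own config) that terminates TLS at the proxy, re-encrypts to each OpenAM server (bridging), keeps the HTTP-to-HTTPS redirect quoted above, and sticks sessions on the amlbcookie that OpenAM already sets. Assumed: HAProxy 2.x, the certificate and CA file paths, hosts openam1/openam2 on port 8443, deployment URI /openam, and lbcookie values 01 and 02 configured on the respective OpenAM servers.

```haproxy
# Added example for this thread; paths, hostnames and cookie values are assumptions.
global
    log /dev/log local0
    # Minimum TLS version on both legs of the bridge (client->HAProxy, HAProxy->OpenAM).
    ssl-default-bind-options   ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_openam
    # Plain listener exists only so HTTP clients get upgraded by the redirect below.
    bind *:80
    # TLS terminates here: this is what lets HAProxy read amlbcookie (leg 1 of the bridge).
    bind *:443 ssl crt /etc/haproxy/certs/sso.example.com.pem alpn h2,http/1.1
    # The force-upgrade ACL from the thread.
    redirect scheme https code 301 if !{ ssl_fc }
    # Tell OpenAM the client arrived over HTTPS so it builds https:// URLs and secure cookies.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host  %[req.hdr(Host)]
    default_backend be_openam

backend be_openam
    balance roundrobin
    # Persistence on the cookie OpenAM sets itself: no mode keyword means HAProxy only
    # reads it and routes to the server whose "cookie" value matches, never rewrites it.
    cookie amlbcookie
    # Health check against OpenAM's liveness page (deployment URI /openam assumed).
    option httpchk GET /openam/isAlive.jsp
    http-check expect status 200
    # Leg 2 of the bridge: re-encrypt to each OpenAM and verify its certificate against
    # the internal CA, so a captured packet on the backend network is still ciphertext.
    server openam1 openam1.example.com:8443 cookie 01 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server openam2 openam2.example.com:8443 cookie 02 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

The `cookie 01` / `cookie 02` values must equal each server's own lbcookie value in OpenAM, otherwise a request carrying amlbcookie will not match any server and round-robin takes over.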



©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
