Support SSL termination on Cloud Load Balancers
Joe
shared this idea
Cloud Load Balancer is now offering SSL Termination via the API. Thanks for your patience on this release.
The API documents and API Getting Started guide are located at http://docs.rackspace.com
57 comments
-
Mark
commented
So can you help me understand how this solution is a viable option for anyone? If from the LB to the web server you have unencrypted data...why do this? Why would you get an SSL and then leave yourself open to be sniffed the last leg of the journey? Who does that, unless you just want to appear secure? I mean if you really care about your customers data, are you going to leave that big of a hole in your infrastructure? I don't get this...yes, I know your only vulnerable to other Rack customers on your segment...but having a hard time coming up with this actually being a viable solution.
-
mdalluge
commented
Update to the issue, hopefully this will help others: After some extensive testing, rackspace was able to confirm that the "Default" response is in fact being returned from the Cloud Load Balancer due to the 30 second session timeouts. In addition, they we able to verify that when using a regular HTTPS Load Balancer (with SSL passthrough), these requests are not subject to the timeout, and complete successfully. The reason behind that is that the SSL terminated Load Balancers are HTTP Load Balancers, and the traffic is treated as such. The session timeouts exist only on HTTP traffic, as per the API documentation:
"To prevent abuse, HTTP sessions have a timeout of 20 seconds before being closed."
-
mdalluge
commented
We went to SSL termination on the LB on one of our main applications, and reports that have large data sets are timing out with a message of Default. When our traffic was split between 80 and 443 LB's with no SSL termination we were not experieincing these performance problems, but since all traffic flows through 1 and we have the cert attached to the LB, we are experieincing slower reporting times, time outs, and frustrated customers. And true to form, it's being hinted that it's our application. No issues before the conversion, issues after...but it's our application. Also you should note....there is a 30 second timeout on the LB which is hard coded. Why we would be hitting this 30 second timeout with SSL term on the LB, but not hitting it before we did this is beyond me, and something the Rack Cloud team has yet to answer. For us the alternative is to once again only get the LB IP, by pulling out or go with their very expensive F5 solution - $1000 a month. Unless this is solved quickly, we are going to have to pull back from doing the SSL term at the LB.
-
Joseph,
You should now be seeing the appropriate X-Forwarded-Proto header in the HTTP request headers. Sorry for the delay on this.-Josh
-
dalefraser,
We do intend to support this in the UI. Stay tuned. :)Josh
-
Hi Anonymous, no contract is required to leverage the SSL termination feature.
-Josh -
Anonymous
commented
I'm losing customers over this stupid issue, and Rackspace wanted me to sign a service contract just for them to spend a few clicks to create a new https load balancer with SSL Cert. This is freaking rediculous!!!
-
dalefraser
commented
I dont see why they wouldn't build this into the UI, I can do everything else from the UI and I can configure this in Amazon on the UI.
-
Joseph Yancey
commented
To setup the load balancer to support ssl termination, you have to use the api. It was actually quite simple. You just have to create an http load balancer and call the api endpoint to setup ssl termination giving it your keys and certs. Once that's done, it works fine.
I have encountered a problem where the load balancer isn't attaching the X_FORWARDED_PROTO (or something similar) header indicating if the request was encrypted or not. I've had a ticket in to support for 24 hours now and the only response I've received is "we're looking into it and we'll update this ticket in a timely manner". This is the worst support I've received from rackspace by far. I realize this feature is new and all so I expected bugs but the least they could do is let us know what the issue is. We're all SysAdmins here. We know how this stuff works.
-
dalefraser
commented
I'm really not sure whats been done here, but I dont use the API. I use the control panel. And according to it "Session Persistence cannot be enabled for protocols other than HTTP (Port 80)."
-
Cloud Load Balancer is now offering SSL Termination via the API. Thanks for your patience on this release.
The API documents and API Getting Started guide are located http://docs.rackspace.com
-
mdalluge
commented
This was suppose to be available end of last year, then it was pushed to 2nd quarter of this year. That was extremely disappointing...however to post this comment, get our hopes up and then there's nothing since January 20th. is just plain unprofessional. We've been with Rackspace for 8 years and really enjoyed the fanatical support we received, until we went to the cloud. Things like these really cause us to question if staying with Rackspace merely for their reputation is a good move. How long can that reputation hold up with issues such as these.
-
Joseph Yancey
commented
Just an FYI, I JUST received an email from rackspace that stated:
I apologize for the lack of information around SSL termination.
Generally, our support teams are not briefed on the exact details of new
enhancements until shortly before they are released. SSL termination will
be announced and made available this week. Watch our blog for more
details. -
Joseph Yancey
commented
I just spoke with a cloud servers engineer (through live chat) and asked about this. I was forwarded to this post (which I already knew about) and when I asked if "Very Soon" meant days, weeks, months, or years; He told me he was leaning towards months but still had no ETA. I mentioned possibly having to migrate to amazon and that didn't seem to phase him. It seems like they get that a-lot.
-
dalefraser
commented
What a joke, why post it will be available "very soon" then post nothing for 40 days.
-
Martin Rouillard
commented
Same for Us, We just opened an account at Amazon, can't wait anymore.
-
Paul
commented
This is a 100% required feature, without access to HTTP_X_FORWARDED_FOR over SSL we lose all unique visitor counts and click stats. This is a must or us to use this service. As it stands we will have to migrate elsewhere.
-
karolo
commented
Think this maybe too late for me, my client wants me to start their build tomorrow so going to have to use Amazon. Thats a lot of hosting/servevrs to move away from Rackspace, going to be a long week
-
Stef
commented
As there is many unhappy peoples here, can we get a clear ETA so we can decide to wait or move else where ?
-
need it now
commented
When is this feature coming? We are not going to be able to wait much longer, we will move to another host to handle this.
