We used to make some special stuff for one of the clients, where all LB configuration work is done from outside of the ACS, i.e. a Python script to feed/configure the VR - install the latest haproxy 1.5.x for transparent proxy, since the client insisted on SSL termination being done on the backend web SSL servers... Not a good idea, that is all I can say (custom configuration thing) - but the LB setup is actually good - transparent mode haproxy, works on TCP level, so you can see the "real client IP" on the backend servers (which must use the VR as the default gtw, as per default, so the whole setup works properly).
I'm still looking forward to seeing some special support of LB inside VR via ACS - proper LB setup inside VR via GUI/API - i.e. to enable an LB provisioning SCRIPT (bash, or whatever), where all needed install+configure can be done from the client side - otherwise covering all user cases, with proper HTTP checks and similar... is impossible to do IMHO.

Some other clients actually have an internal FW appliance (i.e. multihomed VM, acting as gtw for all VMs in all networks), and haproxy installed on this device (with NAT configured from VR to this internal FW/VM, so remote IP can be seen properly) - this setup is fully under customer control, and can provide any kind of special haproxy config...

On 31 October 2017 at 19:54, Nux! <n...@li.nux.ro> wrote:

> Hello,
>
> Of the people running an LB (VR) with https backends, how do you deal with
> the lack of x-forwarded-for since for port 443 there's just simple TCP
> balancing?
>
> Has anyone thought of terminating SSL in the VR instead? Ideas?
>
> Cheers
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro

--
Andrija Panić
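
The transparent-mode setup described in the reply above (haproxy in TCP mode on the VR, TLS left to the backends, backends using the VR as default gateway), shown as an added example; it is not from the thread or from CloudStack. All addresses, names and the routing table number are constructed placeholders, and the kernel rules in the comments are the usual TPROXY-style divert rules, assumed here rather than taken from the poster's setup.

```haproxy
# Constructed example: 203.0.113.10 (public VIP) and 10.1.1.0/24 (guest
# network) are placeholder addresses.
#
# Assumed kernel-side rules on the router so that replies addressed to the
# real client IP are handed back to the local haproxy socket:
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#
# haproxy must be built with Linux TPROXY support and needs CAP_NET_ADMIN
# (in practice: started as root) to bind to a source address it does not own.

defaults
    mode tcp                  # layer 4 only: TLS is not terminated here
    option tcplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend https_in
    bind 203.0.113.10:443
    default_backend web_ssl

backend web_ssl
    balance roundrobin
    # Open the backend connection with the client's own source IP, so the
    # web servers log the real client address without X-Forwarded-For.
    source 0.0.0.0 usesrc clientip
    # Plain TCP connect checks; HTTP-level checks are not possible without
    # decrypting. Health checks use the router's own address.
    server web1 10.1.1.11:443 check
    server web2 10.1.1.12:443 check
```

If a backend's default route does not point at the router running haproxy, its replies go straight to the client and the connection never completes, which is why the reply stresses the default gateway requirement.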