Skip to main content
Question

HAProxy offloading

C
Forum|alt.badge.img+3

Hi Guys,
This is a followup in regards to https://jamfnation.jamfsoftware.com/discussion.html?id=6195

First, I have my JAMF server in AWS. I was running on an XL instance and running into utilization issues. So, I split my instance into multiple mediums and put a server in front of it running haproxy 1.5.

When I run SSL via the proxy I run into multiple issues. (this is with HAproxy as a http proxy with SSL)
If I run HAProxy as an SSL proxy, I need to connect to the JAMF servers over port 8080 so that the session works. When I do this, I can no longer enroll machines but the web interface works. The machines fail to enroll as they can't get the SSL certificate. (Thats the sudo jamf enroll error)

If I disable SSL on HAproxy and run it with SSL on the servers themselves I run into an issue with the web interface and sessions timing out all the time. (this is with HAproxy as a TCP proxy)

Does anyone have a working config for HAproxy or have any idea on how the fix this?

    3 replies

    J
    Forum|alt.badge.img+7
    • jdziat
    • Contributor
    • 44 replies
    • August 6, 2013

    Have you configured your server.xml file already? And why are you using port 8080 I thought all https connections went over 8443 unless you have already changed that. Any chance we could get more information on the setup you have so we can be of more help?

    C
    Forum|alt.badge.img+3
    • chrismay
    • Author
    • New Contributor
    • 2 replies
    • August 7, 2013

    Sure, I can post the configs in HAProxy.

    Working config with tons of SSL issues. (Cookie Problems, Multiple Auth issues, Reported IP is that of the load balancer for all jamf recon updates):

    global
        daemon
        maxconn 512

defaults
        mode http
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

frontend jamf
        mode tcp
        bind 0.0.0.0:8443
        default_backend jamfservers

backend jamfservers
        mode tcp
        balance roundrobin
        server s1 SERVER1:8443 check
        server s2 SERVER2:8443 check
        server s3 SERVER3:8443 check

listen stats :8080
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy Statistics
        stats uri /
        stats auth Username:Password

    Works for everything but enroll (Enroll fails for SSL reasons) (All SSL is offloaded from JAMF to the HAproxy) <- this is what I want to work

    global
        daemon
        maxconn 512

defaults
        mode http
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

frontend jamf
        mode http
        bind 0.0.0.0:8443 ssl crt /etc/haproxy/ssl/main.crt
        default_backend jamfservers

backend jamfservers
        mode http
        balance roundrobin
        cookie SERVERID insert nocache indirect
        option forwardfor
        server s1 SERVER1:8080 cookie A check
        server s2 SERVER2:8080 cookie B check
        server s3 SERVER3:8080 cookie C check

listen stats :8080
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy Statistics
        stats uri /
        stats auth Username:Password

    JAMF has port 8080 open for HTTP to allow the load blancer to inject cookies used to address route issues.
    Thanks

    C
    Forum|alt.badge.img+3
    • chrismay
    • Author
    • New Contributor
    • 2 replies
    • September 16, 2013

    anyone?

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings