Posted on 08-06-2013 10:05 AM
Hi Guys,
This is a followup in regards to https://jamfnation.jamfsoftware.com/discussion.html?id=6195
First, I have my JAMF server in AWS. I was running on an XL instance and running into utilization issues. So, I split my instance into multiple mediums and put a server in front of it running haproxy 1.5.
When I run SSL via the proxy I run into multiple issues. (This is with HAProxy as an HTTP proxy with SSL.)
If I run HAProxy as an SSL proxy, I need to connect to the JAMF servers over port 8080 so that the session works. When I do this, I can no longer enroll machines, but the web interface works. The machines fail to enroll as they can't get the SSL certificate. (That's the sudo jamf enroll error.)
If I disable SSL on HAProxy and run it with SSL on the servers themselves, I run into an issue with the web interface and sessions timing out all the time. (This is with HAProxy as a TCP proxy.)
Does anyone have a working config for HAProxy or have any idea on how to fix this?
Posted on 08-06-2013 12:08 PM
Have you configured your server.xml file already? And why are you using port 8080? I thought all HTTPS connections went over 8443, unless you have already changed that. Any chance we could get more information on the setup you have so we can be of more help?
Posted on 08-07-2013 12:11 PM
Sure, I can post the configs in HAProxy.
Working config with tons of SSL issues (cookie problems, multiple auth issues, reported IP is that of the load balancer for all jamf recon updates):

global
    daemon
    maxconn 512

defaults
    mode http
    # contimeout/clitimeout/srvtimeout are deprecated in 1.5; same values in ms
    timeout connect 5000
    timeout client  50000
    timeout server  50000

# TCP passthrough: TLS is not terminated here, so the JSS nodes see the
# proxy's address and no session cookie can be inserted.
frontend jamf
    mode tcp
    bind 0.0.0.0:8443
    default_backend jamfservers

backend jamfservers
    mode tcp
    balance roundrobin
    server s1 SERVER1:8443 check
    server s2 SERVER2:8443 check
    server s3 SERVER3:8443 check

listen stats :8080
    mode http
    stats enable
    stats hide-version
    # spaces in the realm must be escaped
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth Username:Password
Works for everything but enroll (enroll fails for SSL reasons; all SSL is offloaded from JAMF to HAProxy) <- this is what I want to work:

global
    daemon
    maxconn 512

defaults
    mode http
    # contimeout/clitimeout/srvtimeout are deprecated in 1.5; same values in ms
    timeout connect 5000
    timeout client  50000
    timeout server  50000

# TLS is terminated here with the proxy's own certificate; the JSS nodes
# are reached over plain HTTP on 8080.
frontend jamf
    mode http
    bind 0.0.0.0:8443 ssl crt /etc/haproxy/ssl/main.crt
    default_backend jamfservers

backend jamfservers
    mode http
    balance roundrobin
    # Insert a SERVERID cookie so a client keeps hitting the node that issued its session
    cookie SERVERID insert nocache indirect
    # Pass the real client address to Tomcat in X-Forwarded-For
    option forwardfor
    server s1 SERVER1:8080 cookie A check
    server s2 SERVER2:8080 cookie B check
    server s3 SERVER3:8080 cookie C check

listen stats :8080
    mode http
    stats enable
    stats hide-version
    # spaces in the realm must be escaped
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth Username:Password

JAMF has port 8080 open for HTTP to allow the load balancer to inject cookies used to address route issues.
Thanks
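As an added example that is not part of this thread or any Jamf/HAProxy documentation, here is a TCP-passthrough variant of the first config that keeps TLS end to end (so enrolling clients receive the JSS's own Tomcat certificate rather than one installed on the proxy) and adds source-IP stickiness. It assumes the session timeouts in TCP mode come from successive connections being round-robined to different JSS nodes, reuses the SERVER1..SERVER3 placeholders, and assumes an HAProxy 1.5 build with OpenSSL (already the case if `bind ... ssl crt` works).

```haproxy
global
    daemon
    maxconn 512

defaults
    mode tcp
    timeout connect 5000
    timeout client  50000
    timeout server  50000

# TLS passes through untouched: the proxy never holds the private key and
# clients validate the certificate served by the JSS node itself.
frontend jamf
    bind 0.0.0.0:8443
    default_backend jamfservers

backend jamfservers
    balance roundrobin
    # Pin each client address to one node for 30 minutes so its JSESSIONID
    # keeps landing on the Tomcat that issued it. Source-IP affinity is the
    # only persistence available without decrypting the stream, so clients
    # behind one NAT all share a node (assumed acceptable here).
    stick-table type ip size 200k expire 30m
    stick on src
    # Health-check with a TLS handshake instead of a bare TCP connect, so a
    # node whose Tomcat connector is down is pulled from rotation.
    server s1 SERVER1:8443 check check-ssl
    server s2 SERVER2:8443 check check-ssl
    server s3 SERVER3:8443 check check-ssl

# Stats page stays plain HTTP on a separate port; restrict it at the firewall.
listen stats
    bind 0.0.0.0:8080
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth Username:Password
```

In this mode the JSS still logs the proxy's address for recon updates, since no X-Forwarded-For header can be added to an encrypted stream; that trade-off is what the HTTP-mode config avoids at the cost of terminating TLS on the proxy.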
Posted on 09-16-2013 03:35 PM
anyone?