Posted on 10-25-2013 06:24 AM
I'm looking to build a clustered instance jss behind a load balancer to improve uptime and scale a new Casper 9 deployment. The last time I did this, I had a networking team and a budget to get F5s in to handle the load balancing, and I could focus on getting the services running; however, this new project has a budget of my time and maybe some leftover coffee in the employee breakroom.
Do any of you fine folk have recommendations for free/cheap load balancers and configuring them? Inquiring minds want to know.
Posted on 10-25-2013 06:30 AM
You can use Pound http://www.apsis.ch/pound or Citrix VPX free for one year http://www.citrix.com/products/netscaler-application-delivery-controller/try.html. I'm sure there are others but that is the two I have used.
Posted on 10-25-2013 07:04 AM
I second Pound, It's fantastic. Also nginx will work too.
I have configs for both if you need them
Dan
Posted on 10-25-2013 07:28 AM
I'll give pound and nginx a shot -- I'd love the configs if you're willing to share.
Posted on 10-25-2013 10:53 AM
I use HAProxy if you're looking for another alternative also...
Posted on 10-25-2013 10:56 AM
also varnish https://www.varnish-software.com/
Posted on 10-28-2013 12:58 PM
@Lotusshaney - you still up for sharing those pound configs?
Posted on 10-31-2013 03:24 AM
seconded!
Posted on 11-11-2013 01:36 AM
Hi All, Here is my pound config :-
User "www-data"
Group "www-data"
#RootJail "/chroot/pound"
## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 1
## check backend every X secs:
Alive 30
# poundctl control socket
Control "/var/run/pound/poundctl.socket"

# Plain HTTP listener: its only job is to send clients to the HTTPS listener below
ListenHTTP
    Address 172.16.169.131
    Port 80
    # Drop any client-supplied X-Forwarded-For so only Pound's own value reaches Tomcat
    HeadRemove "X-Forwarded-For"
    Service
        Redirect "https://172.16.169.131:8443"
    End
End

# HTTPS listener: SSL terminates here, backends are reached over clear HTTP
ListenHTTPS
    Address 172.16.169.131
    Port 8443
    HeadRemove "X-Forwarded-For"
    # PEM file holding the server certificate (and chain) plus the private key
    Cert "/etc/pound/pound.pem"
    Service
        # One BackEnd block per JSS/Tomcat instance; add or remove servers here
        BackEnd
            Address 172.16.169.128
            Port 9006
        End
        BackEnd
            Address 172.16.169.129
            Port 9006
        End
        BackEnd
            Address 172.16.169.130
            Port 9006
        End
        # Keep a client on the same backend by following Tomcat's session cookie
        Session
            Type Cookie
            ID "JSESSIONID"
            TTL 300
        End
    End
End
The way I have pound set up is that it's doing the SSL termination and load balancing to 3 servers. Each BackEnd entry is a server; you can add or remove servers here.
The SSL cert is loaded onto the pound server and pound forwards the data to the servers in clear HTTP, but data going to the clients is SSL'ed.
The ListenHTTP is just redirecting HTTP to HTTPS, just in case.
Don't forget that the normal JSS load balancer config of clicking a box won't work 100%: you will get the IP address of the load balancer as the IP address of the client Mac, so you need to add some more to Tomcat's config. Have a look here :-
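The client-IP problem described above, as an added example that is not code from this thread, from Jamf or from Pound: it models the check Tomcat's RemoteIpValve performs once configured (trust X-Forwarded-For only when the TCP peer is a known proxy, then take the right-most hop that is not one of our own proxies). The trusted-proxy list and the sample requests are constructed; 172.16.169.131 is the Pound address from the config above.

```python
"""Recover the real client address behind a Pound-style load balancer.

Added example (not the thread's, Jamf's or Pound's code). It models the
rule Tomcat's RemoteIpValve applies: believe X-Forwarded-For only when the
TCP peer is a trusted proxy, then take the right-most hop that is not
itself a proxy. Proxy list and requests below are constructed samples.
"""
import ipaddress

# Constructed trust list: only the Pound host may assert a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.169.131/32")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log for a request.

    peer_addr is the TCP source Tomcat sees; headers is the request header
    map (case-insensitive lookup). A client reaching Tomcat directly could
    forge X-Forwarded-For, so the header is ignored unless the peer is a
    trusted proxy. Walking right to left works because each proxy appends
    the address it actually talked to as the last element; values a client
    put in earlier (when HeadRemove is not used) are never chosen first.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the proxy itself
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr  # no header, or only proxy addresses in it


if __name__ == "__main__":
    # Pound with HeadRemove: a single hop, the real client
    print(client_ip("172.16.169.131", {"X-Forwarded-For": "10.0.0.7"}))
    # Client-supplied value survived in front; the real client is still chosen
    print(client_ip("172.16.169.131", {"X-Forwarded-For": "1.2.3.4, 10.0.0.7"}))
    # Direct connection from an untrusted peer: header ignored entirely
    print(client_ip("10.0.0.9", {"X-Forwarded-For": "1.2.3.4"}))
```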
Posted on 12-02-2013 01:40 PM
How did you setup SSL termination using the load balancer?
I've added the cert to the pound server.
I also modified the server.xml file on my tomcat instance with the following:
<!-- Tomcat listens on 8080 in clear text; proxyPort/scheme tell it the
     public address is https on 443 so redirects and absolute URLs are
     built for the load balancer rather than for the backend itself -->
<Connector port="8080" proxyPort="443" scheme="https" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443" />
Do I need to add the cert somewhere on the tomcat server also? Traffic appears to be being redirected properly when accessing the JSS web portal, but I'm unable to enroll machines.
Thanks!
Posted on 12-02-2013 01:44 PM
@Lutz -- the pound config posted by @Lotusshaney has that item covered in line 32 -- I had a little trouble with the .pem file, but fixed that when I rebuilt it in the correct order. Once that's fixed, it should be handing off the sessions automatically.
Posted on 12-02-2013 01:46 PM
@Lutz - also, I totally added the signed cert via the web app as well, and configured tomcat to work behind a load balancer [also via the web app]. Works like a charm.
Posted on 12-03-2013 07:00 AM
@kraigschroth - thanks, that helps. I'm running into a small snag though. Because I have multiple JSS instances running on the same Tomcat server, the web app doesn't have the ability to add the cert directly.
Any idea on how/where to add the certs manually through command line? They're running on ubuntu servers.
Posted on 12-03-2013 07:06 AM
@Lutz If you're using multi context sessions, you'll need to import the all of those items into the Tomcat keystore, and then declare the /path/to/keystore.jks and password in your /path/to/tomcat/conf/server.xml file for the appropriate connector. You can use keytool to import the correct items into the tomcat keystore using the -import verb. Just make sure to import the root CA cert into the keystore using the alias -root and the signed certificate with the -alias of tomcat.
Posted on 12-03-2013 11:16 PM
@Lutz @kraigschroth
Do you really have to upload the .pem file to all WebApps?
I don't think so.
If it's self-signed;
1) You create a Key and CSR on the Load Balancer
2) Get the CSR signed from JSS's CA
3) Upload it to Load Balancer and combine the Key and JSS signed Cert to single .pem file and use it with Pound.
If you have a properly signed certificate from a third party vendor like Comodo;
Just combine the Key and signed Cert to single .pem file and use it it directly with Pound. No need to get JSS's CA as it has been signed properly.
Posted on 12-04-2013 12:09 AM
@Lotusshaney
Can you please post the nginx config as well.
Posted on 12-04-2013 07:17 AM
@Kumarasinghe - I edited my response to reflect that. I have done that extra step historically for testing purposes.
Posted on 12-04-2013 07:19 AM
@Lutz @Kumarasinghe is correct -- you don't technically *have* to upload it to the instances, but you certainly *can*. I do it as a part of my testing process (validating against instances in my dev/prod environments) and without knowing more about how your multicontext deployment is configured you may or may not want to do either. I'll leave that up to your choice.
Posted on 12-14-2013 10:55 AM
@Kumarasinghe @kraigschroth thanks for all of your help, I was able to get everything working last week.
For the sake of completeness and anyone using this for reference, I do have a properly signed cert from a third party.
Using that directly with Pound works great, no technical need to install them on your Tomcat instances.
Initially, after setting up the SSL termination with Pound I started getting certificate errors when attempting to enroll machines via the QuickAdd package. Like an amateur I of course started troubleshooting the most complicated pieces first, which led me to configuring the certs on the LB & JSSs and re-editing the Tomcat .xml files.
With all of the changes I'd been making with config files and cert requests, etc. I forgot to check the basics. In my JSS Global Management Settings, I never changed my JSS URL to match that of the Load Balancer address and port. I changed that and everything started working 100%.
Thanks again for all the help, it did keep me sane and clarified a few things.
Posted on 05-22-2014 09:16 PM
@Lotusshaney
I really like to see your nginx config. Can you please post it here.
Thanks.
Posted on 05-25-2014 09:54 PM
Has anyone had any success setting up a JDS behind an nginx load balancer? I'm seeing a lot of errors in /usr/local/jds/logs/jamf.log: 661 ERROR Communication error with the JSS, 661 ERROR (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')
When we look at the JDS in the JSS we get
Display Name - no name
Root - Yes
Parent JDS Instance - NONE
Hostname
JDS URL: https://FQDN
Reported IP Address
jamfds binary Version:
Operating System:
Operating System Version:
Total Memory:
Available Memory:
Hard Drive Size: -1024 B
Hard Drive Used Space: -1 %