Test scripts how to integrate haproxy SSL Termination with mod-vhost-ldap backend

oerdnj/haproxy-mod-vhost-ldap

haproxy on top of mod_vhost_ldap

Right now this is just a collection of random notes.

HAProxy performance

There are some numbers available in https://github.com/observing/balancerbattle

The contestants were http-proxy (node.js), nginx, haproxy and haproxy+stud.

Debian/Ubuntu HAProxy packages

For SSL SNI support, you need to use haproxy 1.5.x available from http://haproxy.debian.net/

GNU Parallel

If you are working with many domains, it's best to use parallel instead of xargs, as it makes better use of all CPU cores:

sudo apt-get install parallel
< list parallel CMD {}

x509 Certificates and Keys

The cert and key of a site need to be concatenated into one .pem file. If you are using any intermediate certs (f.e. StartSSL needs one), put them into the file as well.

As a rule of thumb: one website, one file. haproxy loads every file in the directory.

haproxy.cfg has 'strict-sni', that is, haproxy refuses the TLS handshake if the client sent no SNI or no certificate matches the name it sent:

$ openssl s_client -servername sdghjhsgs.com -connect 127.0.0.1:443
CONNECTED(00000003)
140657022617232:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 327 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

If you want to have a default certificate, add one more crt directive to the bind line (it has to be the first one) pointing at that specific certificate.
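A haproxy.cfg fragment showing the bind line this section describes. It is an added example, not the configuration file of this repository; the certificate paths under /etc/haproxy/certs/ and the Apache backend address are assumptions.

```haproxy
# Added example, not the repository's haproxy.cfg. Paths are assumptions.
global
    maxconn 4096
    # avoids the 1.5 warning about 1024-bit DH parameters
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # One PEM per site in the directory; strict-sni makes haproxy abort the
    # handshake when the SNI is missing or matches no file there (the client
    # sees "tlsv1 unrecognized name", as in the s_client output above).
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
    # Variant with a default certificate: the first crt on the line is the
    # default. The haproxy manual states that strict-sni disables the default
    # certificate, so it is left out in this variant.
    # bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs/
    default_backend apache

backend apache
    # mod_vhost_ldap picks the vhost from the Host header, which http mode
    # passes through unchanged; forwardfor lets Apache log the real client IP.
    option forwardfor
    server local 127.0.0.1:80
    # https relaying variant (backend on another host): verify its certificate.
    # server local 127.0.0.1:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
```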

The certificates have one common key (server.key) generated by:

openssl genrsa -out server.key 512

Then do something like:

< allowed_sites parallel --jobs 10% ./gen-pem.sh {}
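A gen-pem.sh-style script for the steps above, added here as an example; it is not the gen-pem.sh of this repository. It writes one bundle per site into a certificate directory (./certs by default, an assumption) signed with the shared server.key, and it checks a bundle before haproxy gets to see it: exactly one private key, at least one certificate, and no world-readable permissions. The README's 512-bit key is fine for a throwaway local test; if no key exists the script generates 2048 bits, since current OpenSSL security levels and browsers reject RSA keys below 1024 bits for TLS.

```shell
#!/bin/sh
# Added example (not the repository's gen-pem.sh): build one PEM bundle per
# site for haproxy's "crt <dir>" loading and sanity-check each bundle.
set -eu

CERT_DIR="${CERT_DIR:-./certs}"       # assumption: haproxy loads crt from here
KEY_FILE="${KEY_FILE:-server.key}"   # the shared key from the README
INTERMEDIATE="${INTERMEDIATE:-}"     # optional CA chain file (e.g. StartSSL)

# check_pem FILE: succeed only if FILE holds exactly one private key and at
# least one certificate and is not readable by everyone; reports why not.
check_pem() {
    f="$1"
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    keys=$(grep -c -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    if [ "$keys" -ne 1 ]; then
        echo "$f: expected exactly 1 private key, found $keys" >&2; return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "$f: no certificate block" >&2; return 1
    fi
    # the bundle carries the private key, so it must not be world-readable
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f: bundle is world-readable" >&2; return 1
    fi
    return 0
}

# gen_pem SITE: self-signed test cert for SITE on the shared key, bundled as
# leaf certificate, then intermediates (if any), then the key.
gen_pem() {
    site="$1"
    out="$CERT_DIR/$site.pem"
    mkdir -p "$CERT_DIR"
    [ -f "$KEY_FILE" ] || openssl genrsa -out "$KEY_FILE" 2048
    openssl req -new -x509 -key "$KEY_FILE" -days 30 -subj "/CN=$site" \
        -out "$CERT_DIR/$site.crt"
    umask 077
    cat "$CERT_DIR/$site.crt" > "$out"
    if [ -n "$INTERMEDIATE" ]; then cat "$INTERMEDIATE" >> "$out"; fi
    cat "$KEY_FILE" >> "$out"
    chmod 600 "$out"
    check_pem "$out"
}

# Usage: ./gen-pem.sh build SITE   (or via parallel as in the README)
if [ "${1:-}" = "build" ]; then
    gen_pem "$2"
fi
```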

https relaying

haproxy can connect to backend servers via https. This is not strictly necessary if haproxy and the backend run on the same host.

TODO: Test it...

Running haproxy for local tests

Run in the foreground:

haproxy -db -f haproxy.cfg

To only check the configuration without starting haproxy, use haproxy -c -f haproxy.cfg.

For production, just move the configuration file to /etc/haproxy/ (and probably use some supervisor; there's systemd in wheezy-backports).

Testing the connection

For a single connection issue:

openssl s_client -servername <SNI_name> -connect localhost:443

For a massive test (test each domain 20 times) do:

< allowed_sites xargs -i sh -c 'for a in $(seq 1 20); do echo {}; done' | parallel curl --insecure --resolve {}:443:127.0.0.1 -s -o /dev/null "https://{}/"

Configuring mod_vhost_ldap

The new slapd in jessie needs the schema in LDIF format; I have attached it to this repository. Just copy cn={4}mod_vhost_ldap.ldif into the /etc/ldap/slapd.d/cn=config/cn=schema/ directory.

Importing test domains

To generate LDIF that can be imported to SLAPD:

cat import > import.ldif
< allowed_sites parallel --jobs 100% ./gen-vhosts.sh {}
ldapadd -x -D <binddn> -w <bindpw> < import.ldif
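A gen-vhosts.sh-style generator for the import step above, added as an example; it is not the gen-vhosts.sh of this repository. The objectClass and attribute names come from mod_vhost_ldap's apacheConfig schema; the ou=vhosts branch, the /var/www/<site> document root and the www. alias are assumptions. Each site name is validated before it is put into a DN, so a stray line in allowed_sites cannot add attributes or change the DN of the record.

```shell
#!/bin/sh
# Added example (not the repository's gen-vhosts.sh): emit one mod_vhost_ldap
# record per site read from an allowed_sites-style list. DN layout and
# document root are assumptions.
set -eu

# valid_site NAME: accept DNS-style host names only. Spaces, commas, '=' or
# '+' would alter the DN or the LDIF record, so such names are rejected.
valid_site() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# gen_vhost_ldif SITE BASEDN: print the LDIF record for one virtual host.
gen_vhost_ldif() {
    site="$1"; basedn="$2"
    valid_site "$site" || { echo "skipping invalid site name: $site" >&2; return 1; }
    printf '%s\n' \
        "dn: apacheServerName=$site,ou=vhosts,$basedn" \
        "objectClass: top" \
        "objectClass: apacheConfig" \
        "apacheServerName: $site" \
        "apacheServerAlias: www.$site" \
        "apacheDocumentRoot: /var/www/$site" \
        "apacheServerAdmin: webmaster@$site" \
        ""
}

# gen_import LISTFILE BASEDN: one record per line of the list; invalid names
# are reported on stderr and skipped, the rest of the import still proceeds.
gen_import() {
    list="$1"; basedn="$2"
    while IFS= read -r site || [ -n "$site" ]; do
        gen_vhost_ldif "$site" "$basedn" || true
    done < "$list"
}

# Usage: ./gen-vhosts.sh build dc=example,dc=org >> import.ldif
if [ "${1:-}" = "build" ]; then
    gen_import allowed_sites "${2:-dc=example,dc=org}"
fi
```

Append the output to the import.ldif that already holds the header from the import file, then load it with ldapadd as shown above.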

Apache2 configuration

Install mod_vhost_ldap:

sudo apt-get install libapache2-mod-vhost-ldap

Now configure the LDAP access and basedn in /etc/apache2/mods-enabled/vhost_ldap.conf.

Enable required modules:

sudo a2enmod ldap
sudo a2enmod vhost_ldap

And restart apache2:

sudo apache2ctl restart
