dannyman.toldme.com


Technical

Load Balancer Config: when “Not Authorized” means “Yes”

I wanted to share a clever load balancer config strategy I accidentally discovered. The use case is you want to make a web service available to clients on the Internet. Two things you’ll need are:

1) an authentication mechanism
2) encrypted transport (HTTPS)

You can wrap authentication around an arbitrary web app with HTTP auth. Easy and done.

For encrypted transport of web traffic, I now love sslmate is the greatest thing since sliced bread. Why?

1) Inexpensive SSL certs.
2) You order / install the certs from a command line.
3) They feed you the conf you probably need for your software.
4) Then you can put the auto-renew in cron.

So, for example, an nginx set up to answer on port 443, handle the SSL connection, do http auth, then proxy over to the actual service, running on port 12345:

server {
    listen 443;
    server_name example.com;
    location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_pass         http://127.0.0.1:12345;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        auth_basic "Restricted";                    #For Basic Auth
        auth_basic_user_file /etc/nginx/.htpasswd;  #For Basic Auth
    }
    # Sample config from https://sslmate.com/help/buy
    ssl on;
    ssl_certificate_key /etc/sslmate/example.com.key;
    ssl_certificate /etc/sslmate/example.com.chained.crt;
    # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
    # &c.
}

The clever load balancer config? The health check is to hit the server(s) in the pool, request / via HTTPS, and expect a 401 response. The load balancer doesn’t know the application password, so if you don’t let it in, you must be doing something right. If someone mucks with the server configuration and disables HTTP AUTH, then the load-balancer will get 200 on its health checks, regard success as an error, and “fail safe” by taking the server out of the pool, thus preventing people from accessing the site without a password.

Tell the load balancer that success is not an acceptable outcome

Tell the load balancer that success is not an acceptable outcome

Read More

Next:
Previous:
Categories: Technical

Danny Howard is 100% responsible for the content on this site, except some of it is stolen. (Sorry about that.)

Intellectual property on this web site is reserved for re-use under the terms of the Creative Commons license. Derivative works may be created for non-commercial purposes, with proper attribution.

You can contact me via e-mail: dannyman@toldme.com

Most of //dannyman.toldme.com/ is powered by WordPress.

If you're hip to RSS and whatnot, you can subscribe to this site.

Mastodon

Discover more from dannyman.toldme.com

Subscribe now to keep reading and get access to the full archive.

Continue reading