(Migrated) Issues when setting up HAProxy with ssl/tls only

(This message has been automatically imported from the retired mailing list)

I have updated the HAProxy config to only support ssl (By updating haproxy to version 1.5 and changing its config according to the zato docs. Good docs.) The haproxy end-point works fine and only allows calls on https. I know the frontend naming in the pastebin below says front_http_plain (sorry).

This is my config:

http://pastebin.com/25t4mqbW

When opening

http://localhost:8183/zato/load-balancer/manage/cluster/1/

it returns an error page/message saying:

KeyError at /zato/load-balancer/manage/cluster/1/
u'bind'
Request Method: GET
Request URL: http://appcloud-test.foxway.com:8183/zato/load-balancer/manage/cluster/1/
Django Version: 1.3.7
Exception Type: KeyError
Exception Value:
u'bind'
Exception Location: /opt/zato/2.0.1/zato-web-admin/src/zato/admin/web/views/load_balancer.py in manage, line 156
Python Executable: /opt/zato/2.0.1/bin/python
Python Version: 2.7.3
…
For some reason it does not find the ‘bind’ config key anymore. I have not yet looked deeply into exactly how this is parsed or if I can do something smart about it.

And also when selecting the cluster to list services (on http://appcloud-test.foxway.com:8183/zato/service/details) it still points to http://localhost:11223

Where or how can I update the cluster link to https?

And if I can get any pointer to where/why the bind parameter is not recognized it would be nice.

--
Daniel Grindelid

On 22/04/15 11:34, Daniel Grindelid wrote:

For some reason it does not find the ‘bind’ config key anymore. I have
not yet looked deeply into exactly how this is parsed or if I can do
something smart about it.

Hi Daniel,

this is what it looks like in pristine form right after an LB has been
created:

frontend front_http_plain

mode http
default_backend bck_http_plain

option forwardfor
option httplog # ZATO frontend front_http_plain:option log-http-requests
bind 127.0.0.1:11223 # ZATO frontend front_http_plain:bind
maxconn 200 # ZATO frontend front_http_plain:maxconn

monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri

You need to keep track of ‘# ZATO’ markers and insert them back where
they belong, including everything that they are followed with.

Where or how can I update the cluster link to https?

If you mean the address that LB exposes for servers to be invoked, that
very config file is the place.

:) Thank you. These were not just comments, but definitions for zato.
I did not realize.

Br, Daniel Grindelid

--
Daniel Grindelid

From: Dariusz Suchojad <dsuch@zato.io>
Reply-To: Dariusz Suchojad <dsuch@zato.io>
Date: 22 April 2015 at 12:40:25
To: Daniel Grindelid <daniel.grindelid@gmail.com>, zato-discuss@lists.zato.io <zato-discuss@lists.zato.io>
Subject: Re: [Zato-discuss] Issues when setting up HAProxy with ssl/tls only


Now it almost works.

However I am not getting if it is zato that is translating this line from the config:

monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri

to

http://localhost:11223/zato-lb-alive

# which doesn’t work since it says http (that is not available) and renders a stack trace

Could not open URL [http://0.0.0.0:11223/zato-lb-alive], e:[Traceback (most recent call last):
  File "/opt/zato/2.0.1/zato-agent/src/zato/agent/load_balancer/server.py", line 432, in _lb_agent_is_haproxy_alive
    conn = urllib.urlopen(url)
  File "/usr/lib/python2.7/urllib.py", line 86, in urlopen
    return opener.open(url)
  File "/usr/lib/python2.7/urllib.py", line 207, in open\n    return getattr(self, name)(url)
  File "/usr/lib/python2.7/urllib.py", line 351, in open_http
    \'got a bad status line\', None)
IOError: (\'http protocol error\', 0, \'got a bad status line\', None)
]'>

on Config GUI view page instead of

https://localhost:11223/zato-lb-alive

I’ll do some more investigation/education to see if I can understand how/what works.

Br, Daniel Grindelid


On 22/04/15 14:44, Daniel Grindelid wrote:

However I am not getting if it is zato that is translating this line
from the config:

monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri

to

http://localhost:11223/zato-lb-alive

Yes, this is Zato doing it.

If you have a look here …

https://github.com/zatosource/zato/blob/master/code/zato-web-admin/src/zato/admin/templates/zato/cluster/addresses.html

… you’ll notice that http:// is hard-coded.

This should not be the case, naturally, and will be changed to
accommodate the fact that a LB can be fully behind TLS:

https://github.com/zatosource/zato/issues/433

thanks,

Good idea.

I guess it is also here:

https://github.com/zatosource/zato/blob/master/code/zato-agent/src/zato/agent/load_balancer/server.py#L429

and possibly somewhere else since I do not seem to be able to update the cluster address for listing service by updating the addresses.html

The addresses in the template are just used in web-admin I presume.


Daniel Grindelid

From: Dariusz Suchojad <dsuch@zato.io>
Reply-To: Dariusz Suchojad <dsuch@zato.io>
Date: 22 April 2015 at 14:55:58
To: Daniel Grindelid <daniel.grindelid@gmail.com>, zato-discuss@lists.zato.io <zato-discuss@lists.zato.io>
Subject: Re: [Zato-discuss] Issues when setting up HAProxy with ssl/tls only

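Added example, not part of the original thread and not Zato's own code: a pre-deployment check for the two points raised in the replies above, namely that every `# ZATO` marker survives a manual edit of the frontend block, and that the liveness URL should follow the scheme of the `bind` line rather than a hard-coded `http://`. The marker format is assumed from the pristine block quoted in the thread; the TLS `bind` line, the certificate path and the function names are constructed for illustration.

```python
import re

# Marker format assumed from the thread: "<directive> # ZATO <section> <name>:<key>"
MARKER = re.compile(
    r"^(?P<value>[^#]*?)\s*#\s*ZATO\s+(?P<section>\S+)\s+(?P<name>\S+):(?P<key>.+?)\s*$")

# Keys carried by the pristine front_http_plain block quoted in the thread.
REQUIRED = {"option log-http-requests", "bind", "maxconn", "monitor-uri"}

PRISTINE = """\
frontend front_http_plain
    mode http
    default_backend bck_http_plain
    option forwardfor
    option httplog # ZATO frontend front_http_plain:option log-http-requests
    bind 127.0.0.1:11223 # ZATO frontend front_http_plain:bind
    maxconn 200 # ZATO frontend front_http_plain:maxconn
    monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri
"""
# Constructed TLS bind line (HAProxy 1.5 syntax); the certificate path is a placeholder.
TLS_BIND = "bind 127.0.0.1:11223 ssl crt /path/to/cert.pem"
# Edit that drops the marker, the situation behind KeyError u'bind'.
BROKEN = PRISTINE.replace(
    "bind 127.0.0.1:11223 # ZATO frontend front_http_plain:bind", TLS_BIND)
# Same edit with the marker kept in place.
FIXED = PRISTINE.replace("bind 127.0.0.1:11223", TLS_BIND)

def zato_markers(config_text, section="frontend", name="front_http_plain"):
    """Return {key: directive text} for every '# ZATO' marker of one section."""
    found = {}
    for line in config_text.splitlines():
        m = MARKER.match(line.strip())
        if m and m["section"] == section and m["name"] == name:
            found[m["key"]] = m["value"].strip()
    return found

def missing_markers(config_text):
    """List the required marker keys that an edit has removed."""
    return sorted(REQUIRED - set(zato_markers(config_text)))

def monitor_url(config_text, host="localhost"):
    """Build the liveness URL, choosing https when the bind line enables TLS."""
    markers = zato_markers(config_text)
    bind_args = markers["bind"].split()   # ['bind', '127.0.0.1:11223', 'ssl', ...]
    port = bind_args[1].rsplit(":", 1)[1]
    scheme = "https" if "ssl" in bind_args[2:] else "http"
    path = markers["monitor-uri"].split()[1]
    return f"{scheme}://{host}:{port}{path}"
```

Running `missing_markers` on a candidate config before restarting the load balancer reports a dropped `bind` marker up front, before it shows up as an error page in web-admin.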