10 June 2022

OCI SSL Lbaas

A clear post on the different use cases of SSL with LBaaS in OCI:

https://www.ateam-oracle.com/post/load-balancing-ssl-traffic-in-oci

  • SSL Termination: in this scenario, an organization has decided that the Backend servers serve only HTTP- or TCP-based requests, i.e. no HTTPS or SSL requests. However, the client requests (say from a browser) still need to be secured. Both requirements are satisfied by having the Load Balancer play the role of an intermediary: the SSL connection terminates at the Load Balancer, and the connections between the Load Balancer and the Backend servers are unsecured.

    Listener: "Use SSL". 

    1. The Listener listens on port 443.
    2. The “Use SSL” check box is selected.
    3. The certificate bundle LB-Cert-1 is chosen.
    4. The Backend Set “Backend-NoSSL” created in the previous steps is selected to complete the configuration of the Listener.
    5. “Verify Peer Certificate” (shown in the article's figure) is used for client authentication.


  • SSL Tunneling: In this scenario, it is required that the entire transport channel between the client and the Backend server is secured. In other words, no intermediate entity including the Load Balancer should be able to see any of the contents of either the request or the response.

    In the article's figure, the TCP connection is tunneled through the Load Balancer all the way to a Backend. Thus the SSL connections are terminated at the Backend servers. To illustrate this scenario, I will use a Backend Set comprising two new Oracle Linux compute instances, lb-ssl-backend-1 and lb-ssl-backend-2. Unlike the SSL Termination scenario, where the two servers had just Apache HTTP Server installed, here I have installed Apache with the mod_ssl package on both instances.

    Listener: NOT "Use SSL". 

    1. For SSL Tunneling, the “Protocol” field should be “TCP”. This has some ramifications, which the article discusses.
    2. Also, the “Use SSL” check box should remain unselected (the default).
    3. The Backend Set selected is the one defined in the previous step.

  • End To End SSL: in this scenario, the SSL connection from the client terminates at the Load Balancer and then a new SSL connection is initiated from the Load Balancer to the Backend server. This configuration is useful if the Load Balancer needs to filter HTTP headers in requests and responses.



    Listener: "Use SSL". 
    Backend: "Use SSL". 
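To make the three combinations above concrete, here is a small added example (not code from the A-Team post and not the OCI SDK) that models a listener and a backend set with hypothetical dataclasses, names which of the three SSL patterns a pair implements, and flags the combinations the post says will not work as intended, for example a port 443 listener without "Use SSL" that is not set to protocol TCP. The rule set and the "note:"/"error:" prefixes are my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical model of the console fields (assumption: not the OCI SDK types).
@dataclass
class Listener:
    port: int
    protocol: str                          # "HTTP" or "TCP"
    use_ssl: bool                          # the "Use SSL" check box
    certificate_name: Optional[str] = None # e.g. the LB-Cert-1 bundle
    verify_peer_certificate: bool = False  # client-certificate authentication


@dataclass
class BackendSet:
    name: str
    use_ssl: bool                          # "Use SSL" on the backend set
    certificate_name: Optional[str] = None


def ssl_mode(listener: Listener, backend: BackendSet) -> str:
    """Name the SSL pattern this listener/backend-set pair implements."""
    if listener.use_ssl and backend.use_ssl:
        return "end-to-end"   # TLS to the LB, then a new TLS session LB -> backend
    if listener.use_ssl:
        return "termination"  # TLS ends at the LB, plaintext LB -> backend
    if listener.protocol == "TCP":
        return "tunneling"    # LB forwards raw bytes, TLS ends on the backends
    return "plaintext"        # no TLS anywhere on the path


def check_config(listener: Listener, backend: BackendSet) -> List[str]:
    """Return 'error:' findings for broken combinations and 'note:' findings
    for working ones a practitioner should still be aware of."""
    findings: List[str] = []
    mode = ssl_mode(listener, backend)

    if listener.use_ssl and not listener.certificate_name:
        findings.append("error: listener 'Use SSL' needs a certificate bundle")
    if backend.use_ssl and not backend.certificate_name:
        findings.append("error: backend set 'Use SSL' needs a certificate bundle")
    if listener.verify_peer_certificate and not listener.use_ssl:
        findings.append("error: 'Verify Peer Certificate' only applies when the "
                        "listener uses SSL")
    # Tunneling: the LB must not try to parse the TLS bytes as HTTP.
    if not listener.use_ssl and listener.port == 443 and listener.protocol != "TCP":
        findings.append("error: a 443 listener without 'Use SSL' must use "
                        "protocol TCP to tunnel TLS to the backends")
    if mode == "termination":
        findings.append("note: LB -> backend traffic is unencrypted; keep the "
                        "backends on a private subnet")
    if mode == "tunneling":
        findings.append("note: the LB cannot inspect or rewrite HTTP headers; "
                        "backends must present their own certificates")
    return findings


# Constructed sample configurations mirroring the three scenarios.
TERMINATION = (Listener(443, "HTTP", True, "LB-Cert-1", False),
               BackendSet("Backend-NoSSL", False))
TUNNELING = (Listener(443, "TCP", False), BackendSet("Backend-SSL", False))
END_TO_END = (Listener(443, "HTTP", True, "LB-Cert-1"),
              BackendSet("Backend-SSL", True, "Backend-CA-Bundle"))
BROKEN = (Listener(443, "HTTP", False), BackendSet("Backend-SSL", False))

if __name__ == "__main__":
    for label, (lst, bes) in {"termination": TERMINATION, "tunneling": TUNNELING,
                              "end-to-end": END_TO_END, "broken": BROKEN}.items():
        print(label, "->", ssl_mode(lst, bes), check_config(lst, bes))
```

The "note" findings are the operational consequences the post describes: termination leaves the LB-to-backend hop in clear text, and tunneling removes the Load Balancer's ability to filter headers, which is exactly why End To End SSL exists as the third option.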



Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.