WCF using certificate over ssl (HTTPS) in load balancer environment - asp.net

I want to find out how to set up a WCF service which communicates with the client via a certificate over SSL (HTTPS) in a load balancer environment. The certificate is used for message exchanges.
Update
Below is current setup:
WCF 3.5 is used, but can be changed to ver 4 if required.
IIS7.5 and ASP.NET 3.5
certificate is installed on each IIS,
each WCF app is installed on each IIS,
certificate is issued to *.mydomainname.com, where my app is under myapp.mydomainname.com
does load balancer require certificate?
Goal
Client uses certificate to communicate with WCF service over HTTPS in load balancer.
Any idea would be very much appreciated!

Your site hosting the service must be exposed on a domain name, for example:
myapplication.enterprise.com
This configuration must be done on all application servers in the web farm (load balanced servers), i.e. you must assign the correct host header. You must request / create a certificate for this domain name and install it (including the private key) on all servers in the farm. You must configure your web sites on all servers to use this certificate. The DNS record for the domain name must be configured to point to the IP address of the load balancer.
Load balancing must be done at the TCP level to maintain HTTPS between the client and your servers. In this scenario the load balanced environment should become completely transparent to the client, and the load balancer will not need the certificate because it will only forward TCP connections and the SSL tunnel will be created with the real web server.

Related

Where should SSL be installed

I have got a setup like this
Load balancer
Machine 1 - haproxy load balancer
Machine 2 - haproxy load balancer
Web servers
Machine 1 - nginx with app
Machine 2 - nginx with app
Now where should I set up SSL certificate. On loadbalancers or web servers or on both?
What is the correct way of doing it?
The "correct way" to do this depends on your setup. If your load balancers are on the same machines as your web servers, it doesn't matter which you choose to put the cert on. If they are on different servers, encryption depends on how important security is for these particular web apps. If you put the certs on the load balancers you will have unencrypted traffic visible to anyone in your network (as it goes from load balancer to server). If you put certs on your nginx server you will have encryption all the way through to the local server, but you will have to change your haproxy a little to have it route encrypted traffic properly. You also will not be able to route off the URL path. You can also put certs on both to be able to route off the URL path, but that is a little more to manage (two certs vs one). Overall it's probably best to put the cert on the nginx server, assuming you don't need to do any routing in the load balancer off of the URL. Also definitely do your own research.

Require client certificate only for a folder

Currently my application is under a load balancer (NetScaler) and it does SSL offload, so my application runs in http, but externally it is on https. In IIS only http:80 is bound. The load balancer uses a certificate called *.mycert.com.
Now I have to require a client certificate for a specific folder of my application, /Services, but the certificate is myPeskyCert, which is different from *.mycert.com. This is necessary because I have to respect how the client will call me.
Currently I'm following the following answers:
Can IIS require SSL client certificates without mapping them to a windows user?
What is the difference between requiring an SSL cert and accepting an SSL cert?
but in this way my application:
I have to do ssl bridging, so I have to bind 443 on the web app
in this way ALL my application is presented as myPeskyCert
How do I have to handle IIS in order to present my application as *.mycert.com, but ask for myPeskyCert when the folder /Services is requested?
It's not possible; a certificate must apply to the entire site binding.
The solution is the following:
bind the application to two different URL bindings
on the balancer set one certificate or the other, with SSL offload, on the two different URLs

IIS ARR Load Balancer Set up, How do I access my sites now?

I've set up a load balancer using ARR on my server. I have two content servers that are hosting the web application and its API. Individually I am able to access the websites.
I've added the servers to a new Server Farm, I've given it a name as well.
Now, here comes the catch.
I don't have a DNS assigned to the server IP.
I'm not sure how to access the web sites through the load balancer. Is there a port on the server on which the farm works, or a URL?

How to set up nginx to allow HTTP on LAN, and redirect and authorize on external connections

I'm trying to set up Nginx for some personal web services I have running on my home server.
The network is set up with a router between the server and the internet; the router has a Dynamic DNS service running such that I can connect to it while not at home.
I would like Nginx to handle connections from the local network such that it will serve the web services over HTTP and HTTPS without any authentication.
Connections from outside the local network should be redirected to HTTPS for security, and should also be required to authenticate.
The available web services are the same in both cases. Connections directly to the IP should also be handled in the same way. I already have the web services running over HTTP, so this question is only about how to set up my server blocks.
Is this possible?

How to set up SSL in a load balanced environment?

Here is our current infrastructure:
2 web servers behind a shared load balancer
dns is pointing to the load balancer
web app is done in asp.net, with wcf services
My question is how to set up the SSL certificate to support https connection.
Here are 2 ideas that I have:
SSL certificate terminates at the load balancer. Secure/unsecure communication behind the load balancer will be forwarded to 2 different ports.
pro: only need 1 certificate as I scale horizontally
cons: I have to check secure or not secure by checking which port the request is coming from. Doesn't quite feel right to me.
WCF by design will not work when IIS is bound to 2 different ports
(according to this)
SSL certificate terminates on each of the servers?
cons: need to add more certificates to scale horizontally
thanks
Definitely terminate SSL at the load balancer!!! Anything behind that should NOT be visible outside. Why wouldn't two ports for secure/insecure work just fine?
You don't actually need more certificates at all. Because the externally seen FQDN is the same you use the same certificate on each machine.
This means that WCF (if you're using it) will work. WCF with the SSL terminating on the external load balancer is painful if you're signing/encrypting at a message level rather than a transport level.
You don't need two ports, most likely. Just have the SSL virtual server on the load balancer add an HTTP header to the request and check for that. It's what we do with our Zeus ZXTM 5.1.
You don't have to get a cert for every site; there are such things as wildcard certs. But it would have to be installed on every server. (Assuming you are using subdomains; if not then you can reuse the same cert across machines.)
But I would probably put the cert on the load balancer if not just for the sake of easy configuration.
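The answer above has the load balancer stamp a header on TLS-originated requests and the application check it. As an added example (not code from any of the posts), this is that check, together with the two-port variant from the question, written in Python with the rule that matters for safety: a client can send the same header itself, so it is believed only when the TCP peer is the balancer. The header name, the balancer network and the secure back-end port are assumptions.

```python
# Added example, not code from any of the posts above. The balancer stamps
# a header on TLS-originated requests and the app checks it; this is that
# check (the same rule goes in an ASP.NET module). Header name, balancer
# network and the secure back-end port are assumptions. A forged header on a
# request that reaches the back end directly is never trusted.
import ipaddress

LB_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed balancer addresses
SECURE_BACKEND_PORT = 8443                           # assumed two-port variant
PROTO_HEADER = "x-forwarded-proto"                   # assumed header name


def from_load_balancer(remote_addr: str) -> bool:
    """True only if the connecting peer is inside the balancer network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in LB_NETWORKS)


def request_is_secure(remote_addr: str, local_port: int, headers: dict) -> bool:
    """Was the client's hop to the balancer HTTPS?

    Signal 1 (two-port design from the question): TLS traffic is forwarded
    to a dedicated back-end port, so the local port alone answers it.
    Signal 2 (header design from the answer): the balancer's header is used,
    but only when the peer is the balancer; a direct hit on the back end
    carrying "X-Forwarded-Proto: https" is treated as plain HTTP.
    """
    if local_port == SECURE_BACKEND_PORT:
        return True
    if not from_load_balancer(remote_addr):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(PROTO_HEADER, "")
    # If the balancer appends instead of overwriting, a client-supplied
    # value comes first and the balancer's own verdict is last; use the last.
    return value.split(",")[-1].strip().lower() == "https"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, local port, headers)
    samples = [
        ("10.0.0.10", 8080, {"X-Forwarded-Proto": "https"}),        # via balancer, TLS
        ("203.0.113.5", 8080, {"X-Forwarded-Proto": "https"}),      # forged, direct hit
        ("10.0.0.10", 8080, {"X-Forwarded-Proto": "https, http"}),  # balancer appended
    ]
    for peer, port, hdrs in samples:
        print(peer, port, hdrs, "->", "secure" if request_is_secure(peer, port, hdrs) else "insecure")
```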
