Migrating From Haproxy to ZEVENET ADC

POSTED ON 23 November, 2022

Overview

When designing and building highly available and mass-scalable applications, a reliable system like ZEVENET ADC is an absolute necessity. With the rising demand for real-time delivery and fast writes and reads to databases, brands must adapt to the latest specs and protocols to stay relevant in the marketplace. Security is crucial to the safety of customer data, and this element gives ZEVENET a huge edge over HAProxy.

As a current HAProxy user, you are already familiar with the concepts we will discuss; we use them to make similar configurations in ZEVENET ADC.

Prerequisites

One must meet these basic requirements to transfer configurations from Haproxy to ZEVENET ADC.

  1. An instance of ZEVENET ADC must be installed on your PC, bare-metal, virtual environment, or one must have an active ZVNcloud account. Request an evaluation for on-premise deployment.
  2. One must have access to the Web graphical interface. If you don’t, follow this quick Installation guide.
  3. We assume you are an active user of Haproxy and you are familiar with the concepts we will discuss in the section below.
  4. One must be able to create a virtual server in the ZEVENET load balancer. Here is a quick guide: Layer 4 and Layer 7 Virtual Server Configuration

Basic Concepts

In this section, let us discuss a few concepts based on the HAproxy configuration. We will outline similar ideas in ZEVENET ADC and later use them to describe SSL offloading and HTTP to HTTPS redirection using ZEVENET load balancer.

mode: The mode command defines whether the load-balancing profile is layer 4 or layer 7. ZEVENET uses Profiles to define whether the configuration is layer 4 or layer 7. These profiles include HTTP and L4xNAT.

timeout connect: Timeout connect defines how long HAproxy should wait before connecting to a backend server. ZEVENET uses backend connection timeout. The default value is 20 seconds.

timeout client: This setting defines how long HAproxy should wait for a response from the client. If this time expires without receiving a signal from the client, the connection will terminate. ZEVENET uses client request timeout. The default value is 30 seconds.

timeout server: Timeout server defines how long HAproxy should wait for a response from a backend server. If this time elapses without a response from a backend server, the connection will terminate. ZEVENET uses backend response timeout. The default value is 45 seconds.

bind: Bind defines one or multiple listening IP addresses bundled with their ports. These ports listen for incoming traffic and then serve it to the backend servers. Here is a sample expression:

listen http_https_proxy_www.
    bind ipv6@:80
    bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem

The Front Facing section of ZEVENET ADC is a Farm and it has listeners that distribute traffic to various Services.

maxconn: Limits the number of connections HAProxy will serve. This command protects the load balancer from running out of memory. ZEVENET ADC is highly optimized to serve over 140,000 concurrent connections at layer 7 and over 10 million connections at layer 4. However, you can establish the maximum number of connections within an L4xNAT profile using the Max. Conns field when configuring Backends.

ssl-default-bind-ciphers: Bind ciphers define the default TLS/SSL ciphers on HAProxy. The ZEVENET load balancer comes with preloaded high-security ciphers and SSL offloading, and the end user can customize the ciphers through the custom security flag.

ssl-default-bind-options: This feature disables or enables older versions of TLS/SSL. Access similar configurations through the HTTPS parameters within the Global settings of an HTTP profile on ZEVENET ADC.

Example configuration: SSL offloading and Use of Ciphers

SSL Offloading refers to decrypting incoming SSL/TLS traffic and forwarding it to one or more servers in unencrypted form. The load balancer/Reverse-proxy uses a suite of algorithms (Ciphers) to encrypt and decrypt data.

The use of ciphers in SSL/TLS termination is important because it determines the level of security that is provided for the transmitted data. In general, stronger ciphers provide more secure communication, but they may also require more processing power to encrypt and decrypt the data. As a result, it is important to carefully consider which ciphers are used in SSL/TLS termination, taking into account both security and performance.

HAproxy configurations

To set up SSL offloading with HAProxy, we use the settings below.

frontend myDomain
    mode http
    bind :80
    bind :443 ssl crt /etc/ssl/certs/zevenet.com.ssl.pem
    default_backend domainBackends

In the snippet above, HAProxy listens for incoming traffic on both ports, 80 and 443. However, the bind on port 443 also includes a crt directive giving the path where the SSL certificate is saved.

Meanwhile, you can specify the default ciphers to use on the load balancer with the ssl-default-bind-ciphers setting, and the SSL/TLS version with ssl-default-bind-options.

    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
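Before re-entering these settings in the ZEVENET web GUI, it helps to extract them from the existing haproxy.cfg and review the cipher list. The following Python sketch is an added example, not ZEVENET or HAProxy tooling: it maps the directives from the Basic Concepts section to the ZEVENET fields named there and flags cipher suites that are not AEAD (the CBC-mode entries at the end of the list above). The names FIELD_MAP, parse, non_aead and checklist are hypothetical, and the sample configuration is constructed.

```python
import re

# ZEVENET field names as given in this article's "Basic Concepts" section.
FIELD_MAP = {
    "mode": "Farm profile (HTTP or L4xNAT)",
    "bind": "Farm listener (virtual IP and port)",
    "timeout connect": "Backend connection timeout",
    "timeout client": "Client request timeout",
    "timeout server": "Backend response timeout",
    "maxconn": "Max. Conns (L4xNAT backends)",
    "ssl-default-bind-ciphers": "HTTPS parameters: ciphers",
    "ssl-default-bind-options": "HTTPS parameters: TLS/SSL versions",
}

# Constructed sample assembled from the snippets on this page.
SAMPLE_CFG = """\
global
    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    timeout connect 5s  # constructed value
frontend myDomain
    bind :443 ssl crt /etc/ssl/certs/zevenet.com.ssl.pem
"""

def parse(cfg):
    """Yield (directive, args) for each HAProxy directive that FIELD_MAP covers."""
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        for n in (2, 1):  # try two-word directives such as "timeout connect" first
            key = " ".join(words[:n])
            if key in FIELD_MAP:
                yield key, words[n:]
                break

def non_aead(cipher_string):
    """Return the suites that are not AEAD (no GCM, CCM or ChaCha20-Poly1305)."""
    return [c for c in cipher_string.split(":") if c and not re.search(r"GCM|CCM|CHACHA20", c)]

def checklist(cfg):
    """Build (zevenet_field, haproxy_value, note) rows to work through in the web GUI."""
    rows = []
    for key, args in parse(cfg):
        note = ""
        if key == "ssl-default-bind-ciphers" and args:
            weak = non_aead(args[0])
            note = "review non-AEAD: " + ",".join(weak) if weak else "all AEAD"
        rows.append((FIELD_MAP[key], " ".join(args), note))
    return rows
```

Run checklist() on the real haproxy.cfg and compare each row against the farm's Global settings after the migration.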

ZEVENET configurations

To achieve a similar result with ZEVENET, ensure you have created an HTTP farm profile. If you have not, refer to this article: Layer 4 and Layer 7 Virtual Server Configuration

  1. On the Menu, go to LSLB > Farms and click on the layer 7 (HTTPS) farm profile.
  2. Under general settings, change the port number to 443.
  3. Change the Listener from HTTP to HTTPS.
  4. Under HTTPS parameters, enable or disable old TLS/SSL versions.
  5. Choose SSL offloading as your cipher.
  6. The load balancer is preloaded with a zencert.pem SSL certificate, but you can include a custom certificate if you have created one.
  7. Update the configurations by clicking the Apply button.

To learn more about the HTTP profile, SSL certificates and configuring a custom SSL certificate using Let’s Encrypt on ZEVENET ADC, refer to these guides.

  1. Layer 7 (HTTP Profile) in ZEVENET ADC.
  2. SSL certificates on ZEVENET ADC.
  3. Let’s Encrypt program on ZEVENET ADC.

Example configurations: HTTP to HTTPS Redirection

When clients visit services through an unsecured port, sometimes you must redirect them to a secure server. We achieve this by responding with a permanent redirection status code 301. The client’s browser will automatically connect to the secure IP and port sent in the Location header.

Haproxy configurations

With HAProxy, the http-request redirect directive redirects users who visit through port 80 to port 443.

frontend myDomain
    mode http
    bind :80
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
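    # HAProxy answers with 302 unless a code is given; 301 matches the permanent redirect described above
    http-request redirect scheme https code 301 unless { ssl_fc }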
    default_backend domainBackends

HTTP to HTTPS redirection in ZEVENET ADC

Using the steps outlined in this article: Layer 4 and Layer 7 Virtual Server Configuration, create both an HTTP and an HTTPS farm.

Once you have both the HTTP and HTTPS farms:

  1. Go to LSLB > Farms and click the Edit icon of the HTTP farm.
  2. Click the Services tab and open the service you want to edit.
  3. Toggle on the enable redirect button.
  4. Choose redirect type Append.
  5. Select the redirect code: 301.
  6. Enter the redirect URL by prepending https:// to the IP address. If the IP address of the secure Farm is 10.0.0.18, then the redirect URL will be https://10.0.0.18
  7. Update the changes by clicking the Apply button.
  8. Restart the farm for changes to take effect.
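A post-migration check for the redirect configured in the steps above, as an added example in Python that is not ZEVENET's or HAProxy's own tooling. It assumes the Append redirect type keeps the requested path after the redirect URL; fetch_redirect and redirect_problems are hypothetical helper names, and 10.0.0.18 is the article's example address.

```python
import http.client
from urllib.parse import urlsplit

def fetch_redirect(host, path="/", port=80, timeout=5):
    """Request path over plain HTTP without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def redirect_problems(status, location, secure_host, path="/"):
    """Return the ways a response deviates from the 301 + Append redirect set up above."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme or 'missing'}, not https")
    if target.hostname != secure_host:
        problems.append(f"Location host is {target.hostname}, expected {secure_host}")
    # Assumption: with redirect type Append the original path follows the redirect URL.
    if (target.path or "/") != path:
        problems.append(f"path {target.path!r} does not preserve {path!r}")
    return problems

if __name__ == "__main__":
    # Live check against the HTTP farm; replace the address with your farm's virtual IP.
    status, location = fetch_redirect("10.0.0.18", "/login")
    print(redirect_problems(status, location, "10.0.0.18", "/login") or "redirect OK")
```

An empty list means the HTTP farm answers the way the HAProxy frontend did; any entry names the setting to revisit in the service's redirect options.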

Additional Resources

Using the Let’s encrypt program to autogenerate an SSL certificate.
Datalink/Uplink load balancing With ZEVENET ADC.
DNS load balancing with ZEVENET ADC.
Protection from DDoS attacks.
Application, Health and Network Monitoring in ZEVENET ADC.
Web Application Firewall configuration.
Configuring SSL certificates for the load balancer.

Documentation under the terms of the GNU Free Documentation License.
