MaaS 3.2 has COMPLETELY BROKEN HA Region config with haproxy

Upgrading to maas 3.2.4 has completely broken HA region configurations behind haproxy as per your docs. I ALREADY USE haproxy to terminate SSL to my region controllers, this has worked for several YEARS with 2.x, now with 3.2 it forces a rewrite to the http://:5240.

I DO NOT want to have to manage certs within the individual maas region controllers. It’s a PITA, not easily idempotent, and one more thing to be forgotten. The haproxy config is puppet managed on our systems with automatic restart on cert renewal, and I really don’t want to re-invent the wheel to do the same with maas, when it should “just work properly and stop trying to out-think things” when behind the haproxy and not keep trying to rewrite to the non-SSL URI.

Please take out the forced redirect to http, or update your docs for a haproxy with SSL termination in front of MaaS 3.2+ that actually works…

In pre-3.2 I could go to https://maas-staging.mydomain.net and it would just work fine; now doing that redirects to http://maas-staging.mydomain.net/MAAS/r
Trying to go to https://maas-staging.mydiomain.net/MAAS/r/machines just gives you a “loading machines” page that NEVER LOADS.

This is NOT COOL when things break like this that ARE NOT DOCUMENTED. It’s critically important to test with ALL your supported configurations from simplest single rack+region, to enterprisey multi-region controller HA behind haproxy or nginx or apache2 to ensure you stop breaking people on minor version upgrades (I went from 3.0 to 3.2).

I’m a new MAAS user and don’t work on the platform, but I’ll go out on a limb and say a gentler tone might be appreciated. No one intentionally broke anything, and as far as I understand, this is a forum for free support from volunteers.

With regards to the issue you raise, I am not sure this is a MAAS issue. MAAS can clearly be run without HTTPS, so if you wish to terminate SSL with haproxy, why bother with TLS settings in MAAS at all?

If you need to change the MAAS URL, there is a config setting for that:

sudo maas config --maas-url=http://1.2.3.4:5240/MAAS

MaaS is already properly configured with the URL but 3.2 still doesn’t honor it like 3.0 did. It REFUSES to work in an SSL/TLS termination at the balancer with non-SSL backend nodes unless you ALSO set up TLS on their region controllers via their way only as well.

This is something that should have been caught by their QA team.

I had no issues with SSL/TLS maas 3.2 and haproxy.

How many region controllers do you have? Are they behind SSL-terminating haproxy as per maas docs (or similar)? Is yours a fresh install or an upgrade (if so, from what version)? Did you also set up TLS in your region controllers or leave it disabled?

@dandruczyk you are not forced to use the MAAS TLS feature on the region controller if you want to have TLS termination on HAProxy.

Can you please share your HAProxy config and what exactly doesn’t work for you?

Also, the redirects that you’ve mentioned are not related to TLS. They are there to provide backward compatibility while the UI was moving from Angular to React.