Question about enabling maas native tls

Hi all,

I am trying to enable MAAS native TLS in an HA environment. I generated a self-signed certificate using my own CSR.
Do I need to run the command maas enable-tls on every node with the same certificate and key file, or only on one node?

After all, I assume that the command only makes some change to the MAAS DB.

In the documentation I can only see some information regarding the subject alternative name in the CSR, which makes me believe that enable-tls needs to be run on one machine only?

@billwear maybe you can share some of your expertise on that?

Kind regards

Mateusz

Hi @hypeitnow

enable-tls will put the provided key/cert files into the database and change a MAAS config parameter. There is a PostgreSQL trigger function that will detect that change and fire a PostgreSQL NOTIFY event, which will be captured by all MAAS region controllers, leading to a restart of the HTTP reverse proxy service and generation of a correct nginx config file.

Thank you very much for your response. Now it's clear.
So now that I have TLS enabled, do I have to change the HAProxy backend settings to point to my desired TLS port (in my case 5443)? Or should the rewrite work by default at the region controller level?
Maybe you happen to have an example HAProxy config for MAAS with TLS enabled?

@billwear @troyanov would it be possible to add such an example to the documentation?

Thank you

You can configure HAProxy with mode tcp (IIRC that needs to be provided in both the backend and frontend blocks), so it simply proxies the traffic to the MAAS nginx instance, and hence TLS termination will be done by nginx.

@troyanov thanks for the quick response. Before implementing SSL I was able to load-balance using a simple configuration; now for some reason it does not work anymore. Now I use:

global
    maxconn 100
    tune.ssl.default-dh-param 2048
    #log 127.0.0.1:514  local0 

defaults
    log global
    mode http
    retries 2
    timeout client 1m
    timeout connect 4s
    timeout server 1m
    timeout check 5s
    #option forwardfor if-none
    option http-server-close
    #option httplog

frontend maas_region_controller-v4
    bind :5240
    bind :5443 ssl crt /etc/ssl/private/maas_tls.pem
    default_backend maas_region_controllers
    use_backend maas_region_controllers

backend maas_region_controllers
    option redispatch 2
    balance roundrobin
    timeout server 90s
    #option forwardfor if-none
    #http-request add-header X-Forwarded-Port 5443
    #http-request add-header X-Forwarded-Proto https
    hash-type consistent
        server maas-ha-1 10.10.10.101:5240
        server maas-ha-2 10.10.10.102:5240

which previously was:

global
    maxconn 100

defaults
    log global
    mode tcp
    retries 2
    timeout client 30m
    timeout connect 4s
    timeout server 30m
    timeout check 5s

frontend maas_region_controller-v4
    bind 10.10.10.10:5240
    mode tcp
    use_backend maas_region_controllers

backend maas_region_controllers
    balance roundrobin
        server maas-ha-1 10.10.10.101:5240
        server maas-ha-2 10.10.10.102:5240

The requests look like this (10.10.10.104 is my HAProxy):

curl -i -L -X GET http://10.10.10.104:5240/MAAS
HTTP/1.1 301 Moved Permanently
server: nginx/1.18.0 (Ubuntu)
date: Wed, 01 Mar 2023 13:06:16 GMT
content-type: text/html
content-length: 178
location: https://10.10.10.104:5443/MAAS

curl: (28) Failed to connect to 10.10.10.104 port 5443 after 21079 ms: Timed out

What is wrong in this config?

The funny fact is that requests sent directly to one of the hosts (both http://10.10.10.101:5240/MAAS, which gets redirected to the latter, and https://10.10.10.101:5443/MAAS) work just fine.

Sorry for the trouble and thank you very much for your patience

Mateusz

If I understand correctly, you visit {HAProxy_IP}:{HAProxy_Port_5240}, and since MAAS is configured with TLS, it will redirect 5240 to 5443, which becomes {HAProxy_IP}:{5443}, but there is no 5443 listener on HAProxy (you listen only on 5240).

I believe that might be related to this bug, and it was fixed.
Which version of MAAS are you using?

The version of MAAS I am using is the latest edge snap version, which currently evaluates to 3.4 if I am not mistaken.

If you have a look at my current configuration, it has 2 listeners, 5443 and 5240.

So if I understand the problem described in the bug correctly, you have to configure HAProxy like:
Frontend name
Listen 5240
Listen 5443

Backend name
Server maas1 ip1:5443 ssl
Server maas2 ip2:5443 ssl

Thank you

Ah, now I see that you indeed have two listeners (5240 and 5443).

I was checking some docs and found a config for HAProxy + MAAS native TLS that worked for me when I was doing some testing.

frontend maas_tls
    bind    *:443
    retries 3
    option  redispatch
    option  http-server-close
    default_backend maas_tls
 
backend maas_tls
    timeout server 900s
    balance source
    hash-type consistent
    server maas-0 172.21.0.1:5443 check
    server maas-1 172.21.0.2:5443 check
    server maas-2 172.21.0.3:5443 check

Okay, what about?

sudo maas config --maas-url=https://VIP:5443/MAAS

IIRC that option is to tell MAAS where it is reachable from the outside (when it is behind a proxy).

I ended up with

global
    maxconn 100
    tune.ssl.default-dh-param 2048
    #log 127.0.0.1:514  local0 

defaults
    mode http
    retries 2
    timeout client 1m
    timeout connect 4s
    timeout server 1m
    timeout check 5s
    option http-server-close
    option httplog

frontend maas_region_controller-v4
    bind 0.0.0.0:5240
    bind 0.0.0.0:5443 ssl crt /etc/ssl/private/maas_tls.pem
    default_backend maas_region_controllers

backend maas_region_controllers
    option redispatch 2
    balance source
    timeout server 90s
    option forwardfor if-none
    hash-type consistent
        server maas-ha-1 10.10.10.101:5443 ssl verify none
        server maas-ha-2 10.10.10.102:5443 ssl verify none
        server maas-ha-3 10.10.10.103:5443 ssl verify none

It is working now.
The initial cause was the lack of an iptables INPUT chain rule, but then I had to do some trial and error with the HAProxy backend too.

@troyanov thank you very much for your help
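The following is an added example, not code from this thread, from MAAS or from HAProxy. It turns three points raised above into offline checks a practitioner can run against their own haproxy.cfg: troyanov's hypothesis that the 301 from MAAS (http://proxy:5240 to https://proxy:5443) dead-ends when the proxy has no 5443 listener; the subject alternative name question from the first post (the name or IP clients use for the proxy must appear in the certificate's SAN list); and the final working config's "ssl verify none" backend lines, which make HAProxy accept any certificate from the region controllers, so the proxy-to-MAAS hop is encrypted but not authenticated (HAProxy's "verify required" together with "ca-file" pointing at the CA that signed the region controller certificate is the authenticated alternative). The sample configs, Location header and SAN list inside the block are constructed from the values posted in the thread.

```python
"""Offline checks for MAAS native TLS behind HAProxy (added example, not project code)."""
import ipaddress
from urllib.parse import urlsplit


def parse_listeners(cfg: str) -> set[int]:
    """Return the TCP ports bound by every `bind` line (':5240', '*:443', '10.0.0.1:5443')."""
    ports = set()
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "bind":
            port = tokens[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def redirect_dead_ends(location: str, proxy_host: str, listeners: set[int]) -> bool:
    """True when a Location header sends the client back to the proxy on a port it does not bind."""
    url = urlsplit(location)
    port = url.port or (443 if url.scheme == "https" else 80)
    return url.hostname == proxy_host and port not in listeners


def unverified_tls_backends(cfg: str) -> list[str]:
    """Names of `server` lines that speak TLS to the backend but carry `verify none`."""
    flagged = []
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "server" and "ssl" in tokens:
            i = tokens.index("verify") if "verify" in tokens else -1
            if i != -1 and i + 1 < len(tokens) and tokens[i + 1] == "none":
                flagged.append(tokens[1])
    return flagged


def san_covers(sans: list[str], host: str) -> bool:
    """Does an openssl-style SAN list ('DNS:name', 'IP Address:addr') cover the host clients use?"""
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    for entry in sans:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip(), value.strip()
        if kind == "IP Address" and wanted_ip is not None:
            if ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and wanted_ip is None:
            if value.lower() == host.lower():
                return True
            # A wildcard matches exactly one label, so the label counts must agree.
            if (value.startswith("*.") and host.lower().endswith(value[1:].lower())
                    and host.count(".") == value.count(".")):
                return True
    return False


# Constructed from the thread: the original single-listener proxy and the final config.
OLD_CFG = """
frontend maas_region_controller-v4
    bind 10.10.10.10:5240
    mode tcp
    use_backend maas_region_controllers
backend maas_region_controllers
    server maas-ha-1 10.10.10.101:5240
"""
FINAL_CFG = """
frontend maas_region_controller-v4
    bind 0.0.0.0:5240
    bind 0.0.0.0:5443 ssl crt /etc/ssl/private/maas_tls.pem
    default_backend maas_region_controllers
backend maas_region_controllers
    server maas-ha-1 10.10.10.101:5443 ssl verify none
    server maas-ha-2 10.10.10.102:5443 ssl verify none
"""
PROXY_HOST = "10.10.10.104"                       # the HAProxy address from the thread
LOCATION = "https://10.10.10.104:5443/MAAS"       # the 301 target MAAS returned through it
SANS = ["DNS:maas.example.test", "IP Address:10.10.10.104"]  # constructed SAN list


def audit(cfg: str, proxy_host: str, location: str, sans: list[str]) -> dict:
    """Run all three checks against one haproxy.cfg text."""
    listeners = parse_listeners(cfg)
    return {
        "listeners": sorted(listeners),
        "redirect_dead_ends": redirect_dead_ends(location, proxy_host, listeners),
        "unverified_backends": unverified_tls_backends(cfg),
        "san_covers_proxy": san_covers(sans, proxy_host),
    }


if __name__ == "__main__":
    for name, cfg in (("old", OLD_CFG), ("final", FINAL_CFG)):
        print(name, audit(cfg, PROXY_HOST, LOCATION, SANS))
```

Run against the two constructed configs, the old one reports the dead-end redirect and the final one reports both backend servers as unverified; a real haproxy.cfg can be passed to audit() as a string, and the SAN list can be taken from the output of openssl x509 -text on the proxy certificate.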

