Hi,

Is there anyone using BIG-IP to load balance client side connections to multiple puppet masters? I'm looking for advice on a configuration, specifically:

* How to handle SSL. Should I try to decrypt client side traffic at the BIG-IP? If so, should LB <-> BIG-IP traffic be unencrypted via HTTP? I have seen this scenario described in Pro Puppet. I would think I would run into problems verifying clients at the PM if I decrypt at the load balancers.

* How are you deploying health monitors for the PM's?

Thanks,

Josh

Hi Josh,

It would depend on whether an F5 can be made to write the necessary information into an HTTP header. What I would do is look at how Apache populates the SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY headers when you use it as a Puppet Master front end and see if you can replicate that on an F5. F5 iRules are quite powerful so I'd say it might be possible but probably not straight out of the box.

As for a health monitor I'm not sure... Puppet Masters are RESTful so you might be able to come up with something tricky with that.

-Luke

On 23/04/12 16:53, Josh wrote:
> Hi,
>
> Is there anyone using BIG-IP to load balance client side connections
> to multiple puppet masters? I'm looking for advice on a
> configuration, specifically:
>
> * How to handle SSL. Should I try to decrypt client side traffic at
> the BIG-IP? If so, should LB<-> BIG-IP traffic be unencrypted via
> HTTP? I have seen this scenario described in Pro Puppet. I would
> think I would run into problems verifying clients at the PM if I
> decrypt at the load balancers.
>
> * How are you deploying health monitors for the PM's?
>
> Thanks,
>
> Josh

--
Luke Bigum
Information Systems
Ph: +44 (0) 20 3192 2520
luke.bigum@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN

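The concern in this thread, that the master cannot verify clients itself once TLS is decrypted at the load balancer, comes down to which identity headers the master is willing to believe. The following is an added example, not code from the thread, Puppet or F5: a Python model of both sides, where the header names `X-Client-DN` and `X-Client-Verify`, the balancer address and the certnames are assumptions, and the status strings are modelled on Apache's SSL_CLIENT_VERIFY values.

```python
import re

# Hypothetical header names the load balancer uses to pass on the TLS result.
DN_HEADER = "X-Client-DN"
VERIFY_HEADER = "X-Client-Verify"
TRUSTED_LB_ADDRS = {"10.0.0.10"}  # constructed address of the load balancer

def lb_forward(request_headers, cert_subject=None, cert_ok=False):
    """Load-balancer side: drop any identity headers the client sent, then
    set them from the TLS handshake the balancer itself performed."""
    out = {k: v for k, v in request_headers.items()
           if k.lower() not in (DN_HEADER.lower(), VERIFY_HEADER.lower())}
    if cert_subject is None:
        out[VERIFY_HEADER] = "NONE"          # no client certificate presented
    else:
        out[DN_HEADER] = cert_subject
        out[VERIFY_HEADER] = "SUCCESS" if cert_ok else "FAILED"
    return out

def master_client_name(headers, peer_addr):
    """Master side: return the authenticated certname, or None.
    The headers are believed only when the TCP peer is the load balancer."""
    if peer_addr not in TRUSTED_LB_ADDRS:
        return None
    if headers.get(VERIFY_HEADER) != "SUCCESS":
        return None
    match = re.search(r"(?:^|[/,])\s*CN=([^/,]+)", headers.get(DN_HEADER, ""))
    return match.group(1).strip().lower() if match else None

def demo():
    # Constructed requests; none of these values come from the thread.
    spoof = {"Host": "puppet", DN_HEADER: "/CN=puppetmaster.example.com",
             VERIFY_HEADER: "SUCCESS"}
    return {
        # Agent with a valid certificate, request arrives via the balancer.
        "valid_agent": master_client_name(
            lb_forward({"Host": "puppet"},
                       "/C=GB/O=Example/CN=agent01.example.com", True),
            "10.0.0.10"),
        # Client sends its own identity headers but no certificate: stripped.
        "spoof_via_lb": master_client_name(lb_forward(spoof), "10.0.0.10"),
        # Same headers sent straight to the master, bypassing the balancer.
        "spoof_direct": master_client_name(spoof, "192.0.2.50"),
        # Certificate presented but it failed verification at the balancer.
        "bad_cert": master_client_name(
            lb_forward({"Host": "puppet"}, "/CN=agent02.example.com", False),
            "10.0.0.10"),
    }

if __name__ == "__main__":
    print(demo())
```
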
Thanks, Luke. I'm going to pipe HTTPS straight thru the BIG-IP's to the PM's for now.

Josh

On Apr 23, 12:19 pm, Luke Bigum <Luke.Bi...@lmax.com> wrote:
> Hi Josh,
>
> It would depend on whether an F5 can be made to write the necessary
> information into an HTTP header. What I would do is look at how
> Apache populates the SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY headers when
> you use it as a Puppet Master front end and see if you can replicate
> that on an F5. F5 iRules are quite powerful so I'd say it might be
> possible but probably not straight out of the box.
>
> As for a health monitor I'm not sure... Puppet Masters are RESTful so
> you might be able to come up with something tricky with that.
>
> -Luke