FAQ
Hi,

Is there anyone using BIG-IP to load balance client side connections
to multiple puppet masters? I'm looking for advice on a
configuration, specifically:

* How to handle SSL. Should I try to decrypt client side traffic at
the BIG-IP? If so, should LB <-> BIG-IP traffic be unencrypted via
HTTP? I have seen this scenario described in Pro Puppet. I would
think I would run into problems verifying clients at the PM if I
decrypt at the load balancers.

* How are you deploying health monitors for the PM's?

Thanks,

Josh

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Luke Bigum at Apr 23, 2012 at 4:20 pm
    Hi Josh,

    It would depend on whether an F5 can be made to write the necessary
    information into an HTTP header. What I would do to is look at how
    Apache populates the SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY headers when
    you use it as a Puppet Master front end and see if you can replicate
    that on an F5. F5 iRules are quite powerful so I'd say it might be
    possible but probably not straight out of the box.

    As for a health monitor I'm not sure... Puppet Masters are RESTful so
    you might be able to come up with something tricky with that.

    -Luke
    On 23/04/12 16:53, Josh wrote:
    Hi,

    Is there anyone using BIG-IP to load balance client side connections
    to multiple puppet masters? I'm looking for advice on a
    configuration, specifically:

    * How to handle SSL. Should I try to decrypt client side traffic at
    the BIG-IP? If so, should LB<-> BIG-IP traffic be unencrypted via
    HTTP? I have seen this scenario described in Pro Puppet. I would
    think I would run into problems verifying clients at the PM if I
    decrypt at the load balancers.

    * How are you deploying health monitors for the PM's?

    Thanks,

    Josh

    --
    Luke Bigum

    Information Systems
    Ph: +44 (0) 20 3192 2520
    luke.bigum@lmax.com | http://www.lmax.com
    LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN


    FX and CFDs are leveraged products that can result in losses exceeding
    your deposit. They are not suitable for everyone so please ensure you
    fully understand the risks involved. The information in this email is not
    directed at residents of the United States of America or any other
    jurisdiction where trading in CFDs and/or FX is restricted or prohibited
    by local laws or regulations.

    The information in this email and any attachment is confidential and is
    intended only for the named recipient(s). The email may not be disclosed
    or used by any person other than the addressee, nor may it be copied in
    any way. If you are not the intended recipient please notify the sender
    immediately and delete any copies of this message. Any unauthorised
    copying, disclosure or distribution of the material in this e-mail is
    strictly forbidden.

    LMAX operates a multilateral trading facility. Authorised and regulated
    by the Financial Services Authority (firm registration number 509778) and
    is registered in England and Wales (number 06505809).
    Our registered address is Yellow Building, 1A Nicholas Road, London, W11
    4AN.

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Josh at Apr 23, 2012 at 8:37 pm
    Thanks, Luke. I'm going to pipe HTTPS straight thru the BIG-IP's to
    the PM's for now.

    Josh
    On Apr 23, 12:19 pm, Luke Bigum wrote:
    Hi Josh,

    It would depend on whether an F5 can be made to write the necessary
    information into an HTTP header. What I would do to is look at how
    Apache populates the SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY headers when
    you use it as a Puppet Master front end and see if you can replicate
    that on an F5. F5 iRules are quite powerful so I'd say it might be
    possible but probably not straight out of the box.

    As for a health monitor I'm not sure... Puppet Masters are RESTful so
    you might be able to come up with something tricky with that.

    -Luke

    On 23/04/12 16:53, Josh wrote:








    Hi,
    Is there anyone using BIG-IP to load balance client side connections
    to multiple puppet masters?  I'm looking for advice on a
    configuration, specifically:
    * How to handle SSL.  Should I try to decrypt client side traffic at
    the BIG-IP?  If so, should LB<->  BIG-IP traffic be unencrypted via
    HTTP?  I have seen this scenario described in Pro Puppet.  I would
    think I would run into problems verifying clients at the PM if I
    decrypt at the load balancers.
    * How are you deploying health monitors for the PM's?
    Thanks,
    Josh
    --
    Luke Bigum

    Information Systems
    Ph: +44 (0) 20 3192 2520
    luke.bi...@lmax.com |http://www.lmax.com
    LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN

    FX and CFDs are leveraged products that can result in losses exceeding
    your deposit.  They are not suitable for everyone so please ensure you
    fully understand the risks involved.  The information in this email is not
    directed at residents of the United States of America or any other
    jurisdiction where trading in CFDs and/or FX is restricted or prohibited
    by local laws or regulations.

    The information in this email and any attachment is confidential and is
    intended only for the named recipient(s). The email may not be disclosed
    or used by any person other than the addressee, nor may it be copied in
    any way. If you are not the intended recipient please notify the sender
    immediately and delete any copies of this message. Any unauthorised
    copying, disclosure or distribution of the material in this e-mail is
    strictly forbidden.

    LMAX operates a multilateral trading facility.  Authorised and regulated
    by the Financial Services Authority (firm registration number 509778) and
    is registered in England and Wales (number 06505809).
    Our registered address is Yellow Building, 1A Nicholas Road, London, W11
    4AN.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedApr 23, '12 at 3:53p
activeApr 23, '12 at 8:37p
posts3
users2
websitepuppetlabs.com

2 users in discussion

Josh: 2 posts Luke Bigum: 1 post

People

Translate

site design / logo © 2022 Grokbase