Contents
Overview
RPM Install
Building and installing from source
Setting up the SSL bridge service
SSL certificates
Self-signed SSL certificates
SSL encryption protocol
Remaining work on this project
Support and Bug Tracking
Overview
The DRLB SSL bridge is used to decrypt incoming SSL traffic on TCP
port 443 and send encrypted or unencrypted traffic to back-end web
servers.
Load balancing SSL connections cannot forward client IP address information
in HTTP headers unless the SSL traffic is decrypted and re-encrypted with
the connection information inserted into the HTTP headers. The DRLB
SSL bridge has options to load balance front-end connections as an
HTTPS server and distribute web traffic to back-end HTTP or HTTPS
servers.
Decrypting front-end SSL traffic and re-encrypting it allows you to
forward IP address information to back-end HTTPS servers. Both the
front-end and back-end web traffic remain encrypted during
transport.
Sending decrypted SSL traffic to back-end web servers over TCP port 80 allows
you to use existing back-end HTTP web services. The load balanced
front-end remains encrypted. The back-end web services can keep their
existing web configurations without having to be reconfigured to run
SSL.
DRLB source code is distributed as an open source project under
the GNU General Public License and can be used freely by commercial,
government, and academic institutions.
RPM Install
Latest pre-built RPMs are available for download:
RHEL9:
https://github.com/datareel/ssl-bridge/releases/download/1.59/drlb_ssl_server-1.59-1.el9.x86_64.x86_64.rpm
sha256sum: 23e47a7c7a5bbf0e8229210f04c2f4553493cbf668d83c64ff5c68a3edee66e5
RHEL8:
https://github.com/datareel/ssl-bridge/releases/download/1.59/drlb_ssl_server-1.59-1.el8.x86_64.x86_64.rpm
sha256sum: b42cb993fd911113f424db3d3254935a351febab37788d775b2d43f712f90a8d
RHEL7/CENTOS7:
https://github.com/datareel/ssl-bridge/releases/download/1.58/drlb_ssl_server-1.58-1.el7.x86_64.x86_64.rpm
sha256sum: 506fb9588bdf677ab42a3b070101d50bc7244cdde807dcf81f6e64a3e84439ff
RHEL6/CENTOS6:
https://github.com/datareel/ssl-bridge/releases/download/1.58/drlb_ssl_server-1.58-1.el6.x86_64.x86_64.rpm
sha256sum: ae3ee28f20cb5bde34a226ba2075cceee4fbd02cc0b5e8717420723d9ac4f145
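Before installing one of the pre-built RPMs it is worth checking that the downloaded file matches the digest published with it. The following is an added example, not part of the DRLB project: a POSIX shell helper that compares a file's sha256sum against an expected digest, plus a wrapper that downloads with curl (assumed to be installed) and discards the file if the digest does not match. The file name and digest in the usage comment are the RHEL9 entries from the list above.

```shell
#!/bin/sh
# Added example (not part of the DRLB project): verify a downloaded RPM
# against the sha256 digest published alongside it before giving it to yum.

# verify_rpm_checksum FILE EXPECTED_SHA256: 0 if the digests match, 1 otherwise
verify_rpm_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
    if [ ! -f "$file" ]; then
        echo "FAIL: no such file: $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "OK:   $file sha256 matches"
        return 0
    fi
    echo "FAIL: $file sha256 $actual does not match expected $expected" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_SHA256: download with curl (assumed installed)
# into the current directory and delete the file again if the digest is wrong,
# so a tampered or truncated download never reaches "yum install".
fetch_and_verify() {
    url=$1
    out=${url##*/}
    curl -fsSL -o "$out" "$url" || return 1
    if verify_rpm_checksum "$out" "$2"; then
        return 0
    fi
    rm -f "$out"
    return 1
}

# Usage with the RHEL9 package and digest listed on this page:
#   fetch_and_verify https://github.com/datareel/ssl-bridge/releases/download/1.59/drlb_ssl_server-1.59-1.el9.x86_64.x86_64.rpm \
#       23e47a7c7a5bbf0e8229210f04c2f4553493cbf668d83c64ff5c68a3edee66e5 \
#   && sudo yum -y install drlb_ssl_server-1.59-1.el9.x86_64.x86_64.rpm
if [ "$#" -eq 2 ]; then
    fetch_and_verify "$1" "$2"
fi
```

The wrapper removes a failed download on purpose: a file that is left behind is easy to install by accident later, whereas a missing file forces the fetch to be repeated.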
Follow the instructions below to build an RPM from the latest source for distribution:
$ cd $HOME; mkdir -pv git; cd $HOME/git
$ git clone https://github.com/datareel/ssl-bridge
$ cd ${HOME}/git/ssl-bridge/rpm_builder
RHEL9:
$ ./make_ssl_rpm_package.sh rhel9
$ sudo su root -c "yum -y install ${HOME}/rpmbuild/RPMS/x86_64/drlb_ssl_server-1.59-1.el9.x86_64.x86_64.rpm"
RHEL8:
$ ./make_ssl_rpm_package.sh rhel8
$ sudo su root -c "yum -y install ${HOME}/rpmbuild/RPMS/x86_64/drlb_ssl_server-1.59-1.el8.x86_64.x86_64.rpm"
RHEL7/CENTOS7:
$ ./make_ssl_rpm_package.sh rhel7
$ sudo su root -c "yum -y install ${HOME}/rpmbuild/RPMS/x86_64/drlb_ssl_server-1.59-1.el7.x86_64.x86_64.rpm"
RHEL6/CENTOS6:
$ ./make_ssl_rpm_package.sh rhel6
$ sudo su root -c "yum -y install ${HOME}/rpmbuild/RPMS/x86_64/drlb_ssl_server-1.59-1.el6.x86_64.x86_64.rpm"
Useful RPM commands to verify package contents:
List package: rpm -qf /usr/sbin/drlb_ssl_server
List files: rpm -ql drlb_ssl_server
List configs: rpm -qc drlb_ssl_server
List docs: rpm -qd drlb_ssl_server
To remove package:
$ sudo su root -c "yum -y remove drlb_ssl_server"
Building and installing from source
Follow the instructions below to build and install the DRLB SSL bridge from the latest source code:
$ cd $HOME
$ mkdir -pv git
$ cd $HOME/git
$ git clone https://github.com/datareel/ssl-bridge
$ source $HOME/git/ssl-bridge/env/gnu_env.sh
$ cd $HOME/git/ssl-bridge/ssl_bridge
$ make
$ sudo su root -c 'make install_root'
Setting up the SSL bridge service
The default LB configuration file for the SSL bridge is:
/etc/drlb/ssl_bridge.cfg
In the LB configuration file, refer to the following section for all
settings specific to the SSL config:
[SSLCONFIG]
# Default SSL proto is set to SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2
ssl_protocol = SSLv23
ssl_key_file = /etc/drlb/ssl/private/ca.key
ssl_cert_file = /etc/drlb/ssl/certs/ca.crt
#ssl_use_dhparms = 0
#ssl_dhparms_file = /etc/drlb/ssl/certs/dhparams.pem
#ssl_encrypt_backend = 0
#ssl_backend_hostname = www.example.com
#ssl_verify_backend_cert = 0
#ssl_backend_ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
By default back-end traffic is unencrypted HTTP. If you encrypt back-end traffic for HTTPS you have the option to verify the back-end SSL certificates. The ssl_backend_hostname setting must match the CN name of the issuer's certificate. You must also provide a trusted CA list using the ssl_backend_ca_list_file setting.
For all other DRLB settings please refer to the DRLB README file:
# more /usr/share/doc/drlb/README.txt
or online:
http://datareel.com/drlb
The default LB scheme used with the SSL bridge is round robin.
After setting up your LB and SSL config, start the service:
RHEL 7/CENTOS 7:
# systemctl start drlb_ssl_server
# systemctl status drlb_ssl_server
RHEL 6/CENTOS 6:
# service drlb_ssl_server start
# service drlb_ssl_server status
To watch the log file:
# tail -f /var/log/drlb/ssl_bridge.log
To watch LB stats:
# tail -n 25 -f /var/log/drlb/ssl_bridge_stats.log
To make the LB service persistent:
RHEL 7/CENTOS 7:
# systemctl enable drlb_ssl_server
RHEL 6/CENTOS 6:
# chkconfig drlb_ssl_server on
SSL certificates
Before starting the SSL bridge you must install or set the location to
your private key and certificate file:
# vi /etc/drlb/ssl_bridge.cfg
[SSLCONFIG]
...
ssl_key_file = /etc/drlb/ssl/private/ca.key
ssl_cert_file = /etc/drlb/ssl/certs/ca.crt
If you do not have an SSL certificate issued and verified by a trusted Certificate Authority you can use a self-signed certificate for non-production or internal HTTPS services.
Self-signed SSL certificates
Follow the instructions below to create a self-signed certificate for non-production or internal HTTPS services:
# mkdir -pv /etc/drlb/ssl/private /etc/drlb/ssl/certs
# openssl dhparam -out /etc/drlb/ssl/certs/dhparams.pem 2048
# openssl genrsa -out /etc/drlb/ssl/private/ca.key 2048
# chmod 600 /etc/drlb/ssl/private/ca.key
# openssl req -new -key /etc/drlb/ssl/private/ca.key -out /etc/drlb/ssl/certs/ca.csr
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# openssl x509 -req -days 365 -in /etc/drlb/ssl/certs/ca.csr -signkey /etc/drlb/ssl/private/ca.key -out /etc/drlb/ssl/certs/ca.crt
# vi /etc/drlb/ssl_bridge.cfg
[SSLCONFIG]
...
ssl_key_file = /etc/drlb/ssl/private/ca.key
ssl_cert_file = /etc/drlb/ssl/certs/ca.crt
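Three things commonly go wrong with the recipe above: the certificate ends up signed with a different key than the one in ssl_key_file, the 365-day certificate silently expires, or the chmod 600 step is skipped and the key is readable by other local users. The following is an added example, not part of the DRLB project: a POSIX shell helper that checks all three for a given certificate and key path using the openssl command line (assumed to be installed). The paths in the usage comment are the page's default locations.

```shell
#!/bin/sh
# Added example (not part of the DRLB project): sanity checks to run on a
# key/certificate pair before pointing ssl_key_file and ssl_cert_file at it.
# Assumes the openssl CLI is installed; paths are arguments, the page's
# defaults being /etc/drlb/ssl/certs/ca.crt and /etc/drlb/ssl/private/ca.key.

# cert_matches_key CERT KEY: succeeds only if the certificate carries the
# public key derived from KEY (compares the two SPKI PEM blocks byte for byte).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeeds if CERT does not expire within DAYS
# (the self-signed certificate from the recipe above expires after 365 days).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# key_is_owner_only KEY: succeeds if group and other have no permission bits,
# i.e. the file was chmod 600 (or 400) as the recipe instructs.
key_is_owner_only() {
    [ -f "$1" ] || return 1
    bits=$(ls -l "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# check_ssl_pair CERT KEY: run all three checks, print one line each and
# return the number of failed checks (0 means the pair is ready to use).
check_ssl_pair() {
    failed=0
    if cert_matches_key "$1" "$2"; then
        echo "OK:   certificate matches private key"
    else
        echo "FAIL: certificate does not match private key (or a file is unreadable)"
        failed=$((failed + 1))
    fi
    if cert_valid_for_days "$1" 30; then
        echo "OK:   certificate valid for at least 30 more days"
    else
        echo "FAIL: certificate expires within 30 days (or is unreadable); reissue it"
        failed=$((failed + 1))
    fi
    if key_is_owner_only "$2"; then
        echo "OK:   private key is owner-only"
    else
        echo "FAIL: private key is readable by group/other; chmod 600 it"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Usage: sh check_ssl_pair.sh /etc/drlb/ssl/certs/ca.crt /etc/drlb/ssl/private/ca.key
if [ "$#" -eq 2 ]; then
    check_ssl_pair "$1" "$2"
fi
```

The expiry check is the one to put in cron: a self-signed certificate that lapses takes the whole front-end down, and nothing in the bridge's own logs warns ahead of time.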
SSL encryption protocol
The SSL encryption protocol is set by the ssl_protocol setting in the SSLCONFIG section in the LB configuration file:
[SSLCONFIG]
...
ssl_protocol = SSLv23
The SSLv23 default setting uses SSL protocols SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Other protocol options are:
SSLv2 - SSL version 2
SSLv3 - SSL version 3
TLSv1 - TLS version 1
TLSv1_1 - TLS version 1.1
TLSv1_2 - TLS version 1.2
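The protocol list above, together with the back-end settings in the SSLCONFIG section earlier on this page, is what an operator should review before exposing the bridge: the shipped default still admits SSLv2, SSLv3, TLS 1.0 and TLS 1.1, and back-end HTTPS is only as good as its certificate verification. The following is an added example, not DRLB project code: a POSIX shell helper that reads values from the [SSLCONFIG] section of ssl_bridge.cfg and reports an ssl_protocol value other than TLSv1_2, a back-end HTTPS setup with ssl_verify_backend_cert left off, and a verification setup missing its ssl_backend_hostname or ssl_backend_ca_list_file. It assumes the key = value and # comment syntax shown on this page and uses only the setting names and values the page documents.

```shell
#!/bin/sh
# Added example (not part of the DRLB project): read the [SSLCONFIG] section
# of an ssl_bridge.cfg and report settings that weaken transport security.
# Assumes the "key = value" / "#" comment syntax shown on this page and uses
# only the setting names and values the page documents.

# sslconfig_get CFG KEY: print the value of KEY from [SSLCONFIG]; comment
# lines, blank lines and keys in other sections are ignored; prints nothing
# if the key is unset (e.g. still commented out, as in the shipped default).
sslconfig_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[SSLCONFIG\]/); next }
        !insec || /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)            # drop a trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# audit_sslconfig CFG: print one OK/INFO/WARN line per check and return the
# number of WARN lines (0 means nothing to fix).
audit_sslconfig() {
    cfg=$1
    warns=0
    proto=$(sslconfig_get "$cfg" ssl_protocol)
    case "${proto:-SSLv23}" in
        TLSv1_2)
            echo "OK:   ssl_protocol=TLSv1_2 (TLS 1.2 only)" ;;
        SSLv23|SSLv2|SSLv3|TLSv1|TLSv1_1)
            echo "WARN: ssl_protocol=${proto:-SSLv23 (default)} permits a deprecated SSL or early-TLS version; set TLSv1_2"
            warns=$((warns + 1)) ;;
        *)
            echo "WARN: ssl_protocol=$proto is not one of the values documented for this service"
            warns=$((warns + 1)) ;;
    esac
    if [ "$(sslconfig_get "$cfg" ssl_encrypt_backend)" != "1" ]; then
        echo "INFO: ssl_encrypt_backend is unset/0: back-end traffic leaves the bridge as plaintext HTTP (the shipped default)"
    elif [ "$(sslconfig_get "$cfg" ssl_verify_backend_cert)" != "1" ]; then
        echo "WARN: back-end HTTPS is enabled but ssl_verify_backend_cert is not 1, so back-end certificates are not checked"
        warns=$((warns + 1))
    else
        missing=0
        for k in ssl_backend_hostname ssl_backend_ca_list_file; do
            if [ -z "$(sslconfig_get "$cfg" "$k")" ]; then
                echo "WARN: ssl_verify_backend_cert=1 but $k is unset (the page requires it for verification)"
                warns=$((warns + 1))
                missing=1
            fi
        done
        if [ "$missing" -eq 0 ]; then
            echo "OK:   back-end HTTPS with certificate verification against ssl_backend_ca_list_file"
        fi
    fi
    return "$warns"
}

# Usage: sh audit_sslconfig.sh /etc/drlb/ssl_bridge.cfg
if [ "$#" -eq 1 ]; then
    audit_sslconfig "$1"
fi
```

Run against the shipped default the helper returns 1 (the protocol warning) and an INFO line about plaintext back-end traffic; the INFO is deliberately not a warning, since the page presents HTTP to the back-end as a supported deployment, but it is the line to look at if the back-end segment is not trusted.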
Remaining work on this project
Support and Bug Tracking
https://github.com/datareel/ssl-bridge/issues