The purpose of this post is to show how you can enable SSL termination on an existing cloud load balancer through the API. Using the API will allow you to script deployments so you can avoid having to use the control panel. This also provides you the building blocks for understanding deployment automation.
This guide will show you how to enable SSL termination on an existing cloud load balancer as described in my previous post: Rackspace Cloud API – Create cloud load balancers
Feel free to review http://docs.rackspace.com for learning about all the possible operations that can be done through the API.
In this example, we are going to enable SSL termination on an existing cloud load balancer called lb.example.com. The domain we are load balancing is www.example.com. Please note that enabling SSL termination on a Rackspace cloud load balancer costs more then a regular cloud load balancer!
SPECIAL NOTE: I advise against using SSL termination if you are passing any PII (personally identifiable information) or other sensitive data through the cloud load balancer to the Cloud server. The transmission will only be encrypted from the clients browser to the load balancer. From there, the cloud load balancer will send the request in clear text through the rackspace network to your cloud server.
When working with the API, I like to use a tool called httpie to simplify things a bit. You can install this by:
yum install httpie
Now that we have httpie installed, lets get an auth token from the API:
echo '{"auth": {"RAX-KSKEY:apiKeyCredentials": {"username": "YOUR_USERNAME","apiKey":"YOUR_API_KEY"}}}' | http post https://identity.api.rackspacecloud.com/v2.0/tokens
The token you need will be listed next to “id” field as shown below
"token": { "expires": "2013-07-09T23:17:08.634-05:00", "id": "2334aasdf5555j3hfhd22245dhsr", "tenant": { "id": "123456", "name": "123456"
To simplify things moving forward, we will set some local variables that we’ll use when communicating with the API:
export token="YOUR_API_TOKEN_RECEIVED_ABOVE" export account="YOUR_RACKSPACE_CLOUD_ACCOUNT_NUMBER" export lb_endpoint="https://ord.loadbalancers.api.rackspacecloud.com/v1.0"
NOTE: Change the endpoints region accordingly (ord or dfw).
For the purposes of this guide, we will be creating a self signed SSL certificate. In production environments, you will want to purchase a SSL certificate through a CA.
We will create our self signed SSL certificate by using the openssl command:
openssl req -x509 -nodes -newkey rsa:2048 -keyout example.com.tmp.key -out example.com.cert -days 1825 Generating a 2048 bit RSA private key ........+++ .....................................+++ writing new private key to 'example.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []: Los Angeles Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company LLC Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:*.example.com Email Address []:
Now we must covert the key so the API will be able to use it:
openssl rsa -in example.com.tmp.key -out example.com.key rm -f example.com.tmp.key
Format the key and cert so it is more friendly for the API. Be sure to save the output as we will need it for the next step:
while read line; do echo -n "$line\n"; done < example.com.key while read line; do echo -n "$line\n"; done < example.com.cert
Now, lets setup the json file that contains our certificate information:
cat << EOF > example.com.cert.json { "certificate":"-----BEGIN CERTIFICATE-----\nMIIblahblahblahblah\n-----END CERTIFICATE-----", "enabled":true, "secureTrafficOnly":false, "privatekey":"-----BEGIN RSA PRIVATE KEY-----\nMIICWblahblahblahblah\n-----END RSA PRIVATE KEY-----", "intermediateCertificate":"", "securePort":443} EOF
Finally, lets execute the json file to enable SSL on your pre-existing cloud load balancer:
http put $lb_endpoint/$account/loadbalancers/YOUR_CLOUD_LOAD_BALANCER_ID/ssltermination X-Auth-Token:$token @example.com.cert.json
SSL termination on your existing load balancer has now been enabled.