HAProxy

Product description

HAProxy is free, open source software that provides a high-availability load balancer and proxy server for TCP and HTTP-based applications, spreading requests across multiple servers.

TKU November 2021 added support for TLS certificate discovery (DRDC1-16963).

The TLS Certificate Detail node is linked to the related Load Balancer Service node.


Architecture

HAProxy uses the following conceptual model, where (n) denotes a many-to-many relationship:

  • Frontend instance (n) <-> (n) Backend instance <-> (n) Server
    or
  • Listen instance (n) <-> (n) Server

This model translates into the BMC Discovery load balancer model:

  • Frontend instance -> Load Balancer Service
  • Listen instance -> Load Balancer Service and Load Balancer Pool
  • Backend instance -> Load Balancer Pool
  • Server -> Load Balancer Member

Load Balancer Model

 

The HAProxy_LoadBalancer pattern builds the BMC Discovery load balancer model from additional details obtained over SSH.

All information about configured elements is read from the main configuration file haproxy.cfg; its location is taken from the arguments of the main haproxy process.

The HAProxy software load balancer is modeled as a Software Instance linked to a Load Balancer Instance.



Triggers


Pattern               Trigger Node       Attribute  Condition  Argument
HAProxy_LoadBalancer  DiscoveredProcess  cmd        matches    unix_cmd "haproxy"


Versioning

Active

The HAProxy_LoadBalancer pattern runs the "haproxy -v" command to obtain the version.

Package

The HAProxy_LoadBalancer pattern looks for an installed package whose name matches the regex "haproxy$".

Modeled Components

Software Instance

The pattern creates a Software Instance with the following attributes:

Attribute   Value
key         A hash of the host key and load balancer type.
type        The software instance type.
name        %si_name% %product_version% on %host.name%.
version     The version of the software instance.

Load Balancer Instance

The pattern creates a Load Balancer Instance with the following attributes:

Attribute   Value
key         A hash of the device key and load balancer type.
type        The load balancer type.
name        %LB_TYPE% on %host.name%.
version     The version of the software instance.

The pattern models a network service relationship between the Software Instance and the Load Balancer Instance.

Load Balancer Service

The pattern creates a Load Balancer Service with the following attributes:

Attribute     Value
key           A hash of the frontend or listen node name, IP address and port.
name          The frontend or listen node name.
ip_addr       The frontend or listen node IP address.
port          The frontend or listen node port.
protocol      The frontend or listen node protocol type.
state         The frontend or listen node state.
dns_names     The DNS name of the frontend or listen node IP address.
_config_hash  A hash of the frontend or listen node name, IP address, port and protocol.

The pattern models a containment relationship between the Load Balancer Instance and a Load Balancer Service.

The pattern also models a containment relationship between the Load Balancer Service and a Load Balancer Pool.

Load Balancer Pool

The pattern creates a Load Balancer Pool with the following attributes:

Attribute     Value
key           A hash of the backend or listen name and the host key.
name          The pool name.
protocol      The protocol used.
algorithm     The load balancing algorithm used.
_config_hash  A hash of the pool name, state, mode and algorithm.

The pattern models a containment relationship between the Load Balancer Instance and a Load Balancer Pool.

Load Balancer Member

The pattern creates a Load Balancer Member for every server and populates the following attributes:

Attribute   Value
key         A hash of the name, IP address and port of the real server.
ip_addr     The server IP address.
port        The server port.
name        The server name.

The pattern models a containment relationship between the Load Balancer Pool and a Load Balancer Member.

TLS Certificates

The HAProxy_LoadBalancer pattern reads the haproxy.cfg file to obtain each SSL-enabled listening socket (ssl_tcp_socket), which is passed to the following command:

which openssl > /dev/null 2>&1 && echo | openssl s_client -connect %listen_ssl_tcp_socket% | openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text

If multiple .pem files are detected for one socket, each of those files is passed to the following command instead:

which openssl > /dev/null 2>&1 && echo | PRIV_RUNCMD openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in %esc_pem_file%

If the certificate files cannot be read, the related socket is passed to the first command and only one TLS Certificate per socket is modeled.
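The mapping from haproxy.cfg sections to the Discovery model (frontend/listen to Load Balancer Service, backend/listen to Load Balancer Pool, server to Load Balancer Member, with hashed keys) and the extraction of SSL sockets with their crt files for the TLS step, as an added illustration that is not the pattern's own code. The config fragment, the host key value and the choice of SHA-1 for the key hash are assumptions made for the example.

```python
import hashlib

# Constructed haproxy.cfg fragment (not from the page): a frontend/backend pair,
# a listen block, and an SSL bind carrying two PEM files on one socket.
SAMPLE_CFG = """
frontend web
    bind 10.0.0.5:443 ssl crt /etc/haproxy/a.pem crt /etc/haproxy/b.pem
    mode http
    default_backend app
backend app
    balance roundrobin
    server app1 10.0.1.10:8080
    server app2 10.0.1.11:8080
listen stats
    bind 10.0.0.5:9000
    balance leastconn
    server s1 10.0.2.20:9000
"""
HOST_KEY = "hostkey-example"  # assumed host key; Discovery supplies the real one

def key(*parts):
    """Discovery-style node key: a hash over the identifying attributes."""
    return hashlib.sha1("|".join(parts).encode()).hexdigest()

def parse_haproxy_cfg(text, host_key=HOST_KEY):
    """frontend/listen -> service, backend/listen -> pool, server -> member; one bind per section."""
    sections = []  # (kind, name, body lines split into words)
    for raw in text.splitlines():
        words = raw.split()
        if words and words[0] in ("frontend", "backend", "listen"):
            sections.append((words[0], words[1], []))
        elif words and sections and not words[0].startswith("#"):
            sections[-1][2].append(words)
    services, pools, ssl_sockets = {}, {}, {}
    for kind, name, body in sections:
        opts = {w[0]: w[1:] for w in body if w[0] != "server"}
        mode = opts.get("mode", ["tcp"])[0]  # HAProxy defaults to tcp
        if kind != "backend" and "bind" in opts:
            bind = opts["bind"]
            ip, port = bind[0].rsplit(":", 1)
            pool = name if kind == "listen" else opts.get("default_backend", [None])[0]
            services[name] = {"key": key(name, ip, port), "ip_addr": ip,
                              "port": int(port), "protocol": mode, "pool": pool}
            if "ssl" in bind:  # socket the TLS step probes, with its crt files
                ssl_sockets[bind[0]] = [v for k, v in zip(bind, bind[1:]) if k == "crt"]
        if kind != "frontend":
            members = [{"key": key(w[1], *w[2].rsplit(":", 1)), "name": w[1],
                        "ip_addr": w[2].rsplit(":", 1)[0], "port": int(w[2].rsplit(":", 1)[1])}
                       for w in body if w[0] == "server"]
            pools[name] = {"key": key(name, host_key), "protocol": mode,
                           "algorithm": opts.get("balance", [None])[0], "members": members}
    return {"services": services, "pools": pools, "ssl_sockets": ssl_sockets}
```

A socket with more than one crt file in ssl_sockets is the case where the pattern switches from the s_client probe to reading each .pem file directly.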

Note that the second command does not reveal certificate private keys. It is executed with sudo, so the Discovery user must be added to the sudoers file with sufficient privileges.

To restrict the second command to reading certificate files and prevent any other use of the sudo grant, the following entry may be added to your sudoers file:

Cmnd_Alias LSCERT=\
/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /*,\
!/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /* *,\
!/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /..

DiscoveryUser ALL=(root) NOPASSWD: LSCERT


The modeled TLS Certificate Detail node is linked to the related Load Balancer Service node.

Related topics:

TLS Certificates Discovery for Unix

