Centos/Redhat Load Balancer - Securing your Piranha Gui

Way back in 2010 I wrote a post on setting up a CentOS/Redhat load balancer using piranha and the Linux Virtual Server project to provide a load-balancing solution for your critical applications and infrastructure.  These days we mainly use Ubuntu for its up-to-date packages, cloud ubiquity and ease of version upgrade and management; but we still get clients running CentOS and piranha gui for load-balancing.

Linux Load Balancer

Setting up the load-balancer gui is documented in my previous post but one thing that always bothered me was that the piranha-gui is server up over http instead of over https. There is no encryption of traffic to and from the gui front-end and it uses basic authentication, Basically your login credentials are sent over the wire in clear text. Well, Ok, its base 64 encoded but that's not encryption.

Considering that load-balancers are often deployed at remote data-centres, where critical applications are housesd, and administrators access these high-availability devices from an office, over the internet, the risk of a security compromise is just to great to allow this default configuration to be used.

Securing Your Centos/RedHat Load Balancer

Luckily securing piranha is not hard. It is a simple php application that is hosted in an Apache server so configuring it to support SSL is the same as what one would do to secure your Apache HTTP server.

  1. First we need to generate some SSL certificates. We will use self-signed SSL certificates in this exercise as the main purpose is to encrypt traffic between the browser and the remote server. If you want to ensure authenticity of the destination host then get the cert signed by a certificate authority or setup your own and add the CA cert to your list of trusted CAs.

    "openssl req -new -x509 -out /etc/sysconfig/ha/conf/piranha.crt -keyout /etc/sysconfig/ha/conf/piranha.key -nodes"
  2. The piranha.crt is your public key and piranha,key is your super secret private key. Make sure your private key is only readable by the piranha user and is owned by them too.

    "chmod -o-r /etc/sysconfig/ha/conf/piranha.key; chown piranha:piranha /etc/sysconfig/ha/conf/piranha.key"

  3. Now we need to edit the piranha configuration file via "vi /etc/sysconfig/ha/conf/httpd.conf". Add the following lines to the file :

    71 DocumentRoot "/etc/sysconfig/ha/web"  ==> this line already exists. I just put the directives after this.
    72 SSLEngine  on 
    <== Add this line!
    73 SSLCertificateFile /etc/sysconfig/ha/conf/piranha.crt <== Add this line!
    74 SSLCertificateKeyFile /etc/sysconfig/ha/conf/piranha.key <== Add this line!
        85    <Directory />
        86        Options FollowSymLinks
        87        AllowOverride None
        88        SSLRequireSSL <== Add this line!
        89    </Directory>
  4. You will also need to install the mod_ssl package via

    "yum install mod_ssl"

  5. Restart the piranha-gui with "service piranha-gui restart" and enjoy secure administration of your load-balancer :)