2
votes

In my local development environment, I want to connect to the endpoint of AWS Neptune. However, in ap-northeast-2 I must use SSL, so I am trying to set up HAProxy on my bastion server. (reference: https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html)

But I don't know how I can use the Amazon root CA cert with HAProxy. (AmazonRootCA1.pem: https://www.amazontrust.com/repository/AmazonRootCA1.pem)

This is my haproxy.cfg:

frontend neptune
  bind :59999 ssl crt ca-file /usr/local/etc/haproxy/SFSRootCAG2.pem verify required.
  reqadd X-Forwarded-Proto:\ https
  mode http
  timeout client 60m
  default_backend neptune

backend neptune
  mode http
  option forwardfor
  option httpclose
  timeout server 60m
  balance roundrobin
  server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 weight 1 check inter 10000

I don't understand this:

"If you are using a load balancer or a proxy server (such as HAProxy), you must use SSL termination and have your own SSL certificate on the proxy server.

SSL passthrough doesn't work because the provided SSL certificates don't match the proxy server hostname."

(https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html)

What do I need to do?

This is the error log:

[ALERT] 215/115034 (6) : parsing [/usr/local/etc/haproxy/haproxy.cfg:7] : 'bind :59999' : unable to load SSL private key from PEM file '/usr/local/etc/haproxy/SFSRootCAG2.pem'.
[ALERT] 215/115034 (6) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 215/115034 (6) : Fatal errors found in configuration.
The error you're getting is because HAProxy expects the public and private key to be appended in one .pem file (cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt). Since Amazon controls that private key and only gives access to the public key, I don't think you'll be able to use the pem file like this. However, taking a step back, it's not clear to me what your end goal is here. Do you want to connect to AWS Neptune with http using HAProxy? Or do you want to use a different endpoint other than the endpoints given by Amazon to connect via https? (mweiss)
I appreciate your comment. I want to connect to AWS Neptune with http using HAProxy, because the AWS Neptune endpoint is only available for requests from the same VPC, so I can't connect to Neptune from my local development env. (ZZERJAE)
I can make a request like this on the bastion server: curl -X POST -d '{"gremlin":"g.V().limit(1)"}' https://my-neptune-endpoint.abcdefg.ap-northeast-1.neptune.amazonaws.com:8188/gremlin  I want to make a request like this from my local env (13.164.123.411 is my haproxy server IP): curl -X POST -d '{"gremlin":"g.V().limit(1)"}' http://13.164.123.411:59999/gremlin (ZZERJAE)
@ZZERJAE Is this for a dev setup or are you trying to build this for a production setup (i.e. talking to Neptune from outside the VPC)? If it is purely for connecting your dev box, you can just use an ALB backed by the IPs of your DB endpoint. However, this is extremely caveated, as the IP addresses of your instance can change. (The-Big-K)

1 Answer

2
votes

Although I don't fully understand the context, it sounds like you want an http -> https proxy to the neptune server. To do this, you would need to do something like:

frontend neptune
  # plain HTTP from the client; no "ssl" on the bind line, so no certificate is needed here
  bind *:59999
  mode http
  # your options here...
  default_backend neptune

backend neptune
  mode http
  # your options here...
  # "ssl" on the server line makes HAProxy open a TLS connection to Neptune,
  # and "verify required" with "ca-file" checks Neptune's certificate against that CA
  server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 ssl ca-file /usr/local/etc/haproxy/SFSRootCAG2.pem verify required weight 1 check inter 10000

If this is just a development environment though, you can perhaps simplify your proxy, omit the ca-file and use verify none, e.g.:

server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 ssl verify none weight 1 check inter 10000
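As an added example (not part of the question or the answer above), here is a complete haproxy.cfg that does what the Neptune documentation quoted in the question describes: TLS terminates on the bastion with the proxy's own certificate, and HAProxy opens a second, verified TLS connection to the Neptune endpoint. The certificate path /etc/haproxy/certs/bastion.pem, the use of AmazonRootCA1.pem as the CA file, the port numbers and the cluster hostname are assumptions; only the directives themselves are standard HAProxy syntax.

```haproxy
# Added example haproxy.cfg (assumed: HAProxy 1.8 or newer built with OpenSSL).
# Two hops, both encrypted:
#   client  --TLS (bastion's own cert)-->  HAProxy  --TLS (verified)-->  Neptune

global
    # Refuse anything older than TLS 1.2 when HAProxy is the TLS client.
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  60m
    timeout server  60m

# Client side: TLS termination. "crt" must point at ONE PEM file containing the
# bastion's certificate (plus any intermediates) followed by its private key.
# A root CA file has no private key, which is exactly why the question's
# "bind ... crt ca-file SFSRootCAG2.pem" failed to load. Path is an assumption.
frontend neptune_in
    bind *:59999 ssl crt /etc/haproxy/certs/bastion.pem ssl-min-ver TLSv1.2
    http-request set-header X-Forwarded-Proto https
    default_backend neptune_out

# Server side: re-encrypt to Neptune.
#   verify required + ca-file  -> the chain must end at the given root
#   sni                        -> send the cluster name in the TLS handshake
#   verifyhost                 -> the certificate must carry that name, so a
#                                 substituted or wrong endpoint is rejected
#   check-sni                  -> health checks use the same SNI
backend neptune_out
    option forwardfor
    server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 ssl verify required ca-file /usr/local/etc/haproxy/AmazonRootCA1.pem sni str(my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com) verifyhost my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com check-sni my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com check inter 10s
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm which root the endpoint actually chains to, run `openssl s_client -connect <cluster-host>:8183 -servername <cluster-host> -CAfile AmazonRootCA1.pem </dev/null` from the bastion and look for `Verify return code: 0 (ok)`; if it fails, try the Starfield root (SFSRootCAG2.pem) that the question's config referenced. Two caveats for the dev shortcut in the answer: `verify none` means HAProxy will accept any certificate on the Neptune hop, and a plain-HTTP frontend sends the Gremlin traffic unencrypted across the internet, so restrict port 59999 to your own IP or reach it through an SSH tunnel.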