0
votes

I'm exploring GCP and I love the way it lets the developer play with such costly infrastructure. Till now I have learnt a lot of things. I'm no longer a beginner, and I have this case which I'm unable to find docs or an example for, or I might be thinking in the wrong direction.

I want to build an auto-scaling hosting solution where users can:

  1. Create an account
  2. Create multiple websites [these websites are basically templates where the user can define certain fields and the website is rendered in a specific manner | users are not allowed to upload files, just some data entries]
  3. In a website, the user can connect a domain [put an 'A' record DNS entry in their domain]
  4. After that, an SSL is provisioned automatically by the platform and the website is up and running. [somewhat like Firebase]

I could easily create such a project on one server with the following configuration [skipped simple steps like user auth etc.]:

  1. I use Ubuntu 16.04 as my machine type with 4 GB RAM and a 10 GB persistent disk
  2. Then I install nvm [a package to manage Node.js]
  3. After that I install a specific version of Node.js using nvm
  4. I have written a simple JavaScript package in which I use an Express server to respond to the client requests with some HTML
  5. For managing SSL I use Let's Encrypt's certbot package
  6. I use pm2 to run the JavaScript file as a service in the background

After being able to accomplish this, I could see everything works the way I want it to.

Then I started exploring GCP's load balancers. There I learnt about the 4 layer and 7 layer LBs, and I implemented some hello world tests [using startup scripts] in all possible configurations like

  • 7 layer HTTP
  • 7 layer HTTPS
  • 4 layer internal TCP
  • 4 layer internal SSL

Here is the main problem I'm facing: I can't find a way to dynamically allocate an SSL to an incoming request to the load balancer.

In my case requests might be coming from any domain, so the GCP load balancer must have some sort of configuration to provision SSL for a specific domain [I have read that it can allocate an SSL for up to 100 domains, but how could I automate things], or could there be a way that instead of requests being proxied [the LB generates a new request to the internal servers], requests are just redirected so that the internal servers can handle the SSL management themselves?

I might be wrong somewhere in my understanding of the concepts. Please help me solve the problem. I want to build a Firebase Hosting clone on my own. Any kind of response is welcome.

1

1 Answers

2
votes

One way to do it would be to update your JS script to generate a Google-managed certificate for each new domain via gcloud:

gcloud compute ssl-certificates create CERTIFICATE_NAME \
    --description=DESCRIPTION \
    --domains=DOMAIN_LIST \
    --global

and then apply it to the load balancer:

gcloud compute target-https-proxies update TARGET_PROXY_NAME \
    --ssl-certificates SSL_CERTIFICATE_LIST \
    --global-ssl-certificates \
    --global

Please be aware that it may take anywhere from 5 to 20 minutes for the Load Balancer to start using new certificates.

You can find more information here.
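
The automation this answer describes, as an added example that is not part of the original answer: a Node.js helper that validates the customer-supplied domain and builds the two gcloud invocations as argument arrays run without a shell, so a hostile domain string cannot inject commands or flags. The function names, the resource-name pattern and the sample values are assumptions; the gcloud flags are the ones shown above.

```javascript
// Added example; function names and sample values are assumptions, not from the answer.
// Customer-supplied domains end up as gcloud arguments, so accept only plain DNS names.
const LABEL = /^(?!-)[a-z0-9-]{1,63}(?<!-)$/;
// Assumed pattern for Compute Engine resource names (lowercase, starts with a letter).
const RESOURCE_NAME = /^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$/;

function normalizeDomain(input) {
  const domain = String(input).trim().toLowerCase().replace(/\.$/, '');
  const labels = domain.split('.');
  if (domain.length > 253 || labels.length < 2 || !labels.every((l) => LABEL.test(l))) {
    throw new Error(`invalid domain: ${JSON.stringify(input)}`);
  }
  return domain;
}

function checkName(name) {
  if (!RESOURCE_NAME.test(name)) throw new Error(`invalid resource name: ${JSON.stringify(name)}`);
  return name;
}

// Arguments for `gcloud compute ssl-certificates create` (one managed cert per domain).
function createCertArgs(certName, domain) {
  return ['compute', 'ssl-certificates', 'create', checkName(certName),
    `--domains=${normalizeDomain(domain)}`, '--global'];
}

// Arguments for `gcloud compute target-https-proxies update`. The command takes the
// whole certificate list, so pass the already-attached names plus the new one.
function attachCertArgs(proxyName, attachedCerts, newCert) {
  const certs = [...new Set([...attachedCerts, newCert])].map(checkName);
  return ['compute', 'target-https-proxies', 'update', checkName(proxyName),
    '--ssl-certificates', certs.join(','), '--global-ssl-certificates', '--global'];
}

// Runs gcloud with an argument array and no shell, so metacharacters are never interpreted.
async function runGcloud(args) {
  const { execFile } = await import('node:child_process'); // works in CJS and ESM
  return new Promise((resolve, reject) => {
    execFile('gcloud', args, (err, stdout, stderr) =>
      (err ? reject(new Error(stderr || err.message)) : resolve(stdout)));
  });
}

// Provision flow for one new customer domain (all names supplied by the caller).
async function provision(domain, certName, proxyName, attachedCerts) {
  await runGcloud(createCertArgs(certName, domain));
  await runGcloud(attachCertArgs(proxyName, attachedCerts, certName));
}
```

Call `provision` only after the customer's DNS record points at the load balancer, and keep the list of attached certificate names in your own datastore so each update passes the complete set.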