Tags: amazon-web-services, ssl-certificate, haproxy, ca, amazon-neptune

How can I connect with Neptune by Haproxy?


In my local development environment, I want to connect to the endpoint of AWS Neptune. However, in ap-northeast-2 I must use SSL, so I tried to set up HAProxy on my bastion server. (reference: https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html)

But I don't know how I can use the Amazon root CA cert with HAProxy. (AmazonRootCA1.pem: https://www.amazontrust.com/repository/AmazonRootCA1.pem)

This is my haproxy.cfg:

frontend neptune
  bind :59999 ssl crt ca-file /usr/local/etc/haproxy/SFSRootCAG2.pem verify required.
  reqadd X-Forwarded-Proto:\ https
  mode http
  timeout client 60m
  default_backend neptune

backend neptune
  mode http
  option forwardfor
  option httpclose
  timeout server 60m
  balance roundrobin
  server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 weight 1 check inter 10000

I don't understand this:

"If you are using a load balancer or a proxy server (such as HAProxy), you must use SSL termination and have your own SSL certificate on the proxy server.

SSL passthrough doesn't work because the provided SSL certificates don't match the proxy server hostname."

(https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html)

What do I need to do?

This is the error log:

[ALERT] 215/115034 (6) : parsing [/usr/local/etc/haproxy/haproxy.cfg:7] : 'bind :59999' : unable to load SSL private key from PEM file '/usr/local/etc/haproxy/SFSRootCAG2.pem'.
[ALERT] 215/115034 (6) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 215/115034 (6) : Fatal errors found in configuration.

Solution

  • Although I don't fully understand the context, it sounds like you want an HTTP -> HTTPS proxy to the Neptune server. To do this, you would need to do something like:

    frontend neptune
      bind *:59999
      mode http
      # your options here...
      default_backend neptune
    
    backend neptune
      mode http
      # your options here...
      server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 ssl ca-file /usr/local/etc/haproxy/SFSRootCAG2.pem verify required weight 1 check inter 10000
    

    If this is just a development environment, though, you can perhaps simplify your proxy, omit the ca-file and use verify none, e.g.:

    server neptune my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com:8183 ssl verify none weight 1 check inter 10000
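The error in the question comes from the two different roles a PEM file plays in HAProxy: on a `bind ... ssl crt` line HAProxy is the TLS server and `crt` must contain a certificate plus its private key, while on a `server ... ssl ca-file` line HAProxy is the TLS client and `ca-file` only needs trust anchors such as AmazonRootCA1.pem. Handing the CA bundle to `crt` produces exactly "unable to load SSL private key". The script below is an added example, not code from the question or the answer: it writes the "plain HTTP in, verified TLS out" config the answer describes (with `sni` and `verifyhost` added so the hostname is checked as well as the chain) and runs static preflight checks that catch the posted mistake and a `verify none` server line. The cluster endpoint, port 8183 and the PEM paths are placeholders taken from the post, and the PEM files it writes are constructed stand-ins with nothing but the right block headers.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# HAProxy is a TLS *server* on "bind ... ssl crt" (needs cert + private key) and a
# TLS *client* on "server ... ssl ca-file" (needs trust anchors only). These
# helpers write the recommended config and check a config file for the common
# mix-ups before HAProxy is restarted.
# Assumed: endpoint, port and paths are placeholders from the post; the PEM files
# built by demo_files are constructed stand-ins, not real certificates or keys.

# Config lines with comments stripped, so comment text is never read as a keyword.
cfg_lines() { grep -v '^[[:space:]]*#' "$1"; }

# pem_kind FILE: prints "crt" if FILE holds a private key, "ca" if it holds only
# certificates, "none" otherwise (exit status 1 for "none").
pem_kind() {
  f="$1"
  [ -r "$f" ] || { echo none; return 1; }
  keys=$(grep -c -E '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$f" || true)
  certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
  if [ "$keys" -gt 0 ]; then echo crt
  elif [ "$certs" -gt 0 ]; then echo ca
  else echo none; return 1
  fi
}

# write_cfg OUT HOST PORT CAFILE: plain HTTP on loopback in, verified TLS out.
write_cfg() {
  out="$1"; host="$2"; port="$3"; ca="$4"
  cat > "$out" <<EOF
defaults
  mode http
  timeout connect 10s
  timeout client 60m
  timeout server 60m

frontend neptune
  # Loopback only: local clients speak plain HTTP to HAProxy, so no "ssl crt"
  # here. If you expose this bind beyond the bastion, put TLS and your own
  # certificate on this line (the "SSL termination" the Neptune docs refer to).
  bind 127.0.0.1:59999
  default_backend neptune

backend neptune
  option forwardfor
  # verify required + ca-file rejects any chain that does not end at the CA;
  # sni sends the cluster hostname and verifyhost pins the name check to it,
  # so a valid certificate for some other host is still rejected.
  server neptune $host:$port ssl ca-file $ca verify required sni str($host) verifyhost $host check inter 10s
EOF
}

# check_cfg FILE: static checks mirroring the errors HAProxy raises (and one it
# does not: a TLS server line that skips verification). Non-zero on any finding.
check_cfg() {
  cfg="$1"; rc=0
  # 1. "crt" on a bind line must point at a cert+key file, not a CA bundle.
  for f in $(cfg_lines "$cfg" | sed -n 's/^[[:space:]]*bind .* crt \([^ ]*\).*/\1/p'); do
    [ "$(pem_kind "$f")" = crt ] || { echo "crt $f has no private key"; rc=1; }
  done
  if cfg_lines "$cfg" | grep -E '^[[:space:]]*bind .* ssl( |$)' | grep -v -q ' crt '; then
    echo "bind ... ssl without crt"; rc=1
  fi
  # 2. Every ca-file must be a certificate bundle with no private key inside.
  for f in $(cfg_lines "$cfg" | sed -n 's/^.* ca-file \([^ ]*\).*/\1/p'); do
    [ "$(pem_kind "$f")" = ca ] || { echo "ca-file $f is not a CA bundle"; rc=1; }
  done
  # 3. A TLS server line without "verify required" accepts any certificate.
  if cfg_lines "$cfg" | grep -E '^[[:space:]]*server .* ssl( |$)' | grep -v -q 'verify required'; then
    echo "server ... ssl without verify required"; rc=1
  fi
  return $rc
}

# parse_cfg FILE: the real parser; run this against the real CA file, since the
# constructed stand-ins below are not loadable certificates.
parse_cfg() {
  command -v haproxy >/dev/null 2>&1 || { echo "haproxy not installed; skipping -c"; return 0; }
  haproxy -c -f "$1"
}

# demo_files DIR: constructed PEM stand-in (headers only, clearly not a real CA).
demo_files() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' '-----END CERTIFICATE-----' > "$1/AmazonRootCA1.pem"
}

DEMO=$(mktemp -d)
demo_files "$DEMO"
write_cfg "$DEMO/good.cfg" my-alpha.cluster-abcdefg.ap-northeast-2.neptune.amazonaws.com 8183 "$DEMO/AmazonRootCA1.pem"
check_cfg "$DEMO/good.cfg" && echo "good.cfg: static checks passed"
# The posted mistake: the CA bundle handed to "crt" on the bind line.
printf 'frontend neptune\n  bind :59999 ssl crt %s\n' "$DEMO/AmazonRootCA1.pem" > "$DEMO/bad.cfg"
check_cfg "$DEMO/bad.cfg" || echo "bad.cfg: rejected, as expected"
```

Run `check_cfg` and then `parse_cfg` (`haproxy -c -f`) against the real haproxy.cfg and the downloaded AmazonRootCA1.pem before reloading. The `verify none` shortcut from the answer disables certificate validation entirely, so anything that can sit between the bastion and the Neptune endpoint can impersonate the cluster; if you use it at all, keep the bind on loopback. Note also that `reqadd` from the original config was removed in HAProxy 2.1; `http-request add-header` is the current form.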