Jump to content
Welcome to our new Citrix community!
  • SSL Offloading using Terraform


    Guest
    • Validation Status: Work In Progress
      Has Video?: No

    NetScaler can be configured for SSL offloading with end-to-end encryption, in which the NetScaler will re-encrypt the clear text data and use secure SSL sessions to communicate with the back-end web servers.

     

    Configure the back-end SSL transactions so that  the appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers. It helps in avoiding CPU-intensive key exchange (full handshake) operations and also reduces the overall number of SSL sessions on the server. As a result, it accelerates the SSL transaction while maintaining end-to-end security.

    Following are the steps to configure an end-to-end encryption deployment :

    • Create SSL services
    • Create an SSL virtual server
    • Add a certificate-key pair
    • Bind the certificate-key pair to the SSL virtual server
    • Bind the services to the SSL virtual server
    NetScaler comes with prebuilt SSL profile that can helps you to achieve A+ SSL configurations.

    Above procedural steps can be reduced to a single declarative file containing the desired state of NetScaler.

    Below is a terraform resource file that can configure end to end SSL offloading.

    resource "citrixadc_service" "service1" {  servicetype = var.service1_servicetype  name        = var.service1_name  ipaddress   = var.service1_ip  ip          = var.service1_ip  port        = var.service1_port}resource "citrixadc_service" "service2" {  servicetype = var.service2_servicetype  name        = var.service2_name  ipaddress   = var.service2_ip  ip          = var.service2_ip  port        = var.service1_port}resource "citrixadc_lbvserver" "production_lb" {  depends_on  = [citrixadc_sslparameter.defaultprofile]  name        = var.production_lb_name  ipv46       = var.production_lb_ip  port        = "443"  servicetype = "SSL"  ciphers     = ["DEFAULT"]  sslprofile  = "ns_default_ssl_profile_secure_frontend"}resource "citrixadc_systemfile" "sslcert_copy" {  filename     = "sslcert.pem"  filelocation = "/var/tmp"  filecontent  = file(var.ssl_certificate_path)}resource "citrixadc_systemfile" "sslkey_copy" {  filename     = "sslkey.ky"  filelocation = "/var/tmp"  filecontent  = file(var.ssl_key_path)}resource "citrixadc_sslcertkey" "sslcertkey1" {  depends_on      = [citrixadc_sslcertkey.sslcacert]  certkey         = var.ssl_certkey_name  cert            = format("%s/%s", citrixadc_systemfile.sslcert_copy.filelocation, citrixadc_systemfile.sslcert_copy.filename)  key             = format("%s/%s", citrixadc_systemfile.sslkey_copy.filelocation, citrixadc_systemfile.sslkey_copy.filename)  linkcertkeyname = var.ssl_cacert_name}resource "citrixadc_sslvserver_sslcertkey_binding" "sslvserver_sslcertkey_bind" {  vservername = citrixadc_lbvserver.production_lb.name  certkeyname = citrixadc_sslcertkey.sslcertkey1.certkey}resource "citrixadc_lbvserver_service_binding" "lbvserver_sslservice1_bind" {  name        = citrixadc_lbvserver.production_lb.name  servicename = citrixadc_service.service1.name}resource "citrixadc_lbvserver_service_binding" "lbvserver_sslservice2_bind" {  name        = citrixadc_lbvserver.production_lb.name  servicename = citrixadc_service.service2.name}resource "citrixadc_sslparameter" "defaultprofile" {  defaultprofile = "ENABLED"}resource "citrixadc_systemfile" "ssl_cacert_copy" {  filename     = "cacert.crt"  filelocation = "/var/tmp"  filecontent  = file(var.ssl_cacert_path)}resource "citrixadc_sslcertkey" "sslcacert" {  certkey = var.ssl_cacert_name  cert    = format("%s/%s", citrixadc_systemfile.ssl_cacert_copy.filelocation, citrixadc_systemfile.ssl_cacert_copy.filename)}

    You just need to provide values in tfvars file as here and run

    terraform-apply 

    to configure end to end.

    Post configuration, you can send HTTPS request at VIP to validate SSL traffic. Additionally, you provide the domain name in Qualys and ensure that your backend servers are A+ certified.  

    Learn more above SSL offloading capabilities in NetScaler here and you can find Terraform example here

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...