Has anyone configured Jira/Bitbucket Data Center to work with an A10 load balancer?

Manohar Goli (Dnfcs)
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 15, 2018

Hello Atlassian Community,  

We are working on a Data Center configuration that has an A10 hardware load balancer in front of a 4-node JIRA/BB cluster running on HTTPS all the way from the load balancer URL to the nodes (SSL is set up on the servers, to have an end-to-end secure connection).

Most of the examples shared are with Apache, Nginx, F5, nothing on A10; please share details on configuration if anyone has done it.

Thanks in advance.

Cheers

Manohar

1 answer

0 votes
Dave Theodore [Coyote Creek Consulting]
Community Leader
October 15, 2018

You really shouldn't need to do anything special. For Confluence, your LB needs to support websockets, but I don't believe websockets are needed for Jira or Bitbucket.  We've done some configurations with pretty primitive load balancers and haven't had any issues. If you're using self-signed ssl certs for TLS between the application nodes and LB, you may need to import the certs into the load balancer so they are trusted.

When you configure your rules, you need to make sure you are session sticky. Most load balancers support cookie based session control, so I would expect you can use this option. To test, go to the "Clustering" link in the admin interface and refresh the page a few times to make sure you stay sticky on one node.  I would also recommend using "least load" or whatever it's called in A10 speak. In testing, we have found that provides the most even distribution of loading among nodes. I hope that helps.

Manohar Goli (Dnfcs)
October 15, 2018

@Dave Theodore [Coyote Creek Consulting] Thank you very much for the info. Do you have any KB for configuring Data Center with SSL on nodes, instead of terminating SSL at the load balancer? Were there any challenges that we need to be aware of?

Dave Theodore [Coyote Creek Consulting]
October 15, 2018

Ah, I think I may have misunderstood what you were asking.  Are you suggesting having the LB only serve as a load balancer and terminating the SSL on each application node? I understood the problem to be that you would terminate SSL on your LB and also do SSL to each node.  Why wouldn't you want to terminate SSL on the load balancer if it can do it? It's much better to manage certificates in one place than in many.

Another thing that I forgot to mention is that you will need the ability to load balance TCP and HTTP(S) traffic for Bitbucket. A normal HTTP only load balancer will not be able to proxy the SSH traffic. You could have your users use HTTP for their git traffic, though.

Manohar Goli (Dnfcs)
October 15, 2018

The security team has concerns about leaving connectivity between the LB and nodes on HTTP, so we had to have SSL terminate at the node, so that the connection between LB and node is on HTTPS. We did mention the challenges of having nodes handle SSL, but they are not ready to buy any of those arguments. Here is the current ask:

The A10 load balancer handles all HTTPS requests and forwards them to the nodes, and the nodes handle decryption and encryption before sending the response back to the LB. We have communicated the TCP and SSH requirement to the A10 team and they are aware of that requirement.

I hope my question is clear now? How do we handle certs now, and are you aware of any precautions we need to take to make sure this configuration works?

Dave Theodore [Coyote Creek Consulting]
October 15, 2018

Got it. So it is as I originally understood things.  

The biggest problem with doing SSL in between the LB and nodes is that you need to manage the certificates when they expire. If you have the Atlassian tools terminate SSL, you need to import the cert into Java on as many application nodes as you have. This also means you need to bounce each application. This is a headache.

If you set up an SSL reverse proxy server, such as Apache, on each node, you can reduce the cert management hassles a bit. Apache "graceful" restart will reread the certificates and all new child processes will use the new configuration, allowing the existing connections to drain off and the child process using the old config to die. You are able to update the cert without needing to take the application down, but this still needs to be done on as many nodes as you have. This could, of course, be scripted or done with configuration management. If security really wants to be picky, you can configure the Atlassian application to only listen on localhost and then terminate the reverse proxy config to localhost. I'd go this route, personally. Don't forget to set your reverse proxy to auto start on reboot. 

In either case, I would expect SSH encryption should satisfy your security team and they will allow the load balanced SSH sessions to go directly to 7999 on the Bitbucket servers. If not, you might want to use HAproxy for all the nodes, so you can  keep your configuration consistent among the nodes. HAproxy can do HTTP and TCP proxying.
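The per-node reverse proxy described in the comment above, sketched as an added example that is not part of the original post or Atlassian's documentation. The hostname `jira.example.com` and the certificate paths are placeholders, and the backend port 8080 is the Jira port mentioned in the thread.

```apache
# Added example: Apache terminates TLS on each application node and
# proxies to Jira over loopback only. Hostname and file paths are
# placeholders. Assumes mod_ssl, mod_proxy and mod_proxy_http are loaded.
<VirtualHost *:443>
    # Public name users reach through the load balancer (placeholder).
    ServerName jira.example.com

    SSLEngine on
    # Disable legacy protocol versions on the LB-to-node hop as well.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Certificate the load balancer must trust (import it into the LB
    # if it is self-signed or issued by an internal CA).
    SSLCertificateFile    /etc/pki/tls/certs/node.example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/node.example.key

    # Act as a reverse proxy only, never as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # The application is reachable only via loopback, so no cleartext
    # HTTP leaves the node.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Matching Tomcat connector in Jira's server.xml (other attributes
# omitted): bind to loopback and tell Jira it is served over HTTPS.
#   <Connector port="8080" address="127.0.0.1"
#              proxyName="jira.example.com" proxyPort="443"
#              scheme="https" secure="true" />
```

After replacing the certificate files on a node, `apachectl configtest` followed by `apachectl graceful` reloads them without restarting the application.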

Manohar Goli (Dnfcs)
October 15, 2018

Got that, thank you @Dave Theodore [Coyote Creek Consulting]. Are there any port-level changes we need to configure at the load balancer due to this HTTPS setup between LB and node?

Currently JIRA is listening on 8080 and BB on 7990, and at server level we are redirecting them to listen on 443 for HTTPS.

As far as certs are concerned, as we are not terminating SSL at the LB, do we still need to import certs into the LB for trusting?

Dave Theodore [Coyote Creek Consulting]
October 15, 2018

If you terminate SSL on the load balancer and have your pool of servers configured with SSL, the rules should be no different to if you were doing HTTP connections to the application nodes. If you're not using commercial certs, the load balancer might want you to import the certs so that it can trust them. Your LB admins should know if that is required or not.
