Info: The following steps are for RHEL/CentOS 7.x specifically.
The following configuration steps are needed to configure HAProxy as an SSL offloader for Content Gateway.
Step-by-step guide
- Verify Content Gateway is listening on port 8080 for SCSP, 8090 for S3 and 8091 for Service Proxy.
/etc/caringo/cloudgateway/gateway.cfg:

[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080
externalHTTPPort = 80
externalHTTPSPort = 443

[s3]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8090

[cluster_admin]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8091
externalHTTPSPort = 91
Info: In this example, direct HTTP access to those personalities is still provided. If you wish to harden security and force HTTPS, change the bind address to 127.0.0.1 for all three personalities, so that they are reachable only through the HAProxy backends on the same host.
- Set up and install HAProxy. This package is part of the EPEL repository.
Use the following configuration for /etc/haproxy/haproxy.cfg:

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    # Do not use "option http-server-close", it causes S3 PUT incompatibility with some clients including FileFly!
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend www-http
    bind 0.0.0.0:80
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Port 80
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 91
    default_backend www-backend-svc

backend www-backend-scsp
    #redirect scheme https if !{ ssl_fc }   <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8080 check

backend www-backend-s3
    #redirect scheme https if !{ ssl_fc }   <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8090 check

backend www-backend-svc
    # This rule rewrites the CORS header to add the port number used on the frontend
    http-request replace-value Access-Control-Allow-Origin (.*) \1:91
    redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8091 check
- Start haproxy: systemctl restart haproxy
- Create a self-signed SSL certificate. Execute the following to create a self-signed certificate for the domain:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $DOMAIN.key -out $DOMAIN.crt
Concatenate the DOMAIN.crt (first) and the DOMAIN.key (second) into a DOMAIN.pem file.
Copy the DOMAIN.pem to /etc/pki/tls/certs/DOMAIN.pem
Best practice for S3 is to create a wildcard SSL certificate, so repeat the same steps as above, use "*.DOMAIN" when prompted for the "Common Name", and copy the new file (built the same way, certificate first and key second) to /etc/pki/tls/certs/DOMAIN-wildcard.pem.
To add the new certificate to /etc/haproxy/haproxy.cfg, change

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem

to

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/DOMAIN.pem crt /etc/pki/tls/certs/DOMAIN-wildcard.pem
Info: Perform this for all bind statements with the ssl keyword configured. Restart haproxy to activate the change: systemctl restart haproxy
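As an added example (not part of the original page), the following Python script applies the certificate change to every bind line carrying the ssl keyword in haproxy.cfg and checks that a PEM bundle lists the certificate before the private key, the order HAProxy expects. The config fragment and PEM markers are constructed samples; the DOMAIN.pem file names are the placeholders used on this page.

```python
import re

# Constructed sample: a haproxy.cfg fragment with the page's three frontends.
SAMPLE_CFG = """frontend www-http
    bind 0.0.0.0:80
frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
"""

# Matches "bind <addr:port> ssl" and captures the remaining ssl options.
BIND_SSL_RE = re.compile(r"^(\s*bind\s+\S+\s+ssl\b)(.*)$")


def rewrite_ssl_binds(cfg_text, cert_paths):
    """Return (new_text, count). Every 'bind ... ssl' line gets the given
    crt list; bind lines without the ssl keyword are left untouched."""
    crt_args = " ".join("crt " + p for p in cert_paths)
    out, count = [], 0
    for line in cfg_text.splitlines():
        m = BIND_SSL_RE.match(line)
        if m:
            # Drop the existing 'crt <path>' options, keep any other ssl options.
            rest = re.sub(r"\s*crt\s+\S+", "", m.group(2))
            line = f"{m.group(1)} {crt_args}{rest}"
            count += 1
        out.append(line)
    return "\n".join(out) + "\n", count


def pem_bundle_order_ok(pem_text):
    """HAProxy reads the certificate first and the private key second from a
    concatenated PEM; verify the BEGIN markers appear in that order."""
    labels = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    return bool(certs) and bool(keys) and certs[0] < keys[0]


if __name__ == "__main__":
    new_cfg, n = rewrite_ssl_binds(
        SAMPLE_CFG,
        ["/etc/pki/tls/certs/DOMAIN.pem", "/etc/pki/tls/certs/DOMAIN-wildcard.pem"],
    )
    print(f"rewrote {n} ssl bind line(s):\n{new_cfg}")
```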
NOTE: If the content gateway is going to be used as the destination for a remote replication feed, the following setting must appear and be set properly in the /etc/caringo/cloudgateway/gateway.cfg file:
[scsp]
...
allowSwarmAdminIP=172.30
In the example above, replace "172.30" with the IP addresses (or prefix) of the clients that will be sending administrative requests to the gateway. The most common example is the IP addresses (or prefix) of the nodes in a cluster that is using a remote replication feed with the gateway as its destination.
Info: Be aware that for the Swarm UI in the configuration example above, you will need to use the host <contentgatewayIP>:8091 in the login page to connect.
Info: To test the new certificate from a CentOS 7.x client, copy both crt files to /etc/pki/ca-trust/source/anchors and run update-ca-trust. Once the command completes, curl can be used to test that the certificate validates.