| Info |
|---|
The following steps are for RHEL/CentOS 7.x specifically. |
The following configuration steps are needed to configure HAProxy as an SSL offloader for Content Gateway.
...
Verify Content Gateway is listening on port 8080 for SCSP, 8090 for S3 and 8091 for Service Proxy:
| Code Block |
|---|
/etc/caringo/cloudgateway/gateway.cfg [scsp] enabled = true bindAddress = 0.0.0.0 bindPort = 8080 externalHTTPPort = 80 externalHTTPSPort = 443 [s3] enabled = true bindAddress = 0.0.0.0 bindPort = 8090 [cluster_admin] enabled = true bindAddress = 0.0.0.0 bindPort = 8091 externalHTTPSPort = 91 |
...
Setup and install HAProxy. This package is part of the EPEL repository.
Use the following configuration for
/etc/haproxy/haproxy.cfg
| Code Block |
|---|
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
stats socket /var/lib/haproxy/stats mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
ca-base /etc/pki/tls/certs
crt-base /etc/pki/tls/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
maxconn 2048
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
# Do not use "option http-server-close", it causes S3 PUT incompatibility with some clients including FileFly!
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
# This timeout should always be larger than gateway.cfg's [storage_cluster] indexerSocketTimeout.
timeout server 130000
frontend www-http
bind 0.0.0.0:80
http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80
default_backend www-backend-scsp
acl iss3 hdr_sub(Authorization) AWS
acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
use_backend www-backend-s3 if iss3
frontend www-https
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 443
default_backend www-backend-scsp
acl iss3 hdr_sub(Authorization) AWS
acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
use_backend www-backend-s3 if iss3
frontend www-https-svc
bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 91
default_backend www-backend-svc
backend www-backend-scsp
#redirect scheme https if !{ ssl_fc } <--- Uncomment this line if you want to force HTTPS
server gw1 127.0.0.1:8080 check
backend www-backend-s3
#redirect scheme https if !{ ssl_fc } <--- Uncomment this line if you want to force HTTPS
server gw1 127.0.0.1:8090 check
backend www-backend-svc
# This rule rewrites CORS header to add the port number used on frontend
http-request replace-value Access-Control-Allow-Origin (.*) \1:91
redirect scheme https if !{ ssl_fc }
server gw1 127.0.0.1:8091 check |
Start haproxy:
systemctl restart haproxyCreate a Self-Signed SSL Certificate
Execute the following to create a self signed certificate for the domain:
...
Concatenate the DOMAIN.crt (first) and the DOMAIN.key (second) into a DOMAIN.pem file.
Copy the DOMAIN.pem to
/etc/pki/tls/certs/DOMAIN.pemBest practice for S3 is to create a wildcard SSL certificate, so repeat the same steps as above and when prompted for the "Common Name" use "*.DOMAIN" copy the new CRT file to
/etc/pki/tls/certs/DOMAIN-wildcard.pemTo add the new certificate to /etc/haproxy/haproxy.cfg change
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcer.pem
to
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/DOMAIN.pem crt /etc/pki/tls/certs/DOMAIN-wildcard.pem
...
NOTE: The following setting must appear and be set properly in the /etc/caringo/cloudgateway/gateway.cfg file if the content gateway is going to be used as the destination for a remote replication feed:
...
| Info |
|---|
Copy both crt files to |
...