...
```haproxy
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private
    # Hardening note: this list still allows 3DES and "no-sslv3" alone still
    # allows TLS 1.0/1.1; drop the 3DES entries and add "no-tlsv10 no-tlsv11"
    # unless legacy clients require them.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    # Do not use "option http-server-close", it causes S3 PUT incompatibility with some clients including FileFly!
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    # This timeout should always be larger than gateway.cfg's [storage_cluster] indexerSocketTimeout.
    timeout server 130000

frontend www-http
    bind 0.0.0.0:80
    # set-header (not add-header) overwrites any value the client sent, so a
    # client cannot spoof the scheme or port seen by the gateway.
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Port 80
    default_backend www-backend-scsp
    # Route S3 traffic by signature: an AWS/AWS4 Authorization header or a
    # presigned URL (SigV2 AWSAccessKeyId or SigV4 X-Amz-Credential).
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 91
    default_backend www-backend-svc

backend www-backend-scsp
    #redirect scheme https if !{ ssl_fc }    <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8080 check

backend www-backend-s3
    #redirect scheme https if !{ ssl_fc }    <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8090 check

backend www-backend-svc
    # This rule rewrites the CORS header to add the port number used on the
    # frontend. Access-Control-Allow-Origin is a response header, so the
    # rewrite has to be an http-response rule.
    http-response replace-value Access-Control-Allow-Origin (.*) \1:91
    redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8091 check
```
...
```bash
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout YOUR_DOMAIN.key -out YOUR_DOMAIN.crt
```
Concatenate YOUR_DOMAIN.crt (first) and YOUR_DOMAIN.key (second) into a single YOUR_DOMAIN.pem file. HAProxy reads the certificate and its private key from this one file, so the PEM now contains the private key: keep it owned by root with mode 0600 (HAProxy loads certificates before dropping privileges to the haproxy user).
Copy YOUR_DOMAIN.pem to
/etc/pki/tls/certs/YOUR_DOMAIN.pem
Info: Best practice for S3 is to create a wildcard SSL certificate, so that virtual-hosted-style bucket names (bucket.YOUR_DOMAIN) are covered without a certificate per bucket. Repeat the same steps as above, use "*.YOUR_DOMAIN" when prompted for the "Common Name", concatenate the new certificate and key in the same order, and copy the resulting PEM file to /etc/pki/tls/certs/YOUR_DOMAIN-wildcard.pem.
To add the new wildcard certificate to
/etc/haproxy/haproxy.cfg, change
```haproxy
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
```
to
```haproxy
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem crt /etc/pki/tls/certs/YOUR_DOMAIN-wildcard.pem
```
HAProxy chooses between the listed certificates by the SNI name the client sends; the first certificate listed is the default served to clients that send no SNI, so list YOUR_DOMAIN.pem first.
Note: You can also keep all of your PEM files in one directory and pass the directory to the bind statement; HAProxy loads every certificate it finds there. Example:
```haproxy
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/mycerts/
```
Info: Apply this change to every bind statement that carries the ssl keyword (ports 443 and 91 in the configuration above). Restart HAProxy to activate:
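The whole certificate procedure above (generate, concatenate in the right order, restrict permissions, repeat for the wildcard certificate, validate the configuration, restart) as one script. This is an added example and is not the page's or the product's own tooling. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext), the /etc/pki/tls/certs path used on this page, a systemd-managed HAProxy, and a working directory of your choice; YOUR_DOMAIN stays the same placeholder as on the page. It goes beyond the page in one respect: it sets a subjectAltName, because current browsers and SDKs match the SAN rather than the Common Name.

```shell
#!/bin/sh
# Added example, not from the Swarm Gateway documentation or product.
# Assumptions: OpenSSL 1.1.1+, /etc/pki/tls/certs as the install directory,
# HAProxy managed by systemd.
set -eu

# Generate a self-signed certificate and key non-interactively. The SAN is
# set explicitly because clients match it rather than the CN. wildcard=1
# issues "*.DOMAIN", which covers virtual-hosted-style S3 bucket names.
gen_selfsigned() {   # gen_selfsigned <outdir> <domain> <wildcard 0|1>
    if [ "$3" = 1 ]; then cn="*.$2"; name="$2-wildcard"; else cn="$2"; name="$2"; fi
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
        -keyout "$1/$name.key" -out "$1/$name.crt" 2>/dev/null
}

# Build the PEM in the order HAProxy expects: certificate first, key second.
# The result carries the private key, so it must not be readable by others.
build_pem() {   # build_pem <crt> <key> <pem>
    cat "$1" "$2" > "$3"
    chmod 0600 "$3"
}

# Order check: the first CERTIFICATE block must come before the first
# PRIVATE KEY block. Returns 0 when the order is right, 1 otherwise.
check_pem_order() {   # check_pem_order <pem>
    cert_line=$(awk '/BEGIN CERTIFICATE/ {print NR; exit}' "$1")
    key_line=$(awk '/BEGIN (RSA |EC )?PRIVATE KEY/ {print NR; exit}' "$1")
    [ -n "$cert_line" ] && [ -n "$key_line" ] && [ "$cert_line" -lt "$key_line" ]
}

# Permission check: only 0600 or 0400 pass, since the PEM holds the key.
check_pem_perms() {   # check_pem_perms <pem>
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Full procedure: both certificates, both PEMs, each one checked, then a
# config check before the restart so a typo in a bind line cannot take the
# gateway down.
install_certs() {   # install_certs <workdir> <domain> <certdir>
    gen_selfsigned "$1" "$2" 0
    gen_selfsigned "$1" "$2" 1
    for n in "$2" "$2-wildcard"; do
        build_pem "$1/$n.crt" "$1/$n.key" "$3/$n.pem"
        check_pem_order "$3/$n.pem" || { echo "bad block order in $n.pem" >&2; return 1; }
        check_pem_perms "$3/$n.pem" || { echo "$n.pem is too permissive" >&2; return 1; }
        # Show what was actually issued (subject and SAN) for the change record.
        openssl x509 -in "$3/$n.pem" -noout -subject -ext subjectAltName
    done
    haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl restart haproxy
}

# Usage, as root, after pointing every ssl bind line at the new PEMs:
#   install_certs /root/certs YOUR_DOMAIN /etc/pki/tls/certs
```

Run install_certs only after editing the bind lines; `haproxy -c` validates the whole file, so a wrong path in any ssl bind is reported before the restart rather than by a gateway that fails to come back up.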
...
...