Info: The following steps are for RHEL/CentOS 7.x specifically. On CentOS 8 / RHEL 8 / Rocky Linux 8, run: yum install haproxy. On CentOS 7 / RHEL 7, follow the instructions provided here: https://www.linux.org/threads/centos-announce-announcing-release-of-haproxy-1-8-on-centos-7-x86_64.18168/
HAProxy is already pre-installed on the Gateway VM provided with the SCI and VMware bundles.
The following configuration steps set up HAProxy as an SSL offloader (TLS termination in front of the HTTP listeners) for Content Gateway.
Step-by-step guide
Verify that Content Gateway is listening on port 8080 for SCSP, 8090 for S3, and 8091 for Service Proxy:
...
HAProxy configuration (replace YOUR_GATEWAY1_IP and YOUR_GATEWAY2_IP with the addresses of your Content Gateway servers; each backend must use the port Content Gateway listens on for that protocol):
```
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    # Do not use "option http-server-close", it causes S3 PUT incompatibility with some clients including FileFly!
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    # This timeout should always be larger than gateway.cfg's [storage_cluster] indexerSocketTimeout.
    timeout server 130000

frontend www-http
    bind 0.0.0.0:80
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Port 80
    default_backend www-backend-scsp
    # S3 requests carry an AWS Authorization header or a presigned-URL query parameter
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 91
    default_backend www-backend-svc

backend www-backend-scsp
    # Uncomment the next line if you want to force HTTPS
    #redirect scheme https if !{ ssl_fc }
    # Use 127.0.0.1 for gw1 when HAProxy runs on the gateway itself
    server gw1 YOUR_GATEWAY1_IP:8080 check
    server gw2 YOUR_GATEWAY2_IP:8080 check

backend www-backend-s3
    # Uncomment the next line if you want to force HTTPS
    #redirect scheme https if !{ ssl_fc }
    server gw1 YOUR_GATEWAY1_IP:8090 check
    server gw2 YOUR_GATEWAY2_IP:8090 check

backend www-backend-svc
    # This rule rewrites the CORS response header to add the port number used on the frontend
    http-response replace-value Access-Control-Allow-Origin (.*) \1:91
    # Uncomment the next line if you want to force HTTPS
    #redirect scheme https if !{ ssl_fc }
    server gw1 YOUR_GATEWAY1_IP:8091 check
    server gw2 YOUR_GATEWAY2_IP:8091 check
```
Start HAProxy:
systemctl restart haproxy
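As an added sanity check (example code written for this page, not part of the Content Gateway or HAProxy projects), the following Python script parses an HAProxy configuration and flags two mistakes that are easy to make in this setup: a backend server pointing at the wrong Content Gateway port (8080 SCSP, 8090 S3, 8091 Service Proxy), which silently routes one protocol's traffic to another listener, and a TLS-terminating frontend that does not set X-Forwarded-Proto https, so the gateway cannot tell that the client actually used HTTPS once the offloader has terminated TLS. The embedded configuration and its 192.0.2.x addresses are constructed sample input containing both mistakes; pass the path of a real file (typically /etc/haproxy/haproxy.cfg) as the first argument to lint it instead.

```python
"""Added example: lint an HAProxy SSL-offloader config for Content Gateway.

Checks that each backend's servers use the port Content Gateway listens on
for that protocol (8080 SCSP, 8090 S3, 8091 Service Proxy) and that every
TLS-terminating frontend sets X-Forwarded-Proto https.
"""
import re
import sys

# Port per backend, taken from the guide's port assignments.
EXPECTED_BACKEND_PORTS = {
    "www-backend-scsp": 8080,
    "www-backend-s3": 8090,
    "www-backend-svc": 8091,
}

# Constructed sample config (192.0.2.x are documentation addresses) with two
# deliberate mistakes: the S3 backend's gw2 points at the SCSP port, and the
# port-91 frontend never sets X-Forwarded-Proto.
SAMPLE_CFG = """\
frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    use_backend www-backend-s3 if iss3
frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    default_backend www-backend-svc
backend www-backend-scsp
    server gw1 192.0.2.10:8080 check
    server gw2 192.0.2.11:8080 check
backend www-backend-s3
    server gw1 192.0.2.10:8090 check
    server gw2 192.0.2.11:8080 check   # wrong: should be 8090
backend www-backend-svc
    server gw1 192.0.2.10:8091 check
"""

SECTION_RE = re.compile(r"^(frontend|backend|listen)\s+(\S+)")
SERVER_RE = re.compile(r"^server\s+(\S+)\s+[^\s:]+:(\d+)")
PROTO_RE = re.compile(r"^http-request\s+set-header\s+X-Forwarded-Proto\s+https$", re.I)


def parse_sections(cfg):
    """Return {(kind, name): [directives]} for frontend/backend/listen sections."""
    sections = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_config(cfg):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    for (kind, name), lines in parse_sections(cfg).items():
        if kind == "backend" and name in EXPECTED_BACKEND_PORTS:
            want = EXPECTED_BACKEND_PORTS[name]
            for line in lines:
                m = SERVER_RE.match(line)
                if m and int(m.group(2)) != want:
                    findings.append(
                        f"{name}: server {m.group(1)} uses port {m.group(2)}, expected {want}"
                    )
        if kind == "frontend":
            # A frontend terminates TLS when one of its bind lines carries "ssl".
            terminates_tls = any(l.startswith("bind") and "ssl" in l.split() for l in lines)
            sets_proto = any(PROTO_RE.match(l) for l in lines)
            if terminates_tls and not sets_proto:
                findings.append(f"{name}: TLS frontend does not set X-Forwarded-Proto https")
    return findings


if __name__ == "__main__":
    # Pass a path (typically /etc/haproxy/haproxy.cfg) to lint a real file;
    # without an argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    problems = check_config(text)
    for p in problems:
        print("FINDING:", p)
    print("clean" if not problems else f"{len(problems)} finding(s)")
```

The checker only understands the `server name host:port` form used in this guide; servers declared with a hostname and a separate `port` keyword, or IPv6 literals, would need the regex extended.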
Note: If restarting HAProxy throws the error “Starting frontend www-https-svc: cannot bind socket [0.0.0.0:91]”, either disable SELinux or run this command:
Create a Self-Signed SSL Certificate
A newer, more modern approach is to create an openssl.conf file first; here is an example:
...
Info: Copy both crt files to
Replication Feed configuration
The following setting must appear and be set properly in the /etc/caringo/cloudgateway/gateway.cfg file if the Content Gateway is going to be used as the destination for a remote replication feed:
...