

Code Block
# Process-wide settings: logging, privilege drop, admin socket and TLS defaults.
global
    # Send logs to the local syslog daemon on the local2 facility.
    log 127.0.0.1 local2
    # Run inside a chroot and (via user/group below) as the unprivileged haproxy account.
    chroot /var/lib/haproxy
    # "level admin" lets anyone who can open this socket change the running
    # configuration, so mode 660 and a trusted owning group are what protect it.
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Base directories used to resolve relative "ca-file" and "crt" paths.
    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private

    # Cipher list applied to every "bind ... ssl" line unless it sets its own.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Only SSLv3 is disabled here; TLS 1.0 and 1.1 remain negotiable.
    # NOTE(review): consider "no-tlsv10 no-tlsv11" once client compatibility is confirmed.
    ssl-default-bind-options no-sslv3
    # Per-process ceiling on concurrent connections.
    maxconn 2048
    # Size of the DH parameters used for DHE key exchange when no DH file is supplied.
    tune.ssl.default-dh-param 2048

# Settings inherited by every frontend and backend below unless overridden there.
defaults
    log     global
    mode    http
    # Append the client address in X-Forwarded-For on requests sent to the backend.
    option  forwardfor
    # Do not use "option  http-server-close", it causes S3 PUT incompatibility with some clients including FileFly!
    option  httplog
    # Do not log connections that carried no data.
    option  dontlognull
    # Timeouts without a unit suffix are milliseconds in haproxy.
    timeout connect 5000
    timeout client  50000
    # This timeout should always be larger than gateway.cfg's [storage_cluster] indexerSocketTimeout.
    timeout server  130000

# Plain-HTTP listener. Requests that look like S3 (AWS Authorization header or
# presigned-URL query parameters) go to the S3 backend, everything else to SCSP.
frontend www-http
    bind 0.0.0.0:80
    # Advertise the client-facing scheme and port to the backend.
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Port 80
    default_backend www-backend-scsp
    # Same-name ACLs are OR-ed: either signal marks the request as S3.
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

# TLS listener on 443; routing mirrors www-http.
# YOUR_DOMAIN.pem must hold both the certificate and its private key (see the cat step further down the page).
frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem
    # Advertise the client-facing scheme and port to the backend.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend www-backend-scsp
    # Same-name ACLs are OR-ed: either signal marks the request as S3.
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

# TLS listener on port 91 for the service/UI backend; no S3 routing here.
frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem
    # Advertise the client-facing scheme and port to the backend.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 91
    default_backend www-backend-svc

# SCSP gateway pool on 8080. No "balance" line, so haproxy's default (roundrobin) applies;
# "check" enables active health checks on each server.
backend www-backend-scsp
    #redirect scheme https if !{ ssl_fc }   <--- Uncomment this line if you want to force HTTPS
    server gw1 YOUR_GATEWAY1_IP:8080 check
    server gw2 YOUR_GATEWAY2_IP:8080 check

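# S3 gateway pool. Both gateways serve S3 on 8090; gw2 previously pointed at 8080,
# which is the SCSP port used by www-backend-scsp, so half of the S3 traffic would
# have reached the wrong service.
backend www-backend-s3
    #redirect scheme https if !{ ssl_fc }    <--- Uncomment this line if you want to force HTTPS
    server gw1 YOUR_GATEWAY1_IP:8090 check
    server gw2 YOUR_GATEWAY2_IP:8090 check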

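# Service/UI gateway pool on 8091.
backend www-backend-svc
    # Rewrite the CORS header in the gateway's response so the allowed origin carries
    # the frontend port (91). Access-Control-Allow-Origin is a response header, so this
    # has to be an http-response rule; an http-request rule never sees it.
    http-response replace-value Access-Control-Allow-Origin (.*) \1:91
    #redirect scheme https if !{ ssl_fc } <--- Uncomment this line if you want to force HTTPS
    server gw1 YOUR_GATEWAY1_IP:8091 check
    # gw2 must use the same service port as gw1; 8080 is the SCSP port.
    server gw2 YOUR_GATEWAY2_IP:8091 check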


Code Block
# Settings for "openssl req": non-interactive; DN and extensions come from the sections named below.
[ req ]
# Do not prompt; take every DN field from the distinguished_name section.
prompt = no
distinguished_name = server_distinguished_name
# Extensions written into the request.
req_extensions = v3_req
default_md = sha256

# Subject DN used verbatim because prompt = no; the values are examples to replace.
[ server_distinguished_name ]
# Wildcard CN; clients match hostnames against subjectAltName, which repeats it in [ alt_names ].
commonName = *.swarm.example.com
stateOrProvinceName = Texas
countryName = US
emailAddress = admin@example.com
organizationName = Example Inc.
localityName = Austin

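# X.509 v3 extensions for the server certificate.
[ v3_req ]
# End-entity certificate, not a CA.
basicConstraints = CA:FALSE
# "critical" must be its own comma-separated item; the original "criticalnonRepudiation"
# is not a valid key-usage bit and makes openssl reject the section.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
# The names clients actually validate; see [ alt_names ].
subjectAltName = @alt_names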

# Subject Alternative Names: the apex name and the wildcard the certificate covers.
[ alt_names ]
DNS.1=swarm.example.com
DNS.2=*.swarm.example.com


Code Block
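# Create a self-signed root CA certificate from the existing key selfsignCA.key,
# valid 365 days, SHA-256 signed. "-batch" suppresses prompts and "-subj" supplies
# the subject DN; the original "-batchsubj" is not an openssl option (the space was lost).
openssl req -new -x509 -nodes -days 365 -sha256 -key selfsignCA.key -out selfsignCA.crt -batch -subj "/C=US/O=_DEV CA/CN=SelfSigned certificates"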

Generate wildcard custom domain certificate


Code Block
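# Build the bundle that haproxy's "crt" directive loads. It contains the private key,
# so create it with a restrictive mode from the start (umask in a subshell leaves the
# caller's umask untouched) rather than relying on the default, typically world-readable, mode.
(umask 077 && cat YOUR_DOMAIN.crt YOUR_DOMAIN.key > YOUR_DOMAIN.pem)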

Place the YOUR_DOMAIN.pem file where you configured it in haproxy.cfg; in the example here it is put in /etc/pki/tls/certs:

Code Block
# The combined certificate+key bundle is referenced by absolute path on the TLS bind line.
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem

In the configuration example above, the host <contentgatewayIP>:8091 must be entered on the login page to connect to the Swarm UI.


Copy the selfsignCA.crt file to /etc/pki/ca-trust/source/anchors and run update-ca-trust to tell CentOS to trust your self-signed root certificate.

Note

This step is important for haproxy, which by default is configured to look for trusted certificates in the /etc/pki/tls/certs folder (see the ca-base parameter).

Restart haproxy to activate the changes.

Now you can copy the selfsignCA.crt file to your clients and follow the browser-specific procedures to install and accept it.

In the configuration example above, the host <contentgatewayIP>:8091 must be entered on the login page to connect to the Swarm UI.

Replication Feed configuration
