...
Check the Content Gateway configuration and note which ports are used for the SCSP, S3 and cluster_admin (service proxy) listeners. The haproxy backends in the offloader's configuration must point at these same ports.
/etc/caringo/cloudgateway/gateway.cfg
```ini
[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080
externalHTTPport = 443

[s3]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8090

[cluster_admin]
enabled = true
bindAddress = 0.0.0.0
bindPort = 91
externalHTTPSport = 91
```

Note that the haproxy configuration below terminates TLS for the service proxy on port 91 itself and forwards to 127.0.0.1:8091. Because haproxy and the Gateway cannot both listen on port 91, the cluster_admin bindPort must be changed to 8091 (or the www-backend-svc server line adjusted) before both services will start; externalHTTPSport stays 91 because that is the port clients see on the offloader.
Forcing HTTPS: with the settings above the Gateway still accepts plain HTTP directly on its bind ports from any address, so a client can bypass the offloader entirely. To close that path, change all of the bindAddress settings to 127.0.0.1 so that only the local haproxy can reach the Gateway, and uncomment the redirect scheme https lines in the haproxy backends below so that plain-HTTP requests arriving at the offloader are redirected to HTTPS.

Set up and install haproxy. This package is part of the EPEL repo.
Use the following haproxy configuration:
/etc/haproxy/haproxy.cfg
```haproxy
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# The X-Forwarded-* headers use "http-request add-header" rather than the
# legacy "reqadd", which was removed in HAProxy 2.1; both forms behave the same.
frontend www-http
    bind 0.0.0.0:80
    http-request add-header X-Forwarded-Proto http
    http-request add-header X-Forwarded-Port 80
    default_backend www-backend-scsp
    # S3 requests carry an AWS Authorization header or presigned-URL query parameters
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 443
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 91
    default_backend www-backend-svc

backend www-backend-scsp
    # Uncomment the next line to force HTTPS
    #redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8080 check

backend www-backend-s3
    # Uncomment the next line to force HTTPS
    #redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8090 check

backend www-backend-svc
    # Rewrite the CORS header to add the port number used on the frontend.
    # Access-Control-Allow-Origin is a response header, so this must be an
    # http-response rule; an http-request rule would never match it.
    http-response replace-value Access-Control-Allow-Origin (.*) \1:91
    redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8091 check
```

The TLS settings are as published: no-sslv3 still permits TLS 1.0 and 1.1, and the cipher list still includes the 3DES suites. Tighten ssl-default-bind-options and the cipher list to TLS 1.2 or later and AEAD suites if both replicating clusters support them, and replace selfsignedcert.pem with a CA-signed certificate before using Require trusted SSL on the feed.
Start haproxy.
```bash
systemctl restart haproxy
```
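Before restarting haproxy it is worth checking mechanically that the ports in gateway.cfg and haproxy.cfg agree, since a mismatch only shows up later as failed replication or as one of the two daemons refusing to start. The following Python script is an added example and is not part of the Swarm or HAProxy documentation. The two embedded configuration fragments are constructed, abridged copies of the ones shown above, and the mapping of haproxy backend names to Gateway sections is an assumption matching this page's naming; on a real host read the two files from disk instead.

```python
"""Cross-check Gateway bind ports against the haproxy offloader config.

Added example, not part of the Swarm documentation. Both configs below are
constructed, abridged copies of the ones shown on this page.
"""
import configparser

# Constructed sample: the gateway.cfg fragment from this page.
GATEWAY_CFG = """
[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080
externalHTTPport = 443

[s3]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8090

[cluster_admin]
enabled = true
bindAddress = 0.0.0.0
bindPort = 91
externalHTTPSport = 91
"""

# Constructed sample: the listen/forward parts of the haproxy.cfg on this page.
HAPROXY_CFG = """
frontend www-http
    bind 0.0.0.0:80
    default_backend www-backend-scsp
frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    default_backend www-backend-scsp
frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    default_backend www-backend-svc
backend www-backend-scsp
    server gw1 127.0.0.1:8080 check
backend www-backend-s3
    server gw1 127.0.0.1:8090 check
backend www-backend-svc
    server gw1 127.0.0.1:8091 check
"""

# Assumed mapping: which Gateway listener each haproxy backend is meant to reach.
BACKEND_TO_SECTION = {
    "www-backend-scsp": "scsp",
    "www-backend-s3": "s3",
    "www-backend-svc": "cluster_admin",
}


def parse_gateway(text):
    """Return {section: (bindAddress, bindPort)} for enabled Gateway listeners."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    out = {}
    for sect in cp.sections():
        if cp.get(sect, "enabled", fallback="false").lower() == "true":
            out[sect] = (cp.get(sect, "bindAddress"), int(cp.get(sect, "bindPort")))
    return out


def parse_haproxy(text):
    """Return (set of frontend bind ports, {backend: (host, port)})."""
    binds, backends, section = set(), {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] in ("frontend", "backend", "listen"):
            section = (tok[0], tok[1])
        elif tok[0] == "bind" and section:
            binds.add(int(tok[1].rsplit(":", 1)[1]))
        elif tok[0] == "server" and section and section[0] == "backend":
            host, port = tok[2].rsplit(":", 1)
            backends[section[1]] = (host, int(port))
    return binds, backends


def check(gateway_text, haproxy_text):
    """Return a list of problems; empty when the two configs agree."""
    gw = parse_gateway(gateway_text)
    binds, backends = parse_haproxy(haproxy_text)
    problems = []
    # 1. Every backend must forward to the port its Gateway section listens on.
    for backend, sect in BACKEND_TO_SECTION.items():
        if backend in backends and sect in gw:
            host, port = backends[backend]
            if port != gw[sect][1]:
                problems.append(f"{backend} forwards to {host}:{port} "
                                f"but [{sect}] bindPort is {gw[sect][1]}")
    # 2. The Gateway must not reuse a port that a haproxy frontend binds.
    for sect, (addr, port) in gw.items():
        if port in binds:
            problems.append(f"[{sect}] binds {addr}:{port}, which a haproxy "
                            f"frontend also binds; one of them will not start")
    return problems


if __name__ == "__main__":
    for p in check(GATEWAY_CFG, HAPROXY_CFG) or ["configs agree"]:
        print(p)
```

Run against the page's own fragments the script reports two problems for the service proxy: www-backend-svc forwards to 8091 while [cluster_admin] listens on 91, and port 91 is bound by both haproxy and the Gateway. Changing the cluster_admin bindPort to 8091 clears both.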
Edit the existing feed to enable SSL and point it at the new endpoint (see the next section).
Configuring the Feed
Once the offloader is configured, point the Swarm replication feed at it.
In the Swarm UI, navigate to Cluster > Feeds.
Edit the affected replication feed.
Scroll to the Target Remote Cluster settings.
Update the Proxy or Host(s) and Port to point to the offloader.
Select Replicate via direct POST if the feed was configured to use the bidirectional GET mode.
Enable Require trusted SSL for SSL Server. Allow untrusted SSL is available but is not intended for production systems: Require trusted SSL only succeeds when the offloader presents a certificate the Swarm nodes trust, so the self-signed selfsignedcert.pem in the example haproxy configuration above must be replaced with a CA-signed certificate for production.
Select None for Local Cluster Forward Proxy, unless using one (See Forward Proxy, below).
See Managing Feeds.
Forward Proxy
...
Selecting a Forward Proxy Server
HAProxy is not designed as a general-purpose forward proxy, but it works for this purpose with a fixed back-end server list consisting of the remote Gateway front end.
...