
...

  1. Check the Content Gateway configuration and note which ports are being used for SCSP and S3. These ports must match in the offloader's setup.

    /etc/caringo/cloudgateway/gateway.cfg

    [scsp]
    enabled = true
    bindAddress = 0.0.0.0
    bindPort = 8080
    externalHTTPport = 443
    
    [s3]
    enabled = true
    bindAddress = 0.0.0.0
    bindPort = 8090
    
    [cluster_admin]
    enabled = true
    bindAddress = 0.0.0.0
    bindPort = 91
    externalHTTPSport = 91
    Info: Forcing HTTPS
    This configuration still provides plain HTTP access directly to the Gateway ports. To harden security and force HTTPS, change all of the bindAddress settings to 127.0.0.1 so the Gateway accepts connections only from the offloader on the same host.
  2. Set up and install haproxy. The package is in the EPEL repository.

  3. Use the following haproxy configuration:

    /etc/haproxy/haproxy.cfg

    global
        log 127.0.0.1 local2
        chroot /var/lib/haproxy
        stats socket /var/lib/haproxy/stats mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
     
        ca-base /etc/pki/tls/certs
        crt-base /etc/pki/tls/private
     
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
        maxconn 2048
        tune.ssl.default-dh-param 2048
     
    defaults
        log     global
        mode    http
        option  forwardfor
        option  http-server-close
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
     
    frontend www-http
        bind 0.0.0.0:80
        reqadd X-Forwarded-Proto:\ http
        reqadd X-Forwarded-Port:\ 80
        default_backend www-backend-scsp
        acl iss3 hdr_sub(Authorization) AWS
        acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
        use_backend www-backend-s3 if iss3
     
    frontend www-https
        bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 443
        default_backend www-backend-scsp
        acl iss3 hdr_sub(Authorization) AWS
        acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
        use_backend www-backend-s3 if iss3
     
    frontend www-https-svc
        bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 91
        default_backend www-backend-svc
     
    backend www-backend-scsp
        #redirect scheme https if !{ ssl_fc }   <--- Uncomment to force HTTPS
        server gw1 127.0.0.1:8080 check
     
    backend www-backend-s3
        #redirect scheme https if !{ ssl_fc }    <--- Uncomment to force HTTPS
        server gw1 127.0.0.1:8090 check
     
    backend www-backend-svc
        # Access-Control-Allow-Origin is a response header, so the rewrite must run on the
        # response (http-response, not http-request): append the frontend port to the origin
        http-response replace-value Access-Control-Allow-Origin (.*) \1:91
        redirect scheme https if !{ ssl_fc }
        server gw1 127.0.0.1:8091 check
  4. Start haproxy.

    systemctl restart haproxy
  5. Edit the existing feed to enable SSL and point it at the new endpoint (see the next section).
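As an added example (not part of the original page or of the Swarm product), the following POSIX shell script audits the two configurations from steps 1 and 3 and mirrors the routing ACL from step 3: it reads bindPort and bindAddress for the [scsp] and [s3] sections of gateway.cfg, reads the server port of each backend in haproxy.cfg, flags a port mismatch or a Gateway listener still bound to 0.0.0.0 (the Info box above), and reports which backend the two "iss3" ACLs would select for a given request. The two configuration files are constructed samples with a deliberate port mismatch, written to a temporary directory; the function names are assumptions, and on a real host the functions would be pointed at /etc/caringo/cloudgateway/gateway.cfg and /etc/haproxy/haproxy.cfg instead.

```shell
#!/bin/sh
# Added example, not page or project code. Constructed sample configs are
# written to a temp dir; the s3 backend port is deliberately wrong (8091
# instead of 8090) so the audit has something to flag.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GW_CFG="$WORK/gateway.cfg"
HA_CFG="$WORK/haproxy.cfg"

cat > "$GW_CFG" <<'EOF'
[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080

[s3]
enabled = true
bindAddress = 127.0.0.1
bindPort = 8090
EOF

cat > "$HA_CFG" <<'EOF'
backend www-backend-scsp
    server gw1 127.0.0.1:8080 check

backend www-backend-s3
    server gw1 127.0.0.1:8091 check
EOF

# gateway_setting <cfg> <section> <key>: value of "key = value" inside [section]
gateway_setting() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec           { in_sec = 1; next }
    /^\[/               { in_sec = 0 }
    in_sec && $1 == key { print $3; exit }
  ' "$1"
}

# haproxy_backend_port <cfg> <backend>: port from the first server line of backend
haproxy_backend_port() {
  awk -v be="backend $2" '
    $0 == be                                     { in_be = 1; next }
    /^(global|defaults|frontend|backend|listen)/ { in_be = 0 }
    in_be && $1 == "server"                      { split($3, a, ":"); print a[2]; exit }
  ' "$1"
}

# ports_match <gwcfg> <hacfg> <section> <backend>: success when the Gateway
# bindPort and the haproxy backend server port are the same (step 1 requirement)
ports_match() {
  gp=$(gateway_setting "$1" "$3" bindPort)
  hp=$(haproxy_backend_port "$2" "$4")
  [ -n "$gp" ] && [ "$gp" = "$hp" ]
}

# http_exposed <gwcfg> <section>: success when the Gateway listener is reachable
# from other hosts, i.e. plain HTTP can bypass the offloader
http_exposed() {
  [ "$(gateway_setting "$1" "$2" bindAddress)" != "127.0.0.1" ]
}

# route_request <request-target> <authorization-value>: the backend the two
# "iss3" ACLs select: Authorization containing "AWS" (hdr_sub), or a query
# string with AWSAccessKeyId= or X-Amz-Credential= (url_reg) goes to S3
route_request() {
  case "$2" in *AWS*) echo www-backend-s3; return 0 ;; esac
  if printf '%s' "$1" | grep -Eq '[?&](AWSAccessKeyId|X-Amz-Credential)='; then
    echo www-backend-s3
  else
    echo www-backend-scsp
  fi
}

# audit <gwcfg> <hacfg>: one line per check; non-zero status if a port check fails
audit() {
  rc=0
  for pair in scsp:www-backend-scsp s3:www-backend-s3; do
    sec=${pair%%:*}; be=${pair#*:}
    if ports_match "$1" "$2" "$sec" "$be"; then
      echo "OK   $sec bindPort matches $be"
    else
      echo "FAIL $sec bindPort $(gateway_setting "$1" "$sec" bindPort) vs $be port $(haproxy_backend_port "$2" "$be")"
      rc=1
    fi
    if http_exposed "$1" "$sec"; then
      echo "WARN $sec bound to $(gateway_setting "$1" "$sec" bindAddress): plain HTTP bypasses the offloader"
    fi
  done
  return $rc
}

if audit "$GW_CFG" "$HA_CFG"; then echo "audit passed"; else echo "audit found problems"; fi
```

Run the script before restarting haproxy; `haproxy -c -f /etc/haproxy/haproxy.cfg` is the separate syntax check for the offloader configuration itself. Note that the audit does not inspect the cipher list in step 3, which still admits the 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES); these are widely regarded as weak and are worth removing unless a legacy replication partner requires them.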

Configuring the Feed

Once the SSL offloader is configured, point the Swarm replication feed at it.

  1. In the Swarm UI, navigate to Cluster > Feeds.

  2. Edit the affected replication feed.

  3. Scroll to the Target Remote Cluster settings.

  4. Update the Proxy or Host(s) and Port to point to the offloader.

  5. Select Replicate via direct POST if the feed was configured to use the bidirectional GET mode.

  6. Enable Require trusted SSL for SSL Server. Allow untrusted SSL is available but is not intended for production systems.

  7. Select None for Local Cluster Forward Proxy, unless using one (See Forward Proxy, below).

See Managing Feeds.

Forward Proxy

[Diagram: Proxy-to-Proxy.drawio]

...

Selecting a Forward Proxy Server

HAProxy is not optimized to be a general-purpose forward proxy, but it works for this purpose with a fixed back-end server list consisting of the distant Gateway front end.

...