CentOS 8 / RHEL 8 / RockyLinux 8 : yum install haproxy
CentOS 7/RHEL 7 follow instructions provided here https://www.linux.org/threads/centos-announce-announcing-release-of-haproxy-1-8-on-centos-7-x86_64.18168/
Note: On CentOS7/RHEL7 the active haproxy.cfg will be in '/etc/opt/rh/rh-haproxy18/haproxy'
Haproxy is already pre-installed on the Swarm Cluster Installer provisioned - and VMware bundle provided Gateway VM
The following configuration steps are needed to configure HAProxy as an SSL offloader for Content Gateway.
Step-by-step guide
Verify Content Gateway is listening on port 8080 for SCSP, 8090 for S3 and 8091 for Service Proxy:
The example below are not the default gateway ports, this is done on purpose to avoid port conflicts.
/etc/caringo/cloudgateway/gateway.cfg [scsp] enabled = true bindAddress = 0.0.0.0 bindPort = 8080 externalHTTPPort = 80 externalHTTPSPort = 443 [s3] enabled = true bindAddress = 0.0.0.0 bindPort = 8090 [cluster_admin] enabled = true bindAddress = 0.0.0.0 bindPort = 8091 externalHTTPSPort = 91
Note: In this example HTTP access to those personalities is provided. The bind address needs to be modified to 127.0.0.1 for all 3 personalities if security hardening is desired and HTTPS needs to be forced.
Setup and install HAProxy. This package is part of the EPEL repository.
HAproxy is pre-installed on the SwarmContentGateway VM and SCI deployed gateway VM’s.
Use the following example configuration for
/etc/haproxy/haproxy.cfg
or on CentOS7 with haproxy1.8 /etc/opt/rh/rh-haproxy18-haproxy/haproxy.cfg
global log 127.0.0.1 local2 chroot /var/lib/haproxy stats socket /var/lib/haproxy/stats mode 660 level admin stats timeout 30s user haproxy group haproxy daemon ca-base /etc/pki/tls/certs crt-base /etc/pki/tls/private ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 maxconn 2048 tune.ssl.default-dh-param 2048 defaults log global mode http option forwardfor # Do not use "option http-server-close", it causes S3 PUT incompatibility with some clients including FileFly! option httplog option dontlognull timeout connect 5000 timeout client 50000 # This timeout should always be larger than gateway.cfg's [storage_cluster] indexerSocketTimeout. timeout server 130000 frontend www-http bind 0.0.0.0:80 http-request set-header X-Forwarded-Proto http http-request set-header X-Forwarded-Port 80 default_backend www-backend-scsp acl iss3 hdr_sub(Authorization) AWS acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)= use_backend www-backend-s3 if iss3 frontend www-https bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem http-request set-header X-Forwarded-Proto https http-request set-header X-Forwarded-Port 443 default_backend www-backend-scsp acl iss3 hdr_sub(Authorization) AWS acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)= use_backend www-backend-s3 if iss3 frontend www-https-svc bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem http-request set-header X-Forwarded-Proto https http-request set-header X-Forwarded-Port 91 default_backend www-backend-svc backend www-backend-scsp #redirect scheme https if !{ ssl_fc } <--- Uncomment this line if you want to force HTTPS server gw1 YOUR_GATEWAY1_IP:8080 check server gw2 YOUR_GATEWAY2_IP:8080 check backend www-backend-s3 #redirect scheme https if !{ ssl_fc } <--- Uncomment this line if you want to force HTTPS server gw1 YOUR_GATEWAY1_IP:8090 check server gw2 YOUR_GATEWAY2_IP:8080 check backend www-backend-svc # This rule rewrites CORS header to add the port number used on frontend http-request replace-value Access-Control-Allow-Origin (.*) \1:91 #redirect scheme https if !{ ssl_fc } <--- Uncomment this line if you want to force HTTPS server gw1 YOUR_GATEWAY1_IP:8091 check server gw2 YOUR_GATEWAY2_IP:8080 check
Start HAProxy:
systemctl restart haproxy
If when restarting HAProxy this error is thrown “Starting frontend www-https-svc: cannot bind socket [0.0.0.0:91]”, either disable SELinux or run this command:
setsebool -P haproxy_connect_any=1
Create a Self-Signed SSL Certificate
A new more modern approach is to make an openssl.conf file first, here is an example:
[ req ] prompt = no distinguished_name = server_distinguished_name req_extensions = v3_req default_md = sha256 [ server_distinguished_name ] commonName = *.swarm.example.com stateOrProvinceName = Texas countryName = US emailAddress = admin@example.com organizationName = Example Inc. localityName = Austin [ v3_req ] basicConstraints = CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage=critical,serverAuth,clientAuth subjectAltName = @alt_names [ alt_names ] DNS.1=swarm.example.com DNS.2=*.swarm.example.com
Generate the self-signed CA private key
openssl genrsa -out selfsignCA.key 4096
Generate the self-signed CA root certificate
openssl req -new -x509 -days 365 -key selfsignCA.key -out selfsignCA.crt -batch
Generate wildcard custom domain certificate
openssl genrsa -out YOUR_DOMAIN.key 4096
Generate certificate signing request for your domain
openssl req -new -nodes -key YOUR_DOMAIN.key -config openssl.conf -out YOUR_DOMAIN.csr
Generate the final domain certificate
openssl x509 -req -in YOUR_DOMAIN.csr -CA selfsignCA.crt -CAkey selfsignCA.key -CAcreateserial -out YOUR_DOMAIN.crt -days 365 -sha256 -extfile openssl.conf -extensions v3_req
Generate the certificate pem file.
cat YOUR_DOMAIN.crt YOUR_DOMAIN.key > YOUR_DOMAIN.pem
Place the pem file where you configured it in haproxy.cfg example here put it in /etc/pki/tls/certs
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem
The host <contentgatewayIP>:8091 needs to be used in the login page to connect for Swarm UI in the configuration example above.
Copy your selfsignCA.crt file to /etc/pki/ca-trust/source/anchors
and run update-ca-trust
to test the new certificate from a CentOS 7.x client. curl may then used to test the certificate validation once the command completes.
Replication Feed configuration
The following setting must appear and be set properly in the /etc/caringo/cloudgateway/gateway.cfg
file if the content gateway is going to be used as the destination for a remote replication feed:
[scsp] ... allowSwarmAdminIP=172.30
In the example above, replicate "172.30" with the IP addresses (or prefix) of clients sending administrative requests to the gateway.
The most common example is the IP addresses (or prefix) of the nodes in a cluster using a remote replication feed with the gateway as the destination.