Replication Feeds over Untrusted Networks

With Content Gateway 5.4 and higher, you can create replication feeds using direct POST replication, with Gateway proxying the target cluster.

Note

Gateway's cluster.proxyIPList setting is for use with legacy bidirectional GET replication. See https://perifery.atlassian.net/wiki/spaces/public/pages/2443814122.

If the source cluster needs to replicate feeds securely over an untrusted network with SSL/TLS encryption, add a trusted certificate and a third-party proxy to handle redirects.

See https://perifery.atlassian.net/wiki/spaces/public/pages/2443815713 for more on creating a self-signed SSL certificate.

Load Balancer (Offloader)

If you use a load balancer for SSL/TLS offload (a type of reverse proxy), configure the source Swarm cluster and the load balancer to use a trusted connection:

Setting Up an Offloader

Important

The ports specified in the proxy configuration must match the bind ports specified in the Gateway configuration (see https://perifery.atlassian.net/wiki/spaces/public/pages/2443810201).

This example shows how to configure haproxy as an SSL offloader for Content Gateway on RHEL/CentOS 7.

  1. Check the Content Gateway configuration and note which ports are being used for SCSP and S3. These ports must match in the offloader's setup.

    /etc/caringo/cloudgateway/gateway.cfg

    [scsp]
    enabled = true
    bindAddress = 0.0.0.0
    bindPort = 8080
    externalHTTPport = 443

    [s3]
    enabled = true
    bindAddress = 0.0.0.0
    bindPort = 8090

    [cluster_admin]
    enabled = true
    bindAddress = 0.0.0.0
    bindPort = 91
    externalHTTPSport = 91

  2. Install and set up haproxy. This package is part of the EPEL repo.

  3. Use the following haproxy configuration. Review the cipher list and ssl-default-bind-options against your own TLS policy before deploying: as written, the configuration still permits 3DES cipher suites and TLS 1.0/1.1. The reqadd directives are specific to the HAProxy 1.x series shipped with RHEL/CentOS 7 and were removed in HAProxy 2.1, where http-request add-header is the replacement.

    /etc/haproxy/haproxy.cfg

    global
        log 127.0.0.1 local2
        chroot /var/lib/haproxy
        stats socket /var/lib/haproxy/stats mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        ca-base /etc/pki/tls/certs
        crt-base /etc/pki/tls/private
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
        maxconn 2048
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option forwardfor
        option http-server-close
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    frontend www-http
        bind 0.0.0.0:80
        reqadd X-Forwarded-Proto:\ http
        reqadd X-Forwarded-Port:\ 80
        default_backend www-backend-scsp
        acl iss3 hdr_sub(Authorization) AWS
        acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
        use_backend www-backend-s3 if iss3

    frontend www-https
        bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 443
        default_backend www-backend-scsp
        acl iss3 hdr_sub(Authorization) AWS
        acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
        use_backend www-backend-s3 if iss3

    frontend www-https-svc
        bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 91
        default_backend www-backend-svc

    backend www-backend-scsp
        # Uncomment the next line to force HTTPS
        #redirect scheme https if !{ ssl_fc }
        server gw1 127.0.0.1:8080 check

    backend www-backend-s3
        # Uncomment the next line to force HTTPS
        #redirect scheme https if !{ ssl_fc }
        server gw1 127.0.0.1:8090 check

    backend www-backend-svc
        # This rule rewrites the CORS header to add the port number used on the frontend
        http-request replace-value Access-Control-Allow-Origin (.*) \1:91
        redirect scheme https if !{ ssl_fc }
        server gw1 127.0.0.1:8091 check

  4. Start haproxy.

    systemctl restart haproxy

  5. Edit the existing feed to enable SSL and point it to the new endpoint (see Configuring the Feed, below).
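As an added example that is not part of the original page, the following POSIX shell script automates the port check from the Important box above: it reads the bindPort values from gateway.cfg and the backend server ports from haproxy.cfg, and reports any port haproxy forwards to that Gateway does not bind. The file paths default to the locations used on this page; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that every backend
# port in haproxy.cfg is a bindPort that Content Gateway actually listens on.
# Usage: . ./check_ports.sh && check_ports [gateway.cfg] [haproxy.cfg]

# Print every "bindPort = N" value from a gateway.cfg-style file, one per line.
gateway_bind_ports() {
    sed -n 's/^[[:space:]]*bindPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Print the port of every "server <name> <host>:<port> ..." line in haproxy.cfg.
# Commented-out server lines are skipped because they do not start with "server".
haproxy_backend_ports() {
    sed -n 's/^[[:space:]]*server[[:space:]][^:]*:\([0-9][0-9]*\).*/\1/p' "$1"
}

# Return 0 when every haproxy backend port is a Gateway bindPort,
# 1 when at least one backend port has no matching bindPort,
# 2 when a configuration file cannot be read.
check_ports() {
    gw_cfg=${1:-/etc/caringo/cloudgateway/gateway.cfg}
    ha_cfg=${2:-/etc/haproxy/haproxy.cfg}
    for f in "$gw_cfg" "$ha_cfg"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    gw_ports=$(gateway_bind_ports "$gw_cfg")
    status=0
    for p in $(haproxy_backend_ports "$ha_cfg"); do
        # grep -x matches the whole line, so 91 does not match 8091.
        if printf '%s\n' $gw_ports | grep -qx "$p"; then
            echo "ok: haproxy backend port $p is a Gateway bindPort"
        else
            echo "MISMATCH: haproxy forwards to port $p, but $gw_cfg has no bindPort = $p" >&2
            status=1
        fi
    done
    return $status
}
```

Run it after editing either file and before restarting haproxy; a non-zero exit means a backend would forward to a port Gateway is not listening on.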

Configuring the Feed

Once the SSL server is configured, configure the Swarm replication feed to use it.

  1. In the Swarm UI, navigate to Cluster > Feeds.

  2. Edit the affected replication feed.

  3. Scroll to the Target Remote Cluster settings.

  4. Update the Proxy or Host(s) and Port to point to the offloader.

  5. Select Replicate via direct POST if the feed was configured to use the bidirectional GET mode.

  6. Enable Require trusted SSL for SSL Server. Allow untrusted SSL is available but is not intended for production systems.

  7. Select None for Local Cluster Forward Proxy, unless using one (see Forward Proxy, below).

Forward Proxy

Selecting a Forward Proxy Server

HAProxy is not optimized to be a general-purpose forward proxy, but it works with a fixed back-end server list consisting of the distant Gateway front-end.

Other alternatives:

  • stunnel - for fixed endpoints

  • Squid - for a general purpose forward proxy

With this configuration, the forward proxy receives an HTTP request from the Swarm node and tunnels the Swarm HTTPS request over the Internet to the other cluster, where it reaches the SSL/TLS offloader in front of Gateway. The data is encrypted by Swarm and passes blindly through the forward proxy.

Re-Configuring the Feed

Once a forward proxy server is configured, configure the Swarm replication feed to use the new outbound proxy.

  1. In the Swarm UI, navigate to Cluster > Feeds.

  2. Edit the replication feed already configured to use an SSL Server.

  3. Select Use proxy for Local Cluster Forward Proxy.

  4. Enter the Host (a fully qualified domain name or IP address) and the Port for the proxy.

  5. Enter the Username and Password for the forward proxy.

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.