The following steps are for RHEL/CentOS 7.x specifically.

To configure haproxy as an SSL offloader for Content Gateway, follow the configuration steps below.

Step-by-step guide

  • First make sure Content Gateway is listening on port 8080 for SCSP, 8090 for S3 and 8091 for Service Proxy:


/etc/caringo/cloudgateway/gateway.cfg

[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080

[s3]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8090

[cluster_admin]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8091
Note: In this example I want to keep providing plain HTTP access to those personalities. If you prefer to harden the setup and force HTTPS, change the bind address to 127.0.0.1 for all three personalities, so that they can only be reached through haproxy on the same host.
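As an added check (not part of the original article), the following POSIX shell script reads gateway.cfg and confirms that each personality is enabled on the port the haproxy backends expect, and warns about personalities that are still bound on 0.0.0.0 rather than 127.0.0.1. The sample configuration it writes is the one shown above, constructed inline so the script runs stand-alone; the awk walker is a simple one that assumes `key = value` lines under `[section]` headers, which is all gateway.cfg uses here.

```shell
#!/bin/sh
# Added example, not part of the original article: post-install check for
# /etc/caringo/cloudgateway/gateway.cfg. Confirms each personality is enabled
# on the port haproxy forwards to, and reports which ones are reachable from
# other hosts (bindAddress 0.0.0.0) instead of only through haproxy (127.0.0.1).
#
# Usage: check_gateway_cfg /etc/caringo/cloudgateway/gateway.cfg
# Exit status: 0 when all three personalities are enabled on the expected
# ports, 1 otherwise. The 0.0.0.0 warning is informational, because the
# article deliberately keeps plain HTTP open.

# section:port pairs, mirroring the backends in the haproxy configuration.
EXPECTED="scsp:8080 s3:8090 cluster_admin:8091"

# cfg_get <file> <section> <key>: print the value of <key> inside [<section>].
cfg_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/[ \t]/, "", line); insec = (line == want); next }
        insec && index($0, "=") {
            eq = index($0, "="); k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

check_gateway_cfg() {
    cfg="$1"
    rc=0
    for pair in $EXPECTED; do
        section="${pair%%:*}"
        port="${pair##*:}"
        enabled=$(cfg_get "$cfg" "$section" enabled)
        bindport=$(cfg_get "$cfg" "$section" bindPort)
        bindaddr=$(cfg_get "$cfg" "$section" bindAddress)
        if [ "$enabled" != "true" ]; then
            echo "FAIL [$section]: enabled is '$enabled', expected true"
            rc=1
        elif [ "$bindport" != "$port" ]; then
            echo "FAIL [$section]: bindPort is '$bindport', haproxy backend expects $port"
            rc=1
        else
            echo "OK   [$section]: listening on $bindaddr:$bindport"
        fi
        if [ "$bindaddr" = "0.0.0.0" ]; then
            echo "WARN [$section]: bound on all interfaces; use 127.0.0.1 to force clients through haproxy"
        fi
    done
    return $rc
}

# Constructed sample: the gateway.cfg from the article, written to a temp file
# so the check can run stand-alone.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080

[s3]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8090

[cluster_admin]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8091
EOF

check_gateway_cfg "$SAMPLE_CFG"
```

Run against the real file once the gateway has been configured; a FAIL line means the haproxy backends below would point at a port nothing is listening on, and a WARN line means the personality still answers HTTP directly, bypassing the TLS termination this guide sets up.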
  • Set up and install haproxy (the package is part of the EPEL repo).
  • Use the following configuration for /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  forwardfor
    option  http-server-close
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend www-http
    bind 0.0.0.0:80
    reqadd X-Forwarded-Proto:\ http
    reqadd X-Forwarded-Port:\ 80
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 91
    default_backend www-backend-svc

backend www-backend-scsp
    #redirect scheme https if !{ ssl_fc }   <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8080 check

backend www-backend-s3
    #redirect scheme https if !{ ssl_fc }    <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8090 check

backend www-backend-svc
    # Rewrite the CORS response header to add the port number used on the frontend
    http-response replace-value Access-Control-Allow-Origin (.*) \1:91
    redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8091 check
  • Start haproxy: systemctl restart haproxy
  • Make a Self-Signed SSL Certificate

To make a self-signed certificate for your domain, execute:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $DOMAIN.key -out $DOMAIN.crt

Copy DOMAIN.crt to /etc/pki/tls/certs/selfsignedcert.pem.

For S3 it is generally a good idea to make a wildcard SSL certificate too: repeat the step above, use "*.DOMAIN" when prompted for the "Common Name", then copy the new CRT file to /etc/pki/tls/certs/selfsignedcert-wildcard.pem.

To add the new certificate to /etc/haproxy/haproxy.cfg change

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem

to

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem crt /etc/pki/tls/certs/selfsignedcert-wildcard.pem

Do this for all bind statements that have the ssl keyword configured. To activate the change, restart haproxy: systemctl restart haproxy

Be aware that for the Swarm UI, with the configuration example above, you will need to enter host <contentgatewayIP>:8091 on the login page to connect.

If you want to test the new certificate from a CentOS 7.x client, copy both your crt files to /etc/pki/ca-trust/source/anchors and run update-ca-trust. Once the command has completed, you can use curl to test certificate validation.
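As an added example (not part of the original article), the following POSIX shell functions generate the two self-signed certificates non-interactively and assemble the PEM files haproxy loads with crt. One caveat the steps above leave implicit: haproxy reads the private key and the certificate from the same PEM file it is given, so the bundle must contain the .key followed by the .crt, not the .crt alone. The domain storage.example.com, the scratch directory and the file names are constructed example values; the real bundles belong at the /etc/pki/tls/certs paths used above.

```shell
#!/bin/sh
# Added example, not code from the original article. Produces the self-signed
# certificates with the same openssl invocation as the article (plus -subj so
# no prompts are needed) and turns key + cert into the single PEM haproxy's
# "crt" option expects. Paths and the domain are constructed example values.

# make_selfsigned <domain> <common-name> <dir>
# Writes <dir>/<domain>.key and <dir>/<domain>.crt.
make_selfsigned() {
    domain="$1"; cn="$2"; dir="$3"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
}

# pem_has_key_and_cert <pem>: succeed only if the file carries both blocks.
pem_has_key_and_cert() {
    grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$1" &&
    grep -q -- "-----BEGIN CERTIFICATE-----" "$1"
}

# bundle_for_haproxy <key> <crt> <out.pem>
# Key first, then certificate. The bundle holds a private key, so it is
# created with a restrictive umask and left mode 600.
bundle_for_haproxy() {
    key="$1"; crt="$2"; out="$3"
    ( umask 077; cat "$key" "$crt" > "$out" ) || return 1
    chmod 600 "$out"
    pem_has_key_and_cert "$out"
}

# cert_subject <crt>: print the subject, e.g. to confirm the wildcard CN
# before installing the bundle.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# verify_as_anchor <crt>: what a client sees once the .crt sits in
# /etc/pki/ca-trust/source/anchors: a self-signed certificate must validate
# against itself as the only trust anchor.
verify_as_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory; DOMAIN is a constructed example.
DOMAIN="storage.example.com"
WORK=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned "$DOMAIN" "$DOMAIN" "$WORK"
    make_selfsigned "wildcard-$DOMAIN" "*.$DOMAIN" "$WORK"
    bundle_for_haproxy "$WORK/$DOMAIN.key" "$WORK/$DOMAIN.crt" "$WORK/selfsignedcert.pem"
    bundle_for_haproxy "$WORK/wildcard-$DOMAIN.key" "$WORK/wildcard-$DOMAIN.crt" "$WORK/selfsignedcert-wildcard.pem"
    cert_subject "$WORK/wildcard-$DOMAIN.crt"
    verify_as_anchor "$WORK/$DOMAIN.crt" && echo "$DOMAIN.crt validates as its own trust anchor"
    ls -l "$WORK"/*.pem
else
    echo "openssl not found; skipping certificate generation"
fi
```

In practice copy the two bundles to /etc/pki/tls/certs/selfsignedcert.pem and /etc/pki/tls/certs/selfsignedcert-wildcard.pem, keep them mode 600 and owned by root (haproxy loads certificates at startup before it drops to the haproxy user and enters the chroot), and restart haproxy. Only the .crt files, never the bundles, go to /etc/pki/ca-trust/source/anchors on clients.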
