Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »


The following steps are for RHEL/CentOS 7.x specifically.

To configure haproxy as an SSL offloader for Content Gateway, you will need the following configuration steps.

Step-by-step guide

  • First make sure Content Gateway is listening on port 8080 for SCSP , 8090 for S3 and 8091 for Service Proxy


/etc/caringo/cloudgateway/gateway.cfg

[scsp]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8080
externalHTTPPort = 80
externalHTTPSPort = 443

[s3]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8090

[cluster_admin]
enabled = true
bindAddress = 0.0.0.0
bindPort = 8091
externalHTTPSPort = 91
Note: In this example i want to still provide HTTP access to those personalities, if you however wish to harden your security and force https , you will need to change the bind address to 127.0.0.1 for all 3 personalities.
  • Setup and install haproxy ( this package is part of the EPEL repo )
  • Use the following configuration for /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    ca-base /etc/pki/tls/certs
    crt-base /etc/pki/tls/private

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  forwardfor
    # Do not use "option  http-server-close", it causes S3 PUT incompatibility with some clients including FileFly!
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend www-http
    bind 0.0.0.0:80
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Port 80
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend www-backend-scsp
    acl iss3 hdr_sub(Authorization) AWS
    acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
    use_backend www-backend-s3 if iss3

frontend www-https-svc
    bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/selfsignedcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 91
    default_backend www-backend-svc

backend www-backend-scsp
    #redirect scheme https if !{ ssl_fc }   <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8080 check

backend www-backend-s3
    #redirect scheme https if !{ ssl_fc }    <--- Uncomment this line if you want to force HTTPS
    server gw1 127.0.0.1:8090 check

backend www-backend-svc
    # This rule rewrites CORS header to add the port number used on frontend
    http-request replace-value Access-Control-Allow-Origin (.*) \1:91
    redirect scheme https if !{ ssl_fc }
    server gw1 127.0.0.1:8091 check
  • Start haproxy , systemctl restart haproxy
  • Make a Self-Signed SSL Certificate

To make a self signed certificate for your domain execute:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $DOMAIN.key -out $DOMAIN.crt

Concatenate the DOMAIN.crt (first) and the DOMAIN.key (second) into a DOMAIN.pem file.

Copy the DOMAIN.pem to /etc/pki/tls/certs/DOMAIN.pem

For S3 as a general rule its a good idea to make a wildcard SSL certificate too, so repeat the same steps as above and when prompted for the "Common Name" use "*.DOMAIN" , then copy the new CRT file to /etc/pki/tls/certs/DOMAIN-wildcard.pem

To add the new certificate to /etc/haproxy/haproxy.cfg change

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcer.pem

to

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/DOMAIN.pem crt /etc/pki/tls/certs/DOMAIN-wildcard.pem

Do this for all bind statements that have the ssl keyword configured. To activate restart haproxy:  systemctl restart haproxy

NOTE: If the content gateway is going to be used as the destination for a remote replication feed, the following setting must appear and be set properly in the /etc/caringo/cloudgateway/gateway.cfg file:

[scsp]
...
...
allowSwarmAdminIP=172.30

In the example above, replicate "172.30" with the IP addresses (or prefix) of clients that will be sending administrative requests to the gateway. The most common example is the IP addresses (or prefix) of the nodes in a cluster that is using a remote replication feed with the gateway as its destination.

Be aware that for Swarm UI in the configuration example above you will need to use host: <contentgatewayIP>:8091 in the login page to connect.

If you want to test out the new certificate from a CentOS 7.x client , make sure to copy both your crt files to /etc/pki/ca-trust/source/anchors and run update-ca-trust. Once the command completed, you will then be able to use curl to test the certificate validation.




  • No labels

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.