RE: Docker Swarm configuration

2018-08-23 Thread Norman Branitsky
Actually items 2 and 3 below are what I want:
If hostname "ucp.mydomain.com" then "reencrypt", i.e. https -> https;
else normal SSL termination, "edge", i.e. https -> http.

-Original Message-
From: Aleksandar Lazic  
Sent: Thursday, August 23, 2018 4:30 PM
To: Norman Branitsky ; haproxy@formilux.org; 
haproxy 
Subject: RE: Docker Swarm configuration

Yes, it looks complicated, but you only need the edge one, as I understood your 
requirement.

TCP -> HTTP only if some name
 -> else go further with TCP

And it's great that this is possible with this software ;-)))

Regards
Aleks 


-Original Message-
From: Norman Branitsky 
Sent: 23 August 2018 21:59:03 CEST
To: Aleksandar Lazic , "haproxy@formilux.org" , haproxy 
Subject: RE: Docker Swarm configuration

Looking at the openshift router definition, I can see it implements what I want:

   2. If termination is type 'edge': This is https -> http. Create a be_edge_http: backend.
      Incoming https traffic is terminated and sent as http to the pods.

   3. If termination is type 'reencrypt': This is https -> https. Create a be_secure: backend.
      Incoming https traffic is terminated and then sent as https to the pods.

BUT wow! Is this implementation complicated!

-Original Message-
From: Aleksandar Lazic  
Sent: Thursday, August 23, 2018 3:25 PM
To: haproxy@formilux.org; Norman Branitsky ; 
haproxy 
Subject: Re: Docker Swarm configuration

Hi.

How about using the following setup?

frontend tcp
  mode tcp
  bind :443

  use_backend default

backend default
  mode tcp
  # a backend section cannot "bind"; relay the still-encrypted stream
  # to a local listener on port 444 instead
  server local 127.0.0.1:444

frontend http
  mode http
  # this listener terminates TLS; the certificate path is a placeholder
  bind :444 ssl crt /etc/haproxy/certs/site.pem

  ...

You can take a look at the openshift router for a more detailed solution.

https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L183

Regards
Aleks


-Original Message-
From: Norman Branitsky 
Sent: 23 August 2018 20:56:31 CEST
To: haproxy 
Subject: Docker Swarm configuration

My plan was to by default terminate SSL and send http traffic to the worker 
servers on port 88 while traffic with a "ucp.mydomain.com" header would be 
passed through as https to the UCP management servers on port 8443.
Docker Enterprise Manager nodes insist on seeing incoming commands as https and 
require an SSL certificate and key to configure correctly.
Problem is, the only way I know to pass through https traffic without terminating 
the SSL is to use mode tcp.
But mode tcp can only listen on specific ports - it can't see http headers to 
detect the "ucp" hostname, so how do I select the correct backend?
I could make the ucp frontend listen on a different port, e.g. 444, and direct to 
8443, but that seems klutzy.


RE: Docker Swarm configuration

2018-08-23 Thread Aleksandar Lazic
Yes, it looks complicated, but you only need the edge one, as I understood your 
requirement.

TCP -> HTTP only if some name
 -> else go further with TCP

And it's great that this is possible with this software ;-)))

Regards
Aleks 



RE: Docker Swarm configuration

2018-08-23 Thread Norman Branitsky
Looking at the openshift router definition, I can see it implements what I want:

   2. If termination is type 'edge': This is https -> http. Create a be_edge_http: backend.
      Incoming https traffic is terminated and sent as http to the pods.

   3. If termination is type 'reencrypt': This is https -> https. Create a be_secure: backend.
      Incoming https traffic is terminated and then sent as https to the pods.

BUT wow! Is this implementation complicated!


Re: Docker Swarm configuration

2018-08-23 Thread Aleksandar Lazic
Hi.

How about using the following setup?

frontend tcp
  mode tcp
  bind :443

  use_backend default

backend default
  mode tcp
  # a backend section cannot "bind"; relay the still-encrypted stream
  # to a local listener on port 444 instead
  server local 127.0.0.1:444

frontend http
  mode http
  # this listener terminates TLS; the certificate path is a placeholder
  bind :444 ssl crt /etc/haproxy/certs/site.pem

  ...

You can take a look at the openshift router for a more detailed solution.

https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L183

Regards
Aleks



Docker Swarm configuration

2018-08-23 Thread Norman Branitsky
My plan was to by default terminate SSL and send http traffic to the worker 
servers on port 88 while traffic with a "ucp.mydomain.com" header
would be passed through as https to the UCP management servers on port 8443.
Docker Enterprise Manager nodes insist on seeing incoming commands as https and 
require an SSL certificate and key to configure correctly.
Problem is, the only way I know to pass through https traffic without terminating 
the SSL is to use mode tcp.
But mode tcp can only listen on specific ports - it can't see http headers to 
detect the "ucp" hostname,
so how do I select the correct backend?
I could make the ucp frontend listen on a different port, e.g. 444, and direct to 
8443, but that seems klutzy.
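The routing the question asks for, written out as a complete HAProxy configuration. This is an added example, not configuration from the thread or from the OpenShift router template; the server addresses, the loopback port 444 and the certificate paths are assumptions, while 443, 88, 8443 and the hostname come from the question.

```haproxy
# Added example (not from the thread). Server addresses, the loopback port 444
# and the certificate paths are placeholders; 443, 88, 8443 and the hostname
# come from the question.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Front door in TCP mode: TLS is NOT terminated here. The hostname is still
# visible because the SNI extension travels in cleartext in the ClientHello.
frontend fe_443
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Passthrough: the UCP managers keep their own certificate and any TLS
    # client authentication end to end.
    use_backend be_ucp_passthrough if { req_ssl_sni -i ucp.mydomain.com }
    # Everything else: hand the still-encrypted stream to the local edge listener.
    default_backend be_edge_local

backend be_ucp_passthrough
    mode tcp
    server ucp1 10.0.0.11:8443 check

backend be_edge_local
    mode tcp
    server edge 127.0.0.1:444

# Edge termination (item 2 in the thread): https in, plain http out to port 88.
frontend fe_edge
    mode http
    bind 127.0.0.1:444 ssl crt /etc/haproxy/certs/mydomain.pem
    http-request set-header X-Forwarded-Proto https
    # Reencrypt (item 3): only reached if the passthrough rule in fe_443 is
    # removed; HAProxy then terminates and re-encrypts toward 8443 instead.
    use_backend be_ucp_reencrypt if { req.hdr(host) -i ucp.mydomain.com }
    default_backend be_workers

backend be_ucp_reencrypt
    mode http
    server ucp1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/certs/ucp-ca.pem check

backend be_workers
    mode http
    server worker1 10.0.0.21:88 check
    server worker2 10.0.0.22:88 check
```

Validate with `haproxy -c -f haproxy.cfg` before loading. Clients that send no SNI fall through to the default backend, which is why the edge listener, not the UCP managers, is the default.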