在 Admin Router 前配置 HAProxy

使用 HAProxy 为 DC/OS Admin Router 设置 HTTP 代理

您可以使用 HAProxy 在 DC/OS Admin Router 前设置 HTTP 代理。例如,如果您想向通过 HTTPS 连接到群集的用户代理程序提供自定义服务器证书,这可能非常有用。DC/OS 当前不支持将您自己的证书直接添加到 Admin Router 中。

HTTP 代理必须执行即时 HTTP 请求和响应标头修改,因为 DC/OS 不知道用户代理程序用于寻址 HTTP 代理的自定义主机名和端口。

以下说明提供了经测试的 HAProxy 配置示例,其处理命名请求/响应重写。此示例确保 HAProxy 和 DC/OS Admin Router 之间的通信是 TLS 加密的。

  1. 安装 HAProxy 1.6.9
  2. 为 DC/OS 创建 HAProxy 配置。本示例适用于 AWS 上的 DC/OS 群集。有关 HAProxy 配置参数的更多信息,请参阅文档。 您可以使用代理 IP 地址 DNS 条目找到您的任务 IP。
    1. <taskname>.<framework_name>.agentip.dcos.thisdcos.directory
    其中:
    • taskname:任务名称。
    • framework_name:框架名称,如果您不确定,可能 marathon
    1. global
    2. daemon
    3. log 127.0.0.1 local0
    4. log 127.0.0.1 local1 notice
    5. maxconn 20000
    6. pidfile /var/run/haproxy.pid
    7. defaults
    8. log global
    9. option dontlog-normal
    10. mode http
    11. retries 3
    12. maxconn 20000
    13. timeout connect 5000
    14. timeout client 50000
    15. timeout server 50000
    16. frontend http
    17. # Bind on port 9090. HAProxy will listen on port 9090 on each
    18. # available network for new HTTP connections.
    19. bind 0.0.0.0:9090
    20. # Specify your own server certificate chain and associated private key.
    21. # See https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt
    22. # bind :9091 ssl crt /path/to/browser-trusted.crt
    23. #
    24. # Name of backend configuration for DC/OS.
    25. default_backend dcos
    26. # Store request Host header temporarily in transaction scope
    27. # so that its value is accessible during response processing.
    28. # Note: RFC 7230 requires clients to send the Host header and
    29. # specifies it to contain both, host and port information.
    30. http-request set-var(txn.request_host_header) req.hdr(Host)
    31. # Overwrite Host header to 'dcoshost'. This makes the Location
    32. # header in DC/OS Admin Router upstream responses contain a
    33. # predictable hostname (NGINX uses this header value when
    34. # constructing absolute redirect URLs). That value is used
    35. # in the response Location header rewrite logic (see regular
    36. # expression-based rewrite in the backend section below).
    37. http-request set-header Host dcoshost
    38. backend dcos
    39. # Option 1: use TLS-encrypted communication with DC/OS Admin Router and
    40. # perform server certificate verification (including hostname verification).
    41. # If you are using the community-supported version of DC/OS, you must
    42. # configure Admin Router with a custom TLS server certificate, see
    43. # /2.0/administering-clusters/. This step
    44. # is not required for DC/OS Enterprise.
    45. #
    46. # Explanation for the parameters in the following server definition line:
    47. #
    48. # 1.2.3.4:443
    49. #
    50. # IP address and port that HAProxy uses to connect to DC/OS Admin
    51. # Router. This needs to be adjusted to your setup.
    52. #
    53. #
    54. # ssl verify required
    55. #
    56. # Instruct HAProxy to use TLS, and to error out if server certificate
    57. # verification fails.
    58. #
    59. # ca-file dcos-ca.crt
    60. #
    61. # The local file dcos-ca.crt is expected to contain the CA certificate
    62. # that Admin Router's certificate will be verified against. It must be
    63. # retrieved out-of-band (on Mesosphere DC/OS Enterprise this can be
    64. # obtained via https://dcoshost/ca/dcos-ca.crt)
    65. #
    66. # verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
    67. #
    68. # When verifying the TLS certificate presented by DC/OS Admin Router,
    69. # perform hostname verification using the hostname specified here
    70. # (expect the server certificate to contain a DNSName SAN that is
    71. # equivalent to the hostname defined here). The hostname shown here is
    72. # just an example and needs to be adjusted to your setup.
    73. server dcos-1 1.2.3.4:443 ssl verify required ca-file dcos-ca.crt verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
    74. # Option 2: use TLS-encrypted communication with DC/OS Admin Router, but do
    75. # not perform server certificate verification (warning: this is insecure, and
    76. # we hope that you know what you are doing).
    77. # server dcos-1 1.2.3.4:443 ssl verify none
    78. #
    79. # Rewrite response Location header if it contains an absolute URL
    80. # pointing to the 'dcoshost' host: replace 'dcoshost' with original
    81. # request Host header (containing hostname and port).
    82. http-response replace-header Location https?://dcoshost((/.)?) "http://%[var(txn.request_host_header)]\1&#34;
  3. 使用这些设置启动 HAProxy。