HAProxy and Admin Router

Configuring HAProxy in front of an Admin Router

You can set up secure HTTPS communication using a custom server certificate with your DC/OS cluster by setting up a proxy between the Admin Router and user agent requests coming from outside of the cluster. The HTTP Proxy must perform on-the-fly HTTP request and response header modification, because DC/OS is not aware of the custom hostname and port that is being used by user agents to address the HTTP proxy.

Configuring HAProxy in front of Admin Router

Use HAProxy to set up an HTTP proxy in front of the DC/OS Admin Router. This can be useful if you want to present a custom server certificate to user agents connecting to the cluster via HTTPS. DC/OS does not currently support adding your own certificates directly into Admin Router.

The following instructions provide a tested HAProxy configuration example that handles the named request/response rewriting. This example ensures that the communication between HAProxy and DC/OS Admin Router is TLS-encrypted.

  1. Install HAProxy 1.6.9.

  2. Create an HAProxy configuration for DC/OS. This example is for a DC/OS cluster on AWS. For more information on HAProxy configuration parameters, see the documentation.

NOTE: You can find your task IP by using the agent IP address DNS entry.

  1. <taskname>.<framework_name>.agentip.dcos.thisdcos.directory

Where:

  • taskname: The name of the task.

  • framework_name: The name of the framework; if you are unsure, it is probably marathon.

    1. global
    2.   daemon
    3.   log 127.0.0.1 local0
    4.   log 127.0.0.1 local1 notice
    5.   maxconn 20000
    6.   pidfile /var/run/haproxy.pid
    7. defaults
    8.   log            global
    9.   option         dontlog-normal
    10.   mode         http
    11.   retries             3
    12.   maxconn          20000
    13.   timeout connect  5000
    14.   timeout client  50000
    15.   timeout server  50000
    17. frontend http
    18.   # Bind on port 9090. HAProxy will listen on port 9090 on each
    19.   # available network for new HTTP connections.
    20.   bind 0.0.0.0:9090
    21.   # Specify your own server certificate chain and associated private key.
    22.   # See https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt
    23.   # bind *:9091 ssl crt /path/to/browser-trusted.crt
    24.   #
    25.   # Name of backend configuration for DC/OS.
    26.   default_backend dcos
    28.   # Store request Host header temporarily in transaction scope
    29.   # so that its value is accessible during response processing.
    30.   # Note: RFC 7230 requires clients to send the Host header and
    31.   # specifies it to contain both, host and port information.
    32.   http-request set-var(txn.request_host_header) req.hdr(Host)
    34.   # Overwrite Host header to 'dcoshost'. This makes the Location
    35.   # header in DC/OS Admin Router upstream responses contain a
    36.   # predictable hostname (NGINX uses this header value when
    37.   # constructing absolute redirect URLs). That value is used
    38.   # in the response Location header rewrite logic (see regular
    39.   # expression-based rewrite in the backend section below).
    40.   http-request set-header Host dcoshost
    42. backend dcos
    43.   # Option 1: use TLS-encrypted communication with DC/OS Admin Router and
    44.   # perform server certificate verification (including hostname verification).
    45.   # If you are using the community-supported version of DC/OS, you must
    46.   # configure Admin Router with a custom TLS server certificate, see
    47.   # /mesosphere/dcos/2.1/administering-clusters/. This step
    48.   # is not required for DC/OS Enterprise.
    49.   #
    50.   # Explanation for the parameters in the following `server` definition line:
    51.   #
    52.   # 1.2.3.4:443
    53.   #
    54.   #   IP address and port that HAProxy uses to connect to DC/OS Admin
    55.   #   Router. This needs to be adjusted to your setup.
    56.   #
    57.   #
    58.   # ssl verify required
    59.   #
    60.   #   Instruct HAProxy to use TLS, and to error out if server certificate
    61.   #   verification fails.
    62.   #
    63.   # ca-file dcos-ca.crt
    64.   #
    65.   #   The local file `dcos-ca.crt` is expected to contain the CA certificate
    66.   #   that Admin Router's certificate will be verified against. It must be
    67.   #   retrieved out-of-band (on Mesosphere DC/OS Enterprise this can be
    68.   #   obtained via https://dcoshost/ca/dcos-ca.crt)
    69.   #
    70.   # verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
    71.   #
    72.   #   When verifying the TLS certificate presented by DC/OS Admin Router,
    73.   #   perform hostname verification using the hostname specified here
    74.   #   (expect the server certificate to contain a DNSName SAN that is
    75.   #   equivalent to the hostname defined here). The hostname shown here is
    76.   #   just an example and needs to be adjusted to your setup.
    78.   server dcos-1 1.2.3.4:443 ssl verify required ca-file dcos-ca.crt verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
    80.   # Option 2: use TLS-encrypted communication with DC/OS Admin Router, but do
    81.   # not perform server certificate verification (warning: this is insecure, and
    82.   # we hope that you know what you are doing).
    83.   # server dcos-1 1.2.3.4:443 ssl verify none
    84.   #
    85.   # Rewrite response Location header if it contains an absolute URL
    86.   # pointing to the 'dcoshost' host: replace 'dcoshost' with original
    87.   # request Host header (containing hostname and port).
    88.   http-response replace-header Location https?://dcoshost((/.*)?) "http://%[var(txn.request_host_header)]\1"
  1. Start HAProxy with these settings.