HAProxy 和 Admin Router

在 Admin Router 前配置 HAProxy

通过在 Admin Router 和来自集群外部的用户代理程序请求之间设置代理,您可以使用自定义服务器证书与 DC/OS 集群建立安全的 HTTPS 通信。HTTP 代理必须执行即时 HTTP 请求和响应报文头修改,因为 DC/OS 不知道用户代理程序用于寻址 HTTP 代理的自定义主机名和端口。

在 Admin Router 前配置 HAProxy

使用 HAProxy 在 DC/OS Admin Router 前设置 HTTP 代理。如果您想向通过 HTTPS 连接到集群的用户代理程序提供自定义服务器证书,这可能非常有用。DC/OS 当前不支持将您自己的证书直接添加到 Admin Router 中。

以下说明提供了经测试的 HAProxy 配置示例,其处理命名请求/响应重写。此示例确保 HAProxy 和 DC/OS Admin Router 之间的通信是 TLS 加密的。

  1. 安装 HAProxy 1.6.9

  2. 为 DC/OS 创建 HAProxy 配置。本示例适用于 AWS 上的 DC/OS 集群。有关 HAProxy 配置参数的更多信息,请参阅文档

    注意: 您可以使用代理程序 IP 地址 DNS 条目来查找任务 IP。

    1. <taskname>.<framework_name>.agentip.dcos.thisdcos.directory

    其中:

    • taskname:任务名称。

    • framework_name:框架名称,如果您不确定,可能 marathon

      1. global
      2.   daemon
      3.   log 127.0.0.1 local0
      4.   log 127.0.0.1 local1 notice
      5.   maxconn 20000
      6.   pidfile /var/run/haproxy.pid
      7. defaults
      8.   log            global
      9.   option         dontlog-normal
      10.   mode         http
      11.   retries             3
      12.   maxconn          20000
      13.   timeout connect  5000
      14.   timeout client  50000
      15.   timeout server  50000
      17. frontend http
      18.   # Bind on port 9090. HAProxy will listen on port 9090 on each
      19.   # available network for new HTTP connections.
      20.   bind 0.0.0.0:9090
      21.   # Specify your own server certificate chain and associated private key.
      22.   # See https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt
      23.   # bind *:9091 ssl crt /path/to/browser-trusted.crt
      24.   #
      25.   # Name of backend configuration for DC/OS.
      26.   default_backend dcos
      28.   # Store request Host header temporarily in transaction scope
      29.   # so that its value is accessible during response processing.
      30.   # Note: RFC 7230 requires clients to send the Host header and
      31.   # specifies it to contain both, host and port information.
      32.   http-request set-var(txn.request_host_header) req.hdr(Host)
      34.   # Overwrite Host header to 'dcoshost'. This makes the Location
      35.   # header in DC/OS Admin Router upstream responses contain a
      36.   # predictable hostname (NGINX uses this header value when
      37.   # constructing absolute redirect URLs). That value is used
      38.   # in the response Location header rewrite logic (see regular
      39.   # expression-based rewrite in the backend section below).
      40.   http-request set-header Host dcoshost
      42. backend dcos
      43.   # Option 1: use TLS-encrypted communication with DC/OS Admin Router and
      44.   # perform server certificate verification (including hostname verification).
      45.   # If you are using the community-supported version of DC/OS, you must
      46.   # configure Admin Router with a custom TLS server certificate, see
      47.   #/cn/1.11/administering-clusters/. This step
      48.   # is not required for DC/OS Enterprise.
      49.   #
      50.   # Explanation for the parameters in the following `server` definition line:
      51.   #
      52.   # 1.2.3.4:443
      53.   #
      54.   #   IP address and port that HAProxy uses to connect to DC/OS Admin
      55.   #   Router. This needs to be adjusted to your setup.
      56.   #   
      57.   #
      58.   # ssl verify required
      59.   #
      60.   #   Instruct HAProxy to use TLS, and to error out if server certificate
      61.   #   verification fails.
      62.   #
      63.   # ca-file dcos-ca.crt
      64.   #
      65.   #   The local file `dcos-ca.crt` is expected to contain the CA certificate
      66.   #   that Admin Router's certificate will be verified against. It must be
      67.   #   retrieved out-of-band (on Mesosphere DC/OS Enterprise this can be
      68.   #   obtained via https://dcoshost/ca/dcos-ca.crt)
      69.   #
      70.   # verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
      71.   #
      72.   #   When verifying the TLS certificate presented by DC/OS Admin Router,
      73.   #   perform hostname verification using the hostname specified here
      74.   #   (expect the server certificate to contain a DNSName SAN that is
      75.   #   equivalent to the hostname defined here). The hostname shown here is
      76.   #   just an example and needs to be adjusted to your setup.
      78.   server dcos-1 1.2.3.4:443 ssl verify required ca-file dcos-ca.crt verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
      80.   # Option 2: use TLS-encrypted communication with DC/OS Admin Router, but do
      81.   # not perform server certificate verification (warning: this is insecure, and
      82.   # we hope that you know what you are doing).
      83.   # server dcos-1 1.2.3.4:443 ssl verify none
      84.   #
      85.   # Rewrite response Location header if it contains an absolute URL
      86.   # pointing to the 'dcoshost' host: replace 'dcoshost' with original
      87.   # request Host header (containing hostname and port).
      88.   http-response replace-header Location https?://dcoshost((/.*)?) "http://%[var(txn.request_host_header)]\1"

  3. 使用这些设置启动 HAProxy。