Skip to content
This repository has been archived by the owner on Dec 4, 2024. It is now read-only.

SSL VHosting

Jason Kölker edited this page May 31, 2019 · 2 revisions

Create SSL certs

HAProxy expects pem encoded certificate and keys in the same file. Either obtain these from your CA or generate some self signed ones:

openssl req -x509 -newkey rsa:4096 -keyout key0.pem -out cert0.pem -days 365 -subj '/CN=*' -nodes
openssl req -x509 -newkey rsa:4096 -keyout key1.pem -out cert1.pem -days 365 -subj '/CN=www.example.com' -nodes

cat cert0.pem key0.pem > haproxy0.pem
cat cert1.pem key1.pem > haproxy1.pem

Store as secrets (Enterprise Only)

The certs can be stored in the dcos secrets service via:

dcos security secrets create --value="$(cat haproxy0.pem)" marathon-lb/cert0
dcos security secrets create --value="$(cat haproxy1.pem)" marathon-lb/cert1

Create the MLB deployment

If running Enterprise DCOS and you are using the secret store, you can then reference the secrets in the HAPROXY_SSL_CERT{n}:

{
  "id": "marathon-lb",
  ...
  "secrets": {
    "cert0": {
      "source": "marathon-lb/cert0"
    },
    "cert1": {
      "source": "marathon-lb/cert1"
    }
  },
  "env": {
    "HAPROXY_SSL_CERT": {
        "secret": "cert0"
    },
    "HAPROXY_SSL_CERT0": {
        "secret": "cert0"
    },
    "HAPROXY_SSL_CERT1": {
        "secret": "cert1"
    }
  }
}

If running Opensource DCOS, instead of referencing the secret include the full contents of the pem file (abbreviated below):

{
  "id": "marathon-lb",
  ...
  "env": {
    "HAPROXY_SSL_CERT": "-----BEGIN CERTIFICATE-----
MIIElDCCAnwCCQDvpF7eX4savTANBgkqhkiG9w0BAQsFADAMMQowCAYDVQQDDAEq
...
IXGm+Zo4hCU8dpM/aE7xXey53ZM1
-----END PRIVATE KEY-----",
    "HAPROXY_SSL_CERT0": "-----BEGIN CERTIFICATE-----
MIIElDCCAnwCCQDvpF7eX4savTANBgkqhkiG9w0BAQsFADAMMQowCAYDVQQDDAEq
...
IXGm+Zo4hCU8dpM/aE7xXey53ZM1
-----END PRIVATE KEY-----",
    "HAPROXY_SSL_CERT1": "-----BEGIN CERTIFICATE-----
MIIEqDCCApACCQDEXZy+k9EJ3TANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtl
...
+1waeDztJGiWc+kcZBfcE9jQDCMyePD6
-----END PRIVATE KEY-----"
  }
}

Note that the same cert is being used for HAPROXY_SSL_CERT and HAPROXY_SSL_CERT0 in both examples. HAPROXY_SSL_CERT will become the default cert and will be written out to /etc/ssl/cert.pem, the following HAPROXY_SSL_CERT{0-100} will be written out to /etc/ssl/cert{1-100}.pem.

Reference the cert in a deployment

Once deployed marathon-lb will write out the HAPROXY_SSL_CERT files to /etc/ssl/cert*.pem and those files can then be referenced by the deployments:

{
  "id": "/nginx2",
  "labels": {
      "HAPROXY_GROUP": "external",
      "HAPROXY_0_VHOST": "www.example.com",
      "HAPROXY_0_SSL_CERT": "/etc/ssl/cert1.pem",
      "HAPROXY_0_REDIRECT_TO_HTTPS": "true"
  },
  "container": {
    "network": "BRIDGE",
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 0,
          "servicePort": 80,
          "protocol": "tcp",
          "name": "http"
        }
      ],
    "type": "DOCKER",
    "docker": {"image": "nginx"}
  },
  "healthChecks": [
    {
      "portIndex": 0,
      "path": "/",
      "protocol": "MESOS_HTTP"
    }
  ],
  "cpus": 0.1,
  "instances": 1,
  "mem": 128,
  "networks": [{"mode": "container/bridge"}]
}

To test this without updating DNS or editing the local computer's hostfile, use the --resolve option to curl:

curl --resolve www.example.com:443:${MLB_IP_ADDRESS} https://www.example.com

If using self signed certs the --insecure option will also be needed.