SSL VHosting
HAProxy expects the PEM-encoded certificate and key in the same file. Either obtain these from your CA or generate some self-signed ones:

```shell
openssl req -x509 -newkey rsa:4096 -keyout key0.pem -out cert0.pem -days 365 -subj '/CN=*' -nodes
openssl req -x509 -newkey rsa:4096 -keyout key1.pem -out cert1.pem -days 365 -subj '/CN=www.example.com' -nodes
cat cert0.pem key0.pem > haproxy0.pem
cat cert1.pem key1.pem > haproxy1.pem
```
The certs can be stored in the DCOS secrets service via:

```shell
dcos security secrets create --value="$(cat haproxy0.pem)" marathon-lb/cert0
dcos security secrets create --value="$(cat haproxy1.pem)" marathon-lb/cert1
```
If you are running Enterprise DCOS and using the secret store, you can then reference the secrets in the `HAPROXY_SSL_CERT{n}` environment variables:

```json
{
  "id": "marathon-lb",
  ...
  "secrets": {
    "cert0": {
      "source": "marathon-lb/cert0"
    },
    "cert1": {
      "source": "marathon-lb/cert1"
    }
  },
  "env": {
    "HAPROXY_SSL_CERT": {
      "secret": "cert0"
    },
    "HAPROXY_SSL_CERT0": {
      "secret": "cert0"
    },
    "HAPROXY_SSL_CERT1": {
      "secret": "cert1"
    }
  }
}
```
If you are running Opensource DCOS, instead of referencing the secret, include the full contents of the PEM file (abbreviated below; in a real app definition each PEM must be a single JSON string, with its line breaks escaped as `\n`):

```json
{
  "id": "marathon-lb",
  ...
  "env": {
    "HAPROXY_SSL_CERT": "-----BEGIN CERTIFICATE-----
MIIElDCCAnwCCQDvpF7eX4savTANBgkqhkiG9w0BAQsFADAMMQowCAYDVQQDDAEq
...
IXGm+Zo4hCU8dpM/aE7xXey53ZM1
-----END PRIVATE KEY-----",
    "HAPROXY_SSL_CERT0": "-----BEGIN CERTIFICATE-----
MIIElDCCAnwCCQDvpF7eX4savTANBgkqhkiG9w0BAQsFADAMMQowCAYDVQQDDAEq
...
IXGm+Zo4hCU8dpM/aE7xXey53ZM1
-----END PRIVATE KEY-----",
    "HAPROXY_SSL_CERT1": "-----BEGIN CERTIFICATE-----
MIIEqDCCApACCQDEXZy+k9EJ3TANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtl
...
+1waeDztJGiWc+kcZBfcE9jQDCMyePD6
-----END PRIVATE KEY-----"
  }
}
```
Note that the same cert is used for `HAPROXY_SSL_CERT` and `HAPROXY_SSL_CERT0` in both examples. `HAPROXY_SSL_CERT` becomes the default cert and is written out to `/etc/ssl/cert.pem`; the following `HAPROXY_SSL_CERT{0-100}` are written out to `/etc/ssl/cert{1-100}.pem`.
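As an added example (not part of the marathon-lb wiki or code base), the following Python builds the `env` and `secrets` sections for both variants from cert+key bundles, rejects bundles that do not have the certificate-then-key layout HAProxy expects, and serialises the inline variant as valid JSON with the newlines escaped. The `SAMPLE_BUNDLE` placeholder, the function names and the `cert{i}` secret naming are assumptions; the `HAPROXY_SSL_CERT{n}` mapping follows the note above.

```python
import json
import re

# One PEM block; the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed placeholder bundle (not real key material), laid out the way
# `cat cert0.pem key0.pem > haproxy0.pem` produces it: certificate first, then key.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
)

def check_bundle(pem: str) -> list:
    """Return the PEM block types found; reject bundles HAProxy cannot load
    (must start with a CERTIFICATE and also contain a PRIVATE KEY)."""
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem)]
    if not kinds or kinds[0] != "CERTIFICATE":
        raise ValueError("bundle must start with a CERTIFICATE block")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        raise ValueError("bundle has no PRIVATE KEY block; cert and key go in one file")
    return kinds

def build_env(bundles: list, use_secrets: bool) -> tuple:
    """bundles[i] -> HAPROXY_SSL_CERT{i}; bundles[0] is also the default HAPROXY_SSL_CERT.
    use_secrets=True emits DC/OS secret references (Enterprise); False inlines the PEM."""
    env, secrets = {}, {}
    for i, pem in enumerate(bundles):
        check_bundle(pem)
        names = (["HAPROXY_SSL_CERT"] if i == 0 else []) + [f"HAPROXY_SSL_CERT{i}"]
        for name in names:
            if use_secrets:
                secrets[f"cert{i}"] = {"source": f"marathon-lb/cert{i}"}
                env[name] = {"secret": f"cert{i}"}
            else:
                env[name] = pem  # raw text; json.dumps escapes its newlines as \n
    return env, secrets

def app_definition(bundles: list, use_secrets: bool) -> str:
    """Serialise the app definition fragment as valid JSON (PEM newlines become \\n)."""
    env, secrets = build_env(bundles, use_secrets)
    app = {"id": "marathon-lb", "env": env}
    if secrets:
        app["secrets"] = secrets
    return json.dumps(app, indent=2)

if __name__ == "__main__":
    print(app_definition([SAMPLE_BUNDLE, SAMPLE_BUNDLE], use_secrets=True))
    print(app_definition([SAMPLE_BUNDLE], use_secrets=False))
```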
Once deployed, `marathon-lb` will write out the `HAPROXY_SSL_CERT` files to `/etc/ssl/cert*.pem`, and those files can then be referenced by the deployments:

```json
{
  "id": "/nginx2",
  "labels": {
    "HAPROXY_GROUP": "external",
    "HAPROXY_0_VHOST": "www.example.com",
    "HAPROXY_0_SSL_CERT": "/etc/ssl/cert1.pem",
    "HAPROXY_0_REDIRECT_TO_HTTPS": "true"
  },
  "container": {
    "network": "BRIDGE",
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 0,
        "servicePort": 80,
        "protocol": "tcp",
        "name": "http"
      }
    ],
    "type": "DOCKER",
    "docker": {"image": "nginx"}
  },
  "healthChecks": [
    {
      "portIndex": 0,
      "path": "/",
      "protocol": "MESOS_HTTP"
    }
  ],
  "cpus": 0.1,
  "instances": 1,
  "mem": 128,
  "networks": [{"mode": "container/bridge"}]
}
```
To test this without updating DNS or editing the local computer's hosts file, use the `--resolve` option of curl:

```shell
curl --resolve www.example.com:443:${MLB_IP_ADDRESS} https://www.example.com
```

If using self-signed certs, the `--insecure` option will also be needed.