Using SSL with HAProxy for docker containers

AstJ · June 9, 2016, 11:46pm

Thanks Lukas!

Unfortunately the script requires 1.6

You need to be rolling HAProxy version 1.6.0 or later with Lua support enabled.

Mine is

Package haproxy-1.5.14-3.el7.x86_64 already installed and latest version

Should I try it anyway? Or look at this instead… How To Secure HAProxy with Let's Encrypt on CentOS 7 | DigitalOcean ?

Btw, do you know how I can get version info on Centos? haproxy -vv does not work. Is systemctl status haproxy the equivalent?

lukastribus · June 10, 2016, 7:55am

I don’t know about docker or centos, but haproxy -vv should always work. The acme validation plugin needs haproxy 1.6 with Lua, there is no point in trying with 1.5.

AstJ · June 14, 2016, 5:42pm

Hey @lukastribus just coming back to report this has now all be set up - massive thanks for your help! I have also edited the first post with a summary - hopefully it will help others without them having to read the whole thread.

Just one last question, what would be the best way to force https on my some of my sites? (Some of those defined under ‘Define hosts’ and some that use the default_backed.)

Here is a reminder of what I have:

frontend http-in
        bind *:80
        default_backend main_apache_sites

        # Define hosts
	      redirect prefix http://discourse-forum-1.com code 301 if { hdr(host) -i www.discourse-forum-1.com }
        acl host_discourse hdr(host) -i discourse-forum-1.com
	      redirect prefix http://discourse-forum-2.com code 301 if { hdr(host) -i www.discourse-forum-2.com }
        acl host_discourse_2 hdr(host) -i discourse-forum-2.com		
	      redirect prefix http://discourse-forum-3.com code 301 if { hdr(host) -i www.discourse-forum-3.com }
        acl host_discourse_3 hdr(host) -i discourse-forum-3.com
		
        # which one to use
        use_backend discourse_docker if host_discourse
        use_backend discourse_docker_2 if host_discourse_2
        use_backend discourse_docker_3 if host_discourse_3	


backend main_apache_sites
    	server server1 127.0.0.1:8080 cookie A check
	    cookie JSESSIONID prefix nocache

backend discourse_docker
    	server server2 127.0.0.1:8888 cookie A check
	    cookie JSESSIONID prefix nocache

backend discourse_docker_2
    	server server2 127.0.0.1:8889 cookie A check
	    cookie JSESSIONID prefix nocache

backend discourse_docker_3
    	server server2 127.0.0.1:8890 cookie A check
	    cookie JSESSIONID prefix no cache

Do I just need lots of these?

redirect scheme https if { hdr(Host) -i www.mydomain.com } !{ ssl_fc }

(Where do they go? Under Define hosts?)

lukastribus · June 14, 2016, 8:28pm

Yes, but in that case I would suggest to use a dedicated (named) ACL to define the list of hosts that need the HTTPS redirect, otherwise the configuration gets messy.

Note that there is no indentation in haproxy really. “redirect” and “acl” can start at the same place as can server and cookie in the backend.

AstJ · June 14, 2016, 10:57pm

Do you mean something like this?

# Define hosts
  redirect prefix http://myforum.com code 301 if { hdr(host) -i www.myforum.com }
  redirect scheme https if { hdr(Host) -i myforum.com } !{ ssl_fc }
  acl host_discourse_3 hdr(host) -i myforum.com

Or is there a better way?

lukastribus · June 15, 2016, 6:57am

Yes, but I would also use an ACL for this, so you only have to add a Host to the ssl_redirect_hosts ACL, not touch the actual redirect directive:

# Define hosts
redirect prefix http://myforum.com code 301 if { hdr(host) -i www.myforum.com }
acl host_discourse_3 hdr(host) -i myforum.com
acl ssl_redirect_hosts hdr(Host) -i myforum.com
acl ssl_redirect_hosts hdr(Host) -i myforum2.com
acl ssl_redirect_hosts hdr(Host) -i myforum3.com
redirect scheme https if ssl_redirect_hosts !{ ssl_fc }

AstJ · June 16, 2016, 12:21pm

Awesome, thanks Lukas!

Is there any way to do the same for removing the www’s? Or better still combine it all into one statement? No probs if not.

lukastribus · June 16, 2016, 5:51pm

I’m sure it is, you can find specifics in the documentation:
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4-redirect

AstJ · October 21, 2016, 10:37pm

Hi Lukas, sorry to bother you again, but would you know how I can enable secure cookies for the hosts we defined previously?

Would I need to add this to the bottom?

rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie

Edit: Just an update to say I seemed to have fixed my issue by simply adding the following to frontend http-in

reqadd X-Forwarded-Proto:\ https if { ssl_fc }

Does this look ok?

lukastribus · October 23, 2016, 9:17am

Yes, telling the application that the connection to the client is secured via X-Forwarded-Proto header is the proper thing to do in this case, instead of rewriting response headers at the proxy layer.

AstJ · October 23, 2016, 2:41pm

Thanks Lukas - you’re a

Mike · December 2, 2016, 9:07pm

Hi AstJ!

I’m working a very similar project right now. I was wondering if you could share your final config?

thanks,
Mike

AstJ · December 4, 2016, 1:04am

Hey @Mike, have you seen my guide on Discourse? It should have configs and further instruction

Mike · December 6, 2016, 5:09pm

@AstJ

Thanks!

Topic		Replies	Views
HAProxy SSL offloading/termination Help!	1	1463	March 31, 2017
Need some guidance on how to setup HAProxy with SSL port 6443 and serving as a browser proxy Help!	1	714	August 11, 2020
Unable to access my container services via haproxy Help!	6	110	July 26, 2024
Serving static content in /var/www/html Help!	1	2228	June 19, 2018
Help with getting HTTPS working through PHPIPAM/Docker using HAProxy Help!	2	4020	May 23, 2021

Using SSL with HAProxy for docker containers

Related topics