Catch22 when trying to enable Rancher SSL

We’re trying to enable SSL for rancher, because we’re using Local Auth, and it is required if we want to be able to use kubectl remotely.

With the haproxy config below, I can goto our rancher UI from http only. If I try to use https://rancher-ui, it says my session is timed out and I can’t login.

However, kubectl works fine. So as it stands, I have local auth working and kubectl, which is great. But I am trying to understand why I can’t login to the rancher UI via https?

With this config below, I can login to the rancher UI with http://rancher-ui, using local auth. Also, I can use kubectl with https://rancher-ui/blah/r/projects/1a7/kubernetes:6443.

How can I make it all work… All of the above plus allow me to login to the rancher UI via https without the “your session timed out” loop.

global
  maxconn 4096
  ssl-server-verify none
  tune.ssl.default-dh-param 2048

defaults
  mode http
  balance roundrobin
  option redispatch
  option forwardfor

  timeout connect 5s
  timeout queue 5s
  timeout client 36000s
  timeout server 36000s

frontend http-in
  bind *:80;
  bind *:443 ssl crt /usr/local/etc/haproxy/cert.pem
  mode http
  default_backend rancher_servers

  ## Add headers for SSL offloading
#  http-request set-header X-Forwarded-Proto https if { ssl_fc }
#  http-request set-header X-Forwarded-Ssl on if { ssl_fc }

  ## Redirect https if not
#  redirect scheme https if !{ ssl_fc }

  acl is_websocket hdr(Upgrade) -i WebSocket
  acl is_websocket hdr_beg(Host) -i ws
  use_backend rancher_servers if is_websocket

backend rancher_servers
  option httpchk HEAD /v2-beta HTTP/1.1
  http-check expect status 200
  default-server inter 5s fall 3 rise 2
  server web1 rancher1:8080 weight 1 maxconn 1024
  server web2 rancher2:8080 weight 1 maxconn 1024
  server web3 rancher3:8080 weight 1 maxconn 1024

works. Will route http to https and kubectl works fine using https.

Not an haproxy expert so something might be unnecessary. Why not just support SSL on the rancher server instead of all this jumping through hoops?

global
  maxconn 4096
  ssl-server-verify none
  tune.ssl.default-dh-param 2048

defaults
  mode http
  balance roundrobin
  option redispatch
  option forwardfor

  timeout connect 5s
  timeout queue 5s
  timeout client 36000s
  timeout server 36000s

frontend http-in
  bind *:80
  bind *:443 ssl crt /usr/local/etc/haproxy/mycert.pem
  capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

  mode http
  default_backend rancher_servers
  rspadd Content-Security-Policy:\ upgrade-insecure-requests

  ## Add headers for SSL offloading
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }

  ## Redirect https if not
  #  redirect scheme https if !{ ssl_fc }

  acl is_websocket hdr(Upgrade) -i WebSocket
  acl is_websocket hdr_beg(Host) -i ws
  use_backend rancher_servers if is_websocket

backend rancher_servers
  option httpchk HEAD /v2-beta HTTP/1.1
  http-check expect status 200
  default-server inter 5s fall 3 rise 2
  server web1 rancher1:8080 weight 1 maxconn 1024
  server web2 rancher2:8080 weight 1 maxconn 1024
  server web3 rancher3:8080 weight 1 maxconn 1024

Different users have different needs, LetsEncrypt didn’t exist 4 years ago and self-signed certs have various complications. 2.0 requires SSL, generates a cert by default and supports LetsEncrypt or your own termination.

1 Like