We’re trying to enable SSL for rancher, because we’re using Local Auth, and it is required if we want to be able to use kubectl remotely.
With the haproxy config below, I can go to our rancher UI from http only. If I try to use https://rancher-ui, it says my session is timed out and I can’t log in.
However, kubectl works fine. So as it stands, I have local auth working and kubectl, which is great. But I am trying to understand why I can’t log in to the rancher UI via https?
With this config below, I can log in to the rancher UI with http://rancher-ui, using local auth. Also, I can use kubectl with https://rancher-ui/blah/r/projects/1a7/kubernetes:6443.
How can I make it all work: all of the above, plus allow me to log in to the rancher UI via https without the “your session timed out” loop?
global
    maxconn 4096
    ssl-server-verify none
    tune.ssl.default-dh-param 2048

defaults
    mode http
    balance roundrobin
    option redispatch
    option forwardfor
    timeout connect 5s
    timeout queue 5s
    timeout client 36000s
    timeout server 36000s

frontend http-in
    bind *:80
    bind *:443 ssl crt /usr/local/etc/haproxy/cert.pem
    mode http
    default_backend rancher_servers
    ## Add headers for SSL offloading
    # http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # http-request set-header X-Forwarded-Ssl on if { ssl_fc }
    ## Redirect https if not
    # redirect scheme https if !{ ssl_fc }
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    use_backend rancher_servers if is_websocket

backend rancher_servers
    option httpchk HEAD /v2-beta HTTP/1.1
    http-check expect status 200
    default-server inter 5s fall 3 rise 2
    server web1 rancher1:8080 weight 1 maxconn 1024
    server web2 rancher2:8080 weight 1 maxconn 1024
    server web3 rancher3:8080 weight 1 maxconn 1024
works. Will route http to https and kubectl works fine using https.
Not an haproxy expert so something might be unnecessary. Why not just support SSL on the rancher server instead of all this jumping through hoops?
global
    maxconn 4096
    ssl-server-verify none
    tune.ssl.default-dh-param 2048

defaults
    mode http
    balance roundrobin
    option redispatch
    option forwardfor
    timeout connect 5s
    timeout queue 5s
    timeout client 36000s
    timeout server 36000s

frontend http-in
    bind *:80
    bind *:443 ssl crt /usr/local/etc/haproxy/mycert.pem
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization if { capture.req.hdr(0) -m found }
    mode http
    default_backend rancher_servers
    rspadd Content-Security-Policy:\ upgrade-insecure-requests
    ## Add headers for SSL offloading
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Ssl on if { ssl_fc }
    ## Redirect https if not
    # redirect scheme https if !{ ssl_fc }
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    use_backend rancher_servers if is_websocket

backend rancher_servers
    option httpchk HEAD /v2-beta HTTP/1.1
    http-check expect status 200
    default-server inter 5s fall 3 rise 2
    server web1 rancher1:8080 weight 1 maxconn 1024
    server web2 rancher2:8080 weight 1 maxconn 1024
    server web3 rancher3:8080 weight 1 maxconn 1024
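The difference between the first config (UI login loops on https) and the second (works) is that the second actually sends X-Forwarded-Proto and X-Forwarded-Ssl to the backend, so Rancher knows the client is on https even though the hop from haproxy to rancher:8080 is plain http. The following is an added example, not code from the thread or from Rancher: a small Python linter for the subset of HAProxy syntax used above. It flags a frontend that terminates TLS (`bind ... ssl`) without an active `http-request set-header X-Forwarded-Proto https` line (and notes when that line is present but commented out), the stray `;` on `bind *:80;` in the first config, and the second config's Access-Control-Allow-Origin reflected from the request Origin combined with `Access-Control-Allow-Credentials: true`, which lets any origin make credentialed requests to the UI and should be narrowed to an allowlist. The two sample configs embedded in it are trimmed-down constructed copies of the two posted above.

```python
"""Lint an HAProxy config for TLS-offload pitfalls in front of a web UI.

Added example (not from the forum thread). Parses only the minimal HAProxy
syntax used above: section headers (global/defaults/frontend/backend/listen)
followed by directive lines; '#' comments are kept so disabled fixes can be
reported.
"""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?\s*$")

# Constructed, trimmed copy of the first (broken) config from the thread.
BROKEN_CFG = """\
global
    maxconn 4096
defaults
    mode http
frontend http-in
    bind *:80;
    bind *:443 ssl crt /usr/local/etc/haproxy/cert.pem
    default_backend rancher_servers
    # http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # http-request set-header X-Forwarded-Ssl on if { ssl_fc }
backend rancher_servers
    server web1 rancher1:8080
"""

# Constructed, trimmed copy of the second (working) config from the thread.
FIXED_CFG = """\
frontend http-in
    bind *:80
    bind *:443 ssl crt /usr/local/etc/haproxy/mycert.pem
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\\ true if { capture.req.hdr(0) -m found }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Ssl on if { ssl_fc }
    default_backend rancher_servers
backend rancher_servers
    server web1 rancher1:8080
"""


def parse_haproxy(text):
    """Return [(section_kind, section_name, [directive lines])] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def lint_frontend(name, lines):
    """Return a list of human-readable findings for one frontend section."""
    findings = []
    active = [l for l in lines if not l.startswith("#")]
    commented = [l.lstrip("#").strip() for l in lines if l.startswith("#")]

    # Stray punctuation on a bind line (the `bind *:80;` typo).
    for l in active:
        if l.startswith("bind") and re.search(r"[;,]\s*$", l):
            findings.append(f"{name}: trailing punctuation on bind line: {l!r}")

    # TLS is terminated here, so the backend only learns the scheme via headers.
    terminates_tls = any(l.startswith("bind") and " ssl " in l + " " for l in active)
    if terminates_tls:
        fwd_proto = any(
            l.startswith("http-request set-header X-Forwarded-Proto https") for l in active)
        if not fwd_proto:
            msg = f"{name}: terminates TLS but never sets X-Forwarded-Proto for the backend"
            if any(c.startswith("http-request set-header X-Forwarded-Proto") for c in commented):
                msg += " (the directive is present but commented out)"
            findings.append(msg)

    # Reflecting any Origin while allowing credentials is an over-broad CORS policy.
    reflects_origin = any(
        "Access-Control-Allow-Origin" in l and "capture.req.hdr" in l for l in active)
    allows_creds = any(
        re.search(r"Access-Control-Allow-Credentials:\\?\s*true", l) for l in active)
    if reflects_origin and allows_creds:
        findings.append(f"{name}: reflects any request Origin with Allow-Credentials true; "
                        "restrict it to an allowlist of known UI origins")
    return findings


def lint(text):
    """Lint every frontend in an HAProxy config and return all findings."""
    findings = []
    for kind, name, lines in parse_haproxy(text):
        if kind == "frontend":
            findings.extend(lint_frontend(name, lines))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(f"== {label} ==")
        for f in lint(cfg) or ["no findings"]:
            print(" -", f)
```

Run it as a script and the first config produces the X-Forwarded-Proto and bind findings, while the second is clean on TLS offload but gets the CORS finding; point `lint()` at your own haproxy.cfg text to check a real deployment.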
Different users have different needs, LetsEncrypt didn’t exist 4 years ago and self-signed certs have various complications. 2.0 requires SSL, generates a cert by default and supports LetsEncrypt or your own termination.