I’m trying to set up Rancher with SSL encryption since sending sensitive info like my Amazon credentials over http doesn’t sound like a good idea.
However I’ve run into trouble. I followed this guide https://thepracticalsysadmin.com/setup-ssl-for-rancher-server/ to set up encryption behind NGINX. It works fine over ports 443 and 80 on the host. But when I run it through ports 8080 and 8081 on the host I can’t access the rancher catalogue or the settings page to have github authentication. There are a number of other things that won’t work too. Does anyone know if this is expected behavior? I have a single node setup and will probably use my rancher-server server as a host.
If anyone knows another way to secure Rancher Server I’m not at all set on NGINX.
Thanks.
You can’t run NGINX listening on ports 8080 and 8081 as well as Rancher itself, which also listens on the same ports - on the same host. I’m amazed anything works. What’s wrong with 443? Either way, I’d suggest you pick some unique ports.
I use HAProxy for the same purpose (as well as exposing the cAdvisor statistics interface), it works pretty well, using 443.
You’ll find examples for HAProxy and Apache here: http://docs.rancher.com/rancher/v1.2/en/installing-rancher/installing-server/basic-ssl-config/
Thanks. I’ve read that page. What I mean is running nginx as a proxy on ports 8080 and 8081 and then passing the request on to Rancher. When I run the configuration with nginx on 80 and 443 everything works fine and I have Rancher access behind SSL. But when I run it over 8080 and 8081 I have Rancher access behind SSL but a number of Rancher’s features don’t work. By “don’t work” I mean that the pages will throw an error rather than load. I can’t even access the settings page to set up github authentication. I was setting Rancher up this way to experiment with it. I wanted to run other services on ports 80 and 443. But as of right now I’m considering going with Docker Swarm as Rancher is overkill for my projects.
Fair enough, but I’ll state again, you can’t run NGINX and Rancher on the same host if they are both listening on port 8080 (on the host network stack). It seems 8081 isn’t exposed externally so that is OK. Again, I’m amazed NGINX even starts.
I could be misunderstanding the docs but the link you posted, and the one I was using for reference, shows passing to upstream rancher-server:8080 in the nginx configuration. It’s my understanding that this takes place in the docker network, so rancher-server is not listening on the host port 8080. It’s just exposing 8080 in the rancher-server container and docker is helping nginx pass requests on to it through the rancher network. It sounds like you’re agreeing with what I’ve written thus far, but adding that rancher-server additionally needs to listen on port 8080 on the host as well? That part I don’t understand because I ran the nginx configuration from the docs on ports 80 and 443 passing to upstream rancher-server:8080 and everything worked fine even without exposing rancher-server to listen on host 8080. Can you further explain what you’re referring to?
Perhaps I’ve misunderstood. Have you not mapped port 8080 on the host to the container when starting Rancher server (in other words, not used -p 8080:8080)?
I’ve clarified my prior post for the sake of others.
Hello,
No, I didn’t use -p 8080:8080. I used nginx to forward the request to rancher-server:8080.
Ah, I see, sorry for all the confusion. I’m not too familiar with NGINX but don’t have any issues using HAProxy although I remember having some initially. I think (but my memory is sketchy) adding an HSTS header helped. Try adding this to your config:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
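An added example (not posted by anyone in this thread) of the layout the thread describes, with the HSTS header from the last reply: nginx terminates TLS on host port 8081, host port 8080 carries plain HTTP that only redirects, and Rancher is reached as rancher-server:8080 over the Docker network with no host port bound by Rancher itself. Which of 8080/8081 is the TLS side, the hostname and the certificate paths are assumptions.

```nginx
# Assumed: nginx runs in a container on the same Docker network as the
# rancher-server container and is started with -p 8080:8080 -p 8081:8081.
upstream rancher {
    # Container port on the Docker network; Rancher binds nothing on the host
    server rancher-server:8080;
}

server {
    # Plain HTTP on host port 8080: redirect only, never proxy to Rancher here
    listen 8080;
    server_name rancher.example.com;   # assumed hostname
    return 301 https://$host:8081$request_uri;
}

server {
    listen 8081 ssl;
    server_name rancher.example.com;   # assumed hostname

    ssl_certificate     /etc/nginx/ssl/rancher.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/ssl/rancher.key;

    # Header suggested in the last reply; see the note below about ports
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        proxy_pass http://rancher;
        # Tell Rancher the scheme, host and port the browser actually used,
        # so the URLs it generates point back at https://host:8081
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The Rancher UI opens WebSocket connections; forward the Upgrade
        # handshake or those parts of the UI fail behind the proxy
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 900s;
    }
}
```

One caveat with HSTS on non-standard ports: the policy is keyed on the hostname, and a browser that has seen it rewrites http://rancher.example.com:8080/ to https://rancher.example.com:8080/ (the port is preserved, only 80 becomes 443), so the plain-HTTP redirect listener on 8080 stops working for that browser until max-age expires. Either have users go straight to the 8081 URL or serve TLS on both ports.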