Configuring HAProxy for SSL-enabled repository access
To enable an HTTPS-only repository, the following are needed:
- The datacenter's repoURLRoot must hold a URL that starts with https://
- The datacenter agent's HAProxy configuration on the datacenter machine must be configured with the repository server's SSL certificate (the PEM file referenced by the `crt` option on the 443 bind below)
- The hostname in the SSL certificate (CN, and SAN for current clients) must match the hostname of the URL specified in repoURLRoot
Create a new /opt/agents/haproxy.cfg file:
# Process-wide settings. HAProxy chroots into /var/lib/haproxy but keeps
# running as root: user/group root means the chroot is not paired with a
# privilege drop, so a compromised worker keeps root inside the jail.
# NOTE(review): an unprivileged user/group is the usual pairing with chroot —
# confirm the container image provides one before changing it.
global
chroot /var/lib/haproxy
user root
group root
daemon
# TLS defaults for listening sockets: SSLv3 and session tickets disabled,
# only ECDHE suites offered. No minimum protocol version is set, so TLS 1.0
# and 1.1 stay negotiable unless the TLS library default forbids them;
# `ssl-min-ver TLSv1.2` (HAProxy 1.8+) would pin it explicitly.
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Same policy for connections HAProxy opens to TLS servers. No backend in
# this file uses TLS (the repo backend is plain HTTP on loopback), so these
# two lines only matter if a TLS backend is added later.
ssl-default-server-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Inherited by every frontend and backend below.
defaults
mode http
log global
retries 3
timeout connect 10s
# Client-side timeouts are long: 100m idle and 30m to receive a complete
# request. A 30-minute http-request timeout lets a slow or stalled client
# hold one of the 3000 connection slots for that long; tune it down if the
# :80/:443 listeners are reachable from untrusted networks.
timeout client 100m
timeout server 30m
timeout check 10s
timeout http-keep-alive 10s
timeout queue 10m
timeout http-request 30m
timeout tunnel 480m
maxconn 3000
# Both `httpclose` and `http-server-close` are set; they are alternative
# connection-close modes. NOTE(review): only one takes effect — check the
# HAProxy docs for precedence and keep the intended one.
option httpclose
# Append X-Forwarded-For for all clients except loopback.
option forwardfor except 127.0.0.0/8
option redispatch
option abortonclose
option httplog
option dontlognull
option http-server-close
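# Plain-HTTP listener. Routes by URL prefix to the local agents and by Host
# header to the repository; everything else goes to local Apache on :81.
frontend ft_local_apache_80
mode http
bind :80
bind 127.0.0.1:80
acl host_ws path_beg -i /api-ws
acl host_dhcpe path_beg -i /dhcpe
acl host_tftp path_beg -i /tftp8069
# Host-header match; either repo name selects the repo backend.
acl host_repo hdr_dom(Host) -i repo.poc.metalsoft.io
acl host_repo hdr_dom(Host) -i repo.bigstepcloud.com
# First matching use_backend wins, so the prefix rules take priority.
use_backend bk_local_apache_8080 if host_ws
use_backend bk_fullmetal_dhcpe_8067 if host_dhcpe
use_backend bk_fullmetal_tftpe_8069 if host_tftp
# The repository is still served in cleartext on :80, so "HTTPS-only" is not
# enforced by the proxy — it relies on repoURLRoot pointing at https://.
# To enforce it at the proxy, replace the line below with
#   http-request redirect scheme https code 301 if host_repo
# once every client of this hostname can speak TLS.
# (The original file listed this rule twice; the duplicate was a no-op.)
use_backend bk_repo_443 if host_repo
default_backend bk_local_apache_81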
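# TLS listener. Same routing as the :80 frontend, plus an HSTS header on
# every response that passes through it.
frontend ft_local_apache_443
mode http
# The PEM must hold the certificate, its chain and the private key, and its
# subject must match the hostname used in repoURLRoot. The file is read
# inside the container, so it must be mounted or shipped in the image.
bind :443 ssl crt /etc/ssl/certs/poc.metalsoft.io.pem
acl host_ws path_beg -i /api-ws
acl host_dhcpe path_beg -i /dhcpe
acl host_tftp path_beg -i /tftp8069
acl host_repo hdr_dom(Host) -i repo.poc.metalsoft.io
acl host_repo hdr_dom(Host) -i repo.bigstepcloud.com
# max-age is 5 years + 1 s. The header is added to every response on this
# listener, not only the repository's, so every hostname served here
# commits its clients to HTTPS for that period.
http-response add-header Strict-Transport-Security max-age=157680001
use_backend bk_local_apache_8080 if host_ws
use_backend bk_fullmetal_dhcpe_8067 if host_dhcpe
use_backend bk_fullmetal_tftpe_8069 if host_tftp
# (The original file listed this rule twice; the duplicate was a no-op.)
use_backend bk_repo_443 if host_repo
default_backend bk_local_apache_81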
# Agent on loopback :8067 (presumably the DHCP agent, from the name). The
# client address reaches it in two headers: X-HAPROXY-OUTSIDE-SAFE is
# written with set-header, which replaces any value the client supplied, so
# the backend can trust it; X-HAPROXY-OUTSIDE-IP is appended by forwardfor
# and a client may pre-seed that header, so prefer the SAFE one.
backend bk_fullmetal_dhcpe_8067
server localhost 127.0.0.1:8067
http-request set-header X-HAPROXY-OUTSIDE-SAFE %[src]
option forwardfor header X-HAPROXY-OUTSIDE-IP
# Agent on loopback :8069 (presumably the TFTP agent, from the name).
# Same client-address headers as the other agent backends: the SAFE header
# is overwritten by the proxy and trustworthy; the forwardfor header is
# appended and may carry a client-supplied value first.
backend bk_fullmetal_tftpe_8069
server localhost 127.0.0.1:8069
http-request set-header X-HAPROXY-OUTSIDE-SAFE %[src]
option forwardfor header X-HAPROXY-OUTSIDE-IP
# Default backend: local Apache on :81 for every request no ACL matched.
# Client address passed as in the other backends (SAFE header overwritten
# by the proxy; forwardfor header appended).
backend bk_local_apache_81
server localhost 127.0.0.1:81
http-request set-header X-HAPROXY-OUTSIDE-SAFE %[src]
option forwardfor header X-HAPROXY-OUTSIDE-IP
# Backend for the /api-ws prefix: local Apache on :8080. Client address
# passed as in the other backends (SAFE header overwritten by the proxy;
# forwardfor header appended).
backend bk_local_apache_8080
server localhost 127.0.0.1:8080
http-request set-header X-HAPROXY-OUTSIDE-SAFE %[src]
option forwardfor header X-HAPROXY-OUTSIDE-IP
# Repository backend. TLS terminates in the :443 frontend; the hop to :9080
# is plain HTTP on loopback (the server name is only a label). Unlike the
# other backends it forwards no client-address header, so the repository
# presumably logs 127.0.0.1 for every request. NOTE(review): confirm that
# is intended; the same two header lines as above would fix it.
backend bk_repo_443
server repo.poc.metalsoft.io 127.0.0.1:9080
Update the docker-compose file to map the configuration file into the container:
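haproxy:
  network_mode: host
  container_name: dc-haproxy
  # `latest` is a moving tag; pin a version or digest so the component that
  # terminates TLS does not silently change on the next pull.
  image: registry.metalsoft.dev/datacenter-agents/dc-haproxy:latest
  restart: always
  # Grants every capability and host device to the container. Binding :80
  # and :443 and chrooting, as haproxy.cfg does, work with Docker's default
  # capability set when the process runs as root. NOTE(review): confirm
  # nothing else in the image needs it before dropping privileged.
  privileged: true
  volumes:
    # HAProxy only reads its config, so mount it read-only.
    - /opt/agents/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    # The :443 bind in haproxy.cfg references this PEM inside the container;
    # it is not part of haproxy.cfg, so it must be mounted too (unless the
    # image already ships it). PLACEHOLDER host path — replace with where
    # the PEM (certificate + chain + private key) lives on the datacenter
    # machine.
    - /PATH/ON/HOST/poc.metalsoft.io.pem:/etc/ssl/certs/poc.metalsoft.io.pem:ro
  environment:
    - TZ=Etc/UTC
  hostname: dc-haproxy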