Configuring HAProxy in Front of Admin Router

Using the HAProxy to set up an HTTP proxy for the DC/OS Admin Router

You can use HAProxy to set up an HTTP proxy in front of the DC/OS Admin Router. This was previously useful to allow Admin Router to present a custom server certificate to user agents connecting to the cluster via HTTPS. From DC/OS 2.1 this can be achieved more directly using custom external certificates.

The HTTP Proxy must perform on-the-fly HTTP request and response header modification, because DC/OS is not aware of the custom hostname and port that is being used by user agents to address the HTTP proxy.

The following instructions provide a tested HAProxy configuration example that handles the named request/response rewriting. This example ensures that the communication between HAProxy and DC/OS Admin Router is TLS-encrypted.

  1. Install HAProxy 1.6.9.

  2. Create an HAProxy configuration for DC/OS. This example is for a DC/OS cluster on AWS. For more information on HAProxy configuration parameters, see the documentation.

    You can find your task IP by using the agent IP address DNS entry.

    1. <taskname>.<framework_name>.agentip.dcos.thisdcos.directory

    Where:

    • taskname: The name of the task.
    • framework_name: The name of the framework, if you are unsure, it is likely marathon.
    1. global
    2. daemon
    3. log 127.0.0.1 local0
    4. log 127.0.0.1 local1 notice
    5. maxconn 20000
    6. pidfile /var/run/haproxy.pid
    7. defaults
    8. log global
    9. option dontlog-normal
    10. mode http
    11. retries 3
    12. maxconn 20000
    13. timeout connect 5000
    14. timeout client 50000
    15. timeout server 50000
    16. frontend http
    17. # Bind on port 9090. HAProxy will listen on port 9090 on each
    18. # available network for new HTTP connections.
    19. bind 0.0.0.0:9090
    20. # Specify your own server certificate chain and associated private key.
    21. # See https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt
    22. # bind *:9091 ssl crt /path/to/browser-trusted.crt
    23. #
    24. # Name of backend configuration for DC/OS.
    25. default_backend dcos
    26. # Store request Host header temporarily in transaction scope
    27. # so that its value is accessible during response processing.
    28. # Note: RFC 7230 requires clients to send the Host header and
    29. # specifies it to contain both, host and port information.
    30. http-request set-var(txn.request_host_header) req.hdr(Host)
    31. # Overwrite Host header to 'dcoshost'. This makes the Location
    32. # header in DC/OS Admin Router upstream responses contain a
    33. # predictable hostname (NGINX uses this header value when
    34. # constructing absolute redirect URLs). That value is used
    35. # in the response Location header rewrite logic (see regular
    36. # expression-based rewrite in the backend section below).
    37. http-request set-header Host dcoshost
    38. backend dcos
    39. # Option 1: use TLS-encrypted communication with DC/OS Admin Router and
    40. # perform server certificate verification (including hostname verification).
    41. # If you are using the community-supported version of DC/OS, you must
    42. # configure Admin Router with a custom TLS server certificate, see
    43. # /mesosphere/dcos/2.1/administering-clusters/. This step
    44. # is not required for DC/OS Enterprise.
    45. #
    46. # Explanation for the parameters in the following `server` definition line:
    47. #
    48. # 1.2.3.4:443
    49. #
    50. # IP address and port that HAProxy uses to connect to DC/OS Admin
    51. # Router. This needs to be adjusted to your setup.
    52. #
    53. #
    54. # ssl verify required
    55. #
    56. # Instruct HAProxy to use TLS, and to error out if server certificate
    57. # verification fails.
    58. #
    59. # ca-file dcos-ca.crt
    60. #
    61. # The local file `dcos-ca.crt` is expected to contain the CA certificate
    62. # that Admin Router's certificate will be verified against. It must be
    63. # retrieved out-of-band (on Mesosphere DC/OS Enterprise this can be
    64. # obtained via https://dcoshost/ca/dcos-ca.crt)
    65. #
    66. # verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
    67. #
    68. # When verifying the TLS certificate presented by DC/OS Admin Router,
    69. # perform hostname verification using the hostname specified here
    70. # (expect the server certificate to contain a DNSName SAN that is
    71. # equivalent to the hostname defined here). The hostname shown here is
    72. # just an example and needs to be adjusted to your setup.
    73. server dcos-1 1.2.3.4:443 ssl verify required ca-file dcos-ca.crt verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
    74. # Option 2: use TLS-encrypted communication with DC/OS Admin Router, but do
    75. # not perform server certificate verification (warning: this is insecure, and
    76. # we hope that you know what you are doing).
    77. # server dcos-1 1.2.3.4:443 ssl verify none
    78. #
    79. # Rewrite response Location header if it contains an absolute URL
    80. # pointing to the 'dcoshost' host: replace 'dcoshost' with original
    81. # request Host header (containing hostname and port).
    82. http-response replace-header Location https?://dcoshost((/.*)?) "http://%[var(txn.request_host_header)]\1"
  3. Start HAProxy with these settings.