Looking at the openshift router definition, I can see it implements what I want:
  2. If termination is type 'edge': This is https -> http. Create a
     be_edge_http:<service> backend.
     Incoming https traffic is terminated and sent as http to the pods.
  3. If termination is type 'reencrypt': This is https -> https. Create a
     be_secure:<service> backend.
     Incoming https traffic is terminated and then sent as https to the pods.
BUT wow! Is this implementation complicated!
-----Original Message-----
From: Aleksandar Lazic <[email protected]>
Sent: Thursday, August 23, 2018 3:25 PM
To: [email protected]; Norman Branitsky <[email protected]>;
haproxy <[email protected]>
Subject: Re: Docker Swarm configuration
Hi.
How about using the following setup?

frontend tcp
  mode tcp
  bind 443
  use_backend default

backend default
  mode http
  bind 444
  ...
You can take a look into the openshift router for a more detailed solution.
https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L183
Regards
Aleks
-------- Original Message --------
From: Norman Branitsky <[email protected]>
Sent: 23 August 2018 20:56:31 CEST
To: haproxy <[email protected]>
Subject: Docker Swarm configuration
My plan was to by default terminate SSL and send http traffic to the worker
servers on port 88 while traffic with a "ucp.mydomain.com" header would be
passed thru as https to the UCP management servers on port 8443.
Docker Enterprise Manager nodes insist on seeing incoming commands as https and
require an SSL certificate and key to configure correctly.
Problem is, the only way I know to pass thru https traffic without terminating
the SSL is to use mode tcp.
But mode tcp can only listen on specific ports - it can't see http headers to
detect the "ucp" hostname, so how do I select the correct backend?
I could make the ucp frontend listen on a different port e.g. 444 and direct to
8443 but that seems klutzy.
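
Added example (not part of the thread, and not the OpenShift router's own configuration): one way to build the single-port setup discussed above. A tcp-mode frontend reads the SNI name from the TLS ClientHello, so ucp.mydomain.com can be passed through encrypted to port 8443 while all other traffic loops to a local terminating frontend on 444 and goes out as http on port 88. The section names, server addresses, certificate path and timeouts are assumptions; the hostname and ports are the ones from the thread.

```haproxy
# Added example: SNI-based split on one public port.
# Server addresses (192.0.2.x) and the certificate path are placeholders.

defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend fe_tls_in
    mode tcp
    bind :443
    # Hold the connection until the TLS ClientHello has arrived, so the
    # SNI field can be inspected without terminating TLS.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Management hostname: forward the TLS stream untouched.
    use_backend be_ucp_passthrough if { req.ssl_sni -i ucp.mydomain.com }
    # Everything else: hand over to the local terminating frontend.
    default_backend be_to_terminator

backend be_ucp_passthrough
    mode tcp
    server ucp1 192.0.2.11:8443 check

backend be_to_terminator
    mode tcp
    # PROXY protocol carries the real client address across the loopback hop.
    server local_tls 127.0.0.1:444 send-proxy-v2

frontend fe_terminate
    mode http
    # Loopback only: accept-proxy trusts the PROXY header it receives.
    bind 127.0.0.1:444 ssl crt /etc/haproxy/certs/site.pem accept-proxy
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend be_workers

backend be_workers
    mode http
    server worker1 192.0.2.21:88 check
```

The SNI value is chosen by the client and is not authenticated, so it is only a routing hint; the UCP managers still do their own TLS handshake and certificate checks on the passed-through stream. Keeping port 444 bound to 127.0.0.1 prevents outside clients from reaching the terminating frontend directly and supplying a forged PROXY header.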