Re: HAProxy in front of Docker Enterprise problem
> On 12 Feb 2019, at 21:21, Norman Branitsky wrote:
>
> Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend
> for the Manager nodes?

You can bind on another port, you can also bind on another IP address (change *:443 to some.ip.addr:443).

But if you want or you need to share the same IP and port, a possible configuration is to create a tcp mode frontend which inspects the sni extension and makes a triage: manager hostname? Use a tcp mode backend and the manager nodes as servers - no data would be changed. This blog post[1] is of some help.

In the triage, if the request isn't to a manager node, use another tcp backend whose only server is a unix socket. Use also send-proxy-v2 in the server declaration. Create another http mode frontend, binding that unix socket and the accept-proxy keyword, to do the ssl offload of your worker nodes.

hth.

[1] https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
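The SNI triage layout described in the reply above, written out as a complete HAProxy 1.7 configuration. This is an added example, not a configuration posted in the thread or shipped by Docker Enterprise; the manager hostname `ucp.example.com`, the second manager address, the worker addresses and the unix socket path are assumptions made for illustration, and only the first manager address and the certificate path come from the original post.

```haproxy
# Added example (not from the thread). One listener on :443 that passes
# manager traffic through with its TLS untouched and terminates TLS for
# worker traffic. Hostnames, extra addresses and socket path are assumptions.

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. TCP-mode frontend on the shared IP:port. It never decrypts anything;
#    it only parses the ClientHello to read the SNI and pick a backend.
frontend fe_tls_triage
    mode tcp
    bind *:443
    # Buffer up to 5s of client data so the whole ClientHello is available
    # before routing. req.ssl_hello_type 1 == a TLS ClientHello was seen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Manager nodes present their own certificate, so pass TLS through.
    # (assumed hostname; match exactly what clients put in SNI)
    use_backend be_manager_passthrough if { req.ssl_sni -i ucp.example.com }
    # Everything else (including clients that sent no SNI at all) is handed
    # to the local TLS-offload frontend over a unix socket.
    default_backend be_to_offload

# 2. TCP-mode backend: raw TLS bytes are forwarded to the manager nodes,
#    so the client sees the manager's certificate, not HAProxy's.
backend be_manager_passthrough
    mode tcp
    balance source            # keep one client on one manager
    server mgr1 10.240.12.248:443 check
    server mgr2 10.240.12.249:443 check   # assumed second manager

# 3. Hand-off backend whose only server is the unix socket of the offload
#    frontend. send-proxy-v2 prepends a PROXY protocol v2 header so the
#    real client address survives the hop across the socket.
backend be_to_offload
    mode tcp
    server offload unix@/var/run/haproxy-offload.sock send-proxy-v2

# 4. HTTP-mode frontend bound on that unix socket. accept-proxy consumes the
#    PROXY header; ssl crt terminates TLS with HAProxy's own certificate.
#    Worker traffic then continues as plain HTTP.
frontend fe_worker_offload
    mode http
    bind unix@/var/run/haproxy-offload.sock accept-proxy ssl crt /etc/CONFIG/haproxy-1.7/certs/cert.pem
    default_backend be_workers

backend be_workers
    mode http
    server worker1 10.240.12.10:80 check   # assumed worker addresses
    server worker2 10.240.12.11:80 check
```

Two things to check after applying something like this: `req.ssl_sni` only matches when the client actually sends SNI (the docker CLI and modern browsers do; some scripted clients do not), and any request without SNI lands in the offload path and gets HAProxy's certificate, which is the failure mode from the original post. Also, the unix socket is created by the haproxy process, so the process user needs write access to its directory; `haproxy -c -f <file>` validates the configuration without starting it.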
Re: HAProxy in front of Docker Enterprise problem
Hi.

On 13.02.2019 at 00:21, Norman Branitsky wrote:

> I have an HAProxy 1.7 server sitting in front of a number of Docker Enterprise
> Manager nodes and Worker nodes.
>
> The Worker nodes don't appear to have any problem with HAProxy terminating the
> SSL and connecting to them via HTTP.
>
> The Manager nodes are the problem.
>
> They insist on installing their own certificates (either self-signed or CA
> signed).
>
> They will only listen to HTTPS traffic.
>
> So my generic frontend_main-ssl says:
>
> bind :443 ssl crt /etc/CONFIG/haproxy-1.7/certs/cert.pem
>
> The backend has the following server statement:
>
> server xxx 10.240.12.248:443 ssl verify none
>
> But apparently this doesn't work - the client gets the SSL certificate
> provided by the HAProxy server instead of the certificate provided by the
> Manager node. This causes the Manager node to barf.

Have you added the manager certificates to the cert.pem?

> Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend
> for the Manager nodes?

It's one possibility. This way makes the setup easier and I don't think that you want to intercept some http layer stuff for the docker registry.

> Norman Branitsky

Regards
aleks
HAProxy in front of Docker Enterprise problem
I have an HAProxy 1.7 server sitting in front of a number of Docker Enterprise Manager nodes and Worker nodes.

The Worker nodes don't appear to have any problem with HAProxy terminating the SSL and connecting to them via HTTP.

The Manager nodes are the problem. They insist on installing their own certificates (either self-signed or CA signed). They will only listen to HTTPS traffic.

So my generic frontend_main-ssl says:

bind :443 ssl crt /etc/CONFIG/haproxy-1.7/certs/cert.pem

The backend has the following server statement:

server xxx 10.240.12.248:443 ssl verify none

But apparently this doesn't work - the client gets the SSL certificate provided by the HAProxy server instead of the certificate provided by the Manager node. This causes the Manager node to barf.

Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend for the Manager nodes?

Norman Branitsky