-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #514 from caiyixiang/haproxy_multi_tls
add example for haproxy multi tsl
- Loading branch information
Showing
4 changed files
with
100 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # HAProxy Multi TLS certificate termination | ||
|
|
||
| This examples uses 2 different certificates to terminate SSL for 2 hostnames. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| This document has the following prerequisites: | ||
|
|
||
| * Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret | ||
| * Create [*two* secrets](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` with subject `'/CN=foo.bar'` and `barfoo-ssl` with subject `'/CN=bar.foo'` | ||
|
|
||
| As mentioned in the deployment instructions, you MUST turn down any existing | ||
| ingress controllers before running HAProxy Ingress. | ||
|
|
||
| ## Using a new TLS certificate | ||
|
|
||
| Update ingress resource in order to add TLS termination to two hosts: | ||
|
|
||
| ```console | ||
| $ kubectl replace -f ingress-multi-tls.yaml | ||
| ``` | ||
|
|
||
| Trying without host: | ||
|
|
||
| ```console | ||
| $ curl -iL 10.129.51.55:30221 | ||
| HTTP/1.1 404 Not Found | ||
| Date: Tue, 28 Mar 2017 07:32:34 GMT | ||
| Content-Length: 21 | ||
| Content-Type: text/plain; charset=utf-8 | ||
|
|
||
| default backend - 404 | ||
| ``` | ||
|
|
||
| Telling the controller we are `foo.bar` or `bar.foo`: | ||
|
|
||
| ```console | ||
| $ curl -iL 10.129.51.55:36462 -H 'Host: foo.bar' | ||
| HTTP/1.1 302 Found | ||
| Cache-Control: no-cache | ||
| Content-length: 0 | ||
| Location: https://foo.bar/ | ||
| Connection: close | ||
| $ curl -iL 10.129.51.55:36462 -H 'Host: bar.foo' | ||
| HTTP/1.1 302 Found | ||
| Cache-Control: no-cache | ||
| Content-length: 0 | ||
| Location: https://bar.foo/ | ||
| Connection: close | ||
| ^C | ||
| ``` | ||
|
|
||
| Note the `Location` header - this would redirect us to the correct server. | ||
|
|
||
| Checking the certificate - change below `31578` to the TLS port: | ||
|
|
||
| ```console | ||
| $ openssl s_client -connect 10.129.51.55:31578 -servername foo.bar | ||
| ... | ||
| subject=/CN=foo.bar | ||
| issuer=/CN=foo.bar | ||
| --- | ||
| ``` | ||
|
|
||
| ... and `bar.foo` certificate: | ||
|
|
||
| ```console | ||
| $ openssl s_client -connect 10.129.51.55:31578 -servername bar.foo | ||
| ... | ||
| subject=/CN=bar.foo | ||
| issuer=/CN=bar.foo | ||
| --- | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| apiVersion: extensions/v1beta1 | ||
| kind: Ingress | ||
| metadata: | ||
| name: app | ||
| spec: | ||
| tls: | ||
| - hosts: | ||
| - foo.bar | ||
| secretName: foobar-ssl | ||
| - hosts: | ||
| - bar.foo | ||
| secretName: barfoo-ssl | ||
| rules: | ||
| - host: foo.bar | ||
| http: | ||
| paths: | ||
| - path: / | ||
| backend: | ||
| serviceName: back-svc1 | ||
| servicePort: 8080 | ||
| - host: bar.foo | ||
| http: | ||
| paths: | ||
| - path: / | ||
| backend: | ||
| serviceName: back-svc2 | ||
| servicePort: 8080 |
File renamed without changes.
File renamed without changes.