haproxy configuration for contrail webui
Integrate contrail-webui with haproxy
The haproxy configuration for contrail-webui can be demonstrated using below example,
We can have 3 servers, say node1 (1.1.1.1), node2 (2.2.2.2) and node3 (3.3.3.3). contrail-webui is installed in all the servers. Haproxy (versioned 1.5.4) is running in node1.
Below are the three configurations:
1a. Config for handling http request (Access UI By http://node1:8080)
haproxy Config(/etc/haproxy/haproxy.cfg)
frontend unsecured *:8080
timeout client 86400000
default_backend www_backend
backend www_backend
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
timeout server 30000
timeout connect 4000
server server1 1.1.1.1:19090 cookie server1 weight 1 maxconn 1024 check
server server2 2.2.2.2:19090 cookie server2 weight 1 maxconn 1024 check
server server3 3.3.3.3:19090 cookie server3 weight 1 maxconn 1024 check
Web-UI Config (/etc/contrail/config.global.js) changes
/* Is insecure access to WebUI?
* If set as false, then all http request will be redirected
* to https, if set true, then no https request will be processed, but only http
* request
*/
config.insecure_access = true;
// HTTP port for NodeJS Server.
config.http_port = '19090';
1b. Config for handling https request (Access UI by https://node1:8143)
This will translate the request to http request to all backend webui servers
haproxy Config(/etc/haproxy/haproxy.cfg) for SSL Offloading
frontend www-https
bind *:8143 ssl crt /root/<file_name>.pem
reqadd X-Forwarded-Proto:\ https
default_backend www-backend
backend www-backend
redirect scheme https if !{ ssl_fc }
balance roundrobin
cookie SERVERID insert indirect nocache
server server1 1.1.1.1:19090 cookie server1 weight 1 maxconn 1024 check
server server2 2.2.2.2:19090 cookie server2 weight 1 maxconn 1024 check
server server3 3.3.3.3:19090 cookie server3 weight 1 maxconn 1024 check
Web-UI Config (/etc/contrail/config.global.js) changes
/* Is insecure access to WebUI?
* If set as false, then all http request will be redirected
* to https, if set true, then no https request will be processed, but only http
* request
*/
config.insecure_access = true;
// HTTP port for NodeJS Server.
config.http_port = '19090';
// HTTPS port for NodeJS Server.
config.https_port = '19091';
1c. Config to redirect UI http request to https (Access by http://node1:8080)
This will redirect the request to https://node1:8143
haproxy Config(/etc/haproxy/haproxy.cfg) for redirecting http -> https
frontend www-http
bind *:8080
redirect location https://node1:8143
frontend www-https
bind *:8143 ssl crt /root/<file_name>.pem
reqadd X-Forwarded-Proto:\ https
default_backend www-backend
backend www-backend
balance roundrobin
cookie SERVERID insert indirect nocache
server server1 1.1.1.1:19090 cookie server1 weight 1 maxconn 1024 check
server server2 2.2.2.2:19090 cookie server2 weight 1 maxconn 1024 check
server server3 3.3.3.3:19090 cookie server3 weight 1 maxconn 1024 check
Web-UI Config (/etc/contrail/config.global.js) changes
/* Is insecure access to WebUI?
* If set as false, then all http request will be redirected
* to https, if set true, then no https request will be processed, but only http
* request
*/
config.insecure_access = true;
// HTTP port for NodeJS Server.
config.http_port = '19090';
// HTTPS port for NodeJS Server.
config.https_port = '19091';
With this configuration, if a UI request comes to node1 from a specific browser, then all the subsequest request will go to node1 only. If requested from different browser, then it will be served by node2 and so on with round robin fashion. This is managed by adding SERVERID cookie object.
Below are the three configurations:
2a. Config for handling http request (Access UI By http://node1:8080)
haproxy Config(/etc/haproxy/haproxy.cfg)
frontend unsecured *:8080
timeout client 86400000
default_backend www_backend
backend www_backend
mode http
balance source
hash-type consistent
server server1 1.1.1.1:19090 check
server server2 2.2.2.2:19090 check
server server3 3.3.3.3:19090 check
Web-UI Config (/etc/contrail/config.global.js) changes
/* Is insecure access to WebUI?
* If set as false, then all http request will be redirected
* to https, if set true, then no https request will be processed, but only http
* request
*/
config.insecure_access = true;
// HTTP port for NodeJS Server.
config.http_port = '19090';
2b. Config for handling https request (Access UI by https://node1:8143)
This will translate the request to http request to all backend webui servers
haproxy Config(/etc/haproxy/haproxy.cfg) for SSL Offloading
frontend www-https
bind *:8143 ssl crt /root/<file_name>.pem
reqadd X-Forwarded-Proto:\ https
default_backend www-backend
backend www-backend
redirect scheme https if !{ ssl_fc }
balance source
hash-type consistent
server server1 1.1.1.1:19090 check
server server2 2.2.2.2:19090 check
server server3 3.3.3.3:19090 check
Web-UI Config (/etc/contrail/config.global.js) changes
/* Is insecure access to WebUI?
* If set as false, then all http request will be redirected
* to https, if set true, then no https request will be processed, but only http
* request
*/
config.insecure_access = true;
// HTTP port for NodeJS Server.
config.http_port = '19090';
// HTTPS port for NodeJS Server.
config.https_port = '19091';
2c. Config to redirect UI http request to https (Access by http://node1:8080)
This will redirect the request to https://node1:8143
haproxy Config(/etc/haproxy/haproxy.cfg) for redirecting http -> https
frontend www-http
bind *:8080
redirect location https://node1:8143
frontend www-https
bind *:8143 ssl crt /root/<file_name>.pem
reqadd X-Forwarded-Proto:\ https
default_backend www-backend
backend www-backend
balance source
hash-type consistent
server server1 1.1.1.1:19090 check
server server2 2.2.2.2:19090 check
server server3 3.3.3.3:19090 check
Web-UI Config (/etc/contrail/config.global.js) changes
/* Is insecure access to WebUI?
* If set as false, then all http request will be redirected
* to https, if set true, then no https request will be processed, but only http
* request
*/
config.insecure_access = true;
// HTTP port for NodeJS Server.
config.http_port = '19090';
// HTTPS port for NodeJS Server.
config.https_port = '19091';
For SSL certificate, you can generate the pem file as specified in below: You can copy all the 3 files from contrail-web-core repo, (https://github.com/Juniper/contrail-web-core/tree/master/keys) And then do the below:
$cat certrequest.csr cs-cert.pem cs-key.pem > <file_name>.pem
Once the config is done, restart as below: (The nodes where haproxy and web-ui running):
$service supervisor-webui restart
$service haproxy restart
(The nodes where only web-ui is running):
$service supervisor-webui restart
With this configuration, if a UI request comes from host1 and web-server node1 handles the request, then next time onwards, all request coming from same source is served by the same web-server unless that web-server is down.