[Nginx] How to enable SSL for a service which is already running on a port? - proxy

I have CouchDB 1.2 running on port 5984 by default, and I've enabled the bind address 0.0.0.0 so that I can access the couch from the outside world. At the same time I've enabled the "required user" setting to true (which by default enables basic auth for couchdb). I can access the couch from outside, and I'm mainly using this for replication.
I have nginx in front of my application, so all the requests coming to http://example.com are redirected to https://example.com, and the requests are served by my Passenger server which runs my Rails application.
As I've enabled the couch to the outside world, currently I can access my couchdb either by http://ip_address:5984 or http://example.com:5984 (observe that it's not https).
I want to enable https for the requests which are served by couchdb. A couple of solutions which I've thought of, and which will not be useful for me, are:
1. Add a proxy to couchdb through a location, e.g. all requests to https://example.com/couchdb/ can be proxy passed to http://127.0.0.1:5984 (or)
2. Add a proxy by listen port, e.g. listen on a different port, say "https://example.com:5985", and proxy pass the requests to http://127.0.0.1:5984.
3. I can't listen on 5984 and proxy pass it to http://...:5984 as the port is already being used by couchdb.
Is there a way I can tell nginx to proxy pass all the requests to port 5984 through https?
i.e. any requests to http://example.com:5984 should be redirected to https://example.com:5984

I guess the simple answer to my question would be that it's not possible to proxy pass requests from http://example.com:5984 to https://example.com:5984. To solve this problem I've enabled default https for couch, so I can access my couch only through https://example.com:5984. SSL for couch has been implemented since CouchDB 1.1.
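The asker set aside a separate listen port, but it is the arrangement that keeps the basic-auth credentials used for replication off the wire: nginx terminates TLS on its own port and forwards to a CouchDB that listens on loopback only. This is an added example, not configuration from the thread; the certificate paths are placeholders and the host name is the asker's example.com.

```nginx
# Added example; certificate paths are placeholders.
# Prerequisite in CouchDB's local.ini, so that 5984 is no longer reachable
# from outside in plaintext (nginx becomes the only external entry point):
#   [httpd]
#   bind_address = 127.0.0.1
server {
    listen 6984 ssl;            # 6984 is CouchDB's own conventional HTTPS port
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:5984;
        # Keep the client's Host (with port) and tell CouchDB the public scheme,
        # so URLs it generates in responses point back through the proxy.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Replication pushes large documents and attachments: no body cap.
        client_max_body_size 0;
        # Continuous _changes feeds stay open for a long time.
        proxy_buffering off;
        proxy_read_timeout 1h;
    }
}
```

Once CouchDB is bound to 127.0.0.1, the plaintext port simply stops answering from outside, so there is nothing left on 5984 to redirect; replication peers are pointed at https://example.com:6984 instead.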

Related

Is it possible to access Grafana and Prometheus through reverse proxy using Nginx on same server

Is it possible to configure a reverse proxy using nginx for Grafana and Prometheus on the same server? I have configured Prometheus access through https (listening on port 443 and directing output to port 9090). This works fine, but configuring Grafana, which is on the same server, to be accessed through https has been impossible. I tried listening on port 80 and directing its output to port 3000, but it always defaults to the http port. I also tried another port for listening but it never worked.
Has anyone done this before? Please share your valuable experience. Thanks.
Maybe this docker compose can be helpful: https://github.com/vegasbrianc/prometheus/blob/master/README.md
The suggestion is to move the SSL termination to any web server (NGinx, Traefik, HAProxy) and forward the request in plain text to the underlying services (prometheus and grafana). Here are some examples: HAProxy exposes prometheus and Traefik
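The answer's suggestion carried through for the asker's layout (Prometheus on 9090, Grafana on 3000, same host), as an added example that is not from the thread: nginx terminates TLS on 443, sends port 80 to https, and forwards to both services in plain HTTP on loopback under sub-paths. The host name and certificate paths are placeholders; the Prometheus flag and Grafana settings quoted in the comments are what each tool needs to know its public sub-path.

```nginx
# Added example; host name and certificate paths are placeholders.
# Needed in the http context for the Grafana websocket location below.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name monitoring.example.com;
    return 301 https://$host$request_uri;   # no plaintext access to either UI
}

server {
    listen 443 ssl;
    server_name monitoring.example.com;

    ssl_certificate     /etc/ssl/certs/monitoring.example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/monitoring.example.com.key;          # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Prometheus on loopback :9090, started with
    #   --web.external-url=https://monitoring.example.com/prometheus/
    # so it serves under /prometheus/ and the links it generates carry the https URL.
    location /prometheus/ {
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Grafana on loopback :3000, with grafana.ini [server] set to
    #   root_url = https://monitoring.example.com/grafana/
    #   serve_from_sub_path = true
    # Grafana builds absolute URLs (login redirects, OAuth callbacks) from
    # root_url, whose default is http://localhost:3000/; leaving it unset is
    # the usual cause of the "always defaults to http" symptom in the question.
    location /grafana/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;                        # Grafana Live websocket
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```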

Ha Proxy with 3 springboot applications

I have 3 Spring Boot applications, each running on a different port. Can someone guide me on how to set up HAProxy to demonstrate load balancing between the 3 applications (I can make multiple instances)? Is there any feature in Spring Boot which integrates HAProxy? What are the things that I have to change in the config file of HAProxy?
Actually, there are several ways one can achieve this. But I don't think there is anything in Spring Boot to integrate with HAProxy, because the two are different processes that work independently, with nothing linking them to each other, as you might know from what Spring Boot does. HAProxy is a load balancer, and also a proxy server for TCP and HTTP processes that are distributed across multiple servers.
That explains the first part of your question.
Now, how you can actually achieve this is entirely based on how you want to set it up.
Run the individual applications as services like you did, and route traffic to each of them based on URL.
Another is deploying the individual applications on a single Tomcat and, with the help of the context path in your application properties, routing traffic from the outside world to Tomcat while Tomcat takes care of everything.
And there might be other ways to do this; someone can add to this answer in the future. But either way you need to use a proxy server to do this; it could be HAProxy, Nginx, or anything that fits the purpose.
So, taking your approach, let's assume you are running your applications on ports 8081, 8082 and 8083. Your HAProxy settings should look something like this.
frontend www_http
    mode http
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/mycompany.pem
    # client-side timeout is a frontend/defaults setting; in a backend section it is ignored
    timeout client 300000
    # passing on that the browser is using https
    reqadd X-Forwarded-Proto:\ https
    # for Clickjacking
    rspadd X-Frame-Options:\ SAMEORIGIN
    # prevent browser from using non-secure
    rspadd Strict-Transport-Security:\ max-age=15768000
    redirect scheme https code 301 if !{ ssl_fc }
    # the stats page is served on every host this frontend answers for; add "stats auth" if it must not be public
    stats enable
    stats refresh 30s
    stats show-node
    stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    acl app1 hdr(host) -i app1.mycompany.com
    acl app2 hdr(host) -i app2.mycompany.com
    acl app3 hdr(host) -i app3.mycompany.com
    # Just in case you are using a path instead of a subdomain. But it's commented.
    # acl app1 url_beg /app1
    # acl app2 url_beg /app2
    # acl app3 url_beg /app3
    use_backend app_1_backend if app1
    use_backend app_2_backend if app2
    use_backend app_3_backend if app3

# backend for app 1
backend app_1_backend
    mode http    # must match the frontend's mode, or haproxy refuses the config
    timeout server 300000
    redirect scheme https if !{ ssl_fc }
    server app-1 127.0.0.1:8081 check
    http-response set-header X-TS-Server-ID %s

# backend for app 2
backend app_2_backend
    mode http
    timeout server 300000
    redirect scheme https if !{ ssl_fc }
    server app-2 127.0.0.1:8082 check
    http-response set-header X-TS-Server-ID %s

# backend for app 3
backend app_3_backend
    mode http
    timeout server 300000
    redirect scheme https if !{ ssl_fc }
    server app-3 127.0.0.1:8083 check
    http-response set-header X-TS-Server-ID %s
This is some basic setup, but you can add your options and change everything as you like.
Hope this helps.

Changing web to https

I am trying to change my site to https (port 443). Everything works correctly except for one thing: on my site I'm using a service called Yawcam which allows streaming a webcam (I'm using port 8081 for that).
It works when I use port 80 for my Apache server (http://myip:8081), but when using port 443 it doesn't respond (https://myip:8081).
All ports mentioned are opened to Public (80,443,8081) through my Windows Server firewall.
I'm out of ideas, do you have any?
This has nothing to do with your firewall; it is because you are using mixed content.
Chances are you are using http:// for the external service, and this will be blocked by browsers, as they do not like it when you try to load a less secure resource than the loaded page.
Try changing your external content URLs to https:// if possible.
You can see here for a little more info on what you could try: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content

Modify cloudera manager port 7180 to 80

The server my boss provided can be accessed on port 80.
How can I configure the Web UI port 7180 to 80?
Modifying server_port in /etc/cloudera-scm-agent/config.ini doesn't work.
I can't access the UI, so the following does not work:
Cloudera Server Ports
I need to configure it in config files.
I strongly believe that you should NOT change this port. It's possible in general, but you may run into issues like the ones in your case.
I suggest you use a reverse proxy server such as Nginx or Apache. It's much safer and maybe even faster.
As a result you get the following proxying chain, which is fully transparent to clients:
1. Client (your boss) connects to the server via port 80
2. Nginx (or Apache) is listening on port 80
3. Nginx sends the HTTP requests to Cloudera on port 7180
4. Nginx returns the request result to the client (your boss)

HAproxy with multiple https sites

We have a couple of http sites running behind a load balancer (with failover capability using heartbeat) and one https site. Everything is running fine, but now I want to
add another https site. I couldn't find any references for hosting multiple https sites.
Has anyone hosted multiple https sites using HAProxy? Can you please tell me how I can achieve this? Please help me with your inputs.
Thanks,
Santhosh
You have to write rules to pick the backend either based on the frontend (IP address), Host header or TLS SNI ("Server Name Indicator"). What's best depends on your application really. If you need support for clients that don't support SNI (really old); then they won't get real TLS and you have to pick the backend based on the Host header.
Since I wrote the answer below, haproxy has added ssl as a new feature. I use it on https://manage.ntppool.org/ and it's working nicely. You need the latest 1.5 development release (or 1.6 if that's out by the time you read this).
In HAProxy 1.8 http/2 is supported, too.
In 2012 the answer was:
HAProxy itself doesn't support SSL; you have to run an "SSL unwrapper" in front. Popular options are stunnel and stud. For HTTP you can also use Apache or Nginx.
You can launch any number of HTTPS-enabled websites using HAProxy. You have to do SSL offloading at the HAProxy box, and HAProxy will redirect requests to your server (site box) via HTTP. You can distinguish between requests coming for your 2 different https websites by parsing the URI after SSL offloading at HAProxy.
See the HAProxy docs for more details; see the hdr_dom and acl sections, this will solve your problem.
Just for reference, you can get it with:
defaults
    mode http    # without this the sections default to tcp mode and the http-only directives below are rejected

frontend http
    bind :80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https
    bind :443 ssl crt /etc/haproxy/ssl
    reqadd X-Forwarded-Proto:\ https
    option http-server-close
    option forwardfor
    # the certificate is chosen by TLS SNI from the directory above; the backend is chosen by the Host header
    # ACL for example1.com
    acl ACL_example1.com hdr(host) -i example1.com
    use_backend backend1 if ACL_example1.com
    # ACL for example2.com
    acl ACL_example2.com hdr(host) -i example2.com
    use_backend backend2 if ACL_example2.com

backend backend1
    balance roundrobin
    server server1 192.168.1.10:80 check
    server server2 192.168.1.20:80 check

backend backend2
    balance roundrobin
    server server3 192.168.1.30:80 check
    server server4 192.168.1.40:80 check
In /etc/haproxy/ssl you must have the certificates in .pem format, each file containing both the crt and the key:
example1.com.pem
example2.com.pem
And use HAProxy version 1.5 or above.
