TLS

Deactivation of non-TLS routes in Openshift v3

Frédéric Giloux , ,

Introduction

OpenShift v3 comes with HAProxy as router per default. The router is used to expose services delivered by applications running inside OpenShift to the external world. With the current version of OpenShift 3.1 two port HTTP and TLS/SNI are configured on the router.
I have recently provided consulting on OpenShift for a customer, who was willing to disable the HTTP port on the router. When a route is created it is possible to define whether it is secured (encrypted) and what to do with the non-encrypted port (block, redirect or keep). The customer was however willing to take the option away from the route designer and enforce the company policy (external communication has to be encrypted) at the router level.
There may be more than a way of doing that. I would like here just to show how the HAProxy can be customized to fulfil this request by enforcing the redirection of unsecured connections to the TLS port. This approach may be used for other HAProxy customizations.

Customization

The default or current configuration of the HAProxy can be saved in an haproxynew folder with the following command

# docker run –rm –interactive=true –tty –entrypoint=cat
registry.access.redhat.com/openshift3/ose-haproxy-router:v3.1.1.6 haproxy-
config.template > haproxynew/haproxy-config.template

 

In the HAProxy configuration there is a section dedicated to the processing of unsecured requests:

# check if we need to redirect/force using https.
acl secure_redirect base,map_beg(/var/lib/haproxy/conf/os_edge_http_redirect.map) -m
found
redirect scheme https if secure_redirect

 

This section can be replaced as follows:

# force redirect/force using https.
redirect scheme https

 

A Dockerfile needs to be created so that an image can be generated with the new configuration

FROM openshift/origin-haproxy-router
ADD haproxynew/haproxy-config.template /var/lib/haproxy/conf/
ENV TEMPLATE_FILE=/var/lib/haproxy/conf/haproxy-config.template \RELOAD_SCRIPT=/var/lib/haproxy/reload-haproxy
ENTRYPOINT [“/usr/bin/openshift-router”]

 

The image can then get built locally

# docker build -t sandbox/haproxynew haproxynew

 

Finally the image can get tagged and pushed into the OpenShift registry or copied on the pods running the router. The new router can now get deployed.

# sudo oadm router router –replicas=1 –credentials=’/etc/origin/master/openshift
-router.kubeconfig’ –selector=’region=infra’ –service-account=router –default
-cert=apps-sandbox-com.pem –images=’sandbox/haproxynew’

 
We have now the following scenarios with the new router configuration:

  • The route has been created without tls: 503 service unavailable gets returned
  • The route has been created with http and tls: the insecureEdgeTerminationPolicy is ignored and the http connection gets always redirected to https.

That’s it!