
Udacity secure elb #468

Closed
wants to merge 5 commits into from

Conversation

pmbauer
Contributor

@pmbauer pmbauer commented Sep 1, 2015

This secures the AWS load balancer, only allowing TLS traffic, terminating at the load balancers.
Only 'public'-tagged services in consul will be exported; that means marathon, mesos etc. aren't exposed to the world.
We are using udacity's version of haproxy-consul because we need to use v0.10.0 of consul-template
https://github.com/udacity/haproxy-consul

- we were overriding this with an `APOLLO_haproxy_image` env var, but
  let's make it explicit.  The new filtering haproxy.tmpl from
  968f12f is only compatible with
  consul-template v0.9.0 or greater.
- asteris/haproxy-consul uses consul-template v0.8.0 and there are
  reports that v0.9.0 is unstable.
- udacity/haproxy-consul uses v0.10.0

udacity's haproxy-consul uses consul-template v0.10.0 with bug fixes and
iteration primitives to support the haproxy config we put in place to
filter out non-public services

see: 968f12f
     1580c60

- haproxy, as the public-facing gatekeeper, should only front for public
  services.  Services like marathon and mesos are internal and should
  not be proxied

- filter on consul "public" tag

- add explicit backend for consul since ELB healthchecks hit it via the
  haproxy_status frontend

- configure SSL termination at load balancers
- add redirect directive based on X-Forwarded-Proto (set by AWS ELB)
  basing the redirect on ssl_fc will result in a looping redirect since
  AWS ELB is terminating our SSL and haproxy only ever sees http traffic

- reopen port 80 on the load balancer now that we have a safe redirect
  at the haproxy layer
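The redirect described in the PR above, as an added illustration rather than this PR's own haproxy.cfg or template. It assumes the ELB has a TLS listener on 443 and a plain listener on 80 that both forward to haproxy on instance port 80; the frontend/backend names and server addresses are placeholders.

```haproxy
# Added illustration, not this PR's haproxy.cfg. Assumed layout: the AWS ELB
# terminates TLS on 443 and also listens on 80, forwarding both to haproxy on
# instance port 80, so haproxy itself never sees a TLS handshake.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public_http
    bind *:80

    # Wrong here: ssl_fc means "was this connection TLS to haproxy". The ELB
    # already terminated TLS, so it is always false and every request, even
    # one the client sent over https, would be redirected again (a loop).
    # redirect scheme https code 301 if !{ ssl_fc }

    # Right: trust the X-Forwarded-Proto header the ELB sets. Only requests
    # that arrived at the ELB as plain http get the 301; https passes through.
    acl elb_https req.hdr(X-Forwarded-Proto) -i https
    http-request redirect scheme https code 301 if !elb_https

    default_backend public_services

backend public_services
    # In the PR this section is rendered by consul-template from services
    # carrying the consul "public" tag; the hosts below are placeholders.
    balance roundrobin
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

Trusting X-Forwarded-Proto is only sound when instance port 80 is reachable solely from the ELB (security group rules), since a client that can reach haproxy directly could set the header itself and skip the redirect.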
@enxebre
Contributor

enxebre commented Sep 1, 2015

Looks good to me.
Thanks!

@wallies
Contributor

wallies commented Mar 22, 2016

Closing as we no longer use haproxy. Will revisit this when traefik letsencrypt support lands.

@wallies wallies closed this Mar 22, 2016