How to allow a user to access some url without requiring the port

3/19/2019

I feel like this is a basic question but I'm struggling to find anything concrete in my research. This must be a common problem and I'm not sure what to google.

I'm running an air-gapped Kubernetes cluster with a bunch of services, all of which have UIs. My services are exposed using NodePort. I can navigate to the UI by going to ip addr:NodePort. I have DNS set up using dnsmasq so I can access the URL at example.domain.com:NodePort.

I want to "hide" the nodeport portion of the url so that users/clients can access apps at example.domain.com/appname.

I'm running an Apache web server to serve some files and I have implemented a bunch of redirects, e.g.

Redirect permanent /appname http://example.domain.com:30000/

which works semi-nicely when accessing the UIs via the Firefox browser, e.g. example.domain.com/appname. This does change the URL in the user's address bar but I can live with that. The problem with this is that some clients don't automatically redirect to http://example.domain.com:30000/ and instead just present the 301 status code.

Can somebody point me in the right direction please.

Thanks

-- Murchy
apache
dns
dnsmasq
html
kubernetes

3 Answers

3/19/2019

Using Apache or nginx, you can just use a virtual server that hides the internal ports. I don't think you need to put in any redirection; you just need to serve a URL to the external client from a virtual server on :80 whose backend (upstream) nodes are your internal nodes, with their node ports.

You can find easy and better examples for nginx, HAProxy and others.

Here is an apache example:

<VirtualHost *:80>
        ProxyRequests off

        ServerName domain.com

        <Proxy balancer://mycluster>
                # WebHead1
                BalancerMember http://node:NodePort
                # WebHead2
                BalancerMember http://node:NodePort

                # Security "technically we aren't blocking
                # anyone but this is the place to make
                # those changes.
                Require all granted
                # In this example all requests are allowed.

                # Load Balancer Settings
                # We will be configuring a simple Round
                # Robin style load balancer.  This means
                # that all webheads take an equal share
                # of the load.
                ProxySet lbmethod=byrequests

        </Proxy>

        # balancer-manager
        # This tool is built into the mod_proxy_balancer
        # module and will allow you to do some simple
        # modifications to the balanced group via a gui
        # web interface.
        <Location /balancer-manager>
                SetHandler balancer-manager

                # I recommend locking this one down to
                # your office
                Require host example.org

        </Location>

        # Point of Balance
        # This setting will allow us to explicitly name
        # the location in the site that we want to be
        # balanced, in this example we will balance "/"
        # or everything in the site.
        ProxyPass /balancer-manager !
        ProxyPass / balancer://mycluster/

</VirtualHost>
-- Ijaz Ahmad Khan
Source: StackOverflow

3/19/2019

You have to redirect HTTP traffic from port 80 (which is standard) to your NodePort.

For example

sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 30000
-- A_Suh
Source: StackOverflow

3/21/2019

After seeing Ijaz's answer I was able to refine my Google search a little and came up with the below:

/etc/hosts

192.168.100.1 example.domain.com gitlab.domain.com example

<VirtualHost *:80>
  ServerName gitlab.domain.com
  ProxyPass / http://example.domain.com:30100/
  ProxyPassReverse / http://example.domain.com:30100/
</VirtualHost>

systemctl restart httpd dnsmasq

If you navigate to gitlab.domain.com you will be redirected to the correct port (30100).

The downside to this is that one has to have a domain name for every application that I deploy. I would have preferred to do something similar to:

/etc/hosts

192.168.100.1 example.domain.com example

<VirtualHost *:80>
  ServerName example.domain.com
  ProxyPass /gitlab http://example.domain.com:30100/
  ProxyPassReverse /gitlab http://example.domain.com:30100/

  ProxyPass /jira http://example.domain.com:30111/
  ProxyPassReverse /jira http://example.domain.com:30111/
</VirtualHost>

However, when I navigated to example.domain.com/gitlab it would append the correct URL (e.g. the landing page for GitLab is /users/sign_in, giving example.domain.com/users/sign_in), but my browser displayed Not Found. The request URL /users/sign_in was not found on the server.

I couldn't figure out the correct configuration. If anyone has any further thoughts on how to fix this, please let me know.

-- Murchy
Source: StackOverflow
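
The Not Found described in the last answer can be reproduced with a simplified Python model of the path-based mapping; this is an added example, not part of the original post and not Apache's implementation. It assumes the backend answers with a path-only Location header; the function names and the slash normalisation are choices of the model.

```python
from urllib.parse import urlsplit

# Mappings copied from the path-based VirtualHost in the post above.
FRONT = "http://example.domain.com"
MAPPINGS = [("/gitlab", "http://example.domain.com:30100/"),
            ("/jira", "http://example.domain.com:30111/")]

def forward(path):
    """ProxyPass side: strip the public prefix, append the rest to the backend URL."""
    for prefix, backend in MAPPINGS:
        # Match on a path-segment boundary: /gitlab and /gitlab/..., not /gitlabx.
        if path == prefix or path.startswith(prefix + "/"):
            return backend.rstrip("/") + "/" + path[len(prefix):].lstrip("/")
    return None  # no prefix matches: the request is not proxied (the 404 case)

def reverse(location):
    """ProxyPassReverse side (simplified): rewrite only Locations that
    begin with a configured backend URL; slashes are normalised here."""
    for prefix, backend in MAPPINGS:
        if location.startswith(backend):
            return FRONT + prefix + "/" + location[len(backend):]
    return location  # no match: the header reaches the client unchanged

def follow(location):
    """Return the Location the browser sees and where its next request is proxied."""
    seen = reverse(location)
    path = urlsplit(seen).path if "://" in seen else seen
    return seen, forward(path)

if __name__ == "__main__":
    # Constructed sample redirects: absolute backend URL vs. path-only.
    for loc in ("http://example.domain.com:30100/users/sign_in", "/users/sign_in"):
        print(loc, "->", follow(loc))
```

An absolute redirect to the backend URL is mapped back under /gitlab, while the path-only /users/sign_in passes through unchanged and matches no ProxyPass prefix, so the front server answers it itself.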