Spinnaker HTTPS configuration through Apache

1/7/2020

My Spinnaker is running in Kubernetes with service type LoadBalancer, and I added the Azure annotations below to take a private IP address from the internal subnet and expose the service internally.

  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: subnetName

I have one Ubuntu VM where Apache is installed. I created a self-signed certificate, terminated TLS in the Apache configuration, and I'm able to access the Apache home page using HTTPS.

Then I created a proxy rule to the Spinnaker service IP address. Basically I want to access Spinnaker through Apache over HTTPS, with Apache forwarding the traffic internally over HTTP to the Kubernetes service.

Here are the Apache configurations:

xxxx@xxxx:/etc/apache2/sites-available$ ls -ltrh
total 28K
-rw-r--r-- 1 root root 1332 Jul 16 18:14 000-default.conf
-rw-r--r-- 1 root root 6338 Jul 16 18:14 default-ssl.conf
drwxr-xr-x 2 root root 4096 Dec 12 17:24 abc
-rw-r--r-- 1 root root  680 Dec 12 13:04 abc.conf
drwxr-xr-x 2 root root 4096 Dec 12 14:29 xyz
-rw-r--r-- 1 root root 1151 Dec 12 13:08 xyz.conf

cat abc/00-redirect-to-https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^spinnaker$ / [L,R=302]


cat abc.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/abc_error.log
    CustomLog ${APACHE_LOG_DIR}/abc_access.log combined

    <IfModule mod_headers.c>
      RequestHeader unset X-Forwarded-For
      RequestHeader unset X-Forwarded-Host
      RequestHeader unset X-Forwarded-Server
      RequestHeader set X-Forwarded-Proto "http"
      RequestHeader set X-Forwarded-Port "80"
    </IfModule>

    # Apache will try to set application/json based on mime type
    # This behaviour is causing problems with empty json responses from spring
    RemoveType json

    Include sites-available/abc/*.conf
</VirtualHost>


cat xyz/00-spinnaker.conf
ProxyPass /spinnaker balancer://spinnaker
ProxyPassReverse  /spinnaker balancer://spinnaker
ProxyRequests     Off
AllowEncodedSlashes NoDecode
<Proxy balancer://spinnaker>
    BalancerMember http://172.18.1.99:9000/spinnaker loadfactor=1 keepalive=On retry=0
    ProxySet lbmethod=bytraffic
</Proxy>


cat xyz.conf
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName FQDN

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/xyz_error.log
    CustomLog ${APACHE_LOG_DIR}/xyz_access.log combined

    <IfModule mod_headers.c>
      RequestHeader unset X-Forwarded-For
      RequestHeader unset X-Forwarded-Host
      RequestHeader unset X-Forwarded-Server
      RequestHeader set X-Forwarded-Proto "https"
      RequestHeader set X-Forwarded-Port "443"
    </IfModule>

    SSLEngine on
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    SSLCertificateFile    /etc/apache2/certs/ca.cert
    SSLCertificateKeyFile /etc/apache2/certs/ca.key


    # Apache will try to set application/json based on mime type
    # This behaviour is causing problems with empty json responses from spring
    RemoveType json

    Include sites-available/xyz/*.conf

</VirtualHost>

If I request the URL https://apacheServerDomainName/spinnaker in a browser, it redirects to Spinnaker internally. But if I then want to go to any other page in Spinnaker, say by clicking on Projects, Applications, etc., it won't work, because the URL changes to https://apacheServerDomainName/applications and this gives a 404, since Apache assumes it should serve that page from the local Ubuntu server, whereas that request should also be proxied to, and answered by, Spinnaker.

Please advise what kind of Apache rewrite rule could help achieve this requirement, or any other suggestion.

-- Jaydeep Soni
apache
kubernetes
proxy
reverse-proxy
spinnaker
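The 404 on /applications happens because the Spinnaker UI (Deck) links to absolute paths, so only the single /spinnaker prefix is ever proxied and every subsequent navigation lands on the local Apache document root. The configuration below is an added example, not the asker's configuration: it gives Spinnaker its own virtual host and proxies the whole site root to the internal LoadBalancer address from the question (http://172.18.1.99:9000), so every path Deck requests reaches Spinnaker. It also removes the TLS 1.0/1.1 and 3DES settings that the posted vhost still offers. The hostname spinnaker.example.internal and the certificate paths are placeholders; the modules ssl, proxy, proxy_http, rewrite and headers are assumed to be enabled.

```apache
# Added example, not the asker's own configuration.
# Assumes: Deck is reachable internally at http://172.18.1.99:9000 (from the question),
# the hostname below is dedicated to Spinnaker, and the certificate paths are placeholders.
# Requires a2enmod ssl proxy proxy_http rewrite headers.

<VirtualHost *:80>
    ServerName spinnaker.example.internal
    # Nothing is proxied over plain HTTP; every request is redirected to HTTPS.
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName spinnaker.example.internal
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/spinnaker_error.log
    CustomLog ${APACHE_LOG_DIR}/spinnaker_access.log combined

    SSLEngine on
    # Weak setting in the posted vhost: "-ALL +TLSv1 +TLSv1.1 +TLSv1.2" plus 3DES suites.
    # Corrected: TLS 1.2 only, forward-secret AEAD suites, no 3DES.
    SSLProtocol -ALL +TLSv1.2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!DSS:!3DES
    # Placeholder paths; use the real server certificate and key.
    SSLCertificateFile    /etc/apache2/certs/spinnaker.crt
    SSLCertificateKeyFile /etc/apache2/certs/spinnaker.key

    <IfModule mod_headers.c>
        # Tell browsers to stay on HTTPS for this host.
        Header always set Strict-Transport-Security "max-age=31536000"
        # Tell the backend it is behind a TLS-terminating proxy.
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </IfModule>

    ProxyRequests Off
    ProxyPreserveHost On
    # Keep encoded slashes intact end to end (nocanon pairs with NoDecode).
    AllowEncodedSlashes NoDecode

    # Proxy the site root rather than /spinnaker: Deck navigates to absolute
    # paths such as /applications, so a sub-path mount 404s on the next click.
    ProxyPass        / http://172.18.1.99:9000/ nocanon
    ProxyPassReverse / http://172.18.1.99:9000/
</VirtualHost>
```

Validate with `apachectl configtest` before reloading. Because the root is proxied, this host can serve nothing else, which is why it gets its own ServerName rather than sharing the existing xyz vhost. Deck also talks to Spinnaker's API service (Gate) at whatever URL Deck was configured with; that endpoint is not part of the question, but it must be reachable from the browser over HTTPS in the same way, or the UI will load and then fail its API calls.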

1 Answer

1/7/2020

Follow these steps:

  1. Deploy the nginx ingress controller.
  2. Define an Ingress rule for Spinnaker, including the TLS certificate in a secret.
  3. The nginx controller would do TLS termination, allowing external connections over HTTPS.
-- P Ekambaram
Source: StackOverflow