From 721319df53fa2ffb6fd80e78a07e8876f70e8d21 Mon Sep 17 00:00:00 2001 From: Miciah Masters Date: Sun, 25 Oct 2015 23:16:17 -0400 Subject: [PATCH] README.haproxy-sni-proxy.md: Minor fixes, BIND_IP Fix some minor grammatical issues, and expand a little on BIND_IP. --- .../README.haproxy-sni-proxy.md | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/plugins/frontend/haproxy-sni-proxy/README.haproxy-sni-proxy.md b/plugins/frontend/haproxy-sni-proxy/README.haproxy-sni-proxy.md index b61a41198bb..757f20ce10d 100644 --- a/plugins/frontend/haproxy-sni-proxy/README.haproxy-sni-proxy.md +++ b/plugins/frontend/haproxy-sni-proxy/README.haproxy-sni-proxy.md @@ -39,8 +39,8 @@ later and will have access to all client TLS parameters, including the SNI extension. Cartridges must allow applications to provide their own X509 server -certificates, and should accommodate clients that expect an X509 -certificate for the FQDN it contacted whether its an alias or the +certificates and should accommodate clients that expect an X509 +certificate for the FQDN it contacted whether it's an alias or the primary name of the application. 
@@ -52,15 +52,15 @@ mapping. The mapping frontend path requests which SNI proxy port to be used. It may be one of the following: - 1. A blank ("") which causes the first SNI proxy port to be selected. - 1. "TLS_PORT_1", "TLS_PORT_2", etc... which causes the first, second, etc... SNI proxy port to be selected. + 1. An empty string ("") which causes the first SNI proxy port to be selected. + 1. "TLS_PORT_1", "TLS_PORT_2", and so on, which causes the first, second, etc. SNI proxy port to be selected. 1. A port number, which will be used only if it is in the set of configured SNI proxy ports. Specific port numbers should be avoided as they can differ between -OpenShift installations, or even be changed by the administrator after +OpenShift installations or even be changed by the administrator after deployment. -The SNI proxy port numbers are constrained, and are unlikely to be the +The SNI proxy port numbers are constrained and are unlikely to be the port a service is normally expected to be on. The mapping backend path is not used. 
@@ -93,28 +93,29 @@ For more information, please refer to the [OpenShift Origin Cartridge Developer' ## SNI Proxy Requirements and Configuration The SNI proxy reads its configuration from the OpenShift node -configuration files. +configuration files: ``` /etc/openshift/node.conf /etc/openshift/node-plugins.d/openshift-origin-frontend-haproxy-sni-proxy.conf ``` The SNI proxy is configured for ports 2303 through 2308 by default. - This list is configurable through the "PROXY_PORTS" parameter in `openshift-origin-frontend-haproxy-sni-proxy.conf`. Caution should be -used changing the list to ensure that there are no conflicts, +used when changing the list to ensure that there are no conflicts, including with the gear port proxy. The proxy ports should have a firewall policy similar to ports 80 and -443 (HTTP and HTTPS). Typically, allowing contact. +443 (HTTP and HTTPS) to allow connections. -Depending on the configuration, the port proxy will bind to loopback -(127.0.0.1) and the IP address of the public facing network interface -(eg: eth0). If an IP address cannot be determined, then the port -proxy will bind to INADDR_ANY. +By default, the port proxy will bind to loopback (127.0.0.1) and the IP +address of the public-facing network interface specified by the +"EXTERNAL_ETH_DEV" setting in `node.conf` (e.g., eth0) or inferred from +the "PUBLIC_IP" setting in `node.conf`. The public-facing address can +be overridden using the "BIND_IP" setting in +`openshift-origin-frontend-haproxy-sni-proxy.conf`. If an IP address +cannot be determined, then the port proxy will bind to INADDR_ANY. The SNI proxy requires haproxy-1.5 for SNI support. As haproxy-1.5 is beta, it is expected to be installed alongside the default system version of haproxy and located at `/usr/sbin/haproxy15`. -
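Review bot: in the first hunk (the `-certificates, and should accommodate` / `+certificates and should accommodate` lines, around lines 42-44 of the README), the pronoun still disagrees with its antecedent after the fix: "clients that expect an X509 certificate for the FQDN it contacted" has plural "clients" and singular "it". Since this hunk is already correcting "its" to "it's" in that sentence, consider also changing "it contacted" to "they contacted" so the sentence reads "clients that expect an X509 certificate for the FQDN they contacted, whether it's an alias or the primary name of the application."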
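Review bot: in the second hunk, the rewritten list item `+ 1. "TLS_PORT_1", "TLS_PORT_2", and so on, which causes the first, second, etc. SNI proxy port to be selected.` still uses both "and so on" and "etc." in one sentence, which is the kind of redundancy the commit message says it is cleaning up. Suggest keeping one form, e.g. `"TLS_PORT_1", "TLS_PORT_2", and so on, which cause the first, second, and subsequent SNI proxy ports to be selected.` (note "causes" should also become "cause" since the subject is plural). The accompanying prose changes in this hunk (dropping the commas before "or even be changed" and "and are unlikely") read correctly.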
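Review bot: the new bind-address paragraph in the third hunk (`+By default, the port proxy will bind to loopback (127.0.0.1) and the IP` through `+cannot be determined, then the port proxy will bind to INADDR_ANY.`) leaves two things an administrator needs to know unstated. First, the precedence between "EXTERNAL_ETH_DEV" and "PUBLIC_IP" is ambiguous as written ("specified by ... or inferred from ..."); say which setting is consulted first and when the other is used. Second, the INADDR_ANY fallback means the SNI proxy ports (2303-2308 by default, per the context lines above) can end up listening on every interface when neither setting yields an address, which widens exposure beyond the intended public-facing interface; since this paragraph now documents "BIND_IP", it would be worth one sentence recommending that administrators set "BIND_IP" explicitly on multi-homed nodes and verify the resulting listener addresses after deployment, alongside the firewall guidance already given in the preceding sentence. Also, the unrelated whitespace change (the removed trailing blank line at the end of the file) could be mentioned in the commit message or split out, as it is not covered by "minor grammatical issues" or the BIND_IP expansion.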