/ Security Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Updating HAProxy Configurations in OpenShift

DZone's Guide to

Updating HAProxy Configurations in OpenShift

A quick tutorial on how to fine tune the OpenShift router to make it more secure.

by
·
Feb. 06, 17 · Security Zone ·
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

For security reason we need to tune up the OpenShift router. OpenShift router uses the HAProxy. HAProxy has this settings:

acl network_allowed src 20.30.40.50 20.30.40.40
http-request deny if !network_allowed

If there would be any possibility to update the HAProxy configuration it should be working. But how to update the configuration?

The solution is to update the Docker image with the router.

Download the OpenShift proxy from https://github.com/openshift/origin/tree/master/images/router/haproxy and update file conf/haproxy-config.template like this (find the section backend and add those 4 lines):

backend be_edge_http_{{$cfgIdx}}
...
  {{ if (index $cfg.Annotations "rohlik.cz/acl") }}
        acl network_allowed src {{ index $cfg.Annotations "rohlik.cz/acl" }}
        http-request deny if !network_allowed
  {{ end }}  
...

After updating the file you have to build docker image and update the router definition. 

docker build -t rohlik-haproxy:v1.3.1 .

And update the router definition (dc/router in namespace default):

spec:
  strategy:
    type: Rolling
    rollingParams:
      updatePeriodSeconds: 1
      intervalSeconds: 1
      timeoutSeconds: 600
      maxUnavailable: 25%
      maxSurge: 0
      updatePercent: -25
    resources:
  triggers:
    -
      type: ConfigChange
  replicas: 1
  test: false
  selector:
    router: router
  template:
    metadata:
      creationTimestamp: null
      labels:
        router: router
    spec:
      volumes:
        -
          name: server-certificate
          secret:
            secretName: router-certs
      containers:
        -
          name: router
          image: 'rohlik-haproxy:v1.3.1'

Now you are able to use the annotations section in your route definition:

apiVersion: v1
kind: Route
metadata:
  name: rohlik
  namespace: rohlik
  selfLink: /oapi/v1/namespaces/rohlik/routes/rohlik
  labels:
    app: rohlik
  annotations:
    rohlik.cz/acl: 22.22.22.22

Finished :) I hope this article helps you.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

Like This Article? Read More From DZone

Deploying Java EE Microservices on OpenShift
Linux Kernel Capabilities Explained
OpenShift Egress Options

Free DZone Refcard

Blockchain and Distributed Ledger Technology for Documents
DOWNLOAD
Topics:
haproxy ,openshift origin ,acl ,security

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Opinions expressed by DZone contributors are their own.

Security Partner Resources

What is the Deserialization vulnerability and what are the challenges in providing a solution
Find out how to Secure your applications with Point and Click protection.
Learn how to Patch faster than attackers can find you

Security Partner Resources

What is the Deserialization vulnerability and what are the challenges in providing a solution
Find out how to Secure your applications with Point and Click protection.
Learn how to Patch faster than attackers can find you

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone