在 Admin Router 前配置 HAProxy

使用 HAProxy 为 DC/OS Admin Router 设置 HTTP 代理

HTTP 代理必须执行即时 HTTP 请求和响应标头修改，因为 DC/OS 不知道用户代理程序用于寻址 HTTP 代理的自定义主机名和端口。

1. 安装 HAProxy 。

2. 您可以使用代理 IP 地址 DNS 条目找到您的任务 IP。

   • ：任务名称。
   • framework_name：框架名称，如果您不确定，则可能是 marathon。

   global
     daemon
     log 127.0.0.1 local0
     log 127.0.0.1 local1 notice
     maxconn 20000
     pidfile /var/run/haproxy.pid
   defaults
     log            global
     option         dontlog-normal
     mode         http
     retries             3
     maxconn          20000
     timeout connect  5000
     timeout client  50000
     timeout server  50000
   frontend http
     # Bind on port 9090. HAProxy will listen on port 9090 on each
     # available network for new HTTP connections.
     bind 0.0.0.0:9090
     # Specify your own server certificate chain and associated private key.
     # See https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt
     # bind *:9091 ssl crt /path/to/browser-trusted.crt
     #
     # Name of backend configuration for DC/OS.
     # so that its value is accessible during response processing.
     # Note: RFC 7230 requires clients to send the Host header and
     # specifies it to contain both, host and port information.
     http-request set-var(txn.request_host_header) req.hdr(Host)
     # Overwrite Host header to 'dcoshost'. This makes the Location
     # header in DC/OS Admin Router upstream responses contain a
     # predictable hostname (NGINX uses this header value when
     # constructing absolute redirect URLs). That value is used
     # in the response Location header rewrite logic (see regular
     # expression-based rewrite in the backend section below).
     http-request set-header Host dcoshost
   backend dcos
     # Option 1: use TLS-encrypted communication with DC/OS Admin Router and
     # perform server certificate verification (including hostname verification).
     # If you are using the community-supported version of DC/OS, you must
     # configure Admin Router with a custom TLS server certificate, see
     # /mesosphere/dcos/2.1/administering-clusters/. This step
     # is not required for DC/OS Enterprise.
     #
     # Explanation for the parameters in the following `server` definition line:
     #
     # 1.2.3.4:443
     #
     #   IP address and port that HAProxy uses to connect to DC/OS Admin
     #   Router. This needs to be adjusted to your setup.
     #
     #
     #   Instruct HAProxy to use TLS, and to error out if server certificate
     #   verification fails.
     #
     # ca-file dcos-ca.crt
     #
     #   The local file `dcos-ca.crt` is expected to contain the CA certificate
     #   that Admin Router's certificate will be verified against. It must be
     #   retrieved out-of-band (on Mesosphere DC/OS Enterprise this can be
     #   obtained via https://dcoshost/ca/dcos-ca.crt)
     #
     # verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
     #
     #   When verifying the TLS certificate presented by DC/OS Admin Router,
     #   perform hostname verification using the hostname specified here
     #   (expect the server certificate to contain a DNSName SAN that is
     #   equivalent to the hostname defined here). The hostname shown here is
     #   just an example and needs to be adjusted to your setup.
     server dcos-1 1.2.3.4:443 ssl verify required ca-file dcos-ca.crt verifyhost frontend-xxx.eu-central-1.elb.amazonaws.com
     # Option 2: use TLS-encrypted communication with DC/OS Admin Router, but do
     # not perform server certificate verification (warning: this is insecure, and
     # we hope that you know what you are doing).
     # server dcos-1 1.2.3.4:443 ssl verify none
     #
     # Rewrite response Location header if it contains an absolute URL
     # pointing to the 'dcoshost' host: replace 'dcoshost' with original
     # request Host header (containing hostname and port).

3. 使用这些设置启动 HAProxy。