how haproxy define dynamic backend server - dynamic

Recently I have a project that needs to use HAProxy; after I read the config doc I found the ACL.
With the ACL I can filter some backends by the request URL, which is cool.
But that's not enough: I want to generate a dynamic backend server from the URL params I matched, for example:
acl dynamic_ser url_reg /*.(10.0.0.1|10.0.0.2)$
use_backend dynamic_server if dynamic_ser
backend dynamic_server
balance leastconn
option httpclose
server node1 10.0.0.1:8080
server node2 10.0.0.2:8080
And for my question: the URL is dynamic, sometimes it may be /path?ip=10.0.0.1,
sometimes /path?ip=10.0.0.1&10.0.0.2, and sometimes /path?ip=10.0.0.1&10.0.0.2&10.0.0.3 as well.
Every time I want to get the backend server depending on the match. Of course I can define these servers one at a time, but I don't think that's good; is there any method I can use?

Remember that & is a delimiter between key-value pairs, so /path?ip=10.0.0.1&10.0.0.2 is mapped to {'ip':'10.0.0.1','10.0.0.2':null}
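As an added example (not from the question, the comment above, or HAProxy itself), the following Python parses the `ip=` parameter exactly the way the comment describes, including the bare `10.0.0.2` tokens that appear when `&` is used as a separator, and then maps each address to a backend name only if it is in a fixed allowlist. Selecting a backend from a request parameter is request-controlled routing, so unknown addresses are reported rather than routed; the allowlist and the backend names are constructed for the demo.

```python
# Added example, not the page's or HAProxy's code: parse the "ip=" routing
# parameter and resolve it against an allowlist of known backend servers.
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the servers this site actually runs. Anything the
# request names that is not here gets no backend.
KNOWN_BACKENDS = {
    "10.0.0.1": "node1",
    "10.0.0.2": "node2",
    "10.0.0.3": "node3",
}


def requested_ips(path_and_query):
    """Return the IPs named in the request, in order, duplicates dropped.

    '&' separates key=value pairs, so /path?ip=10.0.0.1&10.0.0.2 parses as
    the pair ('ip', '10.0.0.1') plus a valueless key '10.0.0.2', which is the
    mapping the comment above shows. Both the values of 'ip' and such bare
    keys are collected, and ip=...&ip=... works as well.
    """
    query = urlsplit(path_and_query).query
    pairs = parse_qs(query, keep_blank_values=True)
    found = []
    for key, values in pairs.items():
        if key == "ip":
            found.extend(values)
        elif not any(values):  # bare token with no '=' (values == [''])
            found.append(key)
    seen = set()
    return [ip for ip in found if not (ip in seen or seen.add(ip))]


def select_backends(path_and_query):
    """Map the request to backend server names.

    Returns (allowed_backend_names, rejected_ips); rejected addresses are
    never routed, they are only reported so the caller can log or refuse.
    """
    allowed, rejected = [], []
    for ip in requested_ips(path_and_query):
        if ip in KNOWN_BACKENDS:
            allowed.append(KNOWN_BACKENDS[ip])
        else:
            rejected.append(ip)
    return allowed, rejected


def render_allowlist_map():
    """Render the allowlist as 'key value' lines, the plain-text map file
    layout HAProxy's map converters read, so the same table can drive the
    proxy instead of being duplicated in application code."""
    return "\n".join("%s %s" % (ip, name) for ip, name in KNOWN_BACKENDS.items())


if __name__ == "__main__":
    for url in ("/path?ip=10.0.0.1", "/path?ip=10.0.0.1&10.0.0.2&10.0.0.3",
                "/path?ip=10.0.0.9&ip=10.0.0.2"):
        print(url, "->", select_backends(url))
    print(render_allowlist_map())
```

Keeping the mapping in one table means the routing decision is still a lookup against servers the operator configured, not a destination the client chose.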

Related

How we can add whitelist IP when using load balancer?

For a scaling solution with Ant Media Server, how do we whitelist an IP when using a load balancer? As you know, with a load balancer the IP changes dynamically, and Ant Media Server can now whitelist a domain name?
How should the setup be?
You have 2 choices for this request.
Option 1 - Setting IP Filter with REST Method
Step 1 - Remove the code snippet below from /AMS_DIR/webapps/root/WEB-INF/web.xml
<filter>
<filter-name>AuthenticationFilter</filter-name>
<filter-class>io.antmedia.console.rest.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>AuthenticationFilter</filter-name>
<url-pattern>/rest/*</url-pattern>
</filter-mapping>
Step 2 - Request the application settings with the following REST method, which supports the GET method
http://domain-address.com:5080/rest/getSettings/WebRTCAppEE
It returns the settings object for that application.
Step 3 - Add/edit the remoteAllowedCIDR field in the settings object and send the settings object to the following REST method.
http://domain-address:5080/rest/changeSettings/WebRTCAppEE
Request Type: POST
Content-Type: application/json
You can add comma separated CIDR notations or IP Addresses to the remoteAllowedCIDR. For instance:
remoteAllowedCIDR=127.0.0.1,12.44.55.3/24,192.123.33.66
Note: You can change the request to https, the port address, and the application, e.g. WebRTCAppEE
Option 2 - Setting IP Filter with MongoDB
Step 1 - Update the settings.remoteAllowedCIDR and updateTime fields in the settings object in MongoDB -> clusterdb -> AppSettings collection. You can also connect to MongoDB with the service.
a- You can change settings.remoteAllowedCIDR the same way you do above
b- You should also update the updateTime field. You can set the current time in milliseconds (System.currentTimeMillis()). Let me give some more information about why we need to update updateTime.
Each AMS periodically checks the updateTime field in AppSettings to update the application settings. So, after updating the remoteAllowedCIDR field, you need to update the updateTime field to let each node update itself.
Note: In the clusterdb, the application settings are stored in MongoDB as a collection.
You can also check out the following docs for MongoDB transactions and AppSettings class:
https://docs.mongodb.com/manual/core/transactions-in-applications/
https://docs.mongodb.com/manual/crud/#update-operations
https://github.com/ant-media/Ant-Media-Server-Common/blob/master/src/main/java/io/antmedia/AppSettings.java#L533
In this kind of setup I suggest making use of security at the load balancer level.
A quick option for disabling IP security in Ant admin would be to put a 0.0.0.0/0 wildcard.

How can we restrict a machine to access my server

I have a JBoss server that allows another server to make API calls. However, I would like to limit access to that particular server only; how can I do so using a digital certificate?
Please advise
Hello ~ for EAP 7:
It seems you would like to restrict the connections for a specific application.
This can be done by configuring ip-access-control in your application's WEB-INF/undertow-handlers.conf:
ip-access-control(default-allow=false, acl={'127.0.0.1 allow', '127.0.0.2 allow'})
Otherwise, if you do not want to change the app side, you can create an expression filter directly on Undertow:
<expression-filter name="ip-access-filter" expression="ip-access-control(default-allow=false, acl={'127.0.0.1 allow', '127.0.0.2 allow'})"/>
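Both the Ant Media remoteAllowedCIDR list above and the Undertow ip-access-control ACL in this answer are source-address allowlists, and the same mistakes apply to both: a host bit left in a CIDR, an all-zero prefix that silently allows everything, and a default that lets unmatched clients through. The following Python is an added example (not Ant Media Server's or Undertow's code) that evaluates a client address against both notations using the standard ipaddress module. It assumes "first matching entry wins, otherwise the default", and it handles only plain addresses and CIDR prefixes; those are simplifying assumptions for the demo, not a description of either product's implementation.

```python
# Added example, not Ant Media Server's or Undertow's code: evaluate a client
# address against a comma-separated CIDR allowlist (remoteAllowedCIDR) and
# against Undertow-style 'addr allow|deny' ACL entries. First match wins,
# then the default; only IPs and CIDR prefixes are understood (assumption).
import ipaddress


def parse_cidr_list(value):
    """'127.0.0.1,12.44.55.3/24,192.123.33.66' -> list of ip_network objects.

    strict=False accepts host bits in an entry like 12.44.55.3/24 and reads
    it as 12.44.55.0/24, which is what an operator writing it usually means.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def cidr_allows(value, client_ip):
    """True if client_ip falls inside any entry of the remoteAllowedCIDR list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_cidr_list(value))


def is_allow_all(value):
    """True when the list contains a /0, the '0.0.0.0/0 wildcard' the comment
    above uses to switch the filter off. Worth flagging in any config review."""
    return any(net.prefixlen == 0 for net in parse_cidr_list(value))


def parse_undertow_acl(entries):
    """['127.0.0.1 allow', '10.0.0.0/8 deny'] -> [(network, allowed_bool), ...]"""
    rules = []
    for entry in entries:
        target, verdict = entry.split()
        if verdict not in ("allow", "deny"):
            raise ValueError("unknown verdict in ACL entry: " + entry)
        rules.append((ipaddress.ip_network(target, strict=False), verdict == "allow"))
    return rules


def undertow_decides(entries, client_ip, default_allow=False):
    """Walk the ACL in order; the first entry containing the address decides,
    otherwise default-allow applies (False = deny unmatched clients)."""
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in parse_undertow_acl(entries):
        if ip in net:
            return allowed
    return default_allow


if __name__ == "__main__":
    cidrs = "127.0.0.1,12.44.55.3/24,192.123.33.66"
    for client in ("12.44.55.200", "12.44.56.1"):
        print(client, "allowed by remoteAllowedCIDR:", cidrs_allows := cidr_allows(cidrs, client))
    print("0.0.0.0/0 disables filtering:", is_allow_all("0.0.0.0/0"))
    acl = ["127.0.0.1 allow", "127.0.0.2 allow"]
    for client in ("127.0.0.2", "10.1.1.1"):
        print(client, "passes ip-access-control:", undertow_decides(acl, client))
```

An IPv6 client never matches an IPv4 entry (ipaddress returns False across address families), so a deployment that is reachable over IPv6 needs its own entries rather than relying on the IPv4 list.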

Accessing Service Fabric with reverse proxy and SSL from custom domain

By following many docs/tutorials I implemented SSL with Kernel and reverse proxy in my SF.
I made it work, but the access point URL is as follows: https://mycluster.westeurope.cloudapp.azure.com:19081
Before I implemented https, I had a CNAME mycustomdomain.com redirecting to mycluster.westeurope.cloudapp.azure.com, which was working fine.
So now I would like to know if there's a way to call http://mycustomdomain.com
and access the actual URI. Is there a way with what I already have in place, through probes/LB rules for example? Or do I have to implement an Application Gateway, use API Management, or something else?
Edit : LBRules+Probes
AppPortProbe : 44338 (backend ssl port in the SF)
FabricGatewayProbe : 19000
FabricHttpGatewayProbe : 19080
SFReverseProxyProbe : 19081
[Rule : Probe]
[AppPortLBRule (TCP/80 to TCP/19081) : 19081]
[LBHttpRule (TCP/19080) : 19080]
[LBRule (TCP/19000) : 19000]
[LBSFReverseProxyRule (TCP/19081 to TCP/44338) : 44338]
Your question is too broad; there are too many questions that might bring many answers. I will try to answer with a few options:
In your scenario, to access the same URL you should use https://mycustomdomain.com:19081 instead.
The problem here is that when you set up the cluster, the certificate used by the cluster is valid only for the domain 'mycluster.westeurope.cloudapp.azure.com'; in your case your domain is not valid in the certificate used by SF, and it will fail once you make any request to it.
You can skip certificate validation errors in your browser and continue. In your applications you could do the same, but the problem is that it is not a friendly way of doing it.
To be able to use the domain without any conflicts, you have to register your own certificate created for the domain you own.
Because you are using the reverse proxy, you also have to define the certificate in the cluster configuration; look for reverseProxyCertificate in this link
For deploying applications using SSL something similar will happen, but in your application you can define the certificate you want to use on startup; in the cluster you have to define it in the cluster configuration.
You can find more information here:
Manage service fabric cluster security certificates
If the problem is the port, you have two options:
Create a 'Port forwarding' rule in the load balancer to forward any request on port 80 to port 19081. You can find here how to do that with PowerShell.
Update the cluster/service configuration to listen on port 80 instead of 19081. Check it here.
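The answer's first point is a hostname check: a TLS client compares the name it dialled against the names in the certificate's subjectAltName, and the cluster certificate names only mycluster.westeurope.cloudapp.azure.com. The following Python is an added example (not Service Fabric's, Azure's, or any TLS library's code) that implements that comparison with the usual rule that a wildcard stands for exactly one leftmost label, and shows why mycustomdomain.com fails until a certificate for it is installed. The SAN list and the peer-certificate dict are constructed for the demo; the dict follows the shape Python's ssl module returns from getpeercert().

```python
# Added example, not Service Fabric's or Azure's code: check whether a
# certificate's DNS names cover the hostname a client connects to.


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, exact unless the pattern's
    whole leftmost label is '*', and a wildcard matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and must leave at least
    # two labels after it, so "*.com" is rejected; label counts must agree,
    # so "*.x.y" never covers "a.b.x.y".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def certificate_covers(san_dns_names, hostname):
    """True if any subjectAltName DNS entry covers hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def sans_from_peercert(peercert):
    """Pull the DNS names out of the dict shape ssl.SSLSocket.getpeercert()
    returns, e.g. {'subjectAltName': (('DNS', 'x.example'), ('IP Address', '10.0.0.1'))}.
    IP Address entries are a different check and are left out here."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed to mirror the answer above: the cluster certificate names only
# the Azure-provided DNS name, not the custom domain.
CLUSTER_CERT = {"subjectAltName": (("DNS", "mycluster.westeurope.cloudapp.azure.com"),)}


def explain(hostname, peercert=CLUSTER_CERT):
    """Human-readable verdict for one hostname against one certificate."""
    names = sans_from_peercert(peercert)
    if certificate_covers(names, hostname):
        return "ok: %s is covered by %s" % (hostname, names)
    return ("hostname mismatch: %s is not in %s; a certificate issued for it "
            "must be installed (reverseProxyCertificate for the reverse proxy)"
            % (hostname, names))


if __name__ == "__main__":
    print(explain("mycluster.westeurope.cloudapp.azure.com"))
    print(explain("mycustomdomain.com"))
```

Skipping validation in a client, as the answer mentions, disables exactly this comparison for every connection, which is why issuing a certificate for the owned domain is the durable fix.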
Go to GoDaddy or whichever domain provider you use and add a transfer to your Azure domain: https://mycluster.westeurope.cloudapp.azure.com

HTTPS Load Balancing Google Container Cluster

I'm trying to load balance a cluster that is exposing port 7654. I've followed the instructions here. When following it exactly (creating the nginx cluster), it works fine, but when I try to apply it to my containers I can't get it to pass the health check. If I use kubectl to expose 7654 with LoadBalancer instead of NodePort, I'm able to connect, so it seems that the container is working fine. Does anyone have any advice for creating a load balancer?
According to https://cloud.google.com/compute/docs/load-balancing/health-checks#overview a successful health check "must return a valid HTTP response with code 200 and close the connection normally within the timeoutSec period". It's possible that your empty response wasn't closing the HTTP connection and adding HTML content caused your backend to close the connection.
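To make the quoted acceptance rule concrete, here is an added example (not Google's or Kubernetes' code) of a probe that applies it: the backend must answer 200 and the exchange must finish, with the connection closed, inside a timeout. It runs against a tiny local server (Python 3.7+ for ThreadingHTTPServer) with one compliant endpoint and two that fail in the ways the thread describes: wrong status, and a response that arrives too late. The paths, timeout and port are constructed for the demo.

```python
# Added example, not Google's or Kubernetes' code: an HTTP health-check probe
# with the rule "HTTP 200, connection closed normally within timeoutSec",
# exercised against a local demo backend.
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TIMEOUT_SEC = 1.0  # constructed value standing in for the check's timeoutSec


class DemoBackend(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send_ok(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))  # lets the client see the end
        self.send_header("Connection", "close")             # close normally after the body
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/healthz":          # compliant endpoint
            self._send_ok()
        elif self.path == "/slow":           # correct status, but past the timeout
            time.sleep(TIMEOUT_SEC * 2)
            try:
                self._send_ok()
            except OSError:                  # the prober has already hung up
                pass
        else:                                # wrong status code
            self.send_error(503, "backend not ready")


def probe(host, port, path, timeout_sec=TIMEOUT_SEC):
    """Return (healthy, reason). Healthy only if the backend returned 200 and
    the whole exchange, including reading the body to the end, completed
    within timeout_sec; a socket timeout or connection error is unhealthy."""
    start = time.monotonic()
    conn = http.client.HTTPConnection(host, port, timeout=timeout_sec)
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        resp.read()
    except OSError as exc:  # socket.timeout is an OSError subclass
        return False, "no valid response within %.1fs: %s" % (timeout_sec, exc)
    finally:
        conn.close()
    elapsed = time.monotonic() - start
    if resp.status != 200:
        return False, "status %d" % resp.status
    if elapsed > timeout_sec:
        return False, "took %.2fs" % elapsed
    return True, "200 in %.2fs" % elapsed


def run_demo():
    """Start the demo backend on a free loopback port and probe each path."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {path: probe(host, port, path) for path in ("/healthz", "/broken", "/slow")}
    finally:
        server.shutdown()


if __name__ == "__main__":
    for path, (healthy, reason) in run_demo().items():
        print("%-9s %s  (%s)" % (path, "healthy" if healthy else "UNHEALTHY", reason))
```

The Content-Length and Connection: close headers are what turn "200 with some body" into a response the checker can finish reading and see closed; an endpoint that returns 200 but never signals the end of the body keeps the checker waiting until timeoutSec, which is the failure mode the answer suspects.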

Apache ProxyRemote with Proxy-Authorization (over connect/HTTPS)

It's easy to use "RequestHeader append Proxy-Authorization" to create a forward proxy with no authentication that bounces over a password-protected one.
But this header is not appended to CONNECT requests...
I'm aware of the patch suggested at https://issues.apache.org/bugzilla/show_bug.cgi?id=37355, but it does not seem to be integrated into the trunk/release branch.
Is there another way to configure the remote proxy authorization credentials (that could also be used in CONNECT transactions)?
I ported the patch from the 2005 mailing list message to the Apache 2.2.X branch (last 2.2) and successfully tested it.
Usage:
ProxyRemote * http://[user]:[pswd]#host:port/
(it also replaces the need for RequestHeader)
https://gist.github.com/131/2a5ffedc2acf61061cf39e966def2ff2
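To show what the patched directive has to produce on the wire, here is an added Python example (not Apache's code and not the gist's patch). It splits the `user:pswd#host:port` form the answer gives into its parts (the `#` separator is the patch's own syntax as described above, not stock Apache), builds the CONNECT request that the first proxy must send to the password-protected upstream with a Basic Proxy-Authorization header, which is the request the unpatched RequestHeader approach leaves without credentials, and includes the upstream-side check using a constant-time comparison. The proxy name, user and password are constructed values.

```python
# Added example, not Apache's code: credentials for an authenticated upstream
# proxy, the CONNECT request that carries them, and the upstream-side check.
import base64
import hmac
from urllib.parse import unquote


def parse_proxy_remote(target):
    """Split the patched form 'http://user:pswd#host:port/' into its parts.
    The '#' between credentials and host is the syntax the answer above
    describes for the ported patch (assumption: port is required)."""
    scheme, _, rest = target.partition("://")
    creds, sep, hostport = rest.partition("#")
    if not sep:
        raise ValueError("expected 'user:pswd#host:port' after the scheme")
    user, _, pswd = creds.partition(":")
    host, _, port = hostport.rstrip("/").partition(":")
    if not host or not port.isdigit():
        raise ValueError("expected host:port after '#'")
    return {"scheme": scheme, "user": unquote(user), "pswd": unquote(pswd),
            "host": host, "port": int(port)}


def proxy_authorization(user, pswd):
    """Header value for HTTP Basic proxy authentication."""
    token = base64.b64encode(("%s:%s" % (user, pswd)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_connect_request(target_host, target_port, user, pswd):
    """The CONNECT the first proxy sends upstream when a client tunnels HTTPS.
    Without Proxy-Authorization here the upstream answers 407 and the tunnel
    never opens, which is the gap the thread is about."""
    lines = [
        "CONNECT %s:%d HTTP/1.1" % (target_host, target_port),
        "Host: %s:%d" % (target_host, target_port),
        "Proxy-Authorization: " + proxy_authorization(user, pswd),
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def check_proxy_authorization(header_value, expected_user, expected_pswd):
    """Upstream-side validation of a Proxy-Authorization header. Both fields
    are compared in constant time and both comparisons always run, so the
    response timing does not reveal which one was wrong."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, pswd = decoded.partition(":")
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pswd_ok = hmac.compare_digest(pswd.encode("utf-8"), expected_pswd.encode("utf-8"))
    return user_ok & pswd_ok


if __name__ == "__main__":
    cfg = parse_proxy_remote("http://alice:s3cret#proxy.example.net:3128/")  # constructed
    print(cfg)
    print(build_connect_request("example.com", 443, cfg["user"], cfg["pswd"]).decode())
    print(check_proxy_authorization("Basic YWxpY2U6czNjcmV0", "alice", "s3cret"))
```

Because the credentials travel in a reversible Basic header, the hop between the two proxies should itself be a trusted link; anyone reading that link reads the upstream password.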