This is just a proof of concept and shouldn’t be used in production! I still have some issues with redirects to the new hostname.
In the series of encrypting network traffic within HCL Connections and Component Pack:
- Encrypt IHS Proxypass Traffic To Component Pack
- Securing Redis Traffic in HCL Connections with SSH Tunnels
the customizer part is missing. In a default configuration (or when you install as documented), the traffic from IHS and NGINX that is forwarded to the customizer (mw-proxy) and Ingress is unencrypted.
As the customizer forwards many different paths, it is not enough to forward just a few paths for the Connections hostname. I believe it is necessary to create a DNS alias that points to our load balancer. At least I couldn’t make it work without an additional hostname.
Here you see the updated network plan from the Proxypass article:

I assume that you made the config from the article Encrypt IHS Proxypass Traffic To Component Pack already.
I have added a CNAME entry to DNS: cnx8-db2-customizer.stoeps.home pointing to the host cnx8-db2.stoeps.home (my nginx and haproxy host).
| Function | IP Address | Example Hostname | Role |
|---|---|---|---|
| IBM HTTP Server | 10.0.22.90 | cnx8-db2-was.stoeps.home | Web Server |
| Load Balancer (HAProxy & NGINX) | 10.0.22.92 | cnx8-db2.stoeps.home, cnx8-db2-customizer.stoeps.home | Load balancing and forwarding; DNS alias for customizer |
| Kubernetes Cluster | 10.0.22.95 | cnx8-db2-cp.stoeps.home | Container orchestration with NGINX Ingress |
## Add ingress for customizer traffic

mw-proxy-ingress.yaml:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mw-proxy-ingress
  namespace: connections
  labels:
    app: mw-proxy-app
    name: mw-proxy
    type: ingress
spec:
  ingressClassName: nginx
  rules:
    - host: cnx8-db2-customizer.stoeps.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mw-proxy
                port:
                  number: 80
```

Apply it to the cluster:

```shell
kubectl apply -f mw-proxy-ingress.yaml -n connections
```

## Change NGINX config to forward traffic to new hostname over TLS
Now we need to change the NGINX configuration to forward the customizer traffic over TLS.
This is the default configuration, which forwards the customizer traffic directly over plain HTTP:

```nginx
location / {
    location ~ ^/(files/customizer|files/app|communities/service/html|forums/html|search/web|homepage/web|social/home|mycontacts|wikis/home|blogs|news|activities/service/html|profiles/html|viewer) {
        proxy_pass http://cnx8-db2.stoeps.home:30301;
    }

    location ~ ^/(wikis/form/api/wikis|server-status|files/form/anonymous/api/tags|server-status|files/form/api/documents) {
        proxy_cache off;
        proxy_pass https://cnx8-db2-was.stoeps.home;
    }

    proxy_pass https://cnx8-db2-was.stoeps.home;
}
```

Now let’s add the part for TLS (lines 3-8) and comment out the entry with port 30301:
```nginx
 1  location / {
 2      location ~ ^/(files/customizer|files/app|communities/service/html|forums/html|search/web|homepage/web|social/home|mycontacts|wikis/home|blogs|news|activities/service/html|profiles/html|viewer) {
 3          proxy_set_header Host cnx8-db2-customizer.stoeps.home;
 4          proxy_set_header X-Real-IP $remote_addr;
 5          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 6          proxy_set_header X-Forwarded-Proto $scheme;
 7          proxy_set_header X-Forwarded-Host cnx8-db2.stoeps.home;
 8          proxy_pass https://cnx8-db2-customizer.stoeps.home:32443;
 9      }
10
11      location ~ ^/(wikis/form/api/wikis|server-status|files/form/anonymous/api/tags|server-status|files/form/api/documents) {
12          proxy_cache off;
13          proxy_pass https://cnx8-db2-was.stoeps.home;
14      }
15
16      proxy_pass https://cnx8-db2-was.stoeps.home;
17  }
```

It’s important to set X-Forwarded-Host (line 7) to the Connections hostname, or logout/login will redirect you to the customizer hostname.
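To sanity-check the routing above without touching the lab, here is a small added helper (my own example, not part of the article or of HCL's code). It replays the two nested regex locations in NGINX's first-match order to show which upstream a request path reaches before and after the TLS change, and checks a Location header for the symptom described above: a login/logout redirect landing on the customizer alias instead of the Connections hostname. Hostnames are the lab values from the network plan; the sample paths and redirect URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Hostnames from the article's network plan (lab values, not production).
CONNECTIONS_HOST = "cnx8-db2.stoeps.home"
CUSTOMIZER_HOST = "cnx8-db2-customizer.stoeps.home"
WAS_HOST = "cnx8-db2-was.stoeps.home"

# The two regex locations nested inside "location /", in config order.
# NGINX tests regex locations in order of appearance and takes the first
# match. Note the patterns are prefix-only (no trailing "/" or "$"), so
# e.g. "/newsletter" matches the "news" alternative and goes to the customizer.
CUSTOMIZER_RE = re.compile(
    r"^/(files/customizer|files/app|communities/service/html|forums/html|search/web"
    r"|homepage/web|social/home|mycontacts|wikis/home|blogs|news"
    r"|activities/service/html|profiles/html|viewer)"
)
WAS_DIRECT_RE = re.compile(
    r"^/(wikis/form/api/wikis|server-status|files/form/anonymous/api/tags"
    r"|files/form/api/documents)"
)


def route(path: str, legacy: bool = False) -> dict:
    """Where NGINX sends `path`: upstream URL, whether that hop is encrypted,
    and whether proxy_cache is explicitly switched off for it.
    legacy=True replays the old config (plain HTTP to NodePort 30301)."""
    if CUSTOMIZER_RE.match(path):
        if legacy:
            return {"upstream": f"http://{CONNECTIONS_HOST}:30301", "tls": False, "proxy_cache_off": False}
        return {"upstream": f"https://{CUSTOMIZER_HOST}:32443", "tls": True, "proxy_cache_off": False}
    if WAS_DIRECT_RE.match(path):
        return {"upstream": f"https://{WAS_HOST}", "tls": True, "proxy_cache_off": True}
    return {"upstream": f"https://{WAS_HOST}", "tls": True, "proxy_cache_off": False}


def redirect_ok(location: str) -> bool:
    """A login/logout redirect must land on the Connections hostname.
    Without X-Forwarded-Host set to it, the redirect points at the customizer
    alias; a relative Location (no host) keeps the browser where it was."""
    host = urlsplit(location).hostname
    return host is None or host.lower() == CONNECTIONS_HOST


if __name__ == "__main__":
    for p in ("/files/customizer/app.js", "/files/form/api/documents", "/homepage", "/newsletter"):
        print(p, "->", route(p, legacy=True)["upstream"], "=>", route(p)["upstream"])
    # Constructed redirect as seen after logout with X-Forwarded-Host missing.
    print(redirect_ok(f"https://{CUSTOMIZER_HOST}/homepage/web/updates"))  # False
```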
So now we have secured Redis with SSH tunnels, IHS Proxy_Pass to Component Pack Ingress and Customizer.
The part of enabling ingress and IHS forwarding is officially documented now: Enabling secure traffic to the ingress controller