Customizing Edge-LB templates

ENTERPRISE

How to customize Edge-LB load balancing by modifying templates.

Edge-LB uses templates to configure load balancing settings. This tutorial illustrates how you can create a custom haproxy template for Edge-LB to support Basic authentication.

In this tutorial, you use settings in the custom haproxy template to create at a simple userlist that defines the authenticated and authorized users who are allowed access using frontend and backend configuration settings.

Before you begin

  • You must have an active and properly-configured DC/OS Enterprise cluster.
  • You must have Edge-LB installed as described in the Edge-LB installation instructions.
  • You must have the edgelb command-line interface (CLI) installed.

Create a custom template

To create a custom template for Basic authentication:

  1. Install Edge-LB as described Installing Edge-LB.

  2. Create an Edge-LB pool as described in Expose and load balance a service.

  3. Fetch the template for the Edge-LB pool you created in the previous step and save it to a file named haproxy.tmpl by running the following command:

    dcos edgelb template show <pool-name> > haproxy.tmpl

    For example, if the pool you created was ping-lb, you would run the following command:

    dcos edgelb template show ping-lb > haproxy.tmpl

  4. Open the haproxy.tmpl template you created in the previous step in a text editor.

  5. Modify the haproxy.tmpl file to create a basic-auth user list with user names and passwords for a set of regular and administrative users.

    For example:

    userlist basic-auth
  group regular-users
  group admin-users

  user admin  password ASYRtiLFCipT6 groups admin-users
  user drew password n5se4LwUfAW1sqA groups regular-users
  user luz password x18R29iAdV/$1QU groups regular-users
  user guest insecure-password guestpassword

  6. Create an access control list (ACL) rule inside of the backend section for the users and groups you defined in the userlist who are allowed to access the load balanced service.

    For example:

    acl example-auth http_auth(basic-auth)
http-request auth realm example unless example-auth

  7. Create an access control list (ACL) rule inside backend section to grant different access rights to users who belong to the admin-users group that you defined in the userlist.

    For example:

    acl itadmin-auth http_auth_group(basic-auth) admin-users
http-request auth realm itadmin unless itadmin-auth

  8. Create additional access control list (ACL) rules inside frontend section to grant limited access to the users who do not belong to the admin-users or regular-users groups that you defined in the userlist.

    For example:

    acl guest-users hdr_dom(host) -i guest.example.org
acl basic-auth-user http_auth(basic-auth)
acl basic-auth-user-with-group  http_auth_group(basic-auth) admin-users regular-users
http-request auth realm guest if guest-users !basic-auth-user OR guest-users basic-auth-user-with-group
use_backend web-guest-production if guest-users

  9. Verify your user list and the access control rules you have set for the frontend and backend sections.

    For example:

    userlist basic-auth
  group regular-users
  group admin-users

  user admin password ASYRtiLFCipT6 groups admin-users
  user drew password n5se4LwUfAW1sqA groups regular-users
  user luz password x18R29iAdV/$1QU groups regular-users
  user guest insecure-password guestpassword

frontend web
  bind :80
  #bind :443 ssl crt /etc/ssl/cert/

  option httplog
  log /dev/log local0 debug

  option forwardfor except 127.0.0.1
  option forwardfor header X-Real-IP

  #redirect scheme https code 301 if !{ ssl_fc }

  # ACL rule for general access for users defined in backend
  acl example hdr_dom(host) -i example.org
  use_backend web-example-production if example

  # ACL rule for admin-users group member defined in the backend
  acl itadmin hdr_dom(host) -i itadmin.example.org
  use_backend web-example-production if itadmin

  # ACL rules for guests who are not admin-users or regular-users
  acl guest-users hdr_dom(host) -i guest.example.org
  acl basic-auth-user http_auth(basic-auth)
  acl basic-auth-user-with-group  http_auth_group(basic-auth) admin-users regular-users
  http-request auth realm guest if guest-users !basic-auth-user OR guest-users basic-auth-user-with-group
  use_backend web-guest-production if guest-users

backend web-example-production
  acl example-auth http_auth(basic-auth)
  http-request auth realm example unless example-auth

  mode http
  server example 10.0.10.15:80

backend web-itadmin-production
  acl itadmin-auth http_auth_group(basic-auth) admin-users
  http-request auth realm itadmin unless itadmin-auth

  mode http
  server itadmin 10.0.10.16:80

backend web-guest-production
  mode http
  server guest 10.0.10.17:80

  10. Update the Edge-LB pool to use the custom template by running a command similar to the following:

    dcos edgelb template update <pool-name> haproxy.tmpl

    For example, if the pool is ping-lb, you would run the following command:

    dcos edgelb template update ping-lb haproxy.tmpl