Giter Site home page Giter Site logo

hello-nginx-docker's Introduction


This repository provides some helper applications and configurations for testing TLS termination in the OpenShift enviroment. It is meant for testing purposes only, the certificates contained within this project are not valid.

It is important to note that routing for beta 1 relies on SNI for custom certificate delivery. In future iterations it is planned to be able to offer custom frontend implementations which will allow applications to serve non-sni traffic with custom certificates.

Building the docker image

docker build -t pweil/hello-nginx-docker .

Verifying the docker image

docker run pweil/hello-nginx-docker
docker ps
docker inspect <container id> | grep IP
# at this point you need to put a hosts entry in /etc/hosts for the docker container that is being run
# or you will receive an error from curl that the requested domain does not match the certificate
curl --cacert certs/mypersonalca/certs/ca.pem

Hello World

# you may also view the certificate being served with openssl
openssl s_client -connect | grep example
... lines removed for clarity ...
subject=/[email protected]/O=Example/OU=Example
issuer=/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/[email protected]

Testing with OpenShift V3 routing beta1

UC 1: non ssl enabled application

# clone openshift and start the vagrant environment
[pweil@localhost origin]$ vagrant up
# enter the vagrant machine
[pweil@localhost origin]$ vagrant ssh
Last login: Thu Oct 30 18:18:12 2014 from
[vagrant@openshiftdev ~]$ cd /data/src/

# build the base images (not necessary if they have been pushed to the openshift repository, as of writing they
# had not been pushed. This step may take a while to download images.
[vagrant@openshiftdev origin]$ hack/

# build the openshift release and build the openshift images
[vagrant@openshiftdev origin]$ hack/ && hack/

# add the build path and start openshift.  You can start this in the background or open another window and
# add the path to your new session as well
[vagrant@openshiftdev origin]$ export PATH=${ORIGIN_BASE}/_output/local/bin/linux/amd64:$PATH
[vagrant@openshiftdev origin]$ sudo /data/src/ start --loglevel=4

# If running in https mode, ensure openshift cli can authenticate
[vagrant@openshiftdev origin]$ sudo chmod a+r openshift.local.certificates/admin/*
[vagrant@openshiftdev origin]$ export KUBECONFIG=/data/src/
[vagrant@openshiftdev origin]$ export OPENSHIFT_CA_DATA=$(</data/src/

# deploy the router, non-secure pod, service, and route.  If running in non-https mode please adjust the url accordingly
[vagrant@openshiftdev origin]$ hack/ router
Creating router file and starting pod...
[vagrant@openshiftdev origin]$ openshift cli get pods
POD                 CONTAINER(S)                   IMAGE(S)                          HOST                  LABELS              STATUS
router              origin-haproxy-router-router   openshift/origin-haproxy-router   openshiftdev.local/   <none>              Running

[vagrant@openshiftdev ~]$ cd
[vagrant@openshiftdev ~]$ git clone
# starting the pod may take a while, it must download the container
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/nginx_pod.json pods
[vagrant@openshiftdev ~]$ openshift cli get pods
POD                  CONTAINER(S)                   IMAGE(S)                          HOST                  LABELS                    STATUS
router               origin-haproxy-router-router   openshift/origin-haproxy-router   openshiftdev.local/   <none>                    Running
hello-nginx-docker   hello-nginx-docker-pod         pweil/hello-nginx-docker          openshiftdev.local/   name=hello-nginx-docker   Running

[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/unsecure/service.json
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/unsecure/route.json
[vagrant@openshiftdev ~]$ curl -H
Hello World

# the below steps are for in depth testing/demonstration purposes only and aren't necessarily required
# to satisy the qa environment

# find the docker container running the router and enter it
[vagrant@openshiftdev ~]$ docker ps
[vagrant@openshiftdev ~]$ docker inspect 71ef | grep Pid
    "Pid": 5686,
[vagrant@openshiftdev ~]$ sudo nsenter -m -u -n -i -p -t 5686
[root@router /]# cd /var/lib/containers/router/

# view the created router state
[root@router router]# cat routes.json
  "hello-nginx": {
    "Name": "hello-nginx",
    "EndpointTable": {
      "": {
        "ID": "",
        "IP": "",
        "Port": "80"
    "ServiceAliasConfigs": {
      "": {
        "Host": "",
        "Path": "",
        "TLSTermination": "",
        "Certificates": null

 .... removed for clarity ...

[root@router conf]# cd /var/lib/haproxy/conf

# view the created http backend
[root@router conf]# cat haproxy.config
.... removed for clarity ....
backend be_http_hello-nginx
  mode http
  balance leastconn
  timeout check 5000ms
  server hello-nginx check inter 5000ms

[root@router conf]# exit

UC 2: Edge terminated route with custom cert

This use case assumes that you are starting from the ending point of UC 1 and will demonstrate using both an unsecure and secure route together.

[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/edge/route.json

# verify the certificate is being served correctly by the router
[vagrant@openshiftdev ~]$ openssl s_client -servername -connect | grep 'subject\|issuer'
depth=1 C = US, ST = SC, L = Default City, O = Default Company Ltd, OU = Test CA, CN =, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
subject=/[email protected]/O=Example/OU=Example
issuer=/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/[email protected]

# verify hello world
[vagrant@openshiftdev ~]$ curl --resolve --cacert hello-nginx-docker/certs/mypersonalca/certs/ca.pem
Hello World

UC 3: Passthrough termination

This use case assumes that you are starting with an empty OpenShift environment and demonstrates a secure, pod terminated route. Prior to running this use case it is assumed you have built and started OpenShift.

# install the router
[vagrant@openshiftdev origin]$ hack/ router
Creating router file and starting pod...

[vagrant@openshiftdev origin]$ openshift cli get pods
POD                 CONTAINER(S)                   IMAGE(S)                          HOST                  LABELS              STATUS
router              origin-haproxy-router-router   openshift/origin-haproxy-router   openshiftdev.local/   <none>              Running

# install the pod
[vagrant@openshiftdev origin]$ cd
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/nginx_pod.json

[vagrant@openshiftdev ~]$ openshift cli get pods
POD                  CONTAINER(S)                   IMAGE(S)                          HOST                  LABELS                    STATUS
router               origin-haproxy-router-router   openshift/origin-haproxy-router   openshiftdev.local/   <none>                    Running
hello-nginx-docker   hello-nginx-docker-pod         pweil/hello-nginx-docker          openshiftdev.local/   name=hello-nginx-docker   Running

# install the service and route
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/passthrough/service.json
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/passthrough/route.json

# validate the certificate being served
[vagrant@openshiftdev ~]$ openssl s_client -servername -connect | grep 'subject\|issuer'
depth=1 C = US, ST = SC, L = Default City, O = Default Company Ltd, OU = Test CA, CN =, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
subject=/[email protected]/O=Example/OU=Example
issuer=/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/[email protected]

# validate the response
[vagrant@openshiftdev ~]$ curl --resolve --cacert hello-nginx-docker/certs/mypersonalca/certs/ca.pem
Hello World

# in depth review
[vagrant@openshiftdev ~]$ sudo nsenter -m -u -n -i -p -t <pid of your router container>
[root@router /]# cd /var/lib/haproxy/conf

# map indicating that translates the host name (via sni) to the backend name
[root@router conf]# cat hello-nginx-secure

# map indicating that this route should be treated as a passthrough (by using the
[root@router conf]# cat 1

# tcp backend created for the service
[root@router conf]# vi haproxy.config
... removed for clarity ...
frontend public_ssl
  bind :443
    tcp-request  inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
    acl sni req.ssl_sni -m found
    acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/ -m found
    use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/] if sni sni_passthrough

... removed for clarity ...
backend be_tcp_hello-nginx-secure
  balance leastconn
  timeout check 5000ms
  server hello-nginx-secure check inter 5000ms

UC 4: Reencrypt termination

This use case assumes that you are starting with an empty OpenShift environment. Prior to running this use case it is assumed you have built and started OpenShift.

# install the router
[vagrant@openshiftdev origin]$ hack/ router
Creating router file and starting pod...

# install the pod, service, and route
[vagrant@openshiftdev origin]$ cd
[vagrant@openshiftdev ~]$ git clone
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/nginx_pod.json
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/reencrypt/service.json
[vagrant@openshiftdev ~]$ openshift cli create -f hello-nginx-docker/openshift/reencrypt/route.json

# verify the pod certificate is
[vagrant@openshiftdev ~]$ openshift cli get pod hello-nginx-docker -o json | grep podIP

[vagrant@openshiftdev ~]$ openssl s_client -connect | grep 'subject\|issuer'
depth=1 C = US, ST = SC, L = Default City, O = Default Company Ltd, OU = Test CA, CN =, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
subject=/[email protected]/O=Example/OU=Example
issuer=/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/[email protected]

# verify the route certificate is
[vagrant@openshiftdev ~]$ openssl s_client -connect -servername | grep 'subject\|issuer'
depth=1 C = US, ST = SC, L = Default City, O = Default Company Ltd, OU = Test CA, CN =, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
subject=/[email protected]/O=Example2/OU=Example2
issuer=/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/[email protected]

# verify the output of the route to ensure connectivity
# first, create a host entry for in /etc/hosts similar to the use cases above
[vagrant@openshiftdev ~]$ curl --resolve --cacert hello-nginx-docker/certs/mypersonalca/certs/ca.pem
Hello World

# in depth review
[vagrant@openshiftdev ~]$ sudo nsenter -m -u -n -i -p -t <pid of your router container>
[root@router /]# cd /var/lib/haproxy/conf

# the haproxy.conf relevant to termination + reencryption
[root@router conf]# cat haproxy.config
... removed for clarity ...
frontend fe_sni
   # terminate ssl on edge
   bind ssl crt /var/lib/containers/router/certs accept-proxy
   mode http

   # re-ssl?
   acl reencrypt hdr(host),map(/var/lib/haproxy/conf/ -m found
   use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/] if reencrypt

   # regular http
   use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/] if TRUE

   default_backend openshift_default

... removed for clarity ...
backend be_secure_hello-nginx-secure
  balance leastconn
  timeout check 5000ms
  server hello-nginx-secure ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/www.example2.com_pod.pem

# the reencryption mapping that signals a secure tcp backend should be used
[root@router conf]# cat 1

# the mapping of host -> backend
[root@router conf]# cat hello-nginx-secure

Path based routes

Path based route examples rely on some of the existing services that were created in the use cases above. These examples assume that you have your router and nginx pod installed and running.

# Create the unsecure service if necessary
[vagrant@openshiftdev unsecure]$ osc create -f service.json
[vagrant@openshiftdev unsecure]$ osc create -f route_path.json

# Curling the host itself should not return succesfully
[vagrant@openshiftdev unsecure]$ curl --resolve
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.

# Curling the path should work
[vagrant@openshiftdev unsecure]$ curl --resolve
Hello World Test

[vagrant@openshiftdev unsecure]$ cd ../edge/

# Edge terminated example
[vagrant@openshiftdev edge]$ osc create -f route_path.json

# Curling the host itself should not return succesfully
[vagrant@openshiftdev edge]$ curl -k --resolve
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.

# Curling the path should work
[vagrant@openshiftdev edge]$ curl -k --resolve
Hello World Test

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.