Over the past several weeks, I’ve struggled with exposing my internal MAS 8 environment as a public-facing application. After countless hours of research and experimentation, the solution turned out to be quite simple. If you are using a similar SNO configuration, this solution should make your internal SNO environment available as a public-facing site.
Let’s baseline the MAS configuration and prerequisites:
- Bare metal SNO hosted on an internal VMware virtual machine
- When installing MAS, use the custom domain option – this is required or your instance will be configured to use IBM’s certificates (meaning a public cert secret will not be created)
- A Subject Alternative Name (or SAN) certificate, which includes an entry for each of the MAS/Manage subdomains (e.g., admin.instanceid.acme.com). It is advisable to include a wildcard entry (*.instanceid.acme.com).
- A Public DNS “A” record for your base domain - (instanceid.acme.com)
- Public DNS (CNAME) entries for each of the MAS/Manage subdomains (admin, api, auth, home) mapped to the A record base domain.
- To access the cluster console, include a DNS entry for the console (e.g., console-openshift-console.apps.instanceid.acme.com)
- Your network administrator will need to configure routing from your public IP address to the internal proxy server. Please work with your internal networking team on this process.
Configuring the Reverse-Proxy Server
With the MAS prerequisites addressed, let’s move on to making your SNO environment public-facing. Contrary to a number of articles available online, no additional configuration within the SNO cluster is required.
The magic happens by using a locally hosted reverse proxy server. Options might include Apache or Nginx. While it might be possible to make this work with Apache, Nginx was the solution I was able to configure successfully.
So, first things first – get a hold of a Linux-based Nginx web server. The next step is to build the necessary configuration files. Two configuration files were created: the first contains the server configuration for each subdomain, and the second contains the common SSL configuration.
server.conf
server {
    access_log /etc/nginx/log/admin.instanceid.tld-access.log;
    error_log /etc/nginx/log/admin.instanceid.tld-error.log;
    server_name admin.instanceid.tld;
    location / {
        # TLS to the SNO node; nginx does not verify the upstream certificate unless proxy_ssl_verify is on
        proxy_pass https://<node address.tld>:443;
        # Preserve the requested hostname so the OpenShift router can select the matching route
        proxy_set_header Host $host;
        # X-Forwarded-For carries the client IP chain, not a URL
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    listen *:443 ssl http2;
    # Certificate and key directives shared by every server block
    include /etc/nginx/conf.d/common.conf;
    # The location must match the URI named in error_page
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
server {
    access_log /etc/nginx/log/auth.instanceid.tld-access.log;
    error_log /etc/nginx/log/auth.instanceid.tld-error.log;
    server_name auth.instanceid.tld;
    location / {
        proxy_pass https://<node address.tld>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    listen *:443 ssl http2;
    include /etc/nginx/conf.d/common.conf;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
server {
    access_log /etc/nginx/log/api.instanceid.tld-access.log;
    error_log /etc/nginx/log/api.instanceid.tld-error.log;
    server_name api.instanceid.tld;
    location / {
        proxy_pass https://<node address.tld>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    listen *:443 ssl http2;
    include /etc/nginx/conf.d/common.conf;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
server {
    access_log /etc/nginx/log/pwmasdev.manage.instanceid.tld-access.log;
    error_log /etc/nginx/log/pwmasdev.manage.instanceid.tld-error.log;
    server_name pwmasdev.manage.instanceid.tld;
    location / {
        proxy_pass https://<node address.tld>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    listen *:443 ssl http2;
    include /etc/nginx/conf.d/common.conf;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
server {
    access_log /etc/nginx/log/home.instanceid.tld-access.log;
    error_log /etc/nginx/log/home.instanceid.tld-error.log;
    server_name home.instanceid.tld;
    location / {
        proxy_pass https://<node address.tld>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    listen *:443 ssl http2;
    include /etc/nginx/conf.d/common.conf;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
Note: A server block is required within the “server.conf” file for each public DNS record created in the prerequisite steps
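Every `server_name` above has to be covered by a SAN entry, and a wildcard only covers one label: `*.instanceid.tld` matches `admin.instanceid.tld` but not `pwmasdev.manage.instanceid.tld`. The following check is an added example, not part of the original article; the sample configuration and SAN list are constructed from the page's placeholder names, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed server.conf using the page's placeholder hostnames.
SAMPLE_CONF = """
server {
    server_name admin.instanceid.tld;
}
server {
    server_name pwmasdev.manage.instanceid.tld;   # two labels below the base domain
}
server {
    server_name home.instanceid.tld api.instanceid.tld;
}
"""

# Constructed SAN list, as it could be read from the certificate
# (for example with: openssl x509 -noout -ext subjectAltName -in cert.pem).
SAMPLE_SANS = ["instanceid.tld", "*.instanceid.tld", "admin.instanceid.tld"]


def server_names(conf_text):
    """Return every hostname listed in server_name directives, ignoring comments."""
    text = re.sub(r"#[^\n]*", "", conf_text)
    names = []
    for args in re.findall(r"\bserver_name\s+([^;]+);", text):
        names.extend(args.split())
    return names


def san_matches(hostname, san):
    """RFC 6125 style match: '*' stands for exactly one left-most label."""
    host, pattern = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    host_labels, pattern_labels = host.split("."), pattern.split(".")
    return (len(host_labels) == len(pattern_labels)
            and host_labels[1:] == pattern_labels[1:])


def uncovered_names(conf_text, sans):
    """Hostnames served by the proxy that no SAN entry covers."""
    return [name for name in server_names(conf_text)
            if not any(san_matches(name, san) for san in sans)]


if __name__ == "__main__":
    for name in uncovered_names(SAMPLE_CONF, SAMPLE_SANS):
        print(f"not covered by certificate: {name}")
```

Adding an explicit SAN for the Manage hostname, or a second wildcard such as `*.manage.instanceid.tld`, clears the finding in the sample.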
common.conf
Note: if you are sharing the Nginx server with other sites, some entries in the “common.conf” file may result in an error when restarting the Nginx service. The minimum required entries are “ssl_certificate” and “ssl_certificate_key”.
If the Nginx server is shared, then it is possible to eliminate the “common.conf” file and add the “ssl_certificate” and “ssl_certificate_key” directives directly into each server block in the “server.conf” file.

Once the configuration files are in place, restart your Nginx server process. Your internal SNO MAS environment should now resolve as a public facing application.