How can I use HAProxy to connect to tentacles that aren't publicly accessible?

I have a number of virtual machines running Listening Tentacles that I want to connect to. They are on a private network accessible only through the VM host.

I also have HAProxy installed on the VM host. Can I connect to the Tentacles through HAProxy?

Configuring HAProxy

Note: I am not an HAProxy expert. This solution is an example and may require more configuration before it is ready for a production environment.

Starting configuration:

  • HAProxy is running on hostname octavius.lan
  • DNS entries are set up for each tentacle that point to the same IP as octavius.lan
    • These are the octofx-*.lan domain names used in the config below
    • These entries are on the network that hosts the Octopus server. This is what allows the Octopus server to map the octofx-*.lan domain name to the HAProxy server.
  • The tentacles have local hostnames that they are referenced by on the HAProxy side.
    • These are the names like octofx-web-development used in the backends.
    • These can also be the internal IP addresses.

Add a frontend similar to this to your haproxy.cfg:

frontend tentacle
        bind *:10933
        mode tcp
        option tcplog

        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        acl octofx_worker req.ssl_sni -i octofx-worker.lan
        acl octofx_development_web req.ssl_sni -i octofx-development-web.lan
        acl octofx_test_web req.ssl_sni -i octofx-test-web.lan
        acl octofx_production_web1 req.ssl_sni -i octofx-production-web1.lan
        acl octofx_production_web2 req.ssl_sni -i octofx-production-web2.lan
        acl octofx_production_service req.ssl_sni -i octofx-production-service.lan

        use_backend octofx_worker_tentacle if octofx_worker
        use_backend octofx_development_web_lan if octofx_development_web
        use_backend octofx_test_web_lan if octofx_test_web
        use_backend octofx_production_web1_lan if octofx_production_web1
        use_backend octofx_production_web2_lan if octofx_production_web2
        use_backend octofx_production_service_lan if octofx_production_service

This sets up HAProxy to listen on port 10933. It will inspect the domain name via req.ssl_sni and then route the request to the appropriate backend. It is possible to use a map instead of listing each backend individually.

The backends for each tentacle will look similar to this:

backend octofx_development_web_lan
        mode tcp

        server octofx_development_web_tentacle 172.28.128.100:10933

This forwards the request to the correct domain or IP and port for the tentacle.

The tcp and tcplog values in the settings are necessary for the SSL connection to pass through.

Configuring the Target in Octopus

When configuring a target in Octopus that is behind HAProxy, there is no extra configuration needed. Enter the hostname and port that will be used to connect through HAProxy. HAProxy will route the request to the target based on your configuration.

For example, with the configuration above, I would use the hostname octofx-development-web.lan and port 10933. When the request reaches HAProxy, it will forward the request to the tentacle at 172.28.128.100:10933.
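As an added example (not code from the post or from Octopus Deploy), the following Python script generates a frontend and backends in the layout shown above from a table of SNI hostnames and tentacle addresses, and rejects names that would corrupt the config or collide once turned into backend names. The hostnames and addresses in TENTACLES are constructed for the example.

```python
import re

# Constructed inventory (not from the post): SNI name the Octopus server dials -> tentacle address.
TENTACLES = {
    "octofx-worker.lan": "octofx-worker:10933",
    "octofx-development-web.lan": "172.28.128.100:10933",
    "octofx-production-web1.lan": "172.28.128.101:10933",
}

# DNS-style labels only; anything else would corrupt the generated acl/server lines.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

def backend_name(sni):
    # octofx-development-web.lan -> octofx_development_web_lan, as in the answer above
    return re.sub(r"[^a-z0-9]", "_", sni.lower())

def split_target(target):
    # Validate "host:port" (hostname or IPv4) and return (host, port).
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad target {target!r}: expected host:port")
    if not HOSTNAME_RE.match(host.lower()):
        raise ValueError(f"bad host {host!r}")
    return host, int(port)

def render_haproxy_cfg(tentacles, listen_port=10933):
    # Emit the frontend plus one backend per tentacle, in the layout used above.
    front = [
        "frontend tentacle",
        f"        bind *:{listen_port}",
        "        mode tcp",
        "        option tcplog",
        "",
        "        tcp-request inspect-delay 5s",
        "        tcp-request content accept if { req_ssl_hello_type 1 }",
        "",
    ]
    routes, backs, seen = [], [], set()
    for sni, target in tentacles.items():
        name = backend_name(sni)
        if not HOSTNAME_RE.match(sni.lower()) or name in seen:
            raise ValueError(f"invalid or colliding SNI name {sni!r}")
        seen.add(name)
        host, port = split_target(target)
        front.append(f"        acl sni_{name} req.ssl_sni -i {sni}")
        routes.append(f"        use_backend {name} if sni_{name}")
        backs += ["", f"backend {name}", "        mode tcp", "",
                  f"        server {name}_tentacle {host}:{port}"]
    # No default_backend on purpose: a hello whose SNI matches nothing is closed, not forwarded.
    return "\n".join(front + [""] + routes + backs) + "\n"
```

Write the result into haproxy.cfg and validate it with haproxy -c -f haproxy.cfg before reloading.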