Closed DACRepair closed 4 years ago
Hello,
Thanks for the pull request!
However, two points on this: first, this adds an environment variable, while the goal of the project is to use Rancher service labels as much as possible, and second, it is doing the exact same thing as rap.le_bypass, except that rap.le_bypass enables ACME access only for one service to limit risk or error.
Is it the same? Or is there another use case I don't see?
Anyway, thanks a lot for your contribution, and do not hesitate to push any update/change you can make!
I see the le_bypass creates a bypass in the HTTP redirect part of the template. This would allow for non-handled domains (by the instance with the flag) to pass through to a specified server so that it can handle them. In my use case it would allow for a RAP that is not touching the internet to request LE certs as well.
Still not sure I understand your issue. What is your setup:
A ( connected to internet / external proxy)
||
B ( RAP instance )
|| ~~ || ~~ ||
S1 ~ S2 ~ S3( Services )
Is that your setup?
Basically yes. Imagine 2 of those diagrams running side by side, but only one "A" is ported out to the internet. It allows for ACME signing requests to forward through to the other instance (because the template only generates non-503 responses for configured addresses). I have also made it so that if you do not configure this, it will leave the template as normal.
Merged in GitLab
Added the "ACME_INTERNAL" env to pipe ACME requests to other RAP instances (i.e. using RAP_NAME).
Note: a shared / sync'd folder should be used for Let's Encrypt data for best results.