How to set a HAproxy on top of Juju controller GUI

Setting HAproxy on top of Juju controller GUI has several advantages:

• It lets you to apply SSL certificates to Juju gui, which is not possible on embedded JUJU gui;
• It lets you to access the GUI via https://gui_hostname, instead of https://gui_hostname:17070/gui;
• It can be configured as a loadbalancer when the controller is made of several state servers in HA.

Setup instructions follow.

Deploy HAproxy server

Deploy a new machine in the model controller:

juju switch controller
juju deploy ubuntu gui-proxy
juju ssh gui-proxy/0
sudo apt-get update;sudo apt-get install haproxy

Configure HAproxy

Edit /etc/haproxy/haproxy.cfg and add the following lines:

frontend gui
   mode http
   bind *:80
   bind *:443 ssl crt /etc/haproxy/ssl.pem
   acl http ssl_fc,not
   acl gui_match path /
   http-request redirect scheme https if http
   http-request redirect prefix /dashboard append-slash if gui_match
   default_backend juju_api

backend juju_api
   mode http
   balance roundrobin
   server juju_controller_1 $CTRL_1_PRIVATE_ADDRESS:17070 check ssl verify none
   server juju_controller_2 $CTRL_2_PRIVATE_ADDRESS:17070 check ssl verify none
   ...

N.B. for older controllers (namely on Ubuntu 18) in the frontend gui section the second http-request line is:

http-request redirect prefix /gui append-slash if gui_match

Add SSL certificate

Request a SSL certificate for gui_hostname and copy its public and private key in /etc/haproxy/haproxy.cfg:

cat gui_hostname.crt gui_hostname_hostkey.pem  > /etc/haproxy/ssl.pem

Finally, restart haproxy service:

service haproxy restart

Edit security group

Remember to open TCP ports 80 and 443 on HAproxy server to make it accessible from the outside world (by default Juju deployed servers are closed).