How to expose an application to the internet
Once you have an application with a Service, you can make it available from the internet using an Ingress. Creating an Ingress object will automatically configure our load balancer to send requests to your application.
For non-HTTP use cases, use a NodePort
Use this method to expose web applications via a domain name.
If you want direct access to a container from inside the NYU network, use a NodePort instead.
Load balancer information
Our load balancer uses the IP 216.165.12.42. The subdomains *.users.hsrn.nyu.edu will resolve to that IP. We also have a certificate which covers all those subdomains, so your application can benefit from HTTPS without further configuration.
Ingress defaults to NYU-only access
For security reasons, an Ingress only allows access to NYU networks. This includes the NYU VPN.
See how to allow public access if you are certain you need it.
Using our load balancer with our domain
For example, to expose a Service called my-application with port 8000 at my-application.users.hsrn.nyu.edu, use the following Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-at-hsrn
  annotations:
    kubernetes.io/ingress.class: haproxy
    # The following 2 lines redirect HTTP traffic to HTTPS for you
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    # The following line records the user's IP address in the 'X-Forwarded-For' header
    haproxy.org/forwarded-for: "true"
spec:
  rules:
  - host: my-application.users.hsrn.nyu.edu
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # This is the name and port of your Service
            name: my-application
            port:
              number: 8000
```
Using our load balancer with your own domain
If you want to use another domain name, rather than users.hsrn.nyu.edu, you will have to point it at our IP address: 216.165.12.42. This is done using an A record. Depending on the registrar from whom you bought your domain, the procedure will be different, but they should all support this operation.
For example, to expose a Service called my-application with port 8000 at my-application.example.org, use the following Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-own-domain
  annotations:
    kubernetes.io/ingress.class: haproxy
spec:
  rules:
  - host: my-application.example.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # This is the name and port of your Service
            name: my-application
            port:
              number: 8000
```
If you have a TLS certificate for your domain, you can upload it to the cluster as a Secret:
You can then use it in your Ingress to enable HTTPS:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-own-domain
  annotations:
    kubernetes.io/ingress.class: haproxy
    # The following 2 lines redirect HTTP traffic to HTTPS for you
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    # The following line records the user's IP address in the 'X-Forwarded-For' header
    haproxy.org/forwarded-for: "true"
spec:
  rules:
  - host: my-application.example.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # This is the name and port of your Service
            name: my-application
            port:
              number: 8000
  tls:
  - hosts:
    - my-application.example.org
    secretName: my-application.example.org
```
Access control
By default, ingresses allow access from NYU networks.
Password authentication
You can require a password to access your ingress using the following annotations:
```yaml
metadata:
  annotations:
    ...
    # Use password authentication
    haproxy.org/auth-type: basic-auth
    haproxy.org/auth-secret: my-application-ingress-password
```
Create the corresponding secret with the following manifest:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-application-ingress-password
stringData:
  username: $2y$05$NdhtDwim4PFy0/lBVU2dBOkNmD/.IKcbacQ4ECy3FYXVnX1IRY.Ka
  anotheruser: $2y$05$Duchp5Lwmwy0BJU.0xsZ7eZTRPvc5wVxFmwKcQeqt6LTXLyzy84mq
```
You can generate the hashed password using the htpasswd tool:
```
$ htpasswd -n -B username
New password:
Re-type new password:
username:$2y$05$NdhtDwim4PFy0/lBVU2dBOkNmD/.IKcbacQ4ECy3FYXVnX1IRY.Ka
```
Note the space after :
YAML syntax requires you to put a space after the colon : in the secret. The htpasswd command outputs a colon and no space. Don't forget to add it.
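The colon-without-space pitfall above is easy to automate away. The following script is an added example (it is not part of the cluster documentation or tooling): it reads lines exactly as htpasswd -n -B prints them, checks that each hash is a bcrypt hash (the docs generate hashes with -B, so anything else is treated as a mistake; that strictness is this example's assumption, not a documented requirement of the load balancer) and that each username is a valid Secret key, and emits the Secret manifest with the space after the colon already in place. The sample input is constructed from the two hashes shown on this page.

```python
"""Convert `htpasswd -n -B user` output into the Secret manifest used by the
basic-auth Ingress annotations. Added example, not the cluster's own tooling."""
import re
import sys

# Constructed sample input: two lines as printed by `htpasswd -n -B`
# (colon, no space). The hashes are the ones shown in the docs' example.
HTPASSWD_OUTPUT = """\
username:$2y$05$NdhtDwim4PFy0/lBVU2dBOkNmD/.IKcbacQ4ECy3FYXVnX1IRY.Ka
anotheruser:$2y$05$Duchp5Lwmwy0BJU.0xsZ7eZTRPvc5wVxFmwKcQeqt6LTXLyzy84mq
"""

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, 2-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Kubernetes only accepts alphanumerics, '-', '_' and '.' in Secret data keys,
# and the username becomes a stringData key.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_htpasswd(text):
    """Return {username: bcrypt_hash}; raise ValueError on anything suspicious."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'user:hash'")
        user, _, digest = line.partition(":")
        if not SECRET_KEY_RE.match(user):
            raise ValueError(f"line {lineno}: {user!r} is not a valid Secret key")
        if not BCRYPT_RE.match(digest):
            # Assumption of this example: only bcrypt (htpasswd -B) is accepted.
            raise ValueError(
                f"line {lineno}: hash for {user!r} is not bcrypt; regenerate with 'htpasswd -n -B'")
        if user in users:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        users[user] = digest
    return users


def secret_manifest(name, users):
    """Render the Secret the haproxy.org/auth-secret annotation points at."""
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}", "stringData:"]
    for user, digest in sorted(users.items()):
        # The space after the colon is what YAML needs and htpasswd omits.
        lines.append(f"  {user}: {digest}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: htpasswd -n -B alice >> users.txt; python3 this.py < users.txt > secret.yaml
    source = sys.stdin.read() if not sys.stdin.isatty() else HTPASSWD_OUTPUT
    sys.stdout.write(secret_manifest("my-application-ingress-password", parse_htpasswd(source)))
```

Pipe the script's output into kubectl apply -f -, and point haproxy.org/auth-secret at the manifest's metadata.name.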
Allowing access from the internet
By default, an Ingress only allows access from NYU networks.
You can allow access from the whole internet using the following annotation.
Do NOT let unknown users access sensitive data or services
With great power comes great responsibility. You have been provided with a way to run services in a self-service manner. You will lose access and be held responsible if you let untrusted users into our systems.
For example, make sure not to let unknown users execute commands or run code on our cluster. This includes running JupyterHub or Notebook, RStudio, remote desktops, proxy servers, etc. Abide by the Policy on Responsible Use of NYU Computers and Data.
Consider keeping services accessible to NYU users only (this will automatically include users on the NYU VPN) or locked behind a strong password.
```yaml
# Only enable for safe sites that
# don't allow running commands and don't disclose sensitive data
hpc.nyu.edu/access: "public"
```
You can allow specific IP addresses and prefixes using this annotation:
Please use public internet access responsibly. In the future, we may need to block this feature if security is not taken seriously by everyone. Remember, it is better to take 2 minutes before your deadline to set up a password or IP whitelist, than have your site come down during your demo because security caught you.
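Before opening an Ingress to the internet it is worth checking it against the rules on this page. The script below is an added example, not a check the cluster performs: given an Ingress as kubectl get ingress NAME -o json prints it, it flags an hpc.nyu.edu/access: "public" annotation that is not paired with haproxy.org/auth-type: basic-auth, a basic-auth setting with no haproxy.org/auth-secret, a missing HTTP-to-HTTPS redirect, and a host outside *.users.hsrn.nyu.edu that has no tls entry (and so no certificate). It assumes hpc.nyu.edu/access lives under metadata.annotations like the haproxy.org annotations. The two sample Ingress objects are constructed for the example.

```python
"""Audit an Ingress JSON object against the access-control rules of this page.
Added example; not a tool provided by the cluster."""
import json
import sys

NYU_SUFFIX = ".users.hsrn.nyu.edu"  # hosts here are covered by the shared certificate


def audit_ingress(ingress):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ann = meta.get("annotations") or {}
    spec = ingress.get("spec", {})

    hosts = [rule.get("host", "") for rule in spec.get("rules", [])]
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}

    # Assumption: the public-access switch sits in metadata.annotations.
    is_public = ann.get("hpc.nyu.edu/access") == "public"
    has_basic_auth = ann.get("haproxy.org/auth-type") == "basic-auth"

    if has_basic_auth and not ann.get("haproxy.org/auth-secret"):
        findings.append(f"{name}: auth-type is basic-auth but haproxy.org/auth-secret is missing")
    if is_public and not has_basic_auth:
        findings.append(f"{name}: reachable from the whole internet with no password")
    if ann.get("haproxy.org/ssl-redirect") != "true":
        findings.append(f"{name}: plain HTTP is not redirected to HTTPS")
    for host in hosts:
        if not host.endswith(NYU_SUFFIX) and host not in tls_hosts:
            findings.append(f"{name}: {host} is a custom domain with no tls entry (no certificate for HTTPS)")
    return findings


# Constructed sample: public, no password, custom domain, no certificate.
SAMPLE_PUBLIC_NO_AUTH = json.loads("""
{"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
 "metadata": {"name": "demo-public",
   "annotations": {"kubernetes.io/ingress.class": "haproxy",
                   "hpc.nyu.edu/access": "public"}},
 "spec": {"rules": [{"host": "demo.example.org",
   "http": {"paths": [{"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "demo", "port": {"number": 8000}}}}]}}]}}
""")

# Constructed sample: public but password-protected, on the shared domain, HTTPS enforced.
SAMPLE_PROTECTED = json.loads("""
{"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
 "metadata": {"name": "demo-protected",
   "annotations": {"kubernetes.io/ingress.class": "haproxy",
                   "haproxy.org/ssl-redirect": "true",
                   "haproxy.org/ssl-redirect-code": "301",
                   "haproxy.org/forwarded-for": "true",
                   "haproxy.org/auth-type": "basic-auth",
                   "haproxy.org/auth-secret": "demo-ingress-password",
                   "hpc.nyu.edu/access": "public"}},
 "spec": {"rules": [{"host": "demo.users.hsrn.nyu.edu",
   "http": {"paths": [{"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "demo", "port": {"number": 8000}}}}]}}]}}
""")


if __name__ == "__main__":
    # Usage: kubectl get ingress my-application-at-hsrn -o json | python3 this.py
    obj = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PUBLIC_NO_AUTH
    items = obj.get("items", [obj])  # also accepts `kubectl get ingress -o json` lists
    problems = [f for ing in items for f in audit_ingress(ing)]
    print("\n".join(problems) if problems else "no findings")
    sys.exit(1 if problems else 0)
```

Run it over kubectl get ingress -o json to sweep a whole namespace; a non-zero exit makes it usable as a pre-deploy gate.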