Skip to content

How to expose an application to the internet

Once you have an application with a Service, you can make it available from the internet using an Ingress. Creating an Ingress object will automatically configure our load-balancer to send requests to your application.

For non-HTTP use cases, use a NodePort

Use this method to expose web applications via a domain name.

If you want direct access to a containers from inside the NYU network, use a NodePort instead.

Load balancer information

Our load balancer uses the IP 216.165.12.42. The subdomains *.users.hsrn.nyu.edu will resolve to that IP. We also have a certificate which covers all those subdomains, so your application can benefit from HTTPS without further configuration.

Ingress defaults to NYU-only access

For security reasons, an Ingress only allows access to NYU networks. This includes the NYU VPN.

See how to allow public access if you are certain you need it.

Using our load balancer with our domain

For example, to expose a Service called my-application with port 8000 at my-application.users.hsrn.nyu.edu, use the following Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-at-hsrn
  annotations:
    kubernetes.io/ingress.class: haproxy
    # The following 2 lines redirect HTTP traffic to HTTPS for you
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    # The following line record the user's IP address in the 'X-Forwarded-For' header
    haproxy.org/forwarded-for: "true"
spec:
  rules:
    - host: my-application.users.hsrn.nyu.edu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # This is the name and port of your Service
                name: my-application
                port:
                  number: 8000

Using our load balancer with your own domain

If you want to use another domain name, rather than users.hsrn.nyu.edu, you will have to point it at our IP address: 216.165.12.42. This is done using an A record. Depending on the registrar from whom you bought your domain, the procedure will be different, but they should all support this operation.

For example, to expose a Service called my-application with port 8000 at my-application.example.org, use the following Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-own-domain
  annotations:
    kubernetes.io/ingress.class: haproxy
spec:
  rules:
    - host: my-application.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # This is the name and port of your Service
                name: my-application
                port:
                  number: 8000

If you have a TLS certificate for your domain, you can upload it to the cluster as a Secret:

$ kubectl create secret tls my-application.example.org --key privkey.pem --cert cert.pem

You can then use it in your Ingress to enable HTTPS:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-own-domain
  annotations:
    kubernetes.io/ingress.class: haproxy
    # The following 2 lines redirect HTTP traffic to HTTPS for you
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    # The following line record the user's IP address in the 'X-Forwarded-For' header
    haproxy.org/forwarded-for: "true"
spec:
  rules:
    - host: my-application.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # This is the name and port of your Service
                name: my-application
                port:
                  number: 8000
  tls:
    - hosts:
        - my-application.example.org
      secretName: my-application.example.org

Access control

By default, ingresses allow access from NYU networks.

Password authentication

You can require a password to access your ingress using the following annotations:

metadata:
  annotations:
    ...
    # Use password authentication
    haproxy.org/auth-type: basic-auth
    haproxy.org/auth-secret: my-application-ingress-password

Create the corresponding secret with the following manifest:

apiVersion: v1
kind: Secret
metadata:
  name: my-application-ingress-password
stringData:
  username: $2y$05$NdhtDwim4PFy0/lBVU2dBOkNmD/.IKcbacQ4ECy3FYXVnX1IRY.Ka
  anotheruser: $2y$05$Duchp5Lwmwy0BJU.0xsZ7eZTRPvc5wVxFmwKcQeqt6LTXLyzy84mq

You can generate the hashed password using the htpasswd tool:

$ htpasswd -n -B username
New password:
Re-type new password:
username:$2y$05$NdhtDwim4PFy0/lBVU2dBOkNmD/.IKcbacQ4ECy3FYXVnX1IRY.Ka

Note the space after :

YAML syntax requires you to put a space after the colon : in the secret. The htpasswd command outputs a colon and no space. Don't forget to add it.

Allowing access from the internet

By default, an Ingress only allows access from NYU networks.

You can allow access from the whole internet using the following annotation.

Do NOT let unknown users access sensitive data or services

With great power comes great responsibility. You have been provided access with a way to run services in a self-service manner. You will lose access and be held responsible if you let untrusted users into our systems.

For example, make sure not to enable unknown users execute commands or run code on our cluster. This includes running JupyterHub or Notebook, RStudio, remote desktops, proxy servers, etc. Abide by the Policy on Responsible Use of NYU Computers and Data.

Consider keeping services accessible to NYU users only (this will automatically include users on the NYU VPN) or locked behind a strong password.

# Only enable for safe sites that
# don't allow running commands and don't disclose sensitive data
hpc.nyu.edu/access: "public"

You can allow specific IP addresses and prefixes using this annotation:

haproxy.org/allow-list: "192.168.1.0, 192.168.1.4, 192.168.2.0/24"

Please use public internet access responsibly. In the future, we may need to block this feature if security is not taken seriously by everyone. Remember, it is better to take 2 minutes before your deadline to set up a password or IP allow-list, than have your site come down during your demo because security caught you.