Run sshd and openshift-router on the same port using HAProxy on CentOS7

TL;DHTTW (Don’t Have Time To Write 🙂 )

Turn off firewalld and only use iptables, because there are non-trivial interactions between the two that make stuff complicated:
sudo systemctl stop firewalld && sudo systemctl start iptables; sudo systemctl start ip6tables

oc cluster up --image=registry.access.redhat.com/openshift3/ose --version=v3.3 --metrics --routing-suffix=paas.mycompany.com --public-hostname=paas.mycompany.com --use-existing-config

Change router default port:

oc env dc/router ROUTER_SERVICE_HTTPS_PORT=9443

Also edit dc/router and change hostNetwork: true to false and hostPort from 443 to 9443.

Then, here is the haproxy.cfg that you may need:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    stats socket /var/lib/haproxy/stats
defaults
    log                     global
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
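listen ssl :443
  # hold the connection for up to 4s while waiting for the client's first bytes
  tcp-request inspect-delay 4s
  # is_ssl: the buffered bytes are an SSL/TLS hello with a version from 2 to 3.1
  acl is_ssl req_ssl_ver 2:3.1
  tcp-request content accept if is_ssl
  # anything that is not SSL/TLS is handed to sshd
  use_backend ssh if !is_ssl
  # SSL/TLS traffic goes to the OpenShift router on its new HTTPS port
  server www-ssl 172.17.0.3:9443
  timeout client 2h
backend ssh
  mode tcp
  server ssh :22
  timeout server 2h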

And finally, you will need to allow HAProxy to use port 443 by setting the following SELinux boolean:

setsebool -P haproxy_connect_any 1
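
The is_ssl decision in the config above comes down to the first bytes a client sends. The sketch below is an added example, not code from this post and not HAProxy's implementation: it classifies constructed first bytes as SSH or TLS and checks the two version fields a ClientHello carries against the 2:3.1 range. All function names and sample bytes are made up for the illustration.

```python
# Added illustration; not HAProxy source code. All names are hypothetical.
ACL_LO, ACL_HI = (2, 0), (3, 1)  # the page's range "2:3.1" as (major, minor)

def sample_hello(record_ver, hello_ver):
    """Constructed ClientHello prefix; only the first 11 bytes are meaningful."""
    body = bytes(hello_ver) + bytes(32)                  # client_version + zeroed random
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + bytes(record_ver) + len(hs).to_bytes(2, "big") + hs

def classify_first_bytes(buf):
    """Decide what protocol the client is speaking from its first bytes."""
    if buf.startswith(b"SSH-"):
        # SSH identification string, e.g. b"SSH-2.0-OpenSSH_7.4\r\n"
        return {"proto": "ssh"}
    if len(buf) < 11:
        # Not enough data yet. A client that sends nothing stays in this
        # state until the inspect delay runs out.
        return {"proto": "need_more"}
    # TLS record: type 0x16 (handshake), version, length, then handshake
    # type 0x01 (ClientHello), 3-byte length, client_version.
    if buf[0] == 0x16 and buf[1] == 3 and buf[5] == 0x01:
        return {"proto": "tls",
                "record_version": (buf[1], buf[2]),
                "hello_version": (buf[9], buf[10])}
    return {"proto": "unknown"}

def in_acl_range(version):
    """True if a (major, minor) version falls inside the 2:3.1 range."""
    return ACL_LO <= version <= ACL_HI

if __name__ == "__main__":
    samples = {  # constructed inputs
        "ssh client": b"SSH-2.0-OpenSSH_7.4\r\n",
        "TLS 1.0 hello": sample_hello((3, 1), (3, 1)),
        "TLS 1.2 hello": sample_hello((3, 1), (3, 3)),
        "plain HTTP": b"GET / HTTP/1.1\r\n",
    }
    for name, data in samples.items():
        result = classify_first_bytes(data)
        line = f"{name:14} -> {result['proto']}"
        if result["proto"] == "tls":
            line += (f" record={result['record_version']}"
                     f" in_range={in_acl_range(result['record_version'])}"
                     f" hello={result['hello_version']}"
                     f" in_range={in_acl_range(result['hello_version'])}")
        print(line)
```

A TLS 1.2 hello commonly carries 3.1 in the record header but 3.3 in the hello itself, so whether it matches 2:3.1 depends on which field is compared. With the config above, a TLS client that does not match is_ssl is sent to the ssh backend.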