digitaldemocratic/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf

#
# BEGIN: bind-direct.cnf
#
  bind :80
  http-request redirect scheme https code 301 unless { ssl_fc }
  http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
  http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
  bind :443 ssl crt /certs/chain.pem

  # This comes from the internet, do not trust the forwarding headers
  http-request del-header X-Forwarded-For
  http-request del-header X-Forwarded-Proto
  # But add our forwarding headers instead
  option forwardfor
  # We are always doing TLS, except for redirections
  http-request set-header X-SSL %[ssl_fc]
  http-request set-header X-Forwarded-Proto https

  # New line to test URI to see if its a letsencrypt request
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  use_backend letsencrypt if letsencrypt-acl
#
# END: bind-direct.cnf
#
[WAF] Consolidate proxies and documentation The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF determine how DD and HAProxy will behave. - PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted - DISABLE_WAF: whether or not WAF will be enabled This simplifies maintenance, as well as the overall architecture and operation. While at it, we now publish images for DD's HAProxy as well. 2022-11-23 20:10:13 +01:00			`#`
			`# BEGIN: bind-direct.cnf`
			`#`
			`bind :80`
			`http-request redirect scheme https code 301 unless { ssl_fc }`
			`http-request del-header ssl_client_cert unless { ssl_fc_has_crt }`
			`http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }`
			`bind :443 ssl crt /certs/chain.pem`

[network] Fix handling of forwarded headers This fixes several issues where services would see the internal IP of the proxy and not that of the client. It works by first unsetting any proxy-related headers that arrive from the internet, then setting those as seen by HAProxy's entrypoint frontend. And finally making sure that neither WAF when enabled nor other HAProxy backends touch these headers, while they are actually used by the final services. Services affected: Netcloud, Keycloak, Moodle 2022-12-02 06:49:56 +01:00			`# This comes from the internet, do not trust the forwarding headers`
			`http-request del-header X-Forwarded-For`
			`http-request del-header X-Forwarded-Proto`
			`# But add our forwarding headers instead`
			`option forwardfor`
[WP] Add CSP and Content-Type-Options headers We do this more reliably on HAProxy, as doing it from WP requires specialised plugins and in DD we are sure that traffic goes through the corresponding HAProxy backend. 2022-12-02 11:13:33 +01:00			`# We are always doing TLS, except for redirections`
			`http-request set-header X-SSL %[ssl_fc]`
			`http-request set-header X-Forwarded-Proto https`
[WAF] Consolidate proxies and documentation The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF determine how DD and HAProxy will behave. - PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted - DISABLE_WAF: whether or not WAF will be enabled This simplifies maintenance, as well as the overall architecture and operation. While at it, we now publish images for DD's HAProxy as well. 2022-11-23 20:10:13 +01:00
			`# New line to test URI to see if its a letsencrypt request`
			`acl letsencrypt-acl path_beg /.well-known/acme-challenge/`
			`use_backend letsencrypt if letsencrypt-acl`
			`#`
			`# END: bind-direct.cnf`
			`#`