digitaldemocratic/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf

#
#   Copyright © 2021,2022 IsardVDI S.L.
#   Copyright © 2022 Evilham <contact@evilham.com>
#
#   This file is part of DD
#
#   DD is free software: you can redistribute it and/or modify
#   it under the terms of the GNU Affero General Public License as published by
#   the Free Software Foundation, either version 3 of the License, or (at your
#   option) any later version.
#
#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
#   details.
#
#   You should have received a copy of the GNU Affero General Public License
#   along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
resolvers mydns
    nameserver dns1 127.0.0.11:53

global
#   debug
    daemon
    log             127.0.0.1    local0
    tune.ssl.default-dh-param 2048
    h1-case-adjust content-type Content-Type
    h1-case-adjust content-encoding Content-Encoding
    h1-case-adjust transfer-encoding Transfer-Encoding

  defaults
    mode http
    timeout         connect 120s
    timeout         client 120s
    timeout         client-fin 120s
    timeout         server 120s
    timeout         tunnel 7200s
    option          http-server-close
    option          httpclose
    log             global
    option          httplog
    backlog         4096
    maxconn         2000
    option          tcpka
    option          h1-case-adjust-bogus-client

frontend website
    mode http
    bind :80
    bind :8888 accept-proxy
    redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
    http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
    http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
    bind :443 ssl crt /certs/chain.pem
    bind :591 accept-proxy ssl crt /certs/chain.pem

    acl is_upgrade hdr(Connection) -i upgrade
    acl is_websocket hdr(Upgrade) -i websocket

    acl is_nextcloud hdr_beg(host) nextcloud.
    acl is_moodle hdr_beg(host) moodle. !path_beg -i /local/tresipuntimportgc/
    acl is_moodle_long hdr_beg(host) moodle.  path_beg -i /local/tresipuntimportgc/
    acl is_oof hdr_beg(host) oof.
    acl is_wp hdr_sub(host) .wp.
    acl is_wp hdr_beg(host) wp.
    acl is_pad hdr_beg(host) pad.
    acl is_sso hdr_beg(host) sso.
    acl is_api hdr_beg(host) api.
    acl is_admin hdr_beg(host) admin.

    acl is_root path -i /
    http-request deny if is_pad is_root

    use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }

    use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }
    use_backend be_api if is_nextcloud { path_beg /avatar/ }
    use_backend be_nextcloud if is_nextcloud
    use_backend be_moodle_long if is_moodle_long
    use_backend be_moodle if is_moodle
    use_backend be_oof if is_oof
    use_backend be_wp if is_wp
    use_backend be_etherpad if is_pad
    use_backend be_admin if is_sso { path_beg /socket.io }
    use_backend be_admin if is_admin
    use_backend be_sso if is_sso
    use_backend be_api if is_api

    http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
#    default_backend be_sso

backend letsencrypt
  server letsencrypt 127.0.0.1:8080

backend be_api
	mode http
  http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
  # Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128
  http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")]
	server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_sso
	mode http
  option httpclose
	option forwardfor
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
  http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;
	server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_admin
	mode http
  option forwardfor
  timeout queue 600s
  timeout server 600s
  timeout connect 600s
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none

## APPS
backend be_moodle
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_moodle_long
	mode http
  timeout server 900s
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_nextcloud
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_etherpad
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_oof
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_wp
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto

    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-Forwarded-Proto https
	server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
[haproxy] Support other HAProxy configurations This can be used by setting up HAPROXY_CONF in dd.conf, which will determine which config file will be used. We also add haproxy.proxy-protocol.conf which is cleaner than haproxy.conf and allows the PROXY protocol on certain ports. With this setup it is possible to e.g. run DD without a public IPv4 address by proxying it from an edge server. 2022-08-30 20:47:42 +02:00			`#`
			`# Copyright © 2021,2022 IsardVDI S.L.`
			`# Copyright © 2022 Evilham <contact@evilham.com>`
			`#`
			`# This file is part of DD`
			`#`
			`# DD is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or (at your`
			`# option) any later version.`
			`#`
			`# DD is distributed in the hope that it will be useful, but WITHOUT ANY`
			`# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more`
			`# details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with DD. If not, see <https://www.gnu.org/licenses/>.`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`
			`resolvers mydns`
			`nameserver dns1 127.0.0.11:53`

			`global`
			`# debug`
			`daemon`
			`log 127.0.0.1 local0`
			`tune.ssl.default-dh-param 2048`
			`h1-case-adjust content-type Content-Type`
			`h1-case-adjust content-encoding Content-Encoding`
			`h1-case-adjust transfer-encoding Transfer-Encoding`

			`defaults`
			`mode http`
			`timeout connect 120s`
			`timeout client 120s`
			`timeout client-fin 120s`
			`timeout server 120s`
			`timeout tunnel 7200s`
			`option http-server-close`
			`option httpclose`
			`log global`
			`option httplog`
			`backlog 4096`
			`maxconn 2000`
			`option tcpka`
			`option h1-case-adjust-bogus-client`

			`frontend website`
			`mode http`
			`bind :80`
			`bind :8888 accept-proxy`
			`redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }`
			`http-request del-header ssl_client_cert unless { ssl_fc_has_crt }`
			`http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }`
			`bind :443 ssl crt /certs/chain.pem`
			`bind :591 accept-proxy ssl crt /certs/chain.pem`

			`acl is_upgrade hdr(Connection) -i upgrade`
			`acl is_websocket hdr(Upgrade) -i websocket`

			`acl is_nextcloud hdr_beg(host) nextcloud.`
			`acl is_moodle hdr_beg(host) moodle. !path_beg -i /local/tresipuntimportgc/`
			`acl is_moodle_long hdr_beg(host) moodle. path_beg -i /local/tresipuntimportgc/`
			`acl is_oof hdr_beg(host) oof.`
			`acl is_wp hdr_sub(host) .wp.`
			`acl is_wp hdr_beg(host) wp.`
			`acl is_pad hdr_beg(host) pad.`
			`acl is_sso hdr_beg(host) sso.`
			`acl is_api hdr_beg(host) api.`
			`acl is_admin hdr_beg(host) admin.`

			`acl is_root path -i /`
			`http-request deny if is_pad is_root`

			`use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }`

			`use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }`
			`use_backend be_api if is_nextcloud { path_beg /avatar/ }`
			`use_backend be_nextcloud if is_nextcloud`
			`use_backend be_moodle_long if is_moodle_long`
			`use_backend be_moodle if is_moodle`
			`use_backend be_oof if is_oof`
			`use_backend be_wp if is_wp`
			`use_backend be_etherpad if is_pad`
			`use_backend be_admin if is_sso { path_beg /socket.io }`
			`use_backend be_admin if is_admin`
			`use_backend be_sso if is_sso`
			`use_backend be_api if is_api`

			`http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }`
			`# default_backend be_sso`

			`backend letsencrypt`
			`server letsencrypt 127.0.0.1:8080`

			`backend be_api`
			`mode http`
			`http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`# Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128`
			`http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")]`
			`server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_sso`
			`mode http`
			`option httpclose`
			`option forwardfor`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]);(.) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;`
			`server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_admin`
			`mode http`
			`option forwardfor`
			`timeout queue 600s`
			`timeout server 600s`
			`timeout connect 600s`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`## APPS`
			`backend be_moodle`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_moodle_long`
			`mode http`
			`timeout server 900s`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_nextcloud`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_etherpad`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_oof`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_wp`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`

			`http-request set-header X-SSL %[ssl_fc]`
			`http-request set-header X-Forwarded-Proto https`
			`server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`