From f8575b59e14c020c37c5419afff4ab540bd77332 Mon Sep 17 00:00:00 2001 From: darta Date: Tue, 4 Jan 2022 10:30:58 +0100 Subject: [PATCH] feat(haproxy): haproxy without ports to be behind another proxy --- docker-compose-parts/haproxy-behind.yml | 23 +++ docker-compose-parts/haproxy.yml | 5 + docker-compose-parts/keycloak.yml | 5 + docker-compose-parts/postgresql.yml | 5 + docker/haproxy/Dockerfile-behind | 16 ++ docker/haproxy/haproxy-behind.conf | 192 ++++++++++++++++++++++++ 6 files changed, 246 insertions(+) create mode 100644 docker-compose-parts/haproxy-behind.yml create mode 100644 docker/haproxy/Dockerfile-behind create mode 100644 docker/haproxy/haproxy-behind.conf diff --git a/docker-compose-parts/haproxy-behind.yml b/docker-compose-parts/haproxy-behind.yml new file mode 100644 index 0000000..02039bb --- /dev/null +++ b/docker-compose-parts/haproxy-behind.yml @@ -0,0 +1,23 @@ +--- +version: '3.7' +services: + isard-sso-haproxy: + build: + context: ${BUILD_ROOT_PATH}/docker/haproxy + dockerfile: Dockerfile-behind + target: production + container_name: isard-sso-haproxy + restart: unless-stopped + volumes: + - /etc/localtime:/etc/localtime:ro + - ${SRC_FOLDER}/haproxy/letsencrypt:/etc/letsencrypt:rw + - ${SRC_FOLDER}/haproxy/certs:/certs:rw + networks: + - isard_net + env_file: + - .env + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/docker-compose-parts/haproxy.yml b/docker-compose-parts/haproxy.yml index ac0cde3..c05bda3 100644 --- a/docker-compose-parts/haproxy.yml +++ b/docker-compose-parts/haproxy.yml @@ -21,3 +21,8 @@ services: target: 443 env_file: - .env + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/docker-compose-parts/keycloak.yml b/docker-compose-parts/keycloak.yml index 63b42eb..07cb4f0 100644 --- a/docker-compose-parts/keycloak.yml +++ b/docker-compose-parts/keycloak.yml 
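Review bot: The new isard-sso-haproxy service in haproxy-behind.yml still mounts `${SRC_FOLDER}/haproxy/letsencrypt` and `${SRC_FOLDER}/haproxy/certs` read-write, although the haproxy-behind.conf it ships binds only `:80` and keeps `bind :443 ssl crt /certs/chain.pem` commented out. If TLS really is terminated by the proxy in front, those two volumes (and the certbot tooling Dockerfile-behind installs) are unused writable surface and can be dropped; if the certificates are only kept for renewal, mounting them `:ro` here would be the smaller footprint. The whole `.env` is also loaded into this container via `env_file`, which is worth confirming is intended, since the shipped config appears to reference only `DOMAIN`.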
@@ -37,3 +37,8 @@ services: restart: unless-stopped networks: - isard_net + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/docker-compose-parts/postgresql.yml b/docker-compose-parts/postgresql.yml index 2b22c54..ff6be77 100644 --- a/docker-compose-parts/postgresql.yml +++ b/docker-compose-parts/postgresql.yml @@ -12,3 +12,8 @@ services: - ${BUILD_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d networks: - isard_net + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/docker/haproxy/Dockerfile-behind b/docker/haproxy/Dockerfile-behind new file mode 100644 index 0000000..de0a834 --- /dev/null +++ b/docker/haproxy/Dockerfile-behind @@ -0,0 +1,16 @@ +FROM haproxy:lts-alpine3.15 as production + +USER root +RUN apk add openssl certbot py-pip +RUN pip install certbot-plugin-gandi + +COPY letsencrypt-hook-deploy-concatenante.sh / +COPY letsencrypt.sh /usr/local/sbin/ +COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew +COPY auto-generate-certs.sh /usr/local/sbin/ + +COPY docker-entrypoint.sh /usr/local/bin/ +RUN ln -s /usr/local/bin/docker-entrypoint.sh / +RUN chmod 775 docker-entrypoint.sh + +ADD haproxy-behind.conf /usr/local/etc/haproxy/haproxy.cfg diff --git a/docker/haproxy/haproxy-behind.conf b/docker/haproxy/haproxy-behind.conf new file mode 100644 index 0000000..2f63895 --- /dev/null +++ b/docker/haproxy/haproxy-behind.conf 
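Review bot: Dockerfile-behind switches to `USER root` to install certbot and never switches back, so the image runs haproxy as root whereas the `haproxy:lts-alpine3.15` base ships an unprivileged haproxy user; unless the entrypoint or the daily renew cron genuinely need root at runtime, end the stage with `USER haproxy` (or document why root is required). `RUN pip install certbot-plugin-gandi` is unpinned, so every build pulls whatever version PyPI serves at that moment; pin it (`certbot-plugin-gandi==<version>`) so the image is reproducible. `ADD haproxy-behind.conf /usr/local/etc/haproxy/haproxy.cfg` should be `COPY`, since ADD's archive-extraction and URL semantics are not wanted for a plain config file. `RUN chmod 775 docker-entrypoint.sh` relies on the working directory being `/` where the symlink was just created; `chmod 775 /usr/local/bin/docker-entrypoint.sh` is unambiguous.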
@@ -0,0 +1,192 @@
+resolvers mydns
+ nameserver dns1 127.0.0.11:53
+
+global
+# debug
+ daemon
+ log 127.0.0.1 local0
+ tune.ssl.default-dh-param 2048
+ h1-case-adjust content-type Content-Type
+ h1-case-adjust content-encoding Content-Encoding
+ h1-case-adjust transfer-encoding Transfer-Encoding
+
+ defaults
+ mode http
+ timeout connect 25s
+ timeout client 25s
+ timeout client-fin 25s
+ timeout server 25s
+ timeout tunnel 7200s
+ option http-server-close
+ option httpclose
+ log global
+ option httplog
+ backlog 4096
+ maxconn 2000
+ option tcpka
+ option h1-case-adjust-bogus-client
+
+frontend website
+ mode http
+ bind :80
+ # redirect scheme https if !{ ssl_fc }
+ # http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
+ # http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
+ # bind :443 ssl crt /certs/chain.pem
+
+ acl is_upgrade hdr(Connection) -i upgrade
+ acl is_websocket hdr(Upgrade) -i websocket
+
+ acl is_nextcloud hdr_beg(host) nextcloud.
+ acl is_moodle hdr_beg(host) moodle.
+ acl is_jitsi hdr_beg(host) jitsi.
+ acl is_oof hdr_beg(host) oof.
+ acl is_wp hdr_sub(host) .wp.
+ acl is_wp hdr_beg(host) wp.
+ acl is_pad hdr_beg(host) pad.
+ acl is_sso hdr_beg(host) sso.
+ acl is_ipa hdr_beg(host) ipa.
+ acl is_api hdr_beg(host) api.
+ acl is_admin hdr_beg(host) admin.
+
+ use_backend be_nextcloud if is_nextcloud
+ use_backend be_moodle if is_moodle
+ use_backend be_jitsi if is_jitsi
+ use_backend be_oof if is_oof
+ use_backend be_wp if is_wp
+ use_backend be_etherpad if is_pad
+ use_backend be_admin if is_sso { path_beg /socket.io }
+ use_backend be_adminer if is_sso { path_beg /isard-sso-adminer }
+ use_backend be_admin if is_admin
+ use_backend be_sso if is_sso
+ use_backend be_ipa if is_ipa
+ use_backend be_api if is_api
+
+ http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
+# default_backend be_sso
+
+backend be_api
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server api isard-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_ipa
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server freeipa isard-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_sso
+ mode http
+ option httpclose
+ #option http-server-close
+ option forwardfor
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server keycloak isard-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_admin
+ mode http
+ option forwardfor
+ timeout queue 600s
+ timeout server 600s
+ timeout connect 600s
+ # acl authorized http_auth(AuthUsers)
+ # http-request auth realm AuthUsers unless authorized
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server isard-sso-admin isard-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_adminer
+ mode http
+ # acl authorized http_auth(AuthUsers)
+ # http-request auth realm AuthUsers unless authorized
+ http-request redirect scheme http drop-query append-slash if { path -m str /isard-sso-adminer }
+ http-request replace-path /isard-sso-adminer/(.*) /\1
+ # http-request del-header Authorization
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server isard-sso-adminer isard-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+## APPS
+backend be_moodle
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server moodle isard-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_nextcloud
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server nextcloud isard-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_etherpad
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server etherpad isard-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_jitsi
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server jitsi isard-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_oof
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+ server onlyoffice isard-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_wp
+ mode http
+ acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+ acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+ http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+ http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+
+ http-request set-header X-SSL %[ssl_fc]
+ http-request set-header X-Forwarded-Proto https
+ server wp isard-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+
+ listen stats
+ bind 0.0.0.0:8888
+ mode http
+ stats enable
+ option httplog
+ stats show-legends
+ stats uri /haproxy
+ stats realm Haproxy\ Statistics
+ stats refresh 5s
+ #stats auth staging:mypassword
+ #acl authorized http_auth(AuthUsers)
+ #stats http-request auth unless authorized
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+userlist AuthUsers
+ user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.
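Review bot: The `listen stats` section binds `0.0.0.0:8888` with every authentication line (`#stats auth staging:mypassword`, `#stats http-request auth unless authorized`) commented out, so any container on `isard_net` can read the stats page, which exposes backend names, server addresses and health state; either enable `stats auth` backed by the `AuthUsers` userlist that is otherwise unused, or bind it to `127.0.0.1:8888`. The `userlist AuthUsers` entry commits a `$6$` password hash into the repository, which invites offline cracking the moment those auth lines are re-enabled; load it from an environment variable or a secret instead. `server freeipa isard-sso-freeipa:443 ... ssl verify none` disables certificate verification towards FreeIPA, so `verify required ca-file <path-to-ipa-ca>` would be the safer default even on an internal network. In `be_wp`, `http-request set-header X-SSL %[ssl_fc]` is always false here because this frontend has no TLS bind, while the next line forces `X-Forwarded-Proto https`; derive X-SSL from the forwarded proto or drop it so the two headers agree.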