Merge branch 'haproxy-behind' into 'master'

feat(haproxy): haproxy without ports to be behind another proxy

See merge request isard/isard-sso!69

docker-compose-parts/haproxy-behind.yml

@@ -0,0 +1,23 @@
+---
+version: '3.7'
+services:
+  isard-sso-haproxy:
+    build:
+      context: ${BUILD_ROOT_PATH}/docker/haproxy
+      dockerfile: Dockerfile-behind
+      target: production
+    container_name: isard-sso-haproxy
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ${SRC_FOLDER}/haproxy/letsencrypt:/etc/letsencrypt:rw
+      - ${SRC_FOLDER}/haproxy/certs:/certs:rw
+    networks:
+      - isard_net
+    env_file:
+      - .env
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "10"

docker-compose-parts/haproxy.yml

@@ -21,3 +21,8 @@ services:
       target: 443
     env_file:
       - .env
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "10"

docker-compose-parts/keycloak.yml

@@ -37,3 +37,8 @@ services:
     restart: unless-stopped
     networks:
       - isard_net
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "10"

docker-compose-parts/postgresql.yml

@@ -12,3 +12,8 @@ services:
       - ${BUILD_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d
     networks:
       - isard_net
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "10"

docker/haproxy/Dockerfile-behind

@@ -0,0 +1,16 @@
+FROM haproxy:lts-alpine3.15 as production
+
+USER root
+RUN apk add openssl certbot py-pip
+RUN pip install certbot-plugin-gandi
+
+COPY letsencrypt-hook-deploy-concatenante.sh /
+COPY letsencrypt.sh /usr/local/sbin/
+COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
+COPY auto-generate-certs.sh /usr/local/sbin/
+
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN ln -s /usr/local/bin/docker-entrypoint.sh /
+RUN chmod 775 docker-entrypoint.sh
+
+ADD haproxy-behind.conf /usr/local/etc/haproxy/haproxy.cfg

docker/haproxy/haproxy-behind.conf

@@ -0,0 +1,192 @@
+resolvers mydns
+    nameserver dns1 127.0.0.11:53
+    
+global
+#   debug
+    daemon
+    log             127.0.0.1    local0
+    tune.ssl.default-dh-param 2048
+    h1-case-adjust content-type Content-Type
+    h1-case-adjust content-encoding Content-Encoding
+    h1-case-adjust transfer-encoding Transfer-Encoding
+
+  defaults
+    mode http
+    timeout         connect 25s
+    timeout         client 25s
+    timeout         client-fin 25s
+    timeout         server 25s
+    timeout         tunnel 7200s
+    option          http-server-close
+    option          httpclose
+    log             global
+    option          httplog
+    backlog         4096
+    maxconn         2000
+    option          tcpka
+    option          h1-case-adjust-bogus-client
+
+frontend website
+    mode http
+    bind :80
+    # redirect scheme https if !{ ssl_fc }
+    # http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
+    # http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
+    # bind :443 ssl crt /certs/chain.pem
+
+    acl is_upgrade hdr(Connection) -i upgrade
+    acl is_websocket hdr(Upgrade) -i websocket 
+    
+    acl is_nextcloud hdr_beg(host) nextcloud.
+    acl is_moodle hdr_beg(host) moodle.
+    acl is_jitsi hdr_beg(host) jitsi.
+    acl is_oof hdr_beg(host) oof.
+    acl is_wp hdr_sub(host) .wp.
+    acl is_wp hdr_beg(host) wp.
+    acl is_pad hdr_beg(host) pad.
+    acl is_sso hdr_beg(host) sso.
+    acl is_ipa hdr_beg(host) ipa.
+    acl is_api hdr_beg(host) api.
+    acl is_admin hdr_beg(host) admin.
+
+    use_backend be_nextcloud if is_nextcloud
+    use_backend be_moodle if is_moodle
+    use_backend be_jitsi if is_jitsi
+    use_backend be_oof if is_oof
+    use_backend be_wp if is_wp
+    use_backend be_etherpad if is_pad
+    use_backend be_admin if is_sso { path_beg /socket.io }
+    use_backend be_adminer if is_sso { path_beg /isard-sso-adminer }
+    use_backend be_admin if is_admin
+    use_backend be_sso if is_sso
+    use_backend be_ipa if is_ipa
+    use_backend be_api if is_api
+    
+    http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
+#    default_backend be_sso
+
+backend be_api
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server api isard-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_ipa
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server freeipa isard-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_sso
+	mode http
+  option httpclose
+	#option http-server-close
+	option forwardfor
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server keycloak isard-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_admin
+	mode http
+  option forwardfor
+  timeout queue 600s
+  timeout server 600s
+  timeout connect 600s
+  # acl authorized http_auth(AuthUsers)
+  # http-request auth realm AuthUsers unless authorized
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server isard-sso-admin isard-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_adminer
+	mode http
+  # acl authorized http_auth(AuthUsers)
+  # http-request auth realm AuthUsers unless authorized
+  http-request redirect scheme http drop-query append-slash if { path -m str /isard-sso-adminer }
+  http-request replace-path /isard-sso-adminer/(.*) /\1 
+  # http-request del-header Authorization 
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server isard-sso-adminer isard-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+## APPS
+backend be_moodle
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server moodle isard-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_nextcloud
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server nextcloud isard-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_etherpad
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server etherpad isard-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_jitsi
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server jitsi isard-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_oof
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server onlyoffice isard-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_wp
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+
+    http-request set-header X-SSL %[ssl_fc]
+    http-request set-header X-Forwarded-Proto https
+	server wp isard-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+
+  listen stats 
+        bind                0.0.0.0:8888
+        mode                http
+        stats               enable
+        option              httplog
+        stats               show-legends
+        stats               uri /haproxy
+        stats               realm Haproxy\ Statistics
+        stats               refresh 5s
+        #stats               auth staging:mypassword
+        #acl authorized http_auth(AuthUsers)
+        #stats          http-request auth unless authorized
+        timeout             connect 5000ms
+        timeout             client 50000ms
+        timeout             server 50000ms
+
+userlist AuthUsers
+    user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.