Deduplicate haproxy configuration and Dockerfile

docker-compose-parts/haproxy-behind.yml

@@ -6,7 +6,7 @@ services:
       args:
         HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15}
       context: ${BUILD_ROOT_PATH}/docker/haproxy
-      dockerfile: Dockerfile-behind
+      dockerfile: Dockerfile
       target: production
     container_name: isard-sso-haproxy
     restart: unless-stopped

docker/haproxy/Dockerfile-behind

@@ -1,17 +0,0 @@
-ARG HAPROXY_IMG
-FROM $HAPROXY_IMG as production
-
-USER root
-RUN apk add openssl certbot py-pip
-RUN pip install certbot-plugin-gandi
-
-COPY letsencrypt-hook-deploy-concatenante.sh /
-COPY letsencrypt.sh /usr/local/sbin/
-COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
-COPY auto-generate-certs.sh /usr/local/sbin/
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s /usr/local/bin/docker-entrypoint.sh /
-RUN chmod 775 docker-entrypoint.sh
-
-ADD haproxy-behind.conf /usr/local/etc/haproxy/haproxy.cfg

docker/haproxy/haproxy-behind.conf

@@ -1,199 +0,0 @@
-resolvers mydns
-    nameserver dns1 127.0.0.11:53
-    
-global
-#   debug
-    daemon
-    log             127.0.0.1    local0
-    tune.ssl.default-dh-param 2048
-    h1-case-adjust content-type Content-Type
-    h1-case-adjust content-encoding Content-Encoding
-    h1-case-adjust transfer-encoding Transfer-Encoding
-
-  defaults
-    mode http
-    timeout         connect 25s
-    timeout         client 25s
-    timeout         client-fin 25s
-    timeout         server 25s
-    timeout         tunnel 7200s
-    option          http-server-close
-    option          httpclose
-    log             global
-    option          httplog
-    backlog         4096
-    maxconn         2000
-    option          tcpka
-    option          h1-case-adjust-bogus-client
-
-frontend website
-    mode http
-    bind :80
-    # redirect scheme https if !{ ssl_fc }
-    # http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
-    # http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
-    # bind :443 ssl crt /certs/chain.pem
-
-    acl is_upgrade hdr(Connection) -i upgrade
-    acl is_websocket hdr(Upgrade) -i websocket 
-    
-    acl is_nextcloud hdr_beg(host) nextcloud.
-    acl is_moodle hdr_beg(host) moodle.
-    acl is_jitsi hdr_beg(host) jitsi.
-    acl is_oof hdr_beg(host) oof.
-    acl is_wp hdr_sub(host) .wp.
-    acl is_wp hdr_beg(host) wp.
-    acl is_pad hdr_beg(host) pad.
-    acl is_sso hdr_beg(host) sso.
-    acl is_ipa hdr_beg(host) ipa.
-    acl is_api hdr_beg(host) api.
-    acl is_admin hdr_beg(host) admin.
-
-    acl is_root path -i /
-    http-request deny if is_pad is_root
-
-    use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
-
-    use_backend be_nextcloud if is_nextcloud
-    use_backend be_moodle if is_moodle
-    use_backend be_jitsi if is_jitsi
-    use_backend be_oof if is_oof
-    use_backend be_wp if is_wp
-    use_backend be_etherpad if is_pad
-    use_backend be_admin if is_sso { path_beg /socket.io }
-    use_backend be_adminer if is_sso { path_beg /isard-sso-adminer }
-    use_backend be_admin if is_admin
-    use_backend be_sso if is_sso
-    use_backend be_ipa if is_ipa
-    use_backend be_api if is_api
-
-    http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
-#    default_backend be_sso
-
-backend be_api
-	mode http
-  http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server api isard-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_ipa
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server freeipa isard-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_sso
-	mode http
-  option httpclose
-	#option http-server-close
-	option forwardfor
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-  http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;
-	server keycloak isard-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_admin
-	mode http
-  option forwardfor
-  timeout queue 600s
-  timeout server 600s
-  timeout connect 600s
-  # acl authorized http_auth(AuthUsers)
-  # http-request auth realm AuthUsers unless authorized
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server isard-sso-admin isard-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_adminer
-	mode http
-  # acl authorized http_auth(AuthUsers)
-  # http-request auth realm AuthUsers unless authorized
-  http-request redirect scheme http drop-query append-slash if { path -m str /isard-sso-adminer }
-  http-request replace-path /isard-sso-adminer/(.*) /\1 
-  # http-request del-header Authorization 
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server isard-sso-adminer isard-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-## APPS
-backend be_moodle
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server moodle isard-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_nextcloud
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server nextcloud isard-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_etherpad
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server etherpad isard-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_jitsi
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server jitsi isard-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_oof
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-	server onlyoffice isard-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-backend be_wp
-	mode http
-  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
-  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
-  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
-  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
-
-    http-request set-header X-SSL %[ssl_fc]
-    http-request set-header X-Forwarded-Proto https
-	server wp isard-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
-
-
-  listen stats 
-        bind                0.0.0.0:8888
-        mode                http
-        stats               enable
-        option              httplog
-        stats               show-legends
-        stats               uri /haproxy
-        stats               realm Haproxy\ Statistics
-        stats               refresh 5s
-        #stats               auth staging:mypassword
-        #acl authorized http_auth(AuthUsers)
-        #stats          http-request auth unless authorized
-        timeout             connect 5000ms
-        timeout             client 50000ms
-        timeout             server 50000ms
-
-userlist AuthUsers
-    user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.

docker/haproxy/haproxy.conf

@@ -29,7 +29,7 @@ global
 frontend website
     mode http
     bind :80
-    redirect scheme https if !{ ssl_fc }
+    redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
     http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
     http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
     bind :443 ssl crt /certs/chain.pem