[haproxy] Support other HAProxy configurations

This can be used by setting up HAPROXY_CONF in dd.conf, which will determine which config file will be used. We also add haproxy.proxy-protocol.conf which is cleaner than haproxy.conf and allows the PROXY protocol on certain ports. With this setup it is possible to e.g. run DD without a public IPv4 address by proxying it from an edge server.
2022-08-30 20:47:42 +02:00 · 2022-08-30 20:47:42 +02:00 · 72f9d927e1
parent 993b5f0e24
commit 72f9d927e1
3 changed files with 189 additions and 1 deletions
--- a/dd-sso/docker-compose-parts/haproxy.yml
+++ b/dd-sso/docker-compose-parts/haproxy.yml
@ -39,6 +39,11 @@ services:
      target: 80
    - published: 443
      target: 443
+    # These are for cases when operators want to use PROXY protocol in front
+    - published: 8888
+      target: 8888
+    - published: 591
+      target: 591
    env_file:
      - .env
    logging:
--- a/dd-sso/docker/haproxy/Dockerfile
+++ b/dd-sso/docker/haproxy/Dockerfile
@ -33,4 +33,4 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s /usr/local/bin/docker-entrypoint.sh /
 RUN chmod 775 docker-entrypoint.sh

-ADD haproxy.conf /usr/local/etc/haproxy/haproxy.cfg
+ADD ${HAPROXY_CONF:-haproxy.conf} /usr/local/etc/haproxy/haproxy.cfg
--- a/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf
+++ b/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf
@ -0,0 +1,183 @@
+#
+#   Copyright © 2021,2022 IsardVDI S.L.
+#   Copyright © 2022 Evilham <contact@evilham.com>
+#
+#   This file is part of DD
+#
+#   DD is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
+#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+#   details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with DD. If not, see <https://www.gnu.org/licenses/>.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+resolvers mydns
+    nameserver dns1 127.0.0.11:53
+
+global
+#   debug
+    daemon
+    log             127.0.0.1    local0
+    tune.ssl.default-dh-param 2048
+    h1-case-adjust content-type Content-Type
+    h1-case-adjust content-encoding Content-Encoding
+    h1-case-adjust transfer-encoding Transfer-Encoding
+
+  defaults
+    mode http
+    timeout         connect 120s
+    timeout         client 120s
+    timeout         client-fin 120s
+    timeout         server 120s
+    timeout         tunnel 7200s
+    option          http-server-close
+    option          httpclose
+    log             global
+    option          httplog
+    backlog         4096
+    maxconn         2000
+    option          tcpka
+    option          h1-case-adjust-bogus-client
+
+frontend website
+    mode http
+    bind :80
+    bind :8888 accept-proxy
+    redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+    http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
+    http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
+    bind :443 ssl crt /certs/chain.pem
+    bind :591 accept-proxy ssl crt /certs/chain.pem
+
+    acl is_upgrade hdr(Connection) -i upgrade
+    acl is_websocket hdr(Upgrade) -i websocket
+
+    acl is_nextcloud hdr_beg(host) nextcloud.
+    acl is_moodle hdr_beg(host) moodle. !path_beg -i /local/tresipuntimportgc/
+    acl is_moodle_long hdr_beg(host) moodle.  path_beg -i /local/tresipuntimportgc/
+    acl is_oof hdr_beg(host) oof.
+    acl is_wp hdr_sub(host) .wp.
+    acl is_wp hdr_beg(host) wp.
+    acl is_pad hdr_beg(host) pad.
+    acl is_sso hdr_beg(host) sso.
+    acl is_api hdr_beg(host) api.
+    acl is_admin hdr_beg(host) admin.
+
+    acl is_root path -i /
+    http-request deny if is_pad is_root
+
+    use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
+
+    use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }
+    use_backend be_api if is_nextcloud { path_beg /avatar/ }
+    use_backend be_nextcloud if is_nextcloud
+    use_backend be_moodle_long if is_moodle_long
+    use_backend be_moodle if is_moodle
+    use_backend be_oof if is_oof
+    use_backend be_wp if is_wp
+    use_backend be_etherpad if is_pad
+    use_backend be_admin if is_sso { path_beg /socket.io }
+    use_backend be_adminer if is_sso { path_beg /dd-sso-adminer }
+    use_backend be_admin if is_admin
+    use_backend be_sso if is_sso
+    use_backend be_api if is_api
+
+    http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
+#    default_backend be_sso
+
+backend letsencrypt
+  server letsencrypt 127.0.0.1:8080
+
+backend be_api
+	mode http
+  http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+  # Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128
+  http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")]
+	server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_sso
+	mode http
+  option httpclose
+	option forwardfor
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+  http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;
+	server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_admin
+	mode http
+  option forwardfor
+  timeout queue 600s
+  timeout server 600s
+  timeout connect 600s
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+## APPS
+backend be_moodle
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_moodle_long
+	mode http
+  timeout server 900s
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_nextcloud
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_etherpad
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_oof
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+	server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
+
+backend be_wp
+	mode http
+  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
+  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
+  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
+  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
+
+    http-request set-header X-SSL %[ssl_fc]
+    http-request set-header X-Forwarded-Proto https
+	server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none