feat(haproxy): haproxy without ports to be behind another proxy

darta 2022-01-04 10:30:58 +01:00
parent b37e4558ab
commit f8575b59e1
6 changed files with 246 additions and 0 deletions


@ -0,0 +1,23 @@
---
version: '3.7'
services:
isard-sso-haproxy:
build:
context: ${BUILD_ROOT_PATH}/docker/haproxy
dockerfile: Dockerfile-behind
target: production
container_name: isard-sso-haproxy
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro
- ${SRC_FOLDER}/haproxy/letsencrypt:/etc/letsencrypt:rw
- ${SRC_FOLDER}/haproxy/certs:/certs:rw
networks:
- isard_net
env_file:
- .env
logging:
driver: "json-file"
options:
max-size: "5m"
max-file: "10"
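Review bot: Both certificate volumes are mounted read-write, yet the `Dockerfile-behind` config shipped in this commit binds only `:80` with its TLS bind commented out, so this container presumably terminates no TLS itself; if the certbot scripts are not meant to run in this variant, `${SRC_FOLDER}/haproxy/letsencrypt:/etc/letsencrypt:ro` (or dropping both mounts) narrows what a compromised proxy container can modify. The service also loads the entire `.env` through `env_file`, so every variable defined there becomes visible inside the proxy container; an `environment:` list of the variables the entrypoint actually reads would be tighter. Neither `.env` nor the entrypoint is in this commit, so both points need checking against them.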


@ -21,3 +21,8 @@ services:
target: 443
env_file:
- .env
logging:
driver: "json-file"
options:
max-size: "5m"
max-file: "10"


@ -37,3 +37,8 @@ services:
restart: unless-stopped
networks:
- isard_net
logging:
driver: "json-file"
options:
max-size: "5m"
max-file: "10"


@ -12,3 +12,8 @@ services:
- ${BUILD_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d
networks:
- isard_net
logging:
driver: "json-file"
options:
max-size: "5m"
max-file: "10"


@ -0,0 +1,16 @@
FROM haproxy:lts-alpine3.15 as production
USER root
RUN apk add openssl certbot py-pip
RUN pip install certbot-plugin-gandi
COPY letsencrypt-hook-deploy-concatenante.sh /
COPY letsencrypt.sh /usr/local/sbin/
COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
COPY auto-generate-certs.sh /usr/local/sbin/
COPY docker-entrypoint.sh /usr/local/bin/
RUN ln -s /usr/local/bin/docker-entrypoint.sh /
RUN chmod 775 docker-entrypoint.sh
ADD haproxy-behind.conf /usr/local/etc/haproxy/haproxy.cfg
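Review bot: `apk add openssl certbot py-pip` and `pip install certbot-plugin-gandi` are both unpinned, so the image is not reproducible and a future plugin release is pulled in silently at the next build; suggest `RUN apk add --no-cache openssl certbot py-pip` and `RUN pip install --no-cache-dir 'certbot-plugin-gandi==<PINNED_VERSION>'` with the version recorded in the repository. The last line should be `COPY haproxy-behind.conf /usr/local/etc/haproxy/haproxy.cfg`, since `ADD`'s archive-extraction and URL behaviour is not wanted for a plain config file. `USER root` is never reverted, so haproxy and the entrypoint run as root in the final image; if root is only needed to bind `:80` and write certificates, ending the stage with `USER haproxy` may be possible, but the entrypoint is not in this commit so that needs checking. `chmod 775 docker-entrypoint.sh` uses a relative path resolved against the image's working directory rather than the copied `/usr/local/bin/docker-entrypoint.sh`, which is fragile if the base image's `WORKDIR` ever changes.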


@ -0,0 +1,192 @@
resolvers mydns
nameserver dns1 127.0.0.11:53
global
# debug
daemon
log 127.0.0.1 local0
tune.ssl.default-dh-param 2048
h1-case-adjust content-type Content-Type
h1-case-adjust content-encoding Content-Encoding
h1-case-adjust transfer-encoding Transfer-Encoding
defaults
mode http
timeout connect 25s
timeout client 25s
timeout client-fin 25s
timeout server 25s
timeout tunnel 7200s
option http-server-close
option httpclose
log global
option httplog
backlog 4096
maxconn 2000
option tcpka
option h1-case-adjust-bogus-client
frontend website
mode http
bind :80
# redirect scheme https if !{ ssl_fc }
# http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
# http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
# bind :443 ssl crt /certs/chain.pem
acl is_upgrade hdr(Connection) -i upgrade
acl is_websocket hdr(Upgrade) -i websocket
acl is_nextcloud hdr_beg(host) nextcloud.
acl is_moodle hdr_beg(host) moodle.
acl is_jitsi hdr_beg(host) jitsi.
acl is_oof hdr_beg(host) oof.
acl is_wp hdr_sub(host) .wp.
acl is_wp hdr_beg(host) wp.
acl is_pad hdr_beg(host) pad.
acl is_sso hdr_beg(host) sso.
acl is_ipa hdr_beg(host) ipa.
acl is_api hdr_beg(host) api.
acl is_admin hdr_beg(host) admin.
use_backend be_nextcloud if is_nextcloud
use_backend be_moodle if is_moodle
use_backend be_jitsi if is_jitsi
use_backend be_oof if is_oof
use_backend be_wp if is_wp
use_backend be_etherpad if is_pad
use_backend be_admin if is_sso { path_beg /socket.io }
use_backend be_adminer if is_sso { path_beg /isard-sso-adminer }
use_backend be_admin if is_admin
use_backend be_sso if is_sso
use_backend be_ipa if is_ipa
use_backend be_api if is_api
http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
# default_backend be_sso
backend be_api
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server api isard-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_ipa
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server freeipa isard-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_sso
mode http
option httpclose
#option http-server-close
option forwardfor
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server keycloak isard-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_admin
mode http
option forwardfor
timeout queue 600s
timeout server 600s
timeout connect 600s
# acl authorized http_auth(AuthUsers)
# http-request auth realm AuthUsers unless authorized
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server isard-sso-admin isard-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_adminer
mode http
# acl authorized http_auth(AuthUsers)
# http-request auth realm AuthUsers unless authorized
http-request redirect scheme http drop-query append-slash if { path -m str /isard-sso-adminer }
http-request replace-path /isard-sso-adminer/(.*) /\1
# http-request del-header Authorization
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server isard-sso-adminer isard-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
## APPS
backend be_moodle
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server moodle isard-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_nextcloud
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server nextcloud isard-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_etherpad
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server etherpad isard-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_jitsi
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server jitsi isard-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_oof
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server onlyoffice isard-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_wp
mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-Forwarded-Proto https
server wp isard-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
listen stats
bind 0.0.0.0:8888
mode http
stats enable
option httplog
stats show-legends
stats uri /haproxy
stats realm Haproxy\ Statistics
stats refresh 5s
#stats auth staging:mypassword
#acl authorized http_auth(AuthUsers)
#stats http-request auth unless authorized
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
userlist AuthUsers
user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.
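Review bot: The `listen stats` section binds `0.0.0.0:8888` with `stats enable` and every auth line commented out, so any peer on the container network can read backend names, health state and session counts, while the `userlist AuthUsers` at the end of the file, with a password hash committed to the repository, is never referenced because all `http_auth(AuthUsers)` rules are commented out. Either re-enable the check under `listen stats` (`acl authorized http_auth(AuthUsers)` / `http-request auth realm AuthUsers unless authorized`) with the hash supplied from outside the repository, or drop the userlist and bind the stats listener on loopback. Every backend also keeps an incoming `X-Forwarded-Host`/`X-Forwarded-Proto` (`add-header ... unless existing-...`), which is only safe if the proxy in front of this one overwrites those headers; a comment at the top stating that assumption, e.g. `# Expects the upstream proxy to set or strip X-Forwarded-Host/X-Forwarded-Proto; client-supplied values are otherwise passed through`, would make the trust boundary explicit. In `be_wp`, `X-SSL %[ssl_fc]` is evaluated on this listener, which has no TLS bind, so it will report no SSL while the next line forces `X-Forwarded-Proto https` — worth confirming that is what WordPress expects behind the outer proxy.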