We do this more reliably on HAProxy, as doing it from WP requires
specialised plugins and in DD we are sure that traffic goes through
the corresponding HAProxy backend.
This fixes several issues where services would see the internal IP of
the proxy and not that of the client.
It works by first unsetting any proxy-related headers that arrive from
the internet, then setting those as seen by HAProxy's entrypoint
frontend.
And finally making sure that neither WAF when enabled nor other
HAProxy backends touch these headers, while they are actually used by
the final services.
Services affected: Netcloud, Keycloak, Moodle
The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF
determine how DD and HAProxy will behave.
- PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted
- DISABLE_WAF: whether or not WAF will be enabled
This simplifies maintenance, as well as the overall architecture and operation.
While at it, we now publish images for DD's HAProxy as well.
This enables more advanced customisation by allowing for
administrators to fully replace the footer of the login theme.
We try to take into account maintainability, at the same time mention
that it is the administrators' responsibility to keep their
customisations compatible with newer versions of DD.
This can be used by setting up HAPROXY_CONF in dd.conf, which will
determine which config file will be used.
We also add haproxy.proxy-protocol.conf which is cleaner than
haproxy.conf and allows the PROXY protocol on certain ports.
With this setup it is possible to e.g. run DD without a public IPv4
address by proxying it from an edge server.