By having the environment explicit on each service, we both document
the settings and have more control over what each service is allowed
to see.
This avoids weird things like nginx having access to postgresql's
credentials on its environment.
As a bonus: we are able to use one single environment file, which is
basically dd.conf with some values that are dynamically-calculated and
added from dd-ctl.
The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF
determine how DD and HAProxy will behave.
- PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted
- DISABLE_WAF: whether or not WAF will be enabled
This simplifies maintenance, as well as the overall architecture and operation.
While at it, we now publish images for DD's HAProxy as well.
This can be used by setting up HAPROXY_CONF in dd.conf, which will
determine which config file will be used.
We also add haproxy.proxy-protocol.conf which is cleaner than
haproxy.conf and allows the PROXY protocol on certain ports.
With this setup it is possible to e.g. run DD without a public IPv4
address by proxying it from an edge server.
Evilham
Manuel Caballero
Manuel Caballero