feat(haproxy): Initial commit

build-context/Dockerfile

@@ -0,0 +1,14 @@
+# For the remainder of this Dockerfile EXAMPLE_ARG_FOR_DOCKERFILE will be
+# available with a value of 'must_be_available_in_dockerfile', check out the env
+# file at 'env/fully.qualified.domain.name.example' for reference.
+# ARG EXAMPLE_ARG_FOR_DOCKERFILE
+
+# Another env var, this one's needed in the example build step below:
+# ARG HAPROXY_VERSION
+
+# Example
+# FROM "haproxy:${HAPROXY_VERSION}"
+# RUN apt-get update && \
+#     apt-get -y install \
+#     somepackage-6.q16-6-extra && \
+#     rm -rf /var/lib/apt/lists/*

build-context/docker-data/config/haproxy.cfg

@@ -0,0 +1,49 @@
+global
+    daemon
+    maxconn                         200
+    log                             stdout format raw local0
+    ssl-default-bind-ciphersuites   TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options        prefer-client-ciphers no-tls-tickets ssl-min-ver TLSv1.3
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options      no-tls-tickets ssl-min-ver TLSv1.3
+
+defaults generic_defaults
+    log                             global
+    maxconn                         50
+
+    # Irrelevant on frontends
+    timeout                         connect 5s
+    timeout                         server  5s
+
+    # Irrelevant on backends
+    timeout                         client 30s
+
+defaults http_defaults from generic_defaults
+    mode                            http
+    option                          forwardfor
+    option                          httplog
+
+frontend fe_stats from http_defaults
+    bind                            :"${STATS_PORT-61000}"
+    stats                           enable
+    stats                           uri /
+    stats                           refresh 10s
+    acl ips_allowed                 src 10.10.10.0/24 10.10.1.0/24
+    http-request                    deny if !ips_allowed
+
+frontend fe_https-proxy from http_defaults
+    bind                            :80
+    bind                            :443 ssl strict-sni crt /usr/local/etc/haproxy/certs alpn h2,http/1.1
+    redirect                        scheme https code 301 if !{ ssl_fc }
+    http-response                   set-header Strict-Transport-Security max-age=63072000
+    use_backend                     %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/hosts.map,be_no-match)]
+
+backend be_example.net from http_defaults
+    compression                     algo gzip
+    compression                     type text/plain text/css
+    option                          httpchk
+    http-check                      send meth HEAD uri /status hdr Host example.net hdr User-Agent "${HEALTH_CHECK_USER_AGENT-HAProxy} health check"
+    server                          nextcloud-loft example.net:8080 check inter 10s fall 3 rise 3
+
+backend be_no-match from http_defaults
+    http-request                    deny deny_status 404

build-context/docker-data/config/hosts.map

@@ -0,0 +1,6 @@
+# See https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy
+# 
+# domain                        backend
+fully.qualified.domain.name     be_example.net
+example.net                     be_example.net
+another.domain.com              be_example.net