feat(haproxy): Initial commit

2023-06-20 23:49:32 +02:00
parent b4bbb66dce
commit 867e1ff919
14 changed files with 359 additions and 2 deletions
--- a/build-context/docker-data/.gitkeep
+++ b/build-context/docker-data/.gitkeep
--- a/build-context/docker-data/config/certs/example.com.pem
+++ b/build-context/docker-data/config/certs/example.com.pem
--- a/build-context/docker-data/config/certs/example.com.pem.key
+++ b/build-context/docker-data/config/certs/example.com.pem.key
--- a/build-context/docker-data/config/certs/example.net.pem
+++ b/build-context/docker-data/config/certs/example.net.pem
--- a/build-context/docker-data/config/certs/example.net.pem.key
+++ b/build-context/docker-data/config/certs/example.net.pem.key
--- a/build-context/docker-data/config/haproxy.cfg
+++ b/build-context/docker-data/config/haproxy.cfg
@@ -0,0 +1,49 @@
+global
+    daemon
+    maxconn                         200
+    log                             stdout format raw local0
+    ssl-default-bind-ciphersuites   TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options        prefer-client-ciphers no-tls-tickets ssl-min-ver TLSv1.3
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options      no-tls-tickets ssl-min-ver TLSv1.3
+
+defaults generic_defaults
+    log                             global
+    maxconn                         50
+
+    # Irrelevant on frontends
+    timeout                         connect 5s
+    timeout                         server  5s
+
+    # Irrelevant on backends
+    timeout                         client 30s
+
+defaults http_defaults from generic_defaults
+    mode                            http
+    option                          forwardfor
+    option                          httplog
+
+frontend fe_stats from http_defaults
+    bind                            :"${STATS_PORT-61000}"
+    stats                           enable
+    stats                           uri /
+    stats                           refresh 10s
+    acl ips_allowed                 src 10.10.10.0/24 10.10.1.0/24
+    http-request                    deny if !ips_allowed
+
+frontend fe_https-proxy from http_defaults
+    bind                            :80
+    bind                            :443 ssl strict-sni crt /usr/local/etc/haproxy/certs alpn h2,http/1.1
+    redirect                        scheme https code 301 if !{ ssl_fc }
+    http-response                   set-header Strict-Transport-Security max-age=63072000
+    use_backend                     %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/hosts.map,be_no-match)]
+
+backend be_example.net from http_defaults
+    compression                     algo gzip
+    compression                     type text/plain text/css
+    option                          httpchk
+    http-check                      send meth HEAD uri /status hdr Host example.net hdr User-Agent "${HEALTH_CHECK_USER_AGENT-HAProxy} health check"
+    server                          nextcloud-loft example.net:8080 check inter 10s fall 3 rise 3
+
+backend be_no-match from http_defaults
+    http-request                    deny deny_status 404
--- a/build-context/docker-data/config/hosts.map
+++ b/build-context/docker-data/config/hosts.map
@@ -0,0 +1,6 @@
+# See https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy
+# 
+# domain                        backend
+fully.qualified.domain.name     be_example.net
+example.net                     be_example.net
+another.domain.com              be_example.net