|
|
|
@ -22,6 +22,185 @@ networks: |
|
|
|
external: true |
|
|
|
``` |
|
|
|
|
|
|
|
ON first run you need to: |
|
|
|
On first run you need to: |
|
|
|
|
|
|
|
`docker network create phoenix-network` |
|
|
|
|
|
|
|
|
|
|
|
## HAProxy setup |
|
|
|
|
|
|
|
... in docker-compose.yml ... |
|
|
|
|
|
|
|
``` |
|
|
|
default-backend: |
|
|
|
container_name: 'default-backend' |
|
|
|
image: nginx:1.22.0-alpine |
|
|
|
volumes: |
|
|
|
- /docker-volumes/haproxy-config/core/nginx/html:/usr/share/nginx/html |
|
|
|
restart: always |
|
|
|
networks: |
|
|
|
- phoenix-network |
|
|
|
|
|
|
|
rsyslog: |
|
|
|
container_name: 'rsyslog' |
|
|
|
hostname: 'rsyslog' |
|
|
|
image: alpine-rsyslog |
|
|
|
build: |
|
|
|
context: ./alpine-rsyslog |
|
|
|
volumes: |
|
|
|
- $PWD/haproxy-config/core/haproxy.conf:/etc/rsyslog.d/haproxy.conf |
|
|
|
- $PWD/haproxy-config/log:/var/log |
|
|
|
- $PWD/haproxy-config/spool:/var/spool |
|
|
|
- $PWD/rsyslog/rsyslog.conf:/etc/rsyslog.conf |
|
|
|
ports: |
|
|
|
- '127.0.0.1:514:514' |
|
|
|
networks: |
|
|
|
- phoenix-network |
|
|
|
|
|
|
|
|
|
|
|
haproxy: |
|
|
|
container_name: 'haproxy' |
|
|
|
hostname: 'haproxy' |
|
|
|
image: haproxytech/haproxy-alpine:latest |
|
|
|
ports: |
|
|
|
- 443:443 |
|
|
|
- 80:80 |
|
|
|
depends_on: |
|
|
|
- default-backend |
|
|
|
- rsyslog |
|
|
|
volumes: |
|
|
|
- $PWD/haproxy-config/log:/var/log |
|
|
|
- $PWD/haproxy-config/certs:/usr/local/etc/haproxy/certs:ro |
|
|
|
- $PWD/haproxy-config/core:/usr/local/etc/haproxy/core:ro |
|
|
|
- $PWD/haproxy-config/maps:/usr/local/etc/haproxy/maps:ro |
|
|
|
- $PWD/haproxy-config/sites:/usr/local/etc/haproxy/sites:ro |
|
|
|
command: "haproxy -f /usr/local/etc/haproxy/core/haproxy.cfg -f /usr/local/etc/haproxy/sites/" |
|
|
|
networks: |
|
|
|
- phoenix-network |
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
in `haproxy-config/core/haproxy.conf`: |
|
|
|
|
|
|
|
``` |
|
|
|
$UDPServerAddress 127.0.0.1 |
|
|
|
$UDPServerRun 514 |
|
|
|
local0.* /var/log/haproxy.log |
|
|
|
& ~ |
|
|
|
``` |
|
|
|
|
|
|
|
in `haproxy-config/core/haproxy.cfg`: |
|
|
|
|
|
|
|
``` |
|
|
|
global |
|
|
|
tune.ssl.default-dh-param 2048 |
|
|
|
log rsyslog:514 local0 |
|
|
|
maxconn 4096 |
|
|
|
|
|
|
|
defaults |
|
|
|
option httplog |
|
|
|
option forwardfor except 127.0.0.1 |
|
|
|
option forwardfor header X-Real-IP |
|
|
|
option http-no-delay |
|
|
|
log global |
|
|
|
mode http |
|
|
|
|
|
|
|
retries 10 |
|
|
|
option redispatch |
|
|
|
timeout connect 4000 |
|
|
|
timeout client 600000 |
|
|
|
timeout server 600000 |
|
|
|
timeout queue 10s |
|
|
|
|
|
|
|
frontend default_frontend |
|
|
|
mode http |
|
|
|
|
|
|
|
bind *:80 |
|
|
|
bind *:443 ssl crt /usr/local/etc/haproxy/certs alpn h2,http/1.1 |
|
|
|
|
|
|
|
# redirect non-www |
|
|
|
|
|
|
|
# http-request redirect prefix https://%[hdr(Host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. } |
|
|
|
|
|
|
|
# Make a rule that the server cannot be directly accessed by IP address |
|
|
|
|
|
|
|
acl has_domain hdr(Host),map_str(/usr/local/etc/haproxy/maps/domains.map) -m found |
|
|
|
http-request deny if !has_domain |
|
|
|
|
|
|
|
# ACME challenge rule? |
|
|
|
|
|
|
|
acl letsencrypt-acl path_beg /.well-known/acme-challenge/ |
|
|
|
redirect code 301 scheme https if !{ ssl_fc && letsencrypt-acl } |
|
|
|
compression algo gzip |
|
|
|
compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json image/svg+xml |
|
|
|
acl is_content_type_html res.hdr(Content-Type) -i text/html |
|
|
|
http-response set-header Content-Type text/html;\ charset=UTF-8 if is_content_type_html |
|
|
|
http-response set-header Cache-Control no-cache,\ max-age=31536000 |
|
|
|
http-response set-header Expires %[date(3600),http_date] |
|
|
|
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" |
|
|
|
http-response set-header X-XSS-Protection "1; mode=block" |
|
|
|
http-response set-header X-Content-Type-Options "nosniff" |
|
|
|
http-response set-header Referrer-Policy "strict-origin-when-cross-origin" |
|
|
|
use_backend %[base,lower,regsub(^www\.,,i),map_beg(/usr/local/etc/haproxy/maps/sites.map,default_backend)] |
|
|
|
|
|
|
|
|
|
|
|
listen stats |
|
|
|
bind *:9999 |
|
|
|
mode http |
|
|
|
log global |
|
|
|
stats enable |
|
|
|
stats realm Haproxy\ Statistics |
|
|
|
stats uri /haproxy_stats |
|
|
|
stats hide-version |
|
|
|
|
|
|
|
|
|
|
|
backend haproxy_stats_backend |
|
|
|
http-request auth realm haproxy-stats unless { http_auth_group(basic-auth-list) is-haproxy-stats } |
|
|
|
mode http |
|
|
|
compression algo gzip |
|
|
|
compression offload |
|
|
|
server server_nginx localhost:9999 |
|
|
|
|
|
|
|
|
|
|
|
userlist basic-auth-list |
|
|
|
group is-guest |
|
|
|
group is-haproxy-stats |
|
|
|
|
|
|
|
user guest password $5$N7CpS0mo$FyJtlwQOwzAi5HnCISumyBKWyPu6DhBO7eGzUUyWoJ7 groups is-guest |
|
|
|
``` |
|
|
|
|
|
|
|
... in `haproxy-config/sites/web-push.anomalistlabs.com.cfg` ... |
|
|
|
|
|
|
|
define an HAProxy backend and map it to the Docker host and port |
|
|
|
NOTE: this also turned off CORS origin rule |
|
|
|
``` |
|
|
|
backend web_push_backend |
|
|
|
mode http |
|
|
|
compression algo gzip |
|
|
|
compression offload |
|
|
|
http-response set-header Access-Control-Allow-Origin "*" |
|
|
|
server server_nginx endorser-push-server:3000 |
|
|
|
``` |
|
|
|
|
|
|
|
... in `haproxy-config/maps/domains.map` ... |
|
|
|
|
|
|
|
add a domain that will be used as a base |
|
|
|
|
|
|
|
``` |
|
|
|
timesafari.anomalistlabs.com |
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
... in `haproxy-config/maps/sites.map` ... |
|
|
|
|
|
|
|
map the `/web-push` path to the `web_push_backend` |
|
|
|
NOTE: `timesafari-pwa.anomalistlabs.com` PWA sits on the root |
|
|
|
|
|
|
|
``` |
|
|
|
timesafari-pwa.anomalistlabs.com/web-push/ web_push_backend |
|
|
|
``` |
|
|
|
|
|
|
|
## The rest .. |
|
|
|
|
|
|
|
`docker-compose up -d` should just work :-) |
|
|
|
|
|
|
|
|
Matthew Raymer
10 months ago