

Health & reload
Re-enable SSL health checks (which we may drop again)
Remove ics deploy scripts (will change either way)
Update launch script to exec haproxy entrypoint
--> the haproxy entrypoint handles SIGHUP, so the proxy config can be reloaded in place

Signed-off-by: Erin Schnabel <[email protected]>
Erin Schnabel committed Sep 3, 2017
1 parent 688e1c4 commit 850c7d6
Showing 7 changed files with 61 additions and 258 deletions.
18 changes: 10 additions & 8 deletions Dockerfile
Expand Up @@ -2,22 +2,24 @@ FROM haproxy:1.7.9

LABEL maintainer="Erin Schnabel <[email protected]> (@ebullientworks)"

RUN apt-get update && apt-get install -y wget ca-certificates --no-install-recommends && rm -rf /var/lib/apt/lists/*
RUN apt-get update \
&& apt-get install -y wget ca-certificates --no-install-recommends \
&& rm -rf /var/lib/apt/lists/*

RUN ln -s /usr/local/etc/haproxy /etc/ && \
mkdir -p /run/haproxy/
RUN mkdir -p /run/haproxy \
mkdir -p /opt/haproxy

RUN wget https://github.com/coreos/etcd/releases/download/v2.2.2/etcd-v2.2.2-linux-amd64.tar.gz -q && \
tar xzf etcd-v2.2.2-linux-amd64.tar.gz etcd-v2.2.2-linux-amd64/etcdctl --strip-components=1 && \
rm etcd-v2.2.2-linux-amd64.tar.gz && \
mv etcdctl /usr/local/bin/etcdctl

COPY ./proxy.pem /etc/ssl/proxy.pem
COPY ./startup.sh /opt/startup.sh
COPY ./proxy.pem /etc/ssl/proxy.pem
COPY ./startup.sh /opt/startup.sh

COPY ./haproxy.cfg /etc/haproxy/haproxy.cfg
COPY ./haproxy-ics.cfg /etc/haproxy/haproxy-ics.cfg
COPY ./haproxy-dev.cfg /etc/haproxy/haproxy-dev.cfg
# allow local override to work
COPY ./haproxy.cfg /opt/haproxy/haproxy.cfg
COPY ./haproxy-dev.cfg /opt/haproxy/haproxy-dev.cfg

EXPOSE 80 443 1936

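Review bot: The new `RUN mkdir -p /run/haproxy \` line is not chained to the next one with `&&`, so the shell runs the single command `mkdir -p /run/haproxy mkdir -p /opt/haproxy`; GNU mkdir accepts that and creates /run/haproxy and /opt/haproxy, but also a stray `mkdir` directory in the working directory (`/` unless a WORKDIR is set above), and the step succeeds so nothing flags it. Collapse it to one line, `RUN mkdir -p /run/haproxy /opt/haproxy`. Separately, `COPY ./proxy.pem /etc/ssl/proxy.pem` bakes the file that haproxy-dev.cfg later uses as `ssl crt` — which haproxy expects to include the private key — into an image layer, so anyone who can pull the image gets the key; consider mounting it at run time, or at least add `# dev-only self-signed cert; never ship a real key this way` next to the COPY. The etcdctl download above it is still fetched without a checksum, but that is pre-existing context rather than part of this change.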
56 changes: 32 additions & 24 deletions haproxy-dev.cfg
@@ -1,13 +1,12 @@
global
log /dev/stdout local0 info

stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s

debug

# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
# To scan/check site, https://securityheaders.io/
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-options no-sslv3 no-tls-tickets
Expand All @@ -18,16 +17,16 @@ global
spread-checks 5

userlist admins
user admin insecure-password PLACEHOLDER_PASSWORD
user admin insecure-password admin

resolvers docker
nameserver dns "${DNS_TCP_ADDR}:${DNS_TCP_PORT}"
resolve_retries 3
timeout retry 1s
hold other 30s
hold refused 30s
hold nx 30s
hold timeout 30s
hold other 10s
hold refused 10s
hold nx 10s
hold timeout 10s
hold valid 10s

defaults
Expand All @@ -38,6 +37,8 @@ defaults
option dontlog-normal
option dontlognull

option log-health-checks

option http-server-close
timeout connect 5s
timeout client 30s
Expand All @@ -48,20 +49,20 @@ defaults
default-server resolvers docker resolve-prefer ipv4
default-server init-addr none

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http

listen stats
bind *:1936 ssl crt /etc/ssl/proxy.pem
stats enable
stats uri /
stats hide-version
stats auth admin:PLACEHOLDER_PASSWORD
stats auth admin:admin


frontend frontend-ssl
Expand Down Expand Up @@ -101,10 +102,10 @@ frontend frontend-ssl
use_backend roomjs if roomjs

acl slackin path_beg -i /slackin
use_backend slackin if slackin
use_backend slackin if slackin

acl swagger path_beg -i /swagger
use_backend swagger if swagger
use_backend swagger if swagger

default_backend static-content

Expand All @@ -116,52 +117,59 @@ backend auth
option httplog
option httpchk GET /auth/health HTTP/1.1\r\nHost:localhost
balance roundrobin
server auth1 auth:9443 check-ssl ssl verify none
server auth1 auth:9443 ssl check check-ssl verify none

backend map
mode http
option httplog
option httpchk GET /map/v1/health HTTP/1.1\r\nHost:localhost
balance roundrobin
server map1 map:9443 check-ssl ssl verify none
server map1 map:9443 ssl check check-ssl verify none

backend mediator
mode http
option httplog
option httpchk GET /mediator HTTP/1.1\r\nHost:localhost
balance roundrobin
server mediator1 mediator:9443 check-ssl ssl verify none
server mediator1 mediator:9443 ssl check check-ssl verify none

backend player
mode http
option httplog
option httpchk GET /players/v1/health HTTP/1.1\r\nHost:localhost
balance roundrobin
server player1 player:9443 check-ssl ssl verify none
server player1 player:9443 ssl check check-ssl verify none

backend room
mode http
option httplog
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
balance roundrobin
server room1 room:9443 check-ssl ssl verify none
server room1 room:9443 ssl check check-ssl verify none

backend roomjs
mode http
option httplog
balance roundrobin
server roomjs1 roomjs:5000 check

backend slackin
mode http
option httplog
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
balance roundrobin
server slackin1 slackin:3000 check inter 1m

backend swagger
mode http
option httpchk HEAD /health HTTP/1.1\r\nHost:localhost
option httplog
option httpchk HEAD /health HTTP/1.1\r\nHost:localhost
balance roundrobin
server swagger1 swagger:8080 check inter 1m

backend static-content
mode http
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
option httpchk HEAD /health HTTP/1.1\r\nHost:localhost
option httplog
balance roundrobin
server webapp1 webapp:8080 check inter 1m
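Review bot: `stats auth admin:admin` in `listen stats`, together with `user admin insecure-password admin` in `userlist admins`, hard-codes a default credential on a listener bound to *:1936, which the Dockerfile also EXPOSEs; if the literal `admin` is the new side replacing PLACEHOLDER_PASSWORD, the launch-time substitution the placeholder allowed is gone. Even in a dev config, and even though the page appears read-only without a `stats admin` rule, it reveals backend names, health state and traffic counters to anyone who reaches the port, so keep the placeholder (filled from an environment variable at startup) or add `# dev only: override before exposing 1936 outside the docker network`. On the backend server lines, `ssl check check-ssl verify none` disables certificate validation for every HTTPS hop to auth/map/mediator/player/room; acceptable on a private docker network, but worth a comment such as `# dev: backends use self-signed certs, not verified` so the line is not copied unchanged into a production config. The `listen stats` and `userlist` blocks sit in earlier hunks of this file; only the backend hunk is quoted in full here.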
135 changes: 0 additions & 135 deletions haproxy-ics.cfg

This file was deleted.

