remove a8 entirely, dns resolve

Signed-off-by: Erin Schnabel <[email protected]>
gameontext · Aug 23, 2017 · c97e69c · c97e69c
1 parent 066b73e
commit c97e69c
Show file tree

Hide file tree

Showing 5 changed files with 234 additions and 231 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -5,13 +5,18 @@ services:
 language: java
 jdk:
 - openjdk8
+env:
+- COMMIT=${TRAVIS_COMMIT::8}
+- REPO_IMAGE=${DOCKER_REPO}/${DOCKER_IMAGE}
 script:
 - echo "TRAVIS_BRANCH='$TRAVIS_BRANCH'" \
   ;if [ "$TRAVIS_BRANCH" == "master" ]; then
      echo "Building and Pushing new image" \
      && docker login -u="${DOCKER_USERNAME}" -p="${DOCKER_PASSWORD}" && echo "Login ok" \
-     && docker build -t ${DOCKER_REPO}/${DOCKER_IMAGE} ${DOCKER_BUILDDIR} && echo "Build complete" \
-     && docker push ${DOCKER_REPO}/${DOCKER_IMAGE} && echo "Push complete"
+     && docker build -t ${REPO_IMAGE}:${COMMIT} ${DOCKER_BUILDDIR} && echo "Build complete" \
+     && docker tag ${REPO_IMAGE}:${COMMIT} ${REPO_IMAGE}:latest \
+     && docker tag ${REPO_IMAGE}:${COMMIT} ${REPO_IMAGE}:travis-${TRAVIS_BUILD_NUMBER} \
+     && docker push ${REPO_IMAGE} && echo "Push complete"
   ;else
      echo "Not master branch, skipping docker"
   ;fi

diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,9 @@
-FROM haproxy:1.6
+FROM haproxy:1.7.9
 
-MAINTAINER Ben Smith (benjsmi@us.ibm.com)
+LABEL maintainer="Erin Schnabel <schnabel@us.ibm.com> (@ebullientworks)"
 
 RUN apt-get update && apt-get install -y wget ca-certificates --no-install-recommends && rm -rf /var/lib/apt/lists/*
 
-RUN wget -qO- https://github.com/amalgam8/amalgam8/releases/download/v0.4.2/a8sidecar.sh | sh
-
 RUN ln -s /usr/local/etc/haproxy /etc/ && \
     mkdir -p /run/haproxy/
 

diff --git a/haproxy-dev.cfg b/haproxy-dev.cfg
@@ -1,176 +1,164 @@
 global
-	#chroot /var/lib/haproxy
-  #user haproxy
-	#group haproxy
-	stats socket /run/haproxy/admin.sock mode 660 level admin
-	stats timeout 30s
+  log /dev/stdout local0 info
+
+  stats socket /run/haproxy/admin.sock mode 660 level admin
+  stats timeout 30s
+
   debug
-	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+
+  # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+  # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
+  tune.ssl.default-dh-param 2048
+  ssl-default-bind-options no-sslv3 no-tls-tickets
+  ssl-default-server-options no-sslv3 no-tls-tickets
+  ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+  ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+  # Distribute the health checks with a bit of randomness
+  spread-checks 5
 
 userlist admins
   user admin insecure-password PLACEHOLDER_PASSWORD
 
+resolvers docker
+  nameserver dns "${DNS_TCP_ADDR}:${DNS_TCP_PORT}"
+  resolve_retries       3
+  timeout retry         1s
+  hold other           30s
+  hold refused         30s
+  hold nx              30s
+  hold timeout         30s
+  hold valid           10s
+
 defaults
-	mode	http
-	retries 3
-	option redispatch
-	option dontlog-normal
-	option dontlognull
-  timeout connect 5000
-  timeout client  500000
-  timeout server  500000
-	errorfile 400 /etc/haproxy/errors/400.http
-	errorfile 403 /etc/haproxy/errors/403.http
-	errorfile 408 /etc/haproxy/errors/408.http
-	errorfile 500 /etc/haproxy/errors/500.http
-	errorfile 502 /etc/haproxy/errors/502.http
-	errorfile 503 /etc/haproxy/errors/503.http
-	errorfile 504 /etc/haproxy/errors/504.http
-
-frontend logstash-lumberjack
-  bind *:5043
-  mode tcp
-  option tcplog
-  default_backend logstash-lumberjack
+  log   global
+  mode  http
+  retries 3
+  option redispatch
+  option dontlog-normal
+  option dontlognull
+
+  option http-server-close
+  timeout connect 5s
+  timeout client 30s
+  timeout client-fin 30s
+  timeout server 30s
+  timeout tunnel  1h
+
+  default-server resolvers docker resolve-prefer ipv4
+  default-server init-addr none
+
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http
+
+listen stats
+    bind *:1936 ssl crt /etc/ssl/proxy.pem
+    stats enable
+    stats uri /
+    stats hide-version
+    stats auth admin:PLACEHOLDER_PASSWORD
+
 
 frontend frontend-ssl
+  bind *:80
   bind *:443 ssl crt /keystore/proxy.pem
   mode http
   option httplog
+  redirect scheme https code 301 if !{ ssl_fc }
 
-  acl player path_beg -i /play
-  use_backend player	if player
+  option forwardfor
+  reqadd X-Forwarded-Proto:\ https
+  reqadd X-Forwarded-Port:\ 443
+
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
   acl auth path_beg -i /auth
-  use_backend auth	if auth
+  acl not_ready nbsrv(auth) lt 1
+  use_backend auth  if auth
 
   acl map path_beg -i /map
+  acl not_ready nbsrv(map) lt 1
   use_backend map if map
 
-  acl swagger	 path_beg -i /swagger
-  use_backend swagger		if swagger
-
-  acl room	 path_beg -i /rooms
-  use_backend room		if room
-
-  acl roomjs	path_beg -i /roomjs
-  use_backend	roomjs	if roomjs
-
   acl mediator path_beg -i /mediator
+  acl not_ready nbsrv(mediator) lt 1
   use_backend mediator  if mediator
 
-  default_backend static-content
-
-frontend frontend-plain
-  bind *:80
-  mode http
-  option httplog
-
   acl player path_beg -i /play
   acl not_ready nbsrv(player) lt 1
-  use_backend player	if player
-
-  acl auth path_beg -i /auth
-  acl not_ready nbsrv(auth) lt 1
-  use_backend auth	if auth
+  use_backend player  if player
 
-  acl room	 path_beg -i /rooms
+  acl room  path_beg -i /rooms
   acl not_ready nbsrv(room) lt 1
-  use_backend room		if room
+  use_backend room    if room
 
-  acl swagger	 path_beg -i /swagger
-  use_backend swagger		if swagger
-
-  acl roomjs	path_beg -i /roomjs
-  use_backend	roomjs	if roomjs
-
-  acl map path_beg -i /map
-  acl not_ready nbsrv(map) lt 1
-  use_backend map if map
+  acl roomjs  path_beg -i /roomjs
+  use_backend  roomjs  if roomjs
 
-  acl mediator path_beg -i /mediator
-  acl not_ready nbsrv(mediator) lt 1
-  use_backend mediator  if mediator
+  acl swagger  path_beg -i /swagger
+  use_backend swagger    if swagger
 
   default_backend static-content
 
   monitor-uri   /site_alive
   monitor fail  if not_ready
 
-backend room
-  mode http
-  option httplog
-  option httpchk HEAD / HTTP/1.1\r\nHost:localhost
-  balance roundrobin
-  server room1 room:9080 check
-
-backend roomjs
+backend auth
   mode http
   option httplog
+  option httpchk GET /auth/health HTTP/1.1\r\nHost:localhost
   balance roundrobin
-  server roomjs1 192.168.99.100:5000 check
+  server auth1 auth:9443 check-ssl ssl verify none
 
 backend map
   mode http
   option httplog
-  option httpchk GET /map/map/v1/health HTTP/1.1\r\nHost:localhost
+  option httpchk GET /map/v1/health HTTP/1.1\r\nHost:localhost
   balance roundrobin
-  acl map2 path_beg -i /map/map
-  http-request set-uri http://%[req.hdr(Host)]/map%[path]?%[query] if !map2
-  server map1 127.0.0.1:6379 check verify none
+  server map1 map:9443 check-ssl ssl verify none
 
 backend mediator
   mode http
   option httplog
+  option httpchk GET /mediator HTTP/1.1\r\nHost:localhost
   balance roundrobin
-  acl mediator2 path_beg -i /mediator/mediator
-  http-request set-uri http://%[req.hdr(Host)]/mediator%[path]?%[query] if !mediator2
-  server mediator1 127.0.0.1:6379 check verify none
+  server mediator1 mediator:9443 check-ssl ssl verify none
 
-backend auth
+backend player
   mode http
   option httplog
-  option httpchk GET /auth/auth/health HTTP/1.1\r\nHost:localhost
+  option httpchk GET /players/v1/health HTTP/1.1\r\nHost:localhost
   balance roundrobin
-  acl auth2 path_beg -i /auth/auth
-  http-request set-uri http://%[req.hdr(Host)]/auth%[path]?%[query] if !auth2
-  server auth1 127.0.0.1:6379 check verify none
+  server player1 player:9443 check-ssl ssl verify none
 
-backend player
+backend room
   mode http
   option httplog
+  option httpchk HEAD / HTTP/1.1\r\nHost:localhost
   balance roundrobin
-  acl player2 path_beg -i /players/players
-  http-request set-uri http://%[req.hdr(Host)]/players%[path]?%[query] if !player2
-  server player1 127.0.0.1:6379 check verify none
+  server room1 room:9443 check-ssl ssl verify none
 
-backend static-content
+backend roomjs
   mode http
-  option httpchk HEAD / HTTP/1.1\r\nHost:localhost
   option httplog
   balance roundrobin
-  server webapp1 webapp:8080 check inter 1m
-
-backend logstash-lumberjack
-  mode tcp
-  option tcplog
-  balance roundrobin
-  server logstash1 192.168.99.100:5043 check
+  server roomjs1 roomjs:5000 check
 
 backend swagger
   mode http
-  acl swagger_root path -i /swagger
-  redirect location /swagger/ if swagger_root
-  option httpchk HEAD /swagger/ HTTP/1.1\r\nHost:localhost
+  option httpchk HEAD /health HTTP/1.1\r\nHost:localhost
   option httplog
   balance roundrobin
-  acl swagger2 path_beg -i /swagger/swagger/
-  http-request set-uri http://%[req.hdr(Host)]/swagger%[path]?%[query] if !swagger2
-  server swagger1 127.0.0.1:6379 check verify none
+  server swagger1 swagger:8080 check inter 1m
 
-listen stats
-    bind *:1936 ssl crt /etc/ssl/proxy.pem
-    stats enable
-    stats uri /
-    stats hide-version
-    stats auth admin:PLACEHOLDER_PASSWORD
+backend static-content
+  mode http
+  option httpchk HEAD / HTTP/1.1\r\nHost:localhost
+  option httplog
+  balance roundrobin
+  server webapp1 webapp:8080 check inter 1m