add haproxy files here not in base image

Author: crosmuller

core/docker-compose.yml

@@ -24,6 +24,14 @@ services:
           - invite.dev.openconext.local
           - sbs.dev.openconext.local
     hostname: haproxy.docker
+    # bind mount separate files because the haproxy config
+    # directory also contains some static error files we do not want
+    # in our repository
+    volumes:
+      - ./haproxy/backends.map:/usr/local/etc/haproxy/backends.map:ro
+      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+      - ./haproxy/haproxy.crt:/usr/local/etc/haproxy/haproxy.crt:ro
+      - ./haproxy/haproxy.pem:/usr/local/etc/haproxy/haproxy.pem:ro
 
   mariadb:
     image: mariadb:10.6

core/haproxy/backends.map

@@ -0,0 +1,28 @@
+azuremfa.dev.openconext.local azuremfa_be
+gateway.dev.openconext.local gateway_be
+middleware.dev.openconext.local middleware_be
+ra.dev.openconext.local ra_be
+selfservice.dev.openconext.local selfservice_be
+tiqr.dev.openconext.local tiqr_be
+webauthn.dev.openconext.local webauthn_be
+ssp.dev.openconext.local ssp_be
+demogssp.dev.openconext.local demogssp_be
+stepupapi.dev.openconext.local stepupapi_be
+engine.dev.openconext.local engine_be
+engine-api.dev.openconext.local engine_be
+profile.dev.openconext.local profile_be
+mujina-idp.dev.openconext.local mujina-idp_be
+mujina-sp.dev.openconext.local mujina-sp_be
+manage.dev.openconext.local manage_be
+connect.dev.openconext.local connect_be
+teams.dev.openconext.local teams_be
+voot.dev.openconext.local voot_be
+pdp.dev.openconext.local pdp_be
+aa.dev.openconext.local aa_be
+oidc-playground.dev.openconext.local oidcplayground_be 
+userlifecycle.dev.openconext.local userlifecycle_be 
+spdashboard.dev.openconext.local spdashboard_be
+invite.dev.openconext.local invite_be
+welcome.dev.openconext.local welcome_be
+sbs.dev.openconext.local sbs_be
+

core/haproxy/haproxy.cfg

@@ -0,0 +1,138 @@
+global
+  log stdout format raw local0 info
+  pidfile     /tmp/haproxy.pid
+  log         127.0.0.1 len 32768  local2
+  log-send-hostname
+  maxconn     4000
+  user        haproxy
+  group       haproxy
+  ulimit-n    9000
+  ssl-default-bind-options no-sslv3 no-tls-tickets
+  ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS 
+  ssl-default-server-options no-sslv3 no-tls-tickets
+  ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS 
+  stats socket 127.0.0.1:14567
+  stats socket /var/lib/haproxy/haproxy.stats mode 660 level admin user haproxy group haproxy expose-fd listeners
+  server-state-file /var/lib/haproxy/state
+
+defaults
+    mode                        http
+    log                         global
+    option                      http-ignore-probes
+    option                      http-server-close
+    option                      httplog
+    option                      redispatch
+    retries                     3
+    timeout http-request        10s
+    timeout queue               1m
+    timeout connect             10s
+    timeout client              1m
+    timeout server              1m
+    timeout http-keep-alive     10s
+    timeout check               10s
+    maxconn                     3000
+    load-server-state-from-file global
+
+resolvers docker
+    nameserver dns1 127.0.0.11:53
+    resolve_retries 3
+    timeout resolve 1s
+    timeout retry   1s
+    hold other      10s
+    hold refused    10s
+    hold nx         10s
+    hold timeout    10s
+    hold valid      10s
+    hold obsolete   10s
+
+frontend  fe_web
+    bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind *:80
+    http-request set-header X-Forwarded-Proto https
+    use_backend stat if { path -i /haproxy }
+    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/backends.map)]
+
+backend azuremfa_be
+    server docker azuremfa:80 check resolvers docker init-addr libc,none
+
+backend gateway_be
+    server docker gateway:80 check resolvers docker init-addr libc,none
+
+backend middleware_be
+    server docker middleware:80 check resolvers docker init-addr libc,none
+
+backend ra_be
+    server docker ra:80 check resolvers docker init-addr libc,none
+
+backend selfservice_be
+    server docker selfservice:80 check resolvers docker init-addr libc,none
+
+backend tiqr_be
+    server docker tiqr:80 check resolvers docker init-addr libc,none
+
+backend webauthn_be
+    server docker webauthn:80 check resolvers docker init-addr libc,none
+
+backend ssp_be
+    server docker ssp:80 check resolvers docker init-addr libc,none
+
+backend demogssp_be
+    server docker demogssp:80 check resolvers docker init-addr libc,none
+
+backend stepupapi_be
+    server docker stepupapi:80 check resolvers docker init-addr libc,none
+
+backend engine_be
+    server docker engine:80 check resolvers docker init-addr libc,none
+
+backend profile_be
+    server docker profile:80 check resolvers docker init-addr libc,none
+
+backend mujina-idp_be
+    server docker mujina-idp:80 check resolvers docker init-addr libc,none
+    option forwarded
+
+backend mujina-sp_be
+    server docker mujina-sp:80 check resolvers docker init-addr libc,none
+
+backend manage_be
+    server docker managegui:80 check resolvers docker init-addr libc,none
+
+backend connect_be
+    server docker oidcng:80 check resolvers docker init-addr libc,none
+
+backend pdp_be
+    server docker pdpgui:80 check resolvers docker init-addr libc,none
+
+backend teams_be
+    server docker teamsgui:80 check resolvers docker init-addr libc,none
+
+backend voot_be
+    server docker voot:8080 check resolvers docker init-addr libc,none
+
+backend aa_be
+    server docker aa:8080 check resolvers docker init-addr libc,none
+
+backend oidcplayground_be
+    server docker oidcplaygroundgui:80 check resolvers docker init-addr libc,none
+
+backend userlifecycle_be
+    server docker userlifecycle:80 check resolvers docker init-addr libc,none
+
+backend spdashboard_be
+    server docker spdashboard:80 check resolvers docker init-addr libc,none
+
+backend invite_be
+    server docker inviteclient:80 check resolvers docker init-addr libc,none
+
+backend welcome_be
+    server docker invitewelcome:80 check resolvers docker init-addr libc,none
+
+backend sbs_be
+    server docker sbs:8080 check resolvers docker init-addr libc,none
+
+backend stat
+    stats enable
+    stats uri /haproxy
+    stats refresh 15s
+    stats show-legends

core/haproxy/haproxy.crt

@@ -21,4 +21,3 @@ lN765qvCcBoMc9bGdkCY+CEWV0mrVx0deFtoValOHSonU8lfGVXuAOPAFQ6IWCd/
 xYc2HYhfoShF0HcVjJhJAVysFQ+1oEus3xygGt8ywsJE+2b3c+OSnpqPjZKCopLd
 QVPFkX+6L74Uug8cIwB6B0SBlsd79664YNOB
 -----END CERTIFICATE-----
-

core/haproxy/haproxy.pem

@@ -0,0 +1,53 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCTXniv7fbbcelj
+HDGoMoCRlpirVdbiLUQDwGbnRa+VjohagE+HcAc42n3bncC8U8s3AfB4ONpEh9Mo
+MLD8beR3puEoPxhfQmtRnxHOr80ZhGbY2qqTjDUq0YkBsnq9XTCQd4AWiWXFC1YU
+xbJLe4CltWvCCcigbIbnydtE5m3/xnw+CfjE+vzC4gD4XxUwgCtUATZbxPYgldkF
+Z2zbGsaM1FU9nTAZVk7u9kGxvDRsjankNOXbQpD04B2KYTzZxGgdEzbQtO/JCUAn
+XjSy/yriH2z/vpWZPJMM1cHENdxv+2eIgaurRMcE5R8ZSWhHE7MNGcl1U44vtCsW
+fqeS6GQFAgMBAAECggEACEU/BLCYMAyein9kkgnziTgobUUuABeGP6emnsgcaIpN
+QLb+v50b6qbodVDPJkKVnwqu0jBun3X39cN1y1Tng4eMD1QrK/1wRG5m83COVCZI
+F1d+RzWRLkwAImY/2SzHsvPh7mHboklWlWfa772IpMQfvg4KgmZU0+FSOvWrqrUF
+Ks54ETNqki5GydjrYDGLuSwAcC/owNe45Zdx5Uu/6O+DFlowVKWgxf4r6PKQZ6xI
+SoFQpV9R/yecEqAzst/CIgjFp37kI9/X1g9NkK11JIrnWRApVD97IXglItA3NWTn
+LLunwdY4Qvm/TBx7PBppclRNEX30Sw/doqF25Dn0AQKBgQDCxbdsK7PvTGKHTW41
+LgusOlRWpzBRILvsmnKnMMotaYaxDPOqfySrBul7+/sMYi9d2nPiDb9T0xaIm6Lw
+0VjmpA4XLA6vyLeokz4fw/1ef+qouXVz3QTC8o/sIOObilcO/Z9qfP+ONduBdhhG
+AEo9/7850UC5V2oRZuyKFDY5gQKBgQDBsfqmPFLmpwWaO7xPKGTpQ7wTDy37823H
+TCr1gCj60BkouUYUyYbf7j+W290ukRJupUZLTo8df8dogmwA7Qi9ET+cobAos1bD
+S8xOSbK95/rdVX5H/Qgbw7yspQlye0ffmQZqAOQMmOLCHos+6YsfznM+FJ6/nWTr
+KAv0LBaEhQKBgCkKIhDv0HUeojAiN5OLBTif/b9YcQzXGeHL1Va3KBKThqbttLX7
+Hk3PIglW2doNIi/jZMF/5g2Sj8/vA1E8uz+116Y4SUvuvgwOImvtDwkHaPluQnpM
+WsF8/KhjcbIHXzqwZBO7DNn5LSxFJu4xB3Oy3KchGUM0UQwjpLmfcqGBAoGBAJ7k
+5BturQstxLjLfCTrnCyHNkfkUfK3tTyizTLr2bI2+AyiQE1ZLN2SUnPtFTrYI2jF
+CC9K2Lh4VBr1sqfnyx1egvJ46UvaIri++3DVoF2Nagwb0CY5+mbcYXC3SlKxszpI
+DCz1Yh67ZHmeGNiZOVn0QDGTNM83zMvj5Dp/2FEJAoGAB3rzW5LcA+LVT6hPcgbo
+sn9RGhVrqmiysNYAc7tT0/QI21QSWlQ+KUHq66S07AMm85uzUFLnw+ci1kLyFts8
+tcfp4F0hyKQADbRvzqXwWqkPjAr1VqYzJOCVeHlPtrvsaGDltM+eu0tf6ZQOQ8mH
+pTmwrSTeyUvvofYpFd/B8ZE=
+-----END PRIVATE KEY-----
+-
+-----BEGIN CERTIFICATE-----
+MIID1zCCAr+gAwIBAgIUDvja2rnsTgFy+cvxfHNTWDbMRLwwDQYJKoZIhvcNAQEL
+BQAwezELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0
+cmVjaHQxEjAQBgNVBAoMCVNVUkYgQi5WLjETMBEGA1UECwwKT3BlbkNvbmV4dDEf
+MB0GA1UEAwwWKi5kZXYub3BlbmNvbmV4dC5sb2NhbDAeFw0yMzAzMjgxMTQ0Mjha
+Fw0yNTEyMjIxMTQ0MjhaMHsxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0
+MRAwDgYDVQQHDAdVdHJlY2h0MRIwEAYDVQQKDAlTVVJGIEIuVi4xEzARBgNVBAsM
+Ck9wZW5Db25leHQxHzAdBgNVBAMMFiouZGV2Lm9wZW5jb25leHQubG9jYWwwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTXniv7fbbceljHDGoMoCRlpir
+VdbiLUQDwGbnRa+VjohagE+HcAc42n3bncC8U8s3AfB4ONpEh9MoMLD8beR3puEo
+PxhfQmtRnxHOr80ZhGbY2qqTjDUq0YkBsnq9XTCQd4AWiWXFC1YUxbJLe4CltWvC
+CcigbIbnydtE5m3/xnw+CfjE+vzC4gD4XxUwgCtUATZbxPYgldkFZ2zbGsaM1FU9
+nTAZVk7u9kGxvDRsjankNOXbQpD04B2KYTzZxGgdEzbQtO/JCUAnXjSy/yriH2z/
+vpWZPJMM1cHENdxv+2eIgaurRMcE5R8ZSWhHE7MNGcl1U44vtCsWfqeS6GQFAgMB
+AAGjUzBRMB0GA1UdDgQWBBRXEU6j5ncv/nhZIPHFXGNoGPWsHzAfBgNVHSMEGDAW
+gBRXEU6j5ncv/nhZIPHFXGNoGPWsHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQARl/Hu+C6argh4I9UvCaJGyQaKNH8fe7JWkailaCLZBXXi/Wpi
+6vTqZmTUp03Srqkxm2ng/8UjslN7mX1AYgofqv8vUK3wrNkjiW5E6fWNw8jy+s81
+8g6UNCvorEp+6TxDciR1BK5dC2yLlhvhfayAtMxdR0mMybEhk9PCMwJSaMmrzRpm
+lN765qvCcBoMc9bGdkCY+CEWV0mrVx0deFtoValOHSonU8lfGVXuAOPAFQ6IWCd/
+xYc2HYhfoShF0HcVjJhJAVysFQ+1oEus3xygGt8ywsJE+2b3c+OSnpqPjZKCopLd
+QVPFkX+6L74Uug8cIwB6B0SBlsd79664YNOB
+-----END CERTIFICATE-----
+