put haproxy config here and not in base container

crosmuller · crosmuller · commit 904521f3720f · 2025-07-02T16:04:44.000+02:00
diff --git a/core/docker-compose.yml b/core/docker-compose.yml
@@ -5,8 +5,13 @@ services:
     ports:
       - 80:80
       - 443:443
+    # bind mount separate files because the haproxy config
+    # directory also contains some static error files we do not want
+    # in our repository
     volumes:
       - ./haproxy/haproxy.pem:/usr/local/etc/haproxy/haproxy.pem
+      - ./haproxy/backends.map:/usr/local/etc/haproxy/backends.map:ro
+      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
     networks:
       coreconextdev:
         aliases:
diff --git a/core/haproxy/backends.map b/core/haproxy/backends.map
@@ -0,0 +1,27 @@
+azuremfa.dev.openconext.local azuremfa_be
+gateway.dev.openconext.local gateway_be
+middleware.dev.openconext.local middleware_be
+ra.dev.openconext.local ra_be
+selfservice.dev.openconext.local selfservice_be
+tiqr.dev.openconext.local tiqr_be
+webauthn.dev.openconext.local webauthn_be
+ssp.dev.openconext.local ssp_be
+demogssp.dev.openconext.local demogssp_be
+stepupapi.dev.openconext.local stepupapi_be
+engine.dev.openconext.local engine_be
+engine-api.dev.openconext.local engine_be
+profile.dev.openconext.local profile_be
+mujina-idp.dev.openconext.local mujina-idp_be
+mujina-sp.dev.openconext.local mujina-sp_be
+manage.dev.openconext.local manage_be
+connect.dev.openconext.local connect_be
+teams.dev.openconext.local teams_be
+voot.dev.openconext.local voot_be
+pdp.dev.openconext.local pdp_be
+aa.dev.openconext.local aa_be
+oidc-playground.dev.openconext.local oidcplayground_be 
+userlifecycle.dev.openconext.local userlifecycle_be 
+spdashboard.dev.openconext.local spdashboard_be
+invite.dev.openconext.local invite_be
+welcome.dev.openconext.local welcome_be
+sbs.dev.openconext.local sbs_be
diff --git a/core/haproxy/haproxy.cfg b/core/haproxy/haproxy.cfg
@@ -0,0 +1,138 @@
+global
+  log stdout format raw local0 info
+  pidfile     /tmp/haproxy.pid
+  log         127.0.0.1 len 32768  local2
+  log-send-hostname
+  maxconn     4000
+  user        haproxy
+  group       haproxy
+  ulimit-n    9000
+  ssl-default-bind-options no-sslv3 no-tls-tickets
+  ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS 
+  ssl-default-server-options no-sslv3 no-tls-tickets
+  ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS 
+  stats socket 127.0.0.1:14567
+  stats socket /var/lib/haproxy/haproxy.stats mode 660 level admin user haproxy group haproxy expose-fd listeners
+  server-state-file /var/lib/haproxy/state
+
+defaults
+    mode                        http
+    log                         global
+    option                      http-ignore-probes
+    option                      http-server-close
+    option                      httplog
+    option                      redispatch
+    retries                     3
+    timeout http-request        10s
+    timeout queue               1m
+    timeout connect             10s
+    timeout client              1m
+    timeout server              1m
+    timeout http-keep-alive     10s
+    timeout check               10s
+    maxconn                     3000
+    load-server-state-from-file global
+
+resolvers docker
+    nameserver dns1 127.0.0.11:53
+    resolve_retries 3
+    timeout resolve 1s
+    timeout retry   1s
+    hold other      10s
+    hold refused    10s
+    hold nx         10s
+    hold timeout    10s
+    hold valid      10s
+    hold obsolete   10s
+
+frontend  fe_web
+    bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind *:80
+    http-request set-header X-Forwarded-Proto https
+    use_backend stat if { path -i /haproxy }
+    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/backends.map)]
+
+backend azuremfa_be
+    server docker azuremfa:80 check resolvers docker init-addr libc,none
+
+backend gateway_be
+    server docker gateway:80 check resolvers docker init-addr libc,none
+
+backend middleware_be
+    server docker middleware:80 check resolvers docker init-addr libc,none
+
+backend ra_be
+    server docker ra:80 check resolvers docker init-addr libc,none
+
+backend selfservice_be
+    server docker selfservice:80 check resolvers docker init-addr libc,none
+
+backend tiqr_be
+    server docker tiqr:80 check resolvers docker init-addr libc,none
+
+backend webauthn_be
+    server docker webauthn:80 check resolvers docker init-addr libc,none
+
+backend ssp_be
+    server docker ssp:80 check resolvers docker init-addr libc,none
+
+backend demogssp_be
+    server docker demogssp:80 check resolvers docker init-addr libc,none
+
+backend stepupapi_be
+    server docker stepupapi:80 check resolvers docker init-addr libc,none
+
+backend engine_be
+    server docker engine:80 check resolvers docker init-addr libc,none
+
+backend profile_be
+    server docker profile:80 check resolvers docker init-addr libc,none
+
+backend mujina-idp_be
+    server docker mujina-idp:80 check resolvers docker init-addr libc,none
+    option forwarded
+
+backend mujina-sp_be
+    server docker mujina-sp:80 check resolvers docker init-addr libc,none
+
+backend manage_be
+    server docker managegui:80 check resolvers docker init-addr libc,none
+
+backend connect_be
+    server docker oidcng:80 check resolvers docker init-addr libc,none
+
+backend pdp_be
+    server docker pdpgui:80 check resolvers docker init-addr libc,none
+
+backend teams_be
+    server docker teamsgui:80 check resolvers docker init-addr libc,none
+
+backend voot_be
+    server docker voot:8080 check resolvers docker init-addr libc,none
+
+backend aa_be
+    server docker aa:8080 check resolvers docker init-addr libc,none
+
+backend oidcplayground_be
+    server docker oidcplaygroundgui:80 check resolvers docker init-addr libc,none
+
+backend userlifecycle_be
+    server docker userlifecycle:80 check resolvers docker init-addr libc,none
+
+backend spdashboard_be
+    server docker spdashboard:80 check resolvers docker init-addr libc,none
+
+backend invite_be
+    server docker inviteclient:80 check resolvers docker init-addr libc,none
+
+backend welcome_be
+    server docker invitewelcome:80 check resolvers docker init-addr libc,none
+
+backend sbs_be
+    server docker sbs:8080 check resolvers docker init-addr libc,none
+
+backend stat
+    stats enable
+    stats uri /haproxy
+    stats refresh 15s
+    stats show-legends
