[FIX] Refactor using proxy.py

Author: josep-tecnativa

Dockerfile

@@ -1,33 +1,45 @@
 FROM python:3-alpine
 
-ENTRYPOINT ["dumb-init", "--", "/usr/local/bin/entrypoint.sh"]
-CMD ["proxy"]
-HEALTHCHECK CMD ["healthcheck"]
-
-RUN apk add --no-cache -t .build build-base curl-dev && \
-    apk add --no-cache iptables ipset iproute2 dnsmasq && \
-    apk add --no-cache libcurl && \
-    pip install --no-cache-dir dnspython dumb-init pycurl && \
-    apk del .build
+RUN apk add --no-cache --virtual .build-deps \
+        build-base \
+        curl-dev \
+    && apk add --no-cache \
+        dumb-init \
+        dnsmasq \
+        iproute2 \
+        ipset \
+        iptables \
+        libcurl \
+    && pip install --no-cache-dir \
+        dnspython \
+        pycurl \
+    && apk del .build-deps
 
 ENV NAMESERVERS="1.1.1.1 8.8.8.8" \
     PORT="*" \
-    LISTEN_PORT=15000 \
-    RESOLVE_INTERVAL=60 \
-    PRE_RESOLVE=0 \
-    MODE=tcp \
-    VERBOSE=0 \
-    MAX_CONNECTIONS=100 \
-    UDP_ANSWERS=1 \
-    HTTP_HEALTHCHECK=0 \
+    LISTEN_PORT="15000" \
+    RESOLVE_INTERVAL="60" \
+    PRE_RESOLVE="0" \
+    MODE="tcp" \
+    VERBOSE="0" \
+    MAX_CONNECTIONS="100" \
+    UDP_ANSWERS="1" \
+    HTTP_HEALTHCHECK="0" \
     HTTP_HEALTHCHECK_URL="http://\$TARGET/" \
-    SMTP_HEALTHCHECK=0 \
+    SMTP_HEALTHCHECK="0" \
     SMTP_HEALTHCHECK_URL="smtp://\$TARGET/" \
     SMTP_HEALTHCHECK_COMMAND="HELP" \
-    DNS_UPSTREAMS="1.1.1.1 8.8.8.8" \
-    RESOLVE_INTERVAL="60"
+    DNS_UPSTREAMS="1.1.1.1 8.8.8.8"
 
 COPY proxy.py /usr/local/bin/proxy
 COPY healthcheck.py /usr/local/bin/healthcheck
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
-RUN chmod +x /usr/local/bin/entrypoint.sh
+
+RUN chmod +x \
+    /usr/local/bin/proxy \
+    /usr/local/bin/healthcheck \
+    /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["dumb-init", "--", "/usr/local/bin/entrypoint.sh"]
+CMD ["proxy"]
+HEALTHCHECK CMD ["healthcheck"]

entrypoint.sh

@@ -5,24 +5,6 @@ log() {
   echo "[entrypoint] $*"
 }
 
-run() {
-  "$@"
-}
-
-ip_for_iface() {
-  iface="$1"
-  ip -4 addr show dev "$iface" | awk '/inet /{print $2}' | cut -d/ -f1 | head -n1
-}
-
-extract_domains_from_allowed_hosts() {
-  for item in ${ALLOWED_HOSTS:-}; do
-    case "$item" in
-      "" ) ;;
-      *[!0-9.]* ) printf '%s\n' "$item" ;;
-    esac
-  done | sort -u | xargs
-}
-
 detect_iface_for_gateway() {
   gw_ip="$1"
   ip route get "$gw_ip" 2>/dev/null | awk '
@@ -107,17 +89,21 @@ project_containers = [
 if not project_containers:
     raise RuntimeError(f"No running containers found for project {PROJECT}")
 
-odoo_container = None
+primary_container = None
 for c in project_containers:
     if (c.get("Labels") or {}).get("com.docker.compose.service") == PRIMARY_SERVICE:
-        odoo_container = c
+        primary_container = c
         break
 
-if not odoo_container:
-    raise RuntimeError(f"Could not find primary service {PRIMARY_SERVICE} in project {PROJECT}")
+if not primary_container:
+    raise RuntimeError(
+        f"Could not find primary service {PRIMARY_SERVICE} in project {PROJECT}"
+    )
 
-odoo_inspect = docker_get(f"/v1.41/containers/{odoo_container['Id']}/json")
-odoo_networks = set((odoo_inspect.get("NetworkSettings", {}).get("Networks") or {}).keys())
+primary_inspect = docker_get(f"/v1.41/containers/{primary_container['Id']}/json")
+primary_networks = set(
+    (primary_inspect.get("NetworkSettings", {}).get("Networks") or {}).keys()
+)
 
 lines = []
 seen = set()
@@ -130,7 +116,7 @@ for c in project_containers:
     networks = inspect.get("NetworkSettings", {}).get("Networks") or {}
 
     for net_name, net_cfg in networks.items():
-        if net_name not in odoo_networks:
+        if net_name not in primary_networks:
             continue
 
         ip = (net_cfg or {}).get("IPAddress")
@@ -182,19 +168,22 @@ refresh_hosts_from_docker_loop() {
   done &
 }
 
+extract_domains_from_allowed_hosts() {
+  for item in ${ALLOWED_HOSTS:-}; do
+    case "$item" in
+      "") ;;
+      *[!0-9.]*) printf '%s\n' "$item" ;;
+    esac
+  done | sort -u | xargs
+}
+
 start_dnsmasq_local() {
   dns_forwarder="$1"
-  : "${DNS_ALLOWED_DOMAINS:=}"
-
-  if [ -z "$DNS_ALLOWED_DOMAINS" ]; then
-    DNS_ALLOWED_DOMAINS="$(extract_domains_from_allowed_hosts)"
-  fi
 
   mkdir -p /run
   touch /run/dnsmasq-internal.hosts
 
   log "local dnsmasq: forwarder=$dns_forwarder"
-  log "local dnsmasq: allowed domains=$DNS_ALLOWED_DOMAINS"
 
   cat > /etc/dnsmasq.conf <<EOF
 no-resolv
@@ -205,113 +194,13 @@ bind-interfaces
 listen-address=127.0.0.1
 addn-hosts=/run/dnsmasq-internal.hosts
 clear-on-reload
+server=$dns_forwarder
 EOF
 
-  for domain in $DNS_ALLOWED_DOMAINS; do
-    echo "server=/$domain/$dns_forwarder" >> /etc/dnsmasq.conf
-  done
-
   dnsmasq -k -C /etc/dnsmasq.conf -x /run/dnsmasq.pid >/dev/null 2>&1 &
   log "local dnsmasq started on 127.0.0.1:53"
 }
 
-start_dnsmasq_gateway() {
-  : "${DNS_UPSTREAMS:=1.1.1.1 8.8.8.8}"
-  : "${DNS_ALLOWED_DOMAINS:=}"
-
-  if [ -z "$DNS_ALLOWED_DOMAINS" ]; then
-    DNS_ALLOWED_DOMAINS="$(extract_domains_from_allowed_hosts)"
-  fi
-
-  log "gateway dnsmasq: upstreams=$DNS_UPSTREAMS"
-  log "gateway dnsmasq: allowed domains=$DNS_ALLOWED_DOMAINS"
-
-  mkdir -p /run
-
-  cat > /etc/dnsmasq.conf <<EOF
-no-resolv
-bogus-priv
-cache-size=1000
-filter-AAAA
-EOF
-
-  for domain in $DNS_ALLOWED_DOMAINS; do
-    for ns in $DNS_UPSTREAMS; do
-      echo "server=/$domain/$ns" >> /etc/dnsmasq.conf
-    done
-  done
-
-  dnsmasq -k -C /etc/dnsmasq.conf -x /run/dnsmasq.pid >/dev/null 2>&1 &
-  log "gateway dnsmasq started"
-}
-
-resolve_allowed_ips_once() {
-  python3 - <<'PY'
-import os
-import socket
-
-items = os.environ.get("ALLOWED_HOSTS", "").split()
-ips = set()
-
-for item in items:
-    if not item:
-        continue
-    try:
-        socket.inet_aton(item)
-        ips.add(item)
-        continue
-    except OSError:
-        pass
-
-    try:
-        for res in socket.getaddrinfo(item, None, type=socket.SOCK_STREAM):
-            ip = res[4][0]
-            if ":" not in ip:
-                ips.add(ip)
-    except socket.gaierror:
-        pass
-
-for ip in sorted(ips):
-    print(ip)
-PY
-}
-
-setup_gateway_firewall() {
-  : "${IPSET_NAME:=whitelist}"
-  : "${ALLOWED_HOSTS:=}"
-  : "${REFRESH_INTERVAL:=300}"
-
-  run ipset create "$IPSET_NAME" hash:ip -exist
-
-  resolve_allowed_ips_once | while read -r ip; do
-    [ -n "$ip" ] && ipset add "$IPSET_NAME" "$ip" -exist || true
-  done
-
-  run iptables -t nat -C POSTROUTING -j MASQUERADE 2>/dev/null || \
-    run iptables -t nat -A POSTROUTING -j MASQUERADE
-
-  run iptables -C FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || \
-    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
-  run iptables -C FORWARD -m set --match-set "$IPSET_NAME" dst -j ACCEPT 2>/dev/null || \
-    run iptables -A FORWARD -m set --match-set "$IPSET_NAME" dst -j ACCEPT
-
-  (
-    while :; do
-      resolve_allowed_ips_once | while read -r ip; do
-        [ -n "$ip" ] && ipset add "$IPSET_NAME" "$ip" -exist || true
-      done
-      sleep "$REFRESH_INTERVAL"
-    done
-  ) &
-}
-
-gateway_mode() {
-  start_dnsmasq_gateway
-  setup_gateway_firewall
-  tail -f /dev/null
-}
-
 net_setup_mode() {
   echo "INFO: net_setup_mode: waiting for gateway DNS..."
   GW_IP="$(wait_for_gateway_resolution)"
@@ -360,10 +249,27 @@ net_setup_mode() {
   tail -f /dev/null
 }
 
+proxy_mode() {
+  # La imagen tiene CMD ["proxy"], así que quitamos ese argumento
+  # para no pasarlo dos veces al script Python.
+  if [ "${1:-}" = "proxy" ]; then
+    shift
+  fi
+
+  exec /usr/local/bin/proxy "$@"
+}
+
 main() {
   case "${MODE_RUN:-gateway}" in
-    gateway) gateway_mode ;;
-    net_setup) net_setup_mode ;;
+    net_setup)
+      net_setup_mode
+      ;;
+    gateway|"")
+      proxy_mode "$@"
+      ;;
+    legacy|tcp|proxy)
+      proxy_mode "$@"
+      ;;
     *)
       echo "Unknown MODE_RUN=${MODE_RUN:-}" >&2
       exit 1