Major version bump

- updated alpine 3.12.0 -> 3.16.2 - updated haproxy 2.1.2 -> 2.6.6 - added .local wildcard cert as example - added certbot as backend for LetsEncrypt's acme challenge -updated config with relevant changes for new backend & ssl settings
nitr8 · Oct 29, 2022 · 22825a8 · 22825a8
1 parent e3d1c01
commit 22825a8
Show file tree

Hide file tree

Showing 7 changed files with 100 additions and 35 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
-**/certs
 **/.DS_Store
 
 old/
+
+certs/local.*
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,15 @@
-FROM alpine:3.12.0
+FROM alpine:3.16.2
 MAINTAINER Wayne Humphrey <wayne@humphrey.za.net>
-ENV HAPROXY_URL https://www.haproxy.org/download/2.1/src/haproxy-2.1.2.tar.gz
-ENV HAPROXY_SHA256 6079b08a8905ade5a9a2835ead8963ee10a855d8508a85efb7181eea2d310b77
+ENV HAPROXY_URL https://www.haproxy.org/download/2.6/src/haproxy-2.6.6.tar.gz
+ENV HAPROXY_SHA256 d0c80c90c04ae79598b58b9749d53787f00f7b515175e7d8203f2796e6a6594d
+
+RUN echo "@edge http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
+RUN apk update
+RUN apk add libexecinfo-dev@edge
 
 RUN set -x \
 	\
+	&& echo "@edge http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories \
 	&& apk upgrade && apk update \
 	&& apk add --no-cache --virtual .build-deps \
 		ca-certificates \
@@ -26,17 +31,8 @@ RUN set -x \
 	&& tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1 \
 	&& rm haproxy.tar.gz \
 	\
-	&& makeOpts=' \
-		TARGET=linux-glibc \
-		USE_LUA=1 \
-		LUA_INC=/usr/include/lua5.3 \
-		LUA_LIB=/usr/lib/lua5.3 \
-		USE_OPENSSL=1 \
-		USE_PCRE=1 PCREDIR= \
-		USE_ZLIB=1 \
-	' \
-	&& make -C /usr/src/haproxy -j "$(getconf _NPROCESSORS_ONLN)" all $makeOpts \
-	&& make -C /usr/src/haproxy install-bin $makeOpts \
+  && make -C /usr/src/haproxy -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 USE_ZLIB=1 \
+	&& make -C /usr/src/haproxy install-bin \
 	\
 	&& rm -rf /usr/src/haproxy \
 	\
@@ -66,6 +62,7 @@ ADD ./helper/errors/ /errors/
 ADD ./helper/etc/ /etc/
 ADD ./helper/haproxy/ /etc/haproxy/
 ADD ./helper/www/ /www/
+ADD ./certs/wildcard.pem /certs/wildcard.pem
 
 ADD ./helper/entrypoint.sh /bin/entrypoint
 RUN chmod +x /bin/entrypoint

diff --git a/README.md b/README.md
@@ -27,22 +27,22 @@ docker run -it --rm -p 80:80 -p 443:443 -v $(PWD)/haproxy.cfg:/etc/haproxy.cfg -
 
 ```bash
 mkdir certs && cd certs
-openssl req -x509 -nodes -days 11297 -newkey rsa:2048 -keyout local.key -out local.pem -config local-wildcard.cnf -sha256
+openssl req -x509 -nodes -days 11297 -newkey rsa:2048 -keyout local.key -out local.pem -config ../wildcard.cnf -sha256
 cat local.pem local.key > wildcard.pem
 ```
 
 ## HAProxy Stats
 
-ENABLE_STATS=TRUE
-```http://localhost:666```
-default username and password is - foo / bar
+If you set enabled HAProxy Stats by setting the `ENABLE_STATS` varable to `true` then open a webpage and visit: `http://localhost:666`
 
-## TBD
+The default username and password is (foo / bar)
+
+## Imaging
 
 ```bash
 docker build -t whumphrey/haproxy .
-docker run -it --rm -p 80:80 -p 443:443 -p 666:666 -e ENABLE_STATS=TRUE -v $(PWD)/my_haproxy.cfg:/etc/haproxy/proxy.cfg -v $(PWD)/certs:/certs whumphrey/haproxy
 docker run -it --rm -p 80:80 -p 443:443 -p 666:666 -e ENABLE_STATS=TRUE whumphrey/haproxy
+docker run -it --rm -p 80:80 -p 443:443 -p 666:666 -e ENABLE_STATS=TRUE -v $(PWD)/my_haproxy.cfg:/etc/haproxy/proxy.cfg -v $(PWD)/certs:/certs whumphrey/haproxy
 ```
 
 ### Shout outs

diff --git a/certs/wildcard.pem b/certs/wildcard.pem
@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIFLzCCBBegAwIBAgIUa5ZvnysJF6XZddNpE4JvvkjqbtkwDQYJKoZIhvcNAQEL
+BQAwgaQxCzAJBgNVBAYTAkNIMQ4wDAYDVQQIDAVTdGF0ZTERMA8GA1UEBwwITG9j
+YXRpb24xFTATBgNVBAoMDFNlY3VyZSBUcnVzdDEUMBIGA1UECwwLQ29ycG9yYXRp
+b24xJjAkBgNVBAMMHUxvY2FsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MR0wGwYJ
+KoZIhvcNAQkBFg5zc2xAZG9tYWluLmNvbTAgFw0yMjEwMjkwODQ5MzhaGA8yMDUz
+MTAwMzA4NDkzOFowgaQxCzAJBgNVBAYTAkNIMQ4wDAYDVQQIDAVTdGF0ZTERMA8G
+A1UEBwwITG9jYXRpb24xFTATBgNVBAoMDFNlY3VyZSBUcnVzdDEUMBIGA1UECwwL
+Q29ycG9yYXRpb24xJjAkBgNVBAMMHUxvY2FsIENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5MR0wGwYJKoZIhvcNAQkBFg5zc2xAZG9tYWluLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAL/9tqw32CFGWpobgRmqUHD6+O6XkrZsHCStlU21
+UqGy1dGJ27XcQyGlwl9HJk3BPCKC3rvUd1SrVPnvGuevDG+Gegb9dM+B3a/573gH
+xmAxW/JdMBYCgPsSG51ezoBmBUwCXj/ogqGnHcHtA0wzepBsSGeib9RTmgJR+BGD
+yHiHhBQVYTOoc0LGfkTLsmlNyjALTfLljB4dOKraC4N7yYWO/N4W53FoRqqlINoo
+3bTEz1Ur2nty9cz+i2vP2e3I9kmP/VHQlJVEdNBhvFQrw6QgUZlGiD1VeFpZVdNL
++7tAI7UMI2s78OYI6UqbL5+caudJsKcycQaNQhfnuja0HHsCAwEAAaOCAVMwggFP
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMIHOBgNVHSMEgcYwgcOhgaqkgacwgaQx
+CzAJBgNVBAYTAkNIMQ4wDAYDVQQIDAVTdGF0ZTERMA8GA1UEBwwITG9jYXRpb24x
+FTATBgNVBAoMDFNlY3VyZSBUcnVzdDEUMBIGA1UECwwLQ29ycG9yYXRpb24xJjAk
+BgNVBAMMHUxvY2FsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MR0wGwYJKoZIhvcN
+AQkBFg5zc2xAZG9tYWluLmNvbYIUa5ZvnysJF6XZddNpE4JvvkjqbtkwGQYDVR0R
+BBIwEIIFbG9jYWyCByoubG9jYWwwKgYJYIZIAYb4QgENBB0WG0xvY2FsIEdlbmVy
+YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU4GMnQmiZHhpVEctuv1gDDtuBjb0w
+DQYJKoZIhvcNAQELBQADggEBAIE5j/P50sXyKH46FDKzZK9GsMeFnFCpA4Ou/Ts5
+eJ8IBDq6+Dc1t0VYLghM5kW3R3ndP/b1dUInK2rKjBt967y1Byp3sSxmDNzdp2I8
+pdnFsOcanbHTs5a+nldmXJJtZEBUMuZBROkZXIrisE3oxtqktJjksjktjLFxjBYc
+kPHX/N76Oa8JLj5LZXeBFBMDo56oIsE0DRqrzfBwcWqoQSfqOTT8d4ky3/ZYh++S
+qr1AAlIHWnhWO6KuPiRsGNTkgn9ftly2kMiS/fTJ/Y4qQzFxGB5PQ9Q3PDaCPenv
+aD6BgnMCnFP+VGKGRSXOjkH65a79wXlYwd8diKkASTwLxmE=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC//basN9ghRlqa
+G4EZqlBw+vjul5K2bBwkrZVNtVKhstXRidu13EMhpcJfRyZNwTwigt671HdUq1T5
+7xrnrwxvhnoG/XTPgd2v+e94B8ZgMVvyXTAWAoD7EhudXs6AZgVMAl4/6IKhpx3B
+7QNMM3qQbEhnom/UU5oCUfgRg8h4h4QUFWEzqHNCxn5Ey7JpTcowC03y5YweHTiq
+2guDe8mFjvzeFudxaEaqpSDaKN20xM9VK9p7cvXM/otrz9ntyPZJj/1R0JSVRHTQ
+YbxUK8OkIFGZRog9VXhaWVXTS/u7QCO1DCNrO/DmCOlKmy+fnGrnSbCnMnEGjUIX
+57o2tBx7AgMBAAECggEABnhFziLpoSFuTzArFxLSuCP0/JFWC9iz0BabZ+161eEh
+bHjBUy0ThBBCbxSGOWuQG7eeSuUbilpluDBzDyiqeh2lghPLemytbE83Xyuf50Dy
+kMXMJ4m5D/zpulFmExSdDBUuWOf8cvcfPRhAGrLHaBOGExv5ucWBdJ+PhQOUX19e
+p44w7bKgoUCHPHWLU1DB+T7TlTtFKpXFVXBCkgIQXUMEQWMwZ1rk+t7zOcdaRYfn
+y5zd56TSHd5eEumnYRc+rWIM4oZDzFXkkZ6LqYLMzHftC2SLL6LS7UYdZ2HEaCfZ
+5fHEg7sODrezek4yPC4i8HmkTUVyJ58H4olpPsqbQQKBgQDDRDOejFVYcr6qGE+d
+lFiS5ZWrwwZTZa04ZahjvwUSd6aYynQh1AuBnaOXhYafBvejgx9UJVNkFSx/uf58
+0jJOA8CGtVrzzIWxAx9GJI+O3Wb2CZnPiPIPMBMwBLql51gjpbyFDnv3Quc8/Nyh
+cUn2gJmpeGlSf8jCP8Gr2CtkQQKBgQD7tLevTv2FWmpqokfUDRwDpmdlUxHFzobY
+i3xrhKLzo/l8i8n5xYzzrRgDTjD9QgmGhcHuT8ed7NqSeOB09UOSlOWDpJ073ire
+DijA8fKHC5wlN74KsbiaAyXJXUxU96LofqD/CUhREGj/H+/9IG1VUp/xDYwKSpX1
+YAaNY7WhuwKBgCOokMSjW/KLAcaOKfvc20/4HR0AwGb6ameiKN4ORB7bOtEsJ4kF
+8BP7daR1/d+Mpix2BYKYTmI4e6fXj2G8APO+O6pd8/4Rm1h3+X4VryGnzOWhWzVL
+DOk5HkfmlS820CGyYnrp6jl9Pj0k8CWLSrZ5RZZtJs6qBz9x5Sw8jbABAoGAMnxP
+73i/fvTgrVy5XX33pX/F81vTD8LZ5ysrHIGxEX9NNj7vlwqZt/J7A4a2asXJFVNU
+z5Du7+0m9gQKuUrMb+Uvl9T3uJ9aJ8ndQL4GsDGS8yAYHRsCdNm2xYnSGqTE5y8m
+6aCaAbBx7uIgB7xuUZPOAtJ9yT6mj13gUpGyR6sCgYBrwvvkcdHNAWUPAwjAgXpT
+eBsrcEx+Igede7qDLm6M+kqLyGEX0tqY2jw7j3YC5V+3C2HAsl+2VQeZl/1fKytB
+JSVJ3pQS7voUJO1LpF6CkzEqqz29GAQwb0ckF0n5LJYxNXgZsEBTph9VbpkO7TlY
+lI8geI3WdrUAfG38y02jkw==
+-----END PRIVATE KEY-----
diff --git a/helper/haproxy/global.cfg b/helper/haproxy/global.cfg
@@ -21,7 +21,7 @@ global
   tune.ssl.maxrecord 1460
 
   # Runtime API, Metrics and Alerting enable state file and stat socket
-  stats socket *:1999 level admin 
+  stats socket *:1999 level admin
   stats socket /var/run/haproxy.sock mode 600 level admin
   server-state-file /etc/haproxy/haproxy.state
 
@@ -52,4 +52,4 @@ defaults
   errorfile 503 /errors/503.http
   errorfile 504 /errors/504.http
 
-  load-server-state-from-file global
+  #load-server-state-from-file global
diff --git a/helper/haproxy/proxy.cfg b/helper/haproxy/proxy.cfg
@@ -1,17 +1,22 @@
-# Listen on the HTTPS and HTTP ports
+# Listen on HTTP if URI is LetsEncrypt request, then forward to Certbot else redirect rest to HTTPS
 frontend  https
   bind  :80
-  #bind :443 ssl crt /certs/wildcard.pem
+  bind  :443 ssl crt /certs/wildcard.pem
 
   # Add X-Headers necessary for HTTPS; include:[port] if not running on port 443
-  #http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-  #http-request set-header X-Forwarded-Proto https
+  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+  http-request set-header X-Forwarded-Proto https
 
+  acl is_letsencrypt path_beg /.well-known/acme-challenge/
+  use_backend LetsEncrypt if is_letsencrypt
   # (OPTIONAL) Force HTTPS
   #redirect scheme https if !{ ssl_fc }
 
-  default_backend backend_default
+  default_backend Default
 
-backend         backend_default
-#  server x printatestpage.com:80
-  server  local-server 127.0.0.1:8080
+backend Default
+  server mini_httpd 127.0.0.1:8080
+
+backend LetsEncrypt
+  errorfile 503 /errors/certbot.http
+  server certbot 127.0.0.1:8888
diff --git a/wildcard.cnf b/wildcard.cnf
@@ -5,7 +5,7 @@ x509_extensions     = v3_ca
 prompt              = no
 
 [ req_dn ]
-C = US
+C = CH
 ST = State
 L = Location
 O = Secure Trust
@@ -14,8 +14,12 @@ CN = Local Certification Authority
 emailAddress = ssl@domain.com
 
 [ v3_ca ]
-subjectAltName      = @alt_names
-nsComment           = "Local Generated Certificate"
+basicConstraints        = CA:FALSE
+keyUsage                = nonRepudiation, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+authorityKeyIdentifier  = keyid,issuer
+subjectAltName          = @alt_names
+nsComment               = "Local Generated Certificate"
 
 [ alt_names ]
-DNS.1 = *.corp.local
+DNS.1 = local
+DNS.2 = *.local