1
0
Fork 0

add haproxy with ssl termination

This commit is contained in:
ibizaman 2022-09-13 23:47:49 -07:00
parent 6ae0c69fa5
commit 66c20993a9
5 changed files with 195 additions and 2 deletions

View file

@ -11,6 +11,10 @@ let
self = rec { self = rec {
PostgresDB = callPackage ./postgresdb {}; PostgresDB = callPackage ./postgresdb {};
HaproxyConfig = callPackage ./haproxy/config.nix {inherit utils;};
HaproxyService = callPackage ./haproxy/unit.nix {inherit utils;};
mkHaproxySiteConfig = callPackage ./haproxy/siteconfig.nix {};
CaddyConfig = callPackage ./caddy/config.nix {inherit utils;}; CaddyConfig = callPackage ./caddy/config.nix {inherit utils;};
CaddyService = callPackage ./caddy/unit.nix {inherit utils;}; CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;}; CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};

View file

@ -8,14 +8,15 @@
, siteRoot , siteRoot
, siteSocket ? "" , siteSocket ? ""
}: }:
{ rec {
inherit name; inherit name;
caddySocket = "${CaddyService.runtimeDirectory}/${siteName}.sock";
pkg = CaddySiteConfig rec { pkg = CaddySiteConfig rec {
inherit (CaddyConfig) siteConfigDir; inherit (CaddyConfig) siteConfigDir;
portBinding = port; portBinding = port;
bindService = siteName; bindService = siteName;
siteSocket = "${CaddyService.runtimeDirectory}/${siteName}.sock"; siteSocket = caddySocket;
serviceRoot = siteRoot; serviceRoot = siteRoot;
phpFpmSiteSocket = siteSocket; phpFpmSiteSocket = siteSocket;
}; };

93
haproxy/config.nix Normal file
View file

@ -0,0 +1,93 @@
{ stdenv
, pkgs
, lib
, utils
}:
{ configDir ? "/etc/haproxy"
, configFile ? "haproxy.cfg"
, acls ? []
, backends ? []
, certPath
, user ? "haproxy"
, group ? "haproxy"
, statsEnable ? false
, statsPort ? 8404
, statsUri ? "/stats"
, statsRefresh ? "10s"
, prometheusStatsUri ? null
}:
let
stats = if statsEnable then "" else ''
frontend stats
bind localhost:${builtins.toString statsPort}
mode http
stats enable
# stats hide-version
stats uri ${statsUri}
stats refresh ${statsRefresh}
'' + (if prometheusStatsUri == null then "" else ''
http-request use-service prometheus-exporter if { path ${prometheusStatsUri} }
'');
indent = spaces: content:
lib.strings.concatMapStrings
(x: spaces + x + "\n")
(lib.strings.splitString "\n" content);
acls_str = lib.strings.concatMapStrings (acl: indent " " acl) acls;
backends_str = builtins.concatStringsSep "\n" backends;
in
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = ''
global
# Load the plugin handling Let's Encrypt request
# lua-load /etc/haproxy/plugins/haproxy-acme-validation-plugin-0.1.1/acme-http01-webroot.lua
# Silence a warning issued by haproxy. Using 2048
# instead of the default 1024 makes the connection stronger.
tune.ssl.default-dh-param 2048
maxconn 20000
user ${user}
group ${group}
log /dev/log local0 info
defaults
log global
option httplog
timeout connect 10s
timeout client 15s
timeout server 30s
timeout queue 100s
frontend http-to-https
mode http
bind *:80
redirect scheme https code 301 if !{ ssl_fc }
${stats}
frontend https
mode http
bind *:443 ssl crt ${certPath}
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-For %[src]
http-request add-header X-Forwarded-Proto https
http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
${acls_str}
${backends_str}
'';
}

20
haproxy/siteconfig.nix Normal file
View file

@ -0,0 +1,20 @@
{ stdenv
, pkgs
}:
{ serviceName
, serviceSocket
}:
{
acl = ''
acl acl_${serviceName} hdr_beg(host) ${serviceName}.
use_backend ${serviceName} if acl_${serviceName}
'';
backend = ''
backend ${serviceName}
mode http
option forwardfor
server ${serviceName}1 ${serviceSocket}
'';
}

75
haproxy/unit.nix Normal file
View file

@ -0,0 +1,75 @@
{ stdenv
, pkgs
, utils
}:
{ configDir ? "/etc/haproxy"
, configFile ? "haproxy.cfg"
, pidfile ? "/run/haproxy/haproxy.pid"
, socket ? "/run/haproxy/haproxy.sock"
}:
{...}:
# User and group are set in config.nix
utils.systemd.mkService rec {
name = "haproxy";
content = ''
[Unit]
Description=HAProxy Load Balancer
Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/
After=network.target network-online.target
Wants=network-online.target systemd-networkd-wait-online.target
StartLimitInterval=14400
StartLimitBurst=10
[Service]
Environment="CONFIG=${configDir}/${configFile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}"
ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify
# Restart=on-abnormal
RuntimeDirectory=haproxy
# KillMode=mixed
# KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=true
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# AmbientCapabilities=CAP_NET_BIND_SERVICE
# ProtectSystem=strict
# ReadWritePaths=/var/lib/haproxy /var/log/haproxy
[Install]
WantedBy=multi-user.target
'';
}