Commit ef211c97 authored by Lukáš Lalinský's avatar Lukáš Lalinský

Generate haproxy config

parent 4227a833
Pipeline #20196 passed with stage
in 34 seconds
......@@ -64,65 +64,51 @@ type siteRouteInfo struct {
}
const haproxyConfigTemplate = `
resolver {{.Resolver}};
upstream letsencrypt_master {
server {{.LetsEncrypt.Master.Host}}:{{.LetsEncrypt.Master.Port}};
}
{{range $site := .Sites}}
{{range .Backends}}
upstream {{$site.Name}}_backend_{{.Name}} {
{{range .Servers -}}
{{"\t"}}server {{.Host}}:{{.Port}};
{{- end}}
}
global
maxconn 1024
defaults
log global
mode http
timeout connect 60s
timeout client 1h
timeout server 1h
resolvers main
nameserver dns1 {{$.Resolver}}
frontend fe_http
bind *:80
acl is_letsencrypt path_beg /.well-known/acme-challenge
use_backend be_letsencrypt if is_letsencrypt
redirect scheme https code 301
frontend fe_https
bind *:443 ssl crt {{$.SSLDir}}
acl is_letsencrypt path_beg /.well-known/acme-challenge
use_backend be_letsencrypt if is_letsencrypt
{{range $site := .Sites -}}
{{"\t"}}acl is_from_{{.Name}} req.ssl_sni -m dom {{$site.Domain}}
{{range .Routes -}}
{{"\t"}}use_backend backend_{{$site.Name}}_{{.Backend}} if { is_from_{{$site.Name}} path_beg {{.Path}} }
{{end}}
server {
listen 80;
listen [::]:80;
server_name {{.Domain}};
location /.well-known/acme-challenge {
proxy_pass http://letsencrypt_master;
}
location / {
return 302 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{.Domain}};
ssl_certificate {{.SSL.CertificatePath}};
ssl_certificate_key {{.SSL.PrivateKeyPath}};
client_max_body_size 0;
location /.well-known/acme-challenge {
proxy_pass http://letsencrypt_master;
}
{{range .Routes}}
location {{.Path}} {
proxy_pass http://{{$site.Name}}_backend_{{.Backend}};
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
}
{{- end}}
backend be_letsencrypt
balance roundrobin
server-template srv 100 {{.LetsEncrypt.Master.Host}}:{{.LetsEncrypt.Master.Port}} check resolvers main
{{range $site := .Sites -}}
{{range $backend := .Backends}}
backend be_{{$site.Name}}_{{.Name}}
balance roundrobin
{{- if .HealthCheck.Path}}
option httpchk GET {{.HealthCheck.Path}}
http-check expect status 200
{{end -}}
{{range $i, $server := .Servers -}}
{{"\t"}}server-template srv{{$i}} 100 {{.Host}}:{{.Port}} check resolvers main
{{end -}}
{{end -}}
{{end -}}
}
{{end}}
`
type sslCertInfo struct {
......@@ -164,22 +150,25 @@ type ProxyServer struct {
SitesDir string
LetsEncrypt *letsEncryptInfo
Resolver string
SSLDir string
}
// NewProxyServer creates a new ProxyServer instance.
func NewProxyServer() *ProxyServer {
le := &letsEncryptInfo{
Master: letsEncryptServerInfo{
Host: defaultLetsEncryptServerHost,
Port: defaultLetsEncryptServerPort,
},
}
return &ProxyServer{
exitCh: make(chan bool),
haproxy: NewHAProxy(haproxyConfigFile),
haproxyConfigTmpl: template.Must(template.New("config").Parse(haproxyConfigTemplate)),
Resolver: defaultResolver,
SitesDir: defaultSitesDir,
LetsEncrypt: &letsEncryptInfo{
Master: letsEncryptServerInfo{
Host: defaultLetsEncryptServerHost,
Port: defaultLetsEncryptServerPort,
},
},
LetsEncrypt: le,
SSLDir: haproxySSLDir,
}
}
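Review bot: The `use_backend` line in the fe_https frontend of the haproxyConfigTemplate hunk above references a backend name that the template never declares: the frontend emits `use_backend backend_{{$site.Name}}_{{.Backend}} if { ... }` while the backends are emitted as `backend be_{{$site.Name}}_{{.Name}}`, so haproxy will reject the rendered config at load time (the test fixture shows the same mismatch, `backend_example_api` versus `be_example_api`). The frontend line should read `use_backend be_{{$site.Name}}_{{.Backend}} if { is_from_{{$site.Name}} path_beg {{.Path}} }`. Separately, `req.ssl_sni` is documented to read the SNI only from raw, undecrypted request contents, and on a `bind *:443 ssl crt ...` frontend haproxy has already terminated TLS, so the `is_from_` ACLs are unlikely to ever match and every HTTPS request would fall through with no backend; `ssl_fc_sni` is the fetch for a terminating frontend, and since the routing here is by HTTP path, matching on `hdr(host)` may be the more accurate key. In the NewProxyServer hunk the new `SSLDir` field has no doc comment; a line such as `// SSLDir is the directory haproxy loads certificates from for the HTTPS frontend (bind ... ssl crt).` would ground it in how the template uses it.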
......
......@@ -87,127 +87,56 @@ func TestRenderTemplate(t *testing.T) {
}
output := builder.String()
expectedOutput := `
resolver 127.0.0.11;
upstream letsencrypt_master {
server localhost:12812;
}
upstream example_backend_web {
server srv1.example.com:8080;
}
upstream example_backend_api {
server srv-api1.example.com:8081;
}
server {
listen 80;
listen [::]:80;
server_name example.com;
location /.well-known/acme-challenge {
proxy_pass http://letsencrypt_master;
}
location / {
return 302 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/example.pem;
ssl_certificate_key /etc/ssl/private/example.key;
client_max_body_size 0;
location /.well-known/acme-challenge {
proxy_pass http://letsencrypt_master;
}
location /api {
proxy_pass http://example_backend_api;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
}
location / {
proxy_pass http://example_backend_web;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
}
}
upstream example2_backend_default {
server srv1.example2.com:8090;
}
server {
listen 80;
listen [::]:80;
server_name example2.com;
location /.well-known/acme-challenge {
proxy_pass http://letsencrypt_master;
}
location / {
return 302 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example2.com;
ssl_certificate /etc/ssl/example2.pem;
ssl_certificate_key /etc/ssl/private/example2.key;
client_max_body_size 0;
location /.well-known/acme-challenge {
proxy_pass http://letsencrypt_master;
}
location / {
proxy_pass http://example2_backend_default;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
}
}
global
maxconn 1024
defaults
log global
mode http
timeout connect 60s
timeout client 1h
timeout server 1h
resolvers main
nameserver dns1 127.0.0.11
frontend fe_http
bind *:80
acl is_letsencrypt path_beg /.well-known/acme-challenge
use_backend be_letsencrypt if is_letsencrypt
redirect scheme https code 301
frontend fe_https
bind *:443 ssl crt /etc/haproxy/ssl/
acl is_letsencrypt path_beg /.well-known/acme-challenge
use_backend be_letsencrypt if is_letsencrypt
acl is_from_example req.ssl_sni -m dom example.com
use_backend backend_example_api if { is_from_example path_beg /api }
use_backend backend_example_web if { is_from_example path_beg / }
acl is_from_example2 req.ssl_sni -m dom example2.com
use_backend backend_example2_default if { is_from_example2 path_beg / }
backend be_letsencrypt
balance roundrobin
server-template srv 100 localhost:12812 check resolvers main
backend be_example_web
balance roundrobin
option httpchk GET /_health
http-check expect status 200
server-template srv0 100 srv1.example.com:8080 check resolvers main
backend be_example_api
balance roundrobin
option httpchk GET /_health
http-check expect status 200
server-template srv0 100 srv-api1.example.com:8081 check resolvers main
backend be_example2_default
balance roundrobin
option httpchk GET /_health
http-check expect status 200
server-template srv0 100 srv1.example2.com:8090 check resolvers main
`
assertLongStringEqual(t, output, expectedOutput)
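Review bot: The expected output pinned here encodes a configuration haproxy would refuse to load: the frontend lines `use_backend backend_example_api`, `backend_example_web` and `backend_example2_default` reference backends that are declared as `be_example_api`, `be_example_web` and `be_example2_default`. A golden-string comparison cannot detect that, so once the template is corrected the fixture should be updated and the test extended with a check that every name on a `use_backend` line has a matching `backend` declaration in the rendered text, or, where the binary is available, the output validated with `haproxy -c -f`. TestRenderTemplate starts before the hunk's first visible line.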
......