caddy-frontend: Put haproxy just before the backend

ae95e8a4 · Łukasz Nowak · e80729b3 · ae95e8a4 · ae95e8a4 · ae95e8a4
Commit ae95e8a4 authored May 27, 2020 by Łukasz Nowak
6 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -40,6 +40,14 @@ md5sum = 7e3ee70c447f8203273d78f66ab519c3
 _update_hash_filename_ = templates/Caddyfile.in
 md5sum = f0faf6d2e6c187df7e25bf717676f9df

+[template-backend-haproxy-configuration]
+_update_hash_filename_ = templates/backend-haproxy.cfg.in
+md5sum = 47048189fe1c3e02533d3db1146a55d5
+
+[template-backend-haproxy-slave]
+_update_hash_filename_ = templates/backend-haproxy-slave.cfg.in
+md5sum = c4a7bff5c74fd98aa15ae8180d504c73
+
 [caddy-backend-url-validator]
 filename = templates/caddy-backend-url-validator.in
 md5sum = 0979a03476e86bf038516c9565dadc17

--- a/software/caddy-frontend/common.cfg
+++ b/software/caddy-frontend/common.cfg
@@ -10,6 +10,7 @@ extends =
  ../../component/trafficserver/buildout.cfg
  ../../component/6tunnel/buildout.cfg
  ../../component/xz-utils/buildout.cfg
+  ../../component/haproxy/buildout.cfg

  ../../stack/caucase/buildout.cfg
 # Monitoring stack (keep on bottom)
@@ -94,6 +95,7 @@ bin_directory = ${buildout:bin-directory}
 sixtunnel = ${6tunnel:location}
 caddy = ${caddy:output}
 caddy_location = ${caddy:location}
+haproxy_executable = ${haproxy2:location}/sbin/haproxy
 curl = ${curl:location}
 dash = ${dash:location}
 gzip = ${gzip:location}
@@ -110,6 +112,8 @@ xz_location = ${xz-utils:location}
 monitor_template = ${monitor-template:output}
 template_cached_slave_virtualhost = ${template-cached-slave-virtualhost:target}
 template_caddy_frontend_configuration = ${template-caddy-frontend-configuration:target}
+template_backend_haproxy_configuration = ${template-backend-haproxy-configuration:target}
+template_backend_haproxy_slave = ${template-backend-haproxy-slave:target}
 template_graceful_script = ${template-graceful-script:target}
 template_validate_script = ${template-validate-script:target}
 template_rotate_script = ${template-rotate-script:target}
@@ -178,6 +182,12 @@ mode = 640
 [template-caddy-frontend-configuration]
 <=download-template

+[template-backend-haproxy-configuration]
+<=download-template
+
+[template-backend-haproxy-slave]
+<=download-template
+
 [template-not-found-html]
 <=download-template


--- a/software/caddy-frontend/instance-apache-frontend.cfg.in
+++ b/software/caddy-frontend/instance-apache-frontend.cfg.in
@@ -37,6 +37,8 @@ parts =
  trafficserver-promise-listen-port
  trafficserver-promise-cache-availability
  cron-entry-logrotate-trafficserver
+## Backend haproxy
+  backend-haproxy
 ## Monitor for Caddy
  monitor-base
  monitor-ats-cache-stats-wrapper
@@ -73,6 +75,9 @@ csr_id = ${:srv}/csr_id
 caddy-csr_id = ${:etc}/caddy-csr_id
 caddy-csr_id-log = ${:log}/httpd-csr_id

+# backend-haproxy
+backend-haproxy-configuration = ${:etc}/backend-haproxy.d
+
 [switch-caddy-softwaretype]
 recipe = slapos.cookbook:softwaretype
 single-default = ${dynamic-custom-personal-template-slave-list:rendered}
@@ -150,6 +155,7 @@ template-empty = {{ parameter_dict['template_empty'] }}
 template-default-slave-virtualhost = {{ parameter_dict['template_default_slave_virtualhost'] }}
 template-cached-slave-virtualhost = {{ parameter_dict['template_cached_slave_virtualhost'] }}
 caddy-location = {{ parameter_dict['caddy_location'] }}
+template-backend-haproxy-slave = {{ parameter_dict['template_backend_haproxy_slave'] }}

 [kedifa-login-config]
 d = ${directory:ca-dir}
@@ -212,7 +218,9 @@ kedifa-updater-mapping-file = ${directory:etc}/kedifa_updater_mapping.txt
 kedifa-updater-state-file = ${directory:srv}/kedifa_updater_state.json
 kedifa-csr = {{ parameter_dict['kedifa-csr'] }}
 service_directory = ${directory:service}
+haproxy_executable = {{ parameter_dict['haproxy_executable'] }}
 extra-context =
+    import urlparse_module urlparse
    key kedifa_caucase_ca_certificate kedifa-login-config:ca-certificate
    key kedifa_login_certificate kedifa-login-config:certificate
    key caddy_configuration_directory caddy-directory:slave-configuration
@@ -275,6 +283,10 @@ extra-context =
    key bbb_ssl_directory directory:bbb-ssl-dir
    key apache_certificate apache-certificate:rendered
 # BBB: SlapOS Master non-zero knowledge END
+## backend haproxy
+    key haproxy_executable :haproxy_executable
+    key template_backend_haproxy_slave_configuration software-release-path:template-backend-haproxy-slave
+    key backend_haproxy_configuration_directory backend-haproxy-config:configuration-directory

 # Deploy Caddy Frontend with Jinja power
 [dynamic-caddy-frontend-template]
@@ -368,6 +380,8 @@ master-certificate = ${caddy-directory:master-autocert-dir}/master.pem
 cache-port = ${trafficserver-variable:input-port}
 cache-through-port = 26011
 ssl-cache-through-port = 26012
+backend-haproxy-port = 21080
+backend-haproxy-https-port = 21081

 # BBB: SlapOS Master non-zero knowledge BEGIN
 [get-self-signed-fallback-access]
@@ -728,6 +742,41 @@ extra-context =
    key http_port configuration:plain_http_port
    key https_port configuration:port

+##<Backend haproxy>
+[backend-haproxy-base-configuration]
+< = jinja2-template-base
+template = {{ parameter_dict['template_backend_haproxy_configuration'] }}
+rendered = ${backend-haproxy-config:base-configuration}
+extra-context =
+
+[backend-haproxy-config]
+base-configuration = ${directory:etc}/backend-haproxy.cfg
+configuration-directory = ${directory:backend-haproxy-configuration}
+pid-file = ${directory:var}/backend-haproxy.pid
+
+[backend-haproxy-wrapper]
+recipe = slapos.recipe.template:jinja2
+template = inline:
+  #!/bin/sh
+  ulimit -n $(ulimit -Hn)
+  exec {{ parameter_dict['haproxy_executable'] }} \
+  -f ${backend-haproxy-config:base-configuration} \
+  -f ${backend-haproxy-config:configuration-directory} \
+   "$@"
+rendered = ${directory:bin}/backend-haproxy-wrapper
+mode = 0755
+
+[backend-haproxy]
+depends =
+  ${backend-haproxy-base-configuration:rendered}
+recipe = slapos.cookbook:wrapper
+command-line = ${backend-haproxy-wrapper:rendered} -p ${backend-haproxy-config:pid-file}
+wrapper-path = ${directory:service}/backend-haproxy
+hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
+hash-files = ${backend-haproxy-wrapper:rendered}
+
+##<Backend haproxy>
+
 [configuration]
 {%- for key, value in instance_parameter.iteritems() -%}
 {%-   if key.startswith('configuration.') %}

--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -6,10 +6,14 @@
 {% set cache_port = caddy_configuration.get('cache-port') %}
 {% set cached_port = caddy_configuration.get('cache-through-port') %}
 {% set ssl_cached_port = caddy_configuration.get('ssl-cache-through-port') %}
+{% set backend_haproxy_port = caddy_configuration.get('backend-haproxy-port') %}
+{% set backend_haproxy_https_port = caddy_configuration.get('backend-haproxy-https-port') %}
+{% set backend_haproxy_url = 'http://%s:%s' % (local_ipv4, backend_haproxy_port) %}
+{% set backend_haproxy_https_url = 'http://%s:%s' % (local_ipv4, backend_haproxy_https_port) %}
 {% set cache_access = "http://%s:%s" % (local_ipv4, cache_port) %}
 {% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) %}
 {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
-{% set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port} %}
+{% set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port, 'backend_haproxy_url': backend_haproxy_url, 'backend_haproxy_https_url': backend_haproxy_https_url } %}
 {% set slave_log_dict = {} %}
 {% if extra_slave_instance_list %}
 {%   set slave_instance_information_list = [] %}
@@ -51,6 +55,19 @@ create = true

 {# Loop thought slave list to set up slaves #}
 {% for slave_instance in slave_instance_list %}
+{# prepare everything #}
+{%- set url_parsed = urlparse_module.urlparse(slave_instance.get('url', '')) %}
+{%- do slave_instance.__setitem__('url_scheme', url_parsed.scheme) %}
+{%- do slave_instance.__setitem__('url_hostname', url_parsed.hostname) %}
+{%- do slave_instance.__setitem__('url_port', url_parsed.port) %}
+{%- do slave_instance.__setitem__('url_path', url_parsed.path) %}
+{%- do slave_instance.__setitem__('url_fragment', url_parsed.fragment) %}
+{%- set https_url_parsed = urlparse_module.urlparse(slave_instance.get('https-url', '')) %}
+{%- do slave_instance.__setitem__('https_url_scheme', https_url_parsed.scheme) %}
+{%- do slave_instance.__setitem__('https_url_hostname', https_url_parsed.hostname) %}
+{%- do slave_instance.__setitem__('https_url_port', https_url_parsed.port) %}
+{%- do slave_instance.__setitem__('https_url_path', https_url_parsed.path) %}
+{%- do slave_instance.__setitem__('https_url_fragment', https_url_parsed.fragment) %}
 {#   Manage ciphers #}
 {%   set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %}
 {%   if slave_ciphers %}
@@ -69,6 +86,7 @@ create = true
 {%     set key_download_url = 'notreadyyet' %}
 {%   endif %}
 {%   set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference %}
+{%   set slave_backend_haproxy_section_title = 'dynamic-template-slave-backend-haproxy-%s' % slave_reference %}
 {%   set slave_parameter_dict = generic_instance_parameter_dict.copy() %}
 {%   set slave_publish_dict = {} %}
 {%   set slave_configuration_section_name = 'slave-instance-%s-configuration' % slave_reference %}
@@ -80,6 +98,7 @@ create = true
 {#   extend parts #}
 {%   do part_list.extend([slave_ln_section]) %}
 {%   do part_list.extend([slave_logrotate_section, slave_section_title]) %}
+{%   do part_list.extend([slave_logrotate_section, slave_backend_haproxy_section_title]) %}

 {%   set slave_log_folder = '${logrotate-directory:logrotate-backup}/' + slave_reference + "-logs" %}
 {%   if enable_cache %}
@@ -234,6 +253,10 @@ http_port = {{ dumps('' ~ http_port) }}
 local_ipv4 = {{ dumps('' ~ local_ipv4) }}
 cached_port = {{ dumps('' ~ cached_port) }}
 ssl_cached_port = {{ ('' ~ ssl_cached_port) }}
+backend_haproxy_port = {{ ('' ~ backend_haproxy_port) }}
+backend_haproxy_url = {{ ('' ~ backend_haproxy_url) }}
+backend_haproxy_https_port = {{ ('' ~ backend_haproxy_https_port) }}
+backend_haproxy_https_url = {{ ('' ~ backend_haproxy_https_url) }}
 request_timeout = {{ ('' ~ request_timeout) }}
 {%     for key, value in slave_instance.iteritems() %}
 {%       if value is not none %}
@@ -254,6 +277,15 @@ filename = {{ '%s.conf' % slave_reference }}
 {{ '\n' }}


+[{{ slave_backend_haproxy_section_title }}]
+<= jinja2-template-base
+filename = {{ '%s.cfg' % slave_reference }}
+rendered = {{ backend_haproxy_configuration_directory }}/${:filename}
+template = {{ template_backend_haproxy_slave_configuration }}
+extra-context =
+  section slave_parameter {{ slave_configuration_section_name }}
+  import urlparse_module urlparse
+
 {%   set monitor_ipv6_test = slave_instance.get('monitor-ipv6-test', '') %}
 {%   if monitor_ipv6_test %}
 {%     set monitor_ipv6_section_title = 'check-%s-ipv6-packet-list-test' % slave_instance.get('slave_reference') %}

--- a/software/caddy-frontend/templates/backend-haproxy-slave.cfg.in
+++ b/software/caddy-frontend/templates/backend-haproxy-slave.cfg.in
+{%- set host_list = slave_parameter.get('server-alias', '').split() %}
+{#- support https-url #}
+{%- set url = slave_parameter.get('backend_url', slave_parameter.get('url', '')) %}
+{%- set parsed = urlparse_module.urlparse(url) %}
+{%- set backend_host = parsed.hostname %}
+{%- set backend_port = parsed.port %}
+{%- if parsed.scheme == 'https' %}
+{#-   support ssl_proxy_verify #}
+{%-   set ssl = 'ssl verify none' %}
+{%- else %}
+{%-   set ssl = '' %}
+{%- endif %}
+{%- set https_url = slave_parameter.get('https_backend_url', slave_parameter.get('https-url', '')) %}
+{%- set https_parsed = urlparse_module.urlparse(https_url) %}
+{%- set https_backend_host = https_parsed.hostname %}
+{%- set https_backend_port = https_parsed.port %}
+{%- if https_parsed.scheme == 'https' %}
+{#-   support ssl_proxy_verify #}
+{%-   set https_ssl = 'ssl verify none' %}
+{%- else %}
+{%-   set https_ssl = '' %}
+{%- endif %}
+{%- if slave_parameter.get('custom_domain') not in host_list %}
+{%-   do host_list.append(slave_parameter.get('custom_domain')) %}
+{%- endif %}
+frontend {{ slave_parameter['slave_reference'] }}
+  bind {{ slave_parameter['local_ipv4'] }}:{{ slave_parameter['backend_haproxy_port'] }}
+{%- for host in host_list %}
+  acl is_{{ slave_parameter['slave_reference'] }} hdr_beg(host) -i {{ host }}
+{%- endfor %}
+  use_backend {{ slave_parameter['slave_reference'] }} if is_{{ slave_parameter['slave_reference'] }}
+
+backend {{ slave_parameter['slave_reference'] }}
+{%- if backend_host and backend_port %}
+  server backend {{ backend_host }}:{{ backend_port }} {{ ssl }}
+{%- endif %}
+
+frontend {{ slave_parameter['slave_reference'] }}-https
+  bind {{ slave_parameter['local_ipv4'] }}:{{ slave_parameter['backend_haproxy_https_port'] }}
+{%- for host in host_list %}
+  acl is_{{ slave_parameter['slave_reference'] }}-https hdr_beg(host) -i {{ host }}
+{%- endfor %}
+  use_backend {{ slave_parameter['slave_reference'] }}-https if is_{{ slave_parameter['slave_reference'] }}-https
+
+backend {{ slave_parameter['slave_reference'] }}-https
+{%- if https_backend_host and https_backend_port %}
+  server backend {{ https_backend_host }}:{{ https_backend_port }} {{ https_ssl }}
+{%- endif %}
--- a/software/caddy-frontend/templates/backend-haproxy.cfg.in
+++ b/software/caddy-frontend/templates/backend-haproxy.cfg.in
+# NON PROD CONFIG
+global
+  maxconn 4096
+log stderr local0
+defaults
+  log global
+  mode http
+  option httplog
+  option dontlognull
+  retries 1
+  option redispatch
+  maxconn 2000
+  cookie SERVERID rewrite
+  balance roundrobin
+  stats uri /haproxy
+  stats realm Global\ statistics
+  timeout server 305s
+  timeout queue 60s
+  timeout connect 5s
+  timeout client 305s
+  option httpclose