.gitignore

+certs/*
+haproxy/certs/*
+haproxy/haproxy.cfg
+acme-challenge/*

README.md

@@ -19,20 +19,32 @@ Each time you add a container with the environment variable `VIRTUAL_HOST` it wi
  - docker
  - docker-compose
 
-## Get started
+## Get started ( for libre.sh  )
 
 ```
-git clone https://github.com/indiehosters/haproxy.git
+# docker network create lb_web (already done when you install libre.sh )
+cd /system/
+git clone https://lab.libreho.st/libre.sh/compose/haproxy
 cd haproxy
-docker-compose up -d
+libre enable
+libre start
 ```
 
-And profit!
+In these commands, we just created one network (lb_web) to isolate HAProxy with the web servers, and then, we started the containers of HAProxy and companions.
 
 ```
-docker run -e HOST=example.org nginx
+docker run --network=lb_web -e VIRTUAL_HOST=example.org nginx
 ```
 
+Here, we just started the most simple web server, and added to the lb_web network.
+The only thing that HAProxy needs to see and connect to this container are the following:
+ - expose a port 80
+ - have a VIRTUAL_HOST variable setup with the domain name
+ - be in the lb_web network
+ 
+And finally for HAProxy to be able to provision the Let's encrypt certificate, you need to configure your DNS for example.org to point to the IP of HAProxy.
+
+
 ## Contributing
 
 If you have any issue (something not working, missing doc), please do report an issue here! Thanks

clean-certs.sh

+#!/bin/bash -eux
+grep -wvFf <(ls /data/domains/) <(ls certs/*/*.csr | grep -vf <(echo -e "node-exporter\ncadvisor") | cut -d"/" -f2) | xargs -i% rm -rf /system/haproxy/certs/%

docker-compose.yml

-discovery:
-  image: jwilder/docker-gen
-  volumes:
+version: '2'
+
+networks:
+  lb_web:
+    external: true
+
+services:
+  discovery:
+    image: jwilder/docker-gen
+    volumes:
     - "/var/run/docker.sock:/tmp/docker.sock:ro"
     - "./templates:/etc/docker-gen/templates"
     - "./haproxy:/etc/haproxy"
-  command: "-watch /etc/docker-gen/templates/haproxy.cfg.tmpl /etc/haproxy/haproxy.cfg"
-haproxy:
-  image: indiehosters/haproxy
-  volumes:
+    command: "-watch /etc/docker-gen/templates/haproxy.cfg.tmpl /etc/haproxy/haproxy.cfg"
+  haproxy:
+    image: indiehosters/haproxy
+    volumes:
     - "./haproxy:/etc/haproxy"
     - "/dev/log:/dev/log"
-  links:
+    links:
     - letsencrypt
-  ports:
+    ports:
     - "80:80"
     - "443:443"
-letsencrypt:
-  image: nginx
-  volumes:
+    networks:
+    - lb_web
+  letsencrypt-web:
+    image: nginx
+    volumes:
     - "./acme-challenge:/usr/share/nginx/html/.well-known/acme-challenge:ro"
-letsencrypt-watch:
-  image: indiehosters/letsencrypt
-  volumes:
+    networks:
+    - lb_web
+  letsencrypt:
+    image: libresh/letsencrypt
+    volumes:
     - "./haproxy:/etc/haproxy"
     - "./acme-challenge:/html-root/.well-known/acme-challenge/"
-ocsp:
-  image: indiehosters/ocsp
-  volumes:
+    - "./certs:/var/certs"
+  ocsp:
+    image: indiehosters/ocsp
+    volumes:
     - "./haproxy:/etc/haproxy"

templates/haproxy.cfg.tmpl

 global
   log /dev/log local0 info
   log /dev/log local0 notice
+  ca-base /etc/ssl/certs
   maxconn 4096
   tune.ssl.default-dh-param 2048
   ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
@@ -18,7 +19,7 @@ defaults
   compression type text/html text/plain text/css application/javascript
   timeout connect 5000
   timeout client 50000
-  timeout server 50000
+  timeout server 500000
 
 frontend http-in
   bind *:80
@@ -29,25 +30,62 @@ frontend http-in
 
 frontend https-in
 mode http
-  bind *:443 ssl no-sslv3 crt /etc/haproxy/certs
-  reqadd X-Forwarded-Proto:\ https
+  bind    *:443 ssl no-sslv3 crt /etc/haproxy/certs
+  reqadd  X-Forwarded-Proto:\ https
   rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspidel X-Powered-By
 
-  use_backend letsencrypt if { path_beg /.well-known/acme }
+  acl acme path_beg /.well-known/acme
+
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+  {{ $reverseProxyFor := (first (groupByKeys $containers "Env.REVERSE_PROXY_FOR")) }}
+  {{ if $reverseProxyFor }}
+  use_backend {{ $host }}-acme if acme { hdr(host) -i {{ $host }} }
+  {{end}}
+{{end}}
+  use_backend letsencrypt-web if acme
+{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
+  use_backend webhook if { path_beg /XxosJDdRpo7Rww87VkJGzv1QLegnhh-uniq-libresh }
+{{end}}
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
   use_backend {{ $host}} if { hdr(host) -i {{ $host }} }
+  use_backend {{ $host}} if { hdr(host) -i {{ $host }}:443 }
 {{end}}
 
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+  {{ $reverseProxyFor := (first (groupByKeys $containers "Env.REVERSE_PROXY_FOR")) }}
+  {{ if $reverseProxyFor }}
+backend {{ $host }}-acme
+  server Server {{ $reverseProxyFor }}:80
+  {{end}}
 backend {{ $host }}
   option http-server-close
   cookie SERVERID insert nocache indirect
   {{ range $container := $containers }}
-  {{ $network := index $container.Networks 0 }}
+    {{ $networkLen := len $container.Networks }}
+    {{ if $reverseProxyFor }}
+  http-request set-header Host {{ $host }}
+  server Server {{ $reverseProxyFor }}:443 ssl sni str({{ $host }}) ca-file ca-certificates.crt
+    {{ else }}
+      {{ if eq $networkLen 1 }}
+        {{ $network := index $container.Networks 0 }}
+  server Server {{ $network.IP }}:80 cookie Server
+      {{ else }}
+        {{ range $network := $container.Networks }}
+          {{ if eq $network.Name "lb_web" }}
   server Server {{ $network.IP }}:80 cookie Server
+          {{end}}
+        {{end}}
+      {{end}}
+    {{end}}
   {{end}}
 {{end}}
 
-backend letsencrypt
+backend letsencrypt-web
   cookie SERVERID insert nocache indirect
-  server Server letsencrypt:80 cookie Server
+  server Server letsencrypt-web:80 cookie Server
+{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
+backend webhook
+  cookie SERVERID insert nocache indirect
+  server Server webhook:80 cookie Server
+{{end}}