Pierre Ozoux · Pierre Ozoux · Pierre Ozoux · Pierre Ozoux · Pierre Ozoux · Pierre Ozoux
--- a/.gitignore
+++ b/.gitignore
+certs/*
+haproxy/certs/*
+haproxy/haproxy.cfg
+acme-challenge/*
--- a/README.md
+++ b/README.md
@@ -19,20 +19,32 @@ Each time you add a container with the environment variable `VIRTUAL_HOST` it wi
 - docker
 - docker-compose

-## Get started
+## Get started ( for libre.sh  )

 ```
-git clone https://github.com/indiehosters/haproxy.git
+# docker network create lb_web (already done when you install libre.sh )
+cd /system/
+git clone https://lab.libreho.st/libre.sh/compose/haproxy
 cd haproxy
-docker-compose up -d
+libre enable
+libre start
 ```

-And profit!
+In these commands, we just created one network (lb_web) to isolate HAProxy with the web servers, and then, we started the containers of HAProxy and companions.

 ```
-docker run -e VIRTUAL_HOST=example.org nginx
+docker run --network=lb_web -e VIRTUAL_HOST=example.org nginx
 ```

+Here, we just started the most simple web server, and added to the lb_web network.
+The only thing that HAProxy needs to see and connect to this container are the following:
+ - expose a port 80
+ - have a VIRTUAL_HOST variable setup with the domain name
+ - be in the lb_web network
+ 
+And finally for HAProxy to be able to provision the Let's encrypt certificate, you need to configure your DNS for example.org to point to the IP of HAProxy.
+
+
 ## Contributing

 If you have any issue (something not working, missing doc), please do report an issue here! Thanks

--- a/clean-certs.sh
+++ b/clean-certs.sh
+#!/bin/bash -eux
+grep -wvFf <(ls /data/domains/) <(ls certs/*/*.csr | grep -vf <(echo -e "node-exporter\ncadvisor") | cut -d"/" -f2) | xargs -i% rm -rf /system/haproxy/certs/%
--- a/docker-compose.yml
+++ b/docker-compose.yml
 version: '2'

 networks:
-  web:
-    driver: bridge
+  lb_web:
+    external: true

 services:
  discovery:
    image: jwilder/docker-gen
    volumes:
-      - "/var/run/docker.sock:/tmp/docker.sock:ro"
-      - "./templates:/etc/docker-gen/templates"
-      - "./haproxy:/etc/haproxy"
+    - "/var/run/docker.sock:/tmp/docker.sock:ro"
+    - "./templates:/etc/docker-gen/templates"
+    - "./haproxy:/etc/haproxy"
    command: "-watch /etc/docker-gen/templates/haproxy.cfg.tmpl /etc/haproxy/haproxy.cfg"
  haproxy:
    image: indiehosters/haproxy
    volumes:
-      - "./haproxy:/etc/haproxy"
-      - "/dev/log:/dev/log"
+    - "./haproxy:/etc/haproxy"
+    - "/dev/log:/dev/log"
    links:
-      - letsencrypt
+    - letsencrypt
    ports:
-      - "80:80"
-      - "443:443"
+    - "80:80"
+    - "443:443"
    networks:
-    - web
+    - lb_web
  letsencrypt-web:
    image: nginx
    volumes:
-      - "./acme-challenge:/usr/share/nginx/html/.well-known/acme-challenge:ro"
+    - "./acme-challenge:/usr/share/nginx/html/.well-known/acme-challenge:ro"
    networks:
-    - web
+    - lb_web
  letsencrypt:
-    image: indiehosters/letsencrypt
+    image: libresh/letsencrypt
    volumes:
-      - "./haproxy:/etc/haproxy"
-      - "./acme-challenge:/html-root/.well-known/acme-challenge/"
-      - "./certs:/var/certs"
+    - "./haproxy:/etc/haproxy"
+    - "./acme-challenge:/html-root/.well-known/acme-challenge/"
+    - "./certs:/var/certs"
  ocsp:
    image: indiehosters/ocsp
    volumes:
-      - "./haproxy:/etc/haproxy"
+    - "./haproxy:/etc/haproxy"
--- a/env
+++ b/env
-COMPOSE_PROJECT_NAME=lb
--- a/templates/haproxy.cfg.tmpl
+++ b/templates/haproxy.cfg.tmpl
 global
  log /dev/log local0 info
  log /dev/log local0 notice
+  ca-base /etc/ssl/certs
  maxconn 4096
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
@@ -18,7 +19,7 @@ defaults
  compression type text/html text/plain text/css application/javascript
  timeout connect 5000
  timeout client 50000
-  timeout server 50000
+  timeout server 500000

 frontend http-in
  bind *:80
@@ -29,25 +30,62 @@ frontend http-in

 frontend https-in
 mode http
-  bind *:443 ssl no-sslv3 crt /etc/haproxy/certs
-  reqadd X-Forwarded-Proto:\ https
+  bind    *:443 ssl no-sslv3 crt /etc/haproxy/certs
+  reqadd  X-Forwarded-Proto:\ https
  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspidel X-Powered-By

-  use_backend letsencrypt-web if { path_beg /.well-known/acme }
+  acl acme path_beg /.well-known/acme
+
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+  {{ $reverseProxyFor := (first (groupByKeys $containers "Env.REVERSE_PROXY_FOR")) }}
+  {{ if $reverseProxyFor }}
+  use_backend {{ $host }}-acme if acme { hdr(host) -i {{ $host }} }
+  {{end}}
+{{end}}
+  use_backend letsencrypt-web if acme
+{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
+  use_backend webhook if { path_beg /XxosJDdRpo7Rww87VkJGzv1QLegnhh-uniq-libresh }
+{{end}}
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
  use_backend {{ $host}} if { hdr(host) -i {{ $host }} }
+  use_backend {{ $host}} if { hdr(host) -i {{ $host }}:443 }
 {{end}}

 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+  {{ $reverseProxyFor := (first (groupByKeys $containers "Env.REVERSE_PROXY_FOR")) }}
+  {{ if $reverseProxyFor }}
+backend {{ $host }}-acme
+  server Server {{ $reverseProxyFor }}:80
+  {{end}}
 backend {{ $host }}
  option http-server-close
  cookie SERVERID insert nocache indirect
  {{ range $container := $containers }}
-  {{ $network := index $container.Networks 0 }}
+    {{ $networkLen := len $container.Networks }}
+    {{ if $reverseProxyFor }}
+  http-request set-header Host {{ $host }}
+  server Server {{ $reverseProxyFor }}:443 ssl sni str({{ $host }}) ca-file ca-certificates.crt
+    {{ else }}
+      {{ if eq $networkLen 1 }}
+        {{ $network := index $container.Networks 0 }}
+  server Server {{ $network.IP }}:80 cookie Server
+      {{ else }}
+        {{ range $network := $container.Networks }}
+          {{ if eq $network.Name "lb_web" }}
  server Server {{ $network.IP }}:80 cookie Server
+          {{end}}
+        {{end}}
+      {{end}}
+    {{end}}
  {{end}}
 {{end}}

 backend letsencrypt-web
  cookie SERVERID insert nocache indirect
  server Server letsencrypt-web:80 cookie Server
+{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
+backend webhook
+  cookie SERVERID insert nocache indirect
+  server Server webhook:80 cookie Server
+{{end}}