diff options
Diffstat (limited to 'aai-common-docker/aai-haproxy-image/src/main')
5 files changed, 257 insertions, 0 deletions
diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile b/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile new file mode 100644 index 00000000..7bf9b20a --- /dev/null +++ b/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile @@ -0,0 +1,25 @@ +FROM haproxy:1.7-alpine + +# Set up your corporate proxy if there is +ENV HTTP_PROXY "" +ENV HTTPS_PROXY "" +ENV http_proxy "" +ENV https_proxy "" + +RUN apk add --no-cache \ + ca-certificates \ + curl \ + openssl + +RUN mkdir -p /etc/ssl/certs/ && mkdir -p /etc/ssl/private + +COPY aai.pem /etc/ssl/private/aai.pem +COPY docker-entrypoint.sh /docker-entrypoint.sh +COPY resolvers.conf /usr/local/etc/haproxy/resolvers.conf +COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg + +RUN chmod +x /docker-entrypoint.sh + +ENTRYPOINT [ "/docker-entrypoint.sh" ] +CMD [ "haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-f", "/usr/local/etc/haproxy/resolvers.conf" ] +EXPOSE 8443 diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/aai.pem b/aai-common-docker/aai-haproxy-image/src/main/docker/aai.pem new file mode 100644 index 00000000..c17dcf8b --- /dev/null +++ b/aai-common-docker/aai-haproxy-image/src/main/docker/aai.pem @@ -0,0 +1,84 @@ +-----BEGIN CERTIFICATE----- +MIIFEjCCA/qgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN +MAsGA1UECgwET05BUDEOMAwGA1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVk +aWF0ZUNBXzEwHhcNMTgwNjA1MTIxOTU5WhcNMTkwNTMxMTIxOTU5WjBVMQswCQYD +VQQGEwJVUzENMAsGA1UECgwET05BUDEZMBcGA1UECwwQYWFpQGFhaS5vbmFwLm9y +ZzEOMAwGA1UECwwFT1NBQUYxDDAKBgNVBAMMA2FhaTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMqVPBjn6pxPhAwRov+ApKxJkuSo/UNbwmc7eYC+eYiY +SB35uI7Bt8UHWxxBNZdHpFbZUOuL2wWb7JYycML8gbsY2YF440K+X+TVTiVGSkv0 +L8MYwDTuCOn9YtlTEkKE6Wth4WPyEN3ZrQD7j7YGNr/3tK61Eeq/A/qhhksbpuTu +ReRDdsXzXTwX2sjZXdixv25YJUStH1pSrAHLzM/meeuRoGxq29lj2b5HUW5epc+Y +D9hd4sKn7Irsv+cLQ1fVtYUSm/kFdygJQGiyi9Bst5ysY2/h+4AWVxzLQ4jjd1NJ +LM6v8wfV4eTw2qO5+Gd1Bjax13YySKIRnlOffySOtZ0CAwEAAaOCAfkwggH1MAkG +A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgbAMDMGCWCGSAGG+EIBDQQmFiRPcGVu +U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFL+SSLja +c4UNR6q1VUmj+jcRNbeJMFQGA1UdIwRNMEuAFBrUV3JwStNnqevh3GIxsofQ/u+q +oTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjENMAsGA1UECgwET05BUDELMAkGA1UEBhMC +VVOCAQIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjCB+wYDVR0RBIHzMIHwgghhYWkub25hcIIXYWFpLnNpbXBsZWRlbW8ub25h +cC5vcmeCG2FhaS5hcGkuc2ltcGxlZGVtby5vbmFwLm9yZ4IaYWFpLnVpLnNpbXBs +ZWRlbW8ub25hcC5vcmeCJWFhaS5zZWFyY2hzZXJ2aWNlLnNpbXBsZWRlbW8ub25h +cC5vcmeCHWFhaS5oYmFzZS5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZ3JlbWxp +bnNlcnZlci5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZWxhc3RpY3NlYXJjaC5z +aW1wbGVkZW1vLm9uYXAub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQAXeS3TQ9gtJxxz +vSXrfXdTnCLWMD7qGJqTKpMxDymBrUyyfb630ndGXaU1JVUNgKBD3PufOFxwlR1C +QH5SLAEnbY+53tUYBeN2NQXwEkX/iReHIKAMGHOuY8IglE7DxBQRhj3v29E6dgQj +6GlRaDOIvrM9W+rUiQ7xG9ge8S9xo6hkXMvwIuecoUmlHB4/JV3VTeoguxlYhQfz +f+hetvmOm082i9ZBh7w6KjSUpg8i+zFp1O1l/AbvgKZWwngrNX/MYkSFwZkPWVuD +D8+Bi7ZQdHOT6anGrK4zGATGkkrPJjhWj7oiEVdgOeOPU8J0v5jZbAJV2e9y7wjp +ohqJpNC2 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEVDCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB +RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNjA1MDg1MTQxWhcN +MjMwNjA1MDg1MTQxWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG +A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOXCdZIoWM0EnEEw3qPiVMhAgNolWCTaLt +eI2TjlTQdGDIcXdBZukHdNeOKYzOXRsLt6bLRtd5yARpn53EbzS/dgAyHuaz1HjE +5IPWSFRg9SulfHUmcS+GBt1+KiMJTlOsw6wSA73H/PjjXBbWs/uRJTnaNmV3so7W +DhNW6fHOrbom4p+3FucbB/QAM9b/3l/1LKnRgdXx9tekDnaKN5u3HVBmyOlRhaRp +tscLUCT3jijoGAPRcYZybgrpa0z3iCWquibTO/eLwuO/Dn7yHWau9ZZAHGPBSn9f +TiLKRYV55mNjr3zvs8diTPECFPW8w8sRIH3za1aKHgUC1gd87Yr3AgMBAAGjZjBk +MB0GA1UdDgQWBBQa1FdycErTZ6nr4dxiMbKH0P7vqjAfBgNVHSMEGDAWgBRTVTPy +S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAlA/RTPy5i09fJ4ytSAmAdytMwEwRaU9F +dshG7LU9q95ODsuM79yJvV9+ISIJZRsBqf5PDv93bUCKKHIYGvR6kNd+n3yx/fce +txDkC/tMj1T9D8TuDKAclGEO9K5+1roOQQFxr4SE6XKb/wjn8OMrCoJ75S0F3htF +LKL85T77JeGeNgSk8JEsZvQvj32m0gv9rxi5jM/Zi5E2vxrBR9T1v3kVvlt6+PSF +BoHXROk5HQmdHxnH+VYQtDHSwj9Xe9aoJMyL0WjYKd//8NUO+VACDOtK4Nia6gy9 +m/n9kMASMw6f9iF4n6t4902RWrRKTYM1CVu5wyVklVbEdE9i6Db4CpL9E8HpBUAP +t44JiNzuFkDmSE/z5XuQIimDt6nzOaSF8pX2KHY2ICDLwpMNUvxzqXD9ECbdspiy +JC2RGq8uARGGl6kQQBKDNO8SrO7rSBPANd1+LgqrKbCrHYfvFgkZPgT5MlQi+E1G +LNT+i6fzZha9ed/L6yjl5Em71flJGFwRZl2pfErZRxp8pLPcznYyIpSjcwnqNCRC +orhlp8nheiODC3oO3AFHDiFgUqvm8hgpnT2cPk2lpU2VY1TcZ8sW5qUDCxINIPcW +u1SAsa87IJK3vEzPZfTCs/S6XThoqRfXj0c0Rahj7YFRi/PqIPY0ejwdtmZ9m9pZ +8Lb0GYmlo44= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKlTwY5+qcT4QM +EaL/gKSsSZLkqP1DW8JnO3mAvnmImEgd+biOwbfFB1scQTWXR6RW2VDri9sFm+yW +MnDC/IG7GNmBeONCvl/k1U4lRkpL9C/DGMA07gjp/WLZUxJChOlrYeFj8hDd2a0A ++4+2Bja/97SutRHqvwP6oYZLG6bk7kXkQ3bF8108F9rI2V3Ysb9uWCVErR9aUqwB +y8zP5nnrkaBsatvZY9m+R1FuXqXPmA/YXeLCp+yK7L/nC0NX1bWFEpv5BXcoCUBo +sovQbLecrGNv4fuAFlccy0OI43dTSSzOr/MH1eHk8NqjufhndQY2sdd2MkiiEZ5T +n38kjrWdAgMBAAECggEBAKEMKo6SMAy7mfoOO0prdn4Qr1pgjZZy6AUxXtJemjdg ++FP8JiA3GGTmCCRaIsR1C8yPTqkysZev8VEmIEaifm/CvYcUF3cD6S/98vXm/0GK +ij3K+2IYqbV63o5uX+HJz9ayJYBS+92iIsrZMdI+9l9+CIGrKOc5m2wv5JbpELCE +4asHyZE8jKvzmpOQsYtuKSgzGn4tfx7sRjD3ADEb+djgJ1uhQrCCdUSe17iHAhvX +Bv2fqmAGlJlBhZfxwJgEfpjcu4nDIrPdFNHtQfIQijI0H1KMLb2hUWf2NAeYRBEa +VJSZYLUfD8zUkds2Hr4Xa49OzumCiMqJ5ZoXn/b9yYECgYEA5XXSirWKPCNV+so+ +Giu1nCHGoEwduIji2Pwfjo9fAaoDckhTCoAa20NkUHeyg/CNDV28hHeeP+1zHX4B +x4VZTYKmXxfpjZ6pMmSHlHMrcrNg1GXw4UHY7L6LBKhNWVDdpY5lydRD/PD6I6tr +JeLVTzIVDW/f1EIS4NJYUdshYFkCgYEA4gOXj1lHeKy8GpGvTncnFIHexKAne1ri +P1UDIUzpI10zD49EG441hwE5ing4tUQe3dH2QZRTI8f/QF3MQdo0cDLf3QMUG2y4 +Ud5XpD+ppyueI7ZLbufm+s2JZlWvv5UcCYbH4mnMPnrUxyCFabgbqvTWgOiJ1GbS +VwvMCAJO9uUCgYEA3jg9/4GS72zVPr0Qaa39AskfIGy2t9kxwCxjr1+gBe+NyObM +LTYlTEW258sUQnz7TX+DK9Lgmk6ullhLBtxYwR0PXLa+xB1tBNWhDB6BbGLWGrzj +DHQFzjk2TvtjdWVAUq5WW6FLerIxvcusSBOmuzzocIvw/BJFUB/F0vhiGXkCgYAw +nLUsj/dfbUfILy2Vous07foMMKZNUe730EEsGG7MvG8PGbF8e8nnj8vgjJsl4dEB +xPdCg7SeLZYpMgOM5nIA7/BWiSL6AxhiA4C2QzsqSadp5vuyjw6PQ0YaTLPQcTHm +mqbDfB4CEklRyxzm8EKDMsYwU9PRa4wyTMdFsblqQQKBgAwy06uFXXdXnoA3PI7J +EJwRkChV4kR0dspAhIZsdfY6yw606IB+NvT48S5gLvMpxC8JGrCjKUkcw4e7lO+c +oxIjEwLmqqYRktRTfWU6SeqrGiiS6/+jERVdVxJysF/0havDkXr27rymiCKb2k2F +82R57RzJC+AYRYrpsJH8dMuA +-----END PRIVATE KEY----- diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh b/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh new file mode 100644 index 00000000..9095b3d1 --- /dev/null +++ b/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh @@ -0,0 +1,22 @@ +#!/bin/sh +set -e + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- haproxy "$@" +fi + +NAMESERVER_IP=$(cat /etc/resolv.conf | grep 'nameserver' | head -1 | awk '{ print $2; }'); + +sed -i 's/${ONAP_NAMESERVER_CLUSTER_IP}/'${NAMESERVER_IP}'/g' /usr/local/etc/haproxy/resolvers.conf || { + echo "Unable to overwrite the nameserver in the haproxy configuration file"; + exit 1; +} + +if [ "$1" = 'haproxy' ]; then + # if the user wants "haproxy", let's use "haproxy-systemd-wrapper" instead so we can have proper reloadability implemented by upstream + shift # "haproxy" + set -- "$(which haproxy-systemd-wrapper)" -p /run/haproxy.pid "$@" +fi + +exec "$@" diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg b/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg new file mode 100644 index 00000000..8a4001e9 --- /dev/null +++ b/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg @@ -0,0 +1,123 @@ +global + log /dev/log local0 + stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin + stats timeout 30s + user root + group root + daemon + ################################# + # Default SSL material locations# + ################################# + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + tune.ssl.default-dh-param 2048 + ssl-default-bind-options force-tlsv12 no-tls-tickets + ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + tune.ssl.maxrecord 1400 + +defaults + log global + mode http + option httplog +# option dontlognull +# errorfile 400 /etc/haproxy/errors/400.http +# errorfile 403 /etc/haproxy/errors/403.http +# errorfile 408 /etc/haproxy/errors/408.http +# errorfile 500 /etc/haproxy/errors/500.http +# errorfile 502 /etc/haproxy/errors/502.http +# errorfile 503 /etc/haproxy/errors/503.http +# errorfile 504 /etc/haproxy/errors/504.http + + option http-server-close + option forwardfor except 127.0.0.1 + retries 6 + option redispatch + maxconn 50000 + timeout connect 50000 + timeout client 480000 + timeout server 480000 + timeout http-keep-alive 30000 + + +frontend IST_8443 + mode http + bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem +# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" + option httplog + log global + option logasap + option forwardfor + capture request header Host len 100 + capture response header Host len 100 + option log-separate-errors + option forwardfor + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } + http-request set-header X-AAI-SSL %[ssl_fc] + http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] + http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] + http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] + http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] + http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] + http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] + http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] + http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] + http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] + http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] + http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] + http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] + reqadd X-Forwarded-Proto:\ https + reqadd X-Forwarded-Port:\ 8443 + +####################### +#ACLS FOR PORT 8446#### +####################### + + acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ + acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ + acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_named-query path_beg -i /aai/search/named-query + acl is_search-model path_beg -i /aai/search/model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model + + default_backend IST_Default_8447 + + +####################### +#DEFAULT BACKEND 847### +####################### + +backend IST_Default_8447 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-resources.api.simpledemo.onap.org aai-resources.api.simpledemo.onap.org:8447 port 8447 ssl verify none + +####################### +# BACKEND 8446######### +####################### + +backend IST_AAI_8446 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-traversal.api.simpledemo.onap.org aai-traversal.api.simpledemo.onap.org:8446 port 8446 ssl verify none + +listen IST_AAI_STATS + mode http + bind *:8080 + stats uri /stats + stats enable + stats refresh 30s + stats hide-version + stats auth admin:admin + stats show-legends + stats show-desc IST AAI APPLICATION NODES + stats admin if TRUE diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/resolvers.conf b/aai-common-docker/aai-haproxy-image/src/main/docker/resolvers.conf new file mode 100644 index 00000000..f996fa76 --- /dev/null +++ b/aai-common-docker/aai-haproxy-image/src/main/docker/resolvers.conf @@ -0,0 +1,3 @@ +resolvers kubernetes + nameserver dns1 ${ONAP_NAMESERVER_CLUSTER_IP}:53 + hold valid 1s |