summaryrefslogtreecommitdiffstats
path: root/local-setup/src/main/docker/haproxy
diff options
context:
space:
mode:
Diffstat (limited to 'local-setup/src/main/docker/haproxy')
-rw-r--r--local-setup/src/main/docker/haproxy/Dockerfile9
-rw-r--r--local-setup/src/main/docker/haproxy/aai.pem84
-rw-r--r--local-setup/src/main/docker/haproxy/haproxy.cfg120
3 files changed, 213 insertions, 0 deletions
diff --git a/local-setup/src/main/docker/haproxy/Dockerfile b/local-setup/src/main/docker/haproxy/Dockerfile
new file mode 100644
index 0000000..121b698
--- /dev/null
+++ b/local-setup/src/main/docker/haproxy/Dockerfile
@@ -0,0 +1,9 @@
+FROM haproxy:1.6-alpine
+
+WORKDIR app/
+
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+
+COPY aai.pem /etc/ssl/private/aai.pem
+
+RUN chmod 640 /etc/ssl/private/aai.pem && chown root:root /etc/ssl/private/aai.pem \ No newline at end of file
diff --git a/local-setup/src/main/docker/haproxy/aai.pem b/local-setup/src/main/docker/haproxy/aai.pem
new file mode 100644
index 0000000..ce97d30
--- /dev/null
+++ b/local-setup/src/main/docker/haproxy/aai.pem
@@ -0,0 +1,84 @@
+-----BEGIN CERTIFICATE-----
+MIIFEjCCA/qgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN
+MAsGA1UECgwET05BUDEOMAwGA1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVk
+aWF0ZUNBXzEwHhcNMTgwNjA1MTIxOTU5WhcNMTkwNTMxMTIxOTU5WjBVMQswCQYD
+VQQGEwJVUzENMAsGA1UECgwET05BUDEZMBcGA1UECwwQYWFpQGFhaS5vbmFwLm9y
+ZzEOMAwGA1UECwwFT1NBQUYxDDAKBgNVBAMMA2FhaTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMqVPBjn6pxPhAwRov+ApKxJkuSo/UNbwmc7eYC+eYiY
+SB35uI7Bt8UHWxxBNZdHpFbZUOuL2wWb7JYycML8gbsY2YF440K+X+TVTiVGSkv0
+L8MYwDTuCOn9YtlTEkKE6Wth4WPyEN3ZrQD7j7YGNr/3tK61Eeq/A/qhhksbpuTu
+ReRDdsXzXTwX2sjZXdixv25YJUStH1pSrAHLzM/meeuRoGxq29lj2b5HUW5epc+Y
+D9hd4sKn7Irsv+cLQ1fVtYUSm/kFdygJQGiyi9Bst5ysY2/h+4AWVxzLQ4jjd1NJ
+LM6v8wfV4eTw2qO5+Gd1Bjax13YySKIRnlOffySOtZ0CAwEAAaOCAfkwggH1MAkG
+A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgbAMDMGCWCGSAGG+EIBDQQmFiRPcGVu
+U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFL+SSLja
+c4UNR6q1VUmj+jcRNbeJMFQGA1UdIwRNMEuAFBrUV3JwStNnqevh3GIxsofQ/u+q
+oTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjENMAsGA1UECgwET05BUDELMAkGA1UEBhMC
+VVOCAQIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+BQcDAjCB+wYDVR0RBIHzMIHwgghhYWkub25hcIIXYWFpLnNpbXBsZWRlbW8ub25h
+cC5vcmeCG2FhaS5hcGkuc2ltcGxlZGVtby5vbmFwLm9yZ4IaYWFpLnVpLnNpbXBs
+ZWRlbW8ub25hcC5vcmeCJWFhaS5zZWFyY2hzZXJ2aWNlLnNpbXBsZWRlbW8ub25h
+cC5vcmeCHWFhaS5oYmFzZS5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZ3JlbWxp
+bnNlcnZlci5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZWxhc3RpY3NlYXJjaC5z
+aW1wbGVkZW1vLm9uYXAub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQAXeS3TQ9gtJxxz
+vSXrfXdTnCLWMD7qGJqTKpMxDymBrUyyfb630ndGXaU1JVUNgKBD3PufOFxwlR1C
+QH5SLAEnbY+53tUYBeN2NQXwEkX/iReHIKAMGHOuY8IglE7DxBQRhj3v29E6dgQj
+6GlRaDOIvrM9W+rUiQ7xG9ge8S9xo6hkXMvwIuecoUmlHB4/JV3VTeoguxlYhQfz
+f+hetvmOm082i9ZBh7w6KjSUpg8i+zFp1O1l/AbvgKZWwngrNX/MYkSFwZkPWVuD
+D8+Bi7ZQdHOT6anGrK4zGATGkkrPJjhWj7oiEVdgOeOPU8J0v5jZbAJV2e9y7wjp
+ohqJpNC2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEVDCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
+RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNjA1MDg1MTQxWhcN
+MjMwNjA1MDg1MTQxWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
+A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOXCdZIoWM0EnEEw3qPiVMhAgNolWCTaLt
+eI2TjlTQdGDIcXdBZukHdNeOKYzOXRsLt6bLRtd5yARpn53EbzS/dgAyHuaz1HjE
+5IPWSFRg9SulfHUmcS+GBt1+KiMJTlOsw6wSA73H/PjjXBbWs/uRJTnaNmV3so7W
+DhNW6fHOrbom4p+3FucbB/QAM9b/3l/1LKnRgdXx9tekDnaKN5u3HVBmyOlRhaRp
+tscLUCT3jijoGAPRcYZybgrpa0z3iCWquibTO/eLwuO/Dn7yHWau9ZZAHGPBSn9f
+TiLKRYV55mNjr3zvs8diTPECFPW8w8sRIH3za1aKHgUC1gd87Yr3AgMBAAGjZjBk
+MB0GA1UdDgQWBBQa1FdycErTZ6nr4dxiMbKH0P7vqjAfBgNVHSMEGDAWgBRTVTPy
+S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAlA/RTPy5i09fJ4ytSAmAdytMwEwRaU9F
+dshG7LU9q95ODsuM79yJvV9+ISIJZRsBqf5PDv93bUCKKHIYGvR6kNd+n3yx/fce
+txDkC/tMj1T9D8TuDKAclGEO9K5+1roOQQFxr4SE6XKb/wjn8OMrCoJ75S0F3htF
+LKL85T77JeGeNgSk8JEsZvQvj32m0gv9rxi5jM/Zi5E2vxrBR9T1v3kVvlt6+PSF
+BoHXROk5HQmdHxnH+VYQtDHSwj9Xe9aoJMyL0WjYKd//8NUO+VACDOtK4Nia6gy9
+m/n9kMASMw6f9iF4n6t4902RWrRKTYM1CVu5wyVklVbEdE9i6Db4CpL9E8HpBUAP
+t44JiNzuFkDmSE/z5XuQIimDt6nzOaSF8pX2KHY2ICDLwpMNUvxzqXD9ECbdspiy
+JC2RGq8uARGGl6kQQBKDNO8SrO7rSBPANd1+LgqrKbCrHYfvFgkZPgT5MlQi+E1G
+LNT+i6fzZha9ed/L6yjl5Em71flJGFwRZl2pfErZRxp8pLPcznYyIpSjcwnqNCRC
+orhlp8nheiODC3oO3AFHDiFgUqvm8hgpnT2cPk2lpU2VY1TcZ8sW5qUDCxINIPcW
+u1SAsa87IJK3vEzPZfTCs/S6XThoqRfXj0c0Rahj7YFRi/PqIPY0ejwdtmZ9m9pZ
+8Lb0GYmlo44=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKlTwY5+qcT4QM
+EaL/gKSsSZLkqP1DW8JnO3mAvnmImEgd+biOwbfFB1scQTWXR6RW2VDri9sFm+yW
+MnDC/IG7GNmBeONCvl/k1U4lRkpL9C/DGMA07gjp/WLZUxJChOlrYeFj8hDd2a0A
++4+2Bja/97SutRHqvwP6oYZLG6bk7kXkQ3bF8108F9rI2V3Ysb9uWCVErR9aUqwB
+y8zP5nnrkaBsatvZY9m+R1FuXqXPmA/YXeLCp+yK7L/nC0NX1bWFEpv5BXcoCUBo
+sovQbLecrGNv4fuAFlccy0OI43dTSSzOr/MH1eHk8NqjufhndQY2sdd2MkiiEZ5T
+n38kjrWdAgMBAAECggEBAKEMKo6SMAy7mfoOO0prdn4Qr1pgjZZy6AUxXtJemjdg
++FP8JiA3GGTmCCRaIsR1C8yPTqkysZev8VEmIEaifm/CvYcUF3cD6S/98vXm/0GK
+ij3K+2IYqbV63o5uX+HJz9ayJYBS+92iIsrZMdI+9l9+CIGrKOc5m2wv5JbpELCE
+4asHyZE8jKvzmpOQsYtuKSgzGn4tfx7sRjD3ADEb+djgJ1uhQrCCdUSe17iHAhvX
+Bv2fqmAGlJlBhZfxwJgEfpjcu4nDIrPdFNHtQfIQijI0H1KMLb2hUWf2NAeYRBEa
+VJSZYLUfD8zUkds2Hr4Xa49OzumCiMqJ5ZoXn/b9yYECgYEA5XXSirWKPCNV+so+
+Giu1nCHGoEwduIji2Pwfjo9fAaoDckhTCoAa20NkUHeyg/CNDV28hHeeP+1zHX4B
+x4VZTYKmXxfpjZ6pMmSHlHMrcrNg1GXw4UHY7L6LBKhNWVDdpY5lydRD/PD6I6tr
+JeLVTzIVDW/f1EIS4NJYUdshYFkCgYEA4gOXj1lHeKy8GpGvTncnFIHexKAne1ri
+P1UDIUzpI10zD49EG441hwE5ing4tUQe3dH2QZRTI8f/QF3MQdo0cDLf3QMUG2y4
+Ud5XpD+ppyueI7ZLbufm+s2JZlWvv5UcCYbH4mnMPnrUxyCFabgbqvTWgOiJ1GbS
+VwvMCAJO9uUCgYEA3jg9/4GS72zVPr0Qaa39AskfIGy2t9kxwCxjr1+gBe+NyObM
+LTYlTEW258sUQnz7TX+DK9Lgmk6ullhLBtxYwR0PXLa+xB1tBNWhDB6BbGLWGrzj
+DHQFzjk2TvtjdWVAUq5WW6FLerIxvcusSBOmuzzocIvw/BJFUB/F0vhiGXkCgYAw
+nLUsj/dfbUfILy2Vous07foMMKZNUe730EEsGG7MvG8PGbF8e8nnj8vgjJsl4dEB
+xPdCg7SeLZYpMgOM5nIA7/BWiSL6AxhiA4C2QzsqSadp5vuyjw6PQ0YaTLPQcTHm
+mqbDfB4CEklRyxzm8EKDMsYwU9PRa4wyTMdFsblqQQKBgAwy06uFXXdXnoA3PI7J
+EJwRkChV4kR0dspAhIZsdfY6yw606IB+NvT48S5gLvMpxC8JGrCjKUkcw4e7lO+c
+oxIjEwLmqqYRktRTfWU6SeqrGiiS6/+jERVdVxJysF/0havDkXr27rymiCKb2k2F
+82R57RzJC+AYRYrpsJH8dMuA
+-----END PRIVATE KEY----- \ No newline at end of file
diff --git a/local-setup/src/main/docker/haproxy/haproxy.cfg b/local-setup/src/main/docker/haproxy/haproxy.cfg
new file mode 100644
index 0000000..0fecea0
--- /dev/null
+++ b/local-setup/src/main/docker/haproxy/haproxy.cfg
@@ -0,0 +1,120 @@
+global
+ log /dev/log local0
+ stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
+ stats timeout 30s
+ user root
+ group root
+ daemon
+ #################################
+ # Default SSL material locations#
+ #################################
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ tune.ssl.default-dh-param 2048
+
+defaults
+ log global
+ mode http
+ option httplog
+# option dontlognull
+# errorfile 400 /etc/haproxy/errors/400.http
+# errorfile 403 /etc/haproxy/errors/403.http
+# errorfile 408 /etc/haproxy/errors/408.http
+# errorfile 500 /etc/haproxy/errors/500.http
+# errorfile 502 /etc/haproxy/errors/502.http
+# errorfile 503 /etc/haproxy/errors/503.http
+# errorfile 504 /etc/haproxy/errors/504.http
+
+ option http-server-close
+ option forwardfor except 127.0.0.1
+ retries 6
+ option redispatch
+ maxconn 50000
+ timeout connect 50000
+ timeout client 480000
+ timeout server 480000
+ timeout http-keep-alive 30000
+
+
+frontend IST_8443
+ mode http
+ bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
+ http-request set-header X-AAI-SSL %[ssl_fc]
+ http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
+ http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
+ http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
+ http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
+ http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
+ http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
+ http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
+ http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
+ http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
+ http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
+ http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
+ http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+ reqadd X-Forwarded-Proto:\ https
+ reqadd X-Forwarded-Port:\ 8443
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+
+ default_backend IST_Default_8447
+
+
+#######################
+#DEFAULT BACKEND 847###
+#######################
+
+backend IST_Default_8447
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-resources.api.simpledemo.openecomp.org localhost:8447 port 8447 ssl verify none
+
+#######################
+# BACKEND 8446#########
+#######################
+
+backend IST_AAI_8446
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-traversal.api.simpledemo.openecomp.org localhost:8446 port 8446 ssl verify none
+
+listen IST_AAI_STATS
+ mode http
+ bind *:8080
+ stats uri /stats
+ stats enable
+ stats refresh 30s
+ stats hide-version
+ stats auth admin:admin
+ stats show-legends
+ stats show-desc IST AAI APPLICATION NODES
+ stats admin if TRUE \ No newline at end of file