From 440cc02d7c2618c2d4104603b71eeab5b4acf697 Mon Sep 17 00:00:00 2001
From: Maurizio Pillitu
Date: Fri, 19 Sep 2014 22:47:47 +0200
Subject: [PATCH] adding haproxy configuration; working on enabling https - issue #18
Former-commit-id: 7cfc7c25cc4292f08d0ce3362b0672478ad69ce8 [formerly 8937183aae0108ce08e999ec4aa2a0cf03a95a52]
Former-commit-id: 261ae5ef484100625e591eb8261daebff0bac2bc
Former-commit-id: a5be96f75a10c42b3f4e4a0063c7a61a7ec746b5
---
 common/haproxy/browser.pem | 59 ++++++++++++++++
 common/haproxy/haproxy.cfg | 93 +++++++++++++++++++++-----
 docker/scripts/run/distributed-arch.sh | 6 +-
 3 files changed, 141 insertions(+), 17 deletions(-)
 create mode 100644 common/haproxy/browser.pem
diff --git a/common/haproxy/browser.pem b/common/haproxy/browser.pem
new file mode 100644
index 0000000..d2feb73
--- /dev/null
+++ b/common/haproxy/browser.pem
@@ -0,0 +1,59 @@
+Bag Attributes
+ friendlyName: ssl.repo
+ localKeyID: 54 69 6D 65 20 31 33 34 34 37 35 38 38 33 38 35 39 33
+Key Attributes:
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCX67H7604bPWaBpmfSrQMlQamw/25gGpH9skaKOIv0gHDXzYRY
+KRvGusQwHEDpf2IE5PoSPcsbmc7T6fqHsCcUjtE5qTv56i+qTz6FBFoh5VWZjBJG
+HRs6VLQ8Jk9Emz73cgod9fUR+xqquGQ59SYce0yrnCIuseytGW3irqYKiwIDAQAB
+AoGARvYdCOL8dNTVULH9xPZzha+KJ9boI5PFpY7kTCPlm6tzChpBOzzYcJdElIRd
+/bM2gbrC5Epg2N+bMHkWQNMTLVgUISR0pSeqGgCDEdbRVnk8xxRnwdEwQbu+fv95
+PNCmZkVb5Wvlqr4afpYspzsZ1C/aU0cDoVsyLUhO6ql/YsECQQDqmDVNnCo3HgHj
+D5bcygwypTbRiUojGyS10Syt1fw2Snbwj7+T0mgAgPcTnDJx3aUTOlT70Hrwv4Th
+6bQ84YP5AkEApchYFKjuEgJKPIG8Mk61+S0nrYhL8yiz8aSEiEtJDC7Q4/B+f3rA
+bSjVH1oZCw0yhFmhLVuADJy2Qx9EwLHbowJBAN0lZvomgNU8gGLfy0OPZDhJ7odQ
+eIbni4+qBAhLdFppj/3uRJbA/jGbYU8nK5aTbo3Vq09GlN5mbInamYHaxWECQDdE
+StjYWEV4rfbt6Sd8Rf4Dp66aOXeeoh50kho9vuRo1wqmKgWljnDVo/cHukGM7MJi
+fvD4CAAsXjaSPgFfSbECQF7s1WinVNcNiRB2+Lt1XQuZLmadHDR1E7MoVqpUkG7K
+TISWmCrQOIakdAwfKJNvt0akKb0BB1450cE6XbqVLUM=
+-----END RSA PRIVATE KEY-----
+Bag Attributes
+ friendlyName: CN=Alfresco Repository,OU=Unknown,O=Alfresco Software Ltd.,L=Maidenhead,ST=UK,C=GB
+ localKeyID: 54 69 6D 65 20 31 33 34 34 37 35 38 38 33 38 35 39 33
+subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
+issuer=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
+-----BEGIN CERTIFICATE-----
+MIICYDCCAckCCQD/87za5Xu6IjANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJH
+QjELMAkGA1UECAwCVUsxEzARBgNVBAcMCk1haWRlbmhlYWQxHzAdBgNVBAoMFkFs
+ZnJlc2NvIFNvZnR3YXJlIEx0ZC4xFDASBgNVBAMMC0FsZnJlc2NvIENBMCAXDTEy
+MDgxMDE2MjEwMFoYDzIxMTIwNzE3MTYyMTAwWjCBgDELMAkGA1UEBhMCR0IxCzAJ
+BgNVBAgTAlVLMRMwEQYDVQQHEwpNYWlkZW5oZWFkMR8wHQYDVQQKExZBbGZyZXNj
+byBTb2Z0d2FyZSBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRwwGgYDVQQDExNBbGZy
+ZXNjbyBSZXBvc2l0b3J5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX67H7
+604bPWaBpmfSrQMlQamw/25gGpH9skaKOIv0gHDXzYRYKRvGusQwHEDpf2IE5PoS
+Pcsbmc7T6fqHsCcUjtE5qTv56i+qTz6FBFoh5VWZjBJGHRs6VLQ8Jk9Emz73cgod
+9fUR+xqquGQ59SYce0yrnCIuseytGW3irqYKiwIDAQABMA0GCSqGSIb3DQEBBQUA
+A4GBAGAN0/9mLAmCF6LgYFumyoDYZmzqUGDTvaCyIBC56stSe4Z+WuM0/oaTzwxg
+KfksudPBGAbfBKkH0rNQbLhh4YIUxdsgNHojVSUBK5qzd10xykKH/70uHIE2ZZ3u
+FnFUvKYPPlOh6doy0bkeZhDgjUK587YT19L/URAGuvd4osgz
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: CN=Alfresco CA,O=Alfresco Software Ltd.,L=Maidenhead,ST=UK,C=GB
+subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
+issuer=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
+-----BEGIN CERTIFICATE-----
+MIICnDCCAgWgAwIBAgIJAILUY/ZsJjzXMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNV
+BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
+CgwWQWxmcmVzY28gU29mdHdhcmUgTHRkLjEUMBIGA1UEAwwLQWxmcmVzY28gQ0Ew
+IBcNMTIwODEwMTYxNzM0WhgPMjExMjA3MTcxNjE3MzRaMGYxCzAJBgNVBAYTAkdC
+MQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UECgwWQWxm
+cmVzY28gU29mdHdhcmUgTHRkLjEUMBIGA1UEAwwLQWxmcmVzY28gQ0EwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBAOoocnTBBh88zAbSNUb292F4Hgwe/4jqyBnU
+I/uj2Js6247Sulcm9IjgbijK1y6ZC+sGeTwBQoJ67/tNS4f/Gibc4SuUnIooFvnP
+NbpRnebzWKcUxiK9gApzRtmqAJrgaTOBIBV3P0QB5snD8Uc5ZwhCgf3joXtn73Kj
+yZFgJXnXAgMBAAGjUDBOMB0GA1UdDgQWBBQDGp8/OEY7gLx9BhR/2wiMheoV2TAf
+BgNVHSMEGDAWgBQDGp8/OEY7gLx9BhR/2wiMheoV2TAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4GBAKKwXcAeLn+viE+iXTIN1SHxRBDJ4+zW2N7ClheJ1om3
+ONNWBo3HlDZFYoL3kjm5UC25KF0/wxEBg6Fb6On+j7AqgXXsYbLTqrtJP57qLTja
+gyoEHBezH1+ZLVOqZ+934/5yO7qNdH/6cu38VCtGbQfrqfwxgCJ5L5OpK2U3sVrk
+-----END CERTIFICATE-----
diff --git a/common/haproxy/haproxy.cfg b/common/haproxy/haproxy.cfg
index 1fbc573..edd41b7 100644
--- a/common/haproxy/haproxy.cfg
+++ b/common/haproxy/haproxy.cfg
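Review bot: This new file commits an unencrypted RSA private key (`-----BEGIN RSA PRIVATE KEY-----`, no passphrase) next to its certificate, and a key that has been pushed to a repository has to be treated as exposed even if it is removed later. The bundle also looks unsuited to the stated purpose: the leaf is `CN=Alfresco Repository` issued by the private `Alfresco CA` and carries `friendlyName: ssl.repo`, so it appears to be exported from the repository's own keystore rather than minted for the load balancer; its key appears to be 1024-bit with a SHA-1 signature, and the CN does not match the `lb.haproxy.demo.acme.com` name used in haproxy.cfg, so browsers would warn on it regardless. Since distributed-arch.sh already bind-mounts `/alfboxes/common/haproxy` into the container, generate a host-specific key pair outside version control, place it in that directory on the host, and add `common/haproxy/*.pem` to .gitignore so only the configuration stays versioned.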
@@ -1,19 +1,80 @@
 global
- daemon
- maxconn 256
+ pidfile /var/run/haproxy.pid
+ log 127.0.0.1 local2 info
+ stats socket /var/run/haproxy.stat mode 600 level admin
+ daemon
+ maxconn 256
 defaults
- mode http
- timeout connect 5000ms
- timeout client 50000ms
- timeout server 50000ms
-
-frontend http-in
- bind *:80
- default_backend static
-
-backend static
- mode http
- balance roundrobin
- server share1 share1.alfresco-share.demo.acme.com:8080 maxconn 32
- server share2 share2.alfresco-share.demo.acme.com:8080 maxconn 32
+ mode http
+ log global
+
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 5s
+ timeout client 2m
+ timeout server 2m
+ timeout http-keep-alive 10s
+ timeout check 5s
+ retries 3
+
+ option httplog
+ option dontlognull
+ option forwardfor
+ option http-server-close
+ option redispatch
+ option tcp-smart-accept
+ option tcp-smart-connect
+
+ compression algo gzip
+ compression type text/html text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint
+
+# Front end for http to https redirect
+frontend http
+ bind *:80
+# redirect location https://lb.haproxy.demo.acme.com/share/
+ default_backend share
+
+# Main front end for all services
+# frontend https
+# bind *:443 ssl crt /haproxy-override/browser.pem
+# capture request header X-Forwarded-For len 64
+# capture request header User-agent len 256
+# capture request header Cookie len 64
+# capture request header Accept-Language len 64
+
+ # ACL for backend mapping based on url paths
+ acl robots path_reg ^/robots.txt$
+ acl alfresco_path path_reg ^/alfresco/.*
+ acl share_path path_reg ^/share/.*/proxy/alfresco/api/solr/.*
+ acl share_redirect path_reg ^$|^/$
+
+ # Changes to header responses
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+backend share
+ stats enable
+ stats hide-version
+ stats auth :
+ stats uri /monitor
+ stats refresh 2s
+
+ mode http
+
+ option httpchk GET /share
+ balance leastconn
+ cookie JSESSIONID prefix
+ server share1 share1.alfresco-share.demo.acme.com:8080 cookie share1 check inter 5000
+ server share2 share2.alfresco-share.demo.acme.com:8080 cookie share2 check inter 5000
+
+#backend webdav
+# option httpchk GET /alfresco
+# reqrep ^([^\ ]*)\ /(.*) \1\ /alfresco/webdav/\2
+# server share1 share1.alfresco-share.demo.acme.com:8080 check inter 5000
+# server share2 share2.alfresco-share.demo.acme.com:8080 check inter 5000
+
+#backend sharepoint
+# balance url_param VTISESSIONID check_post
+# cookie VTISESSIONID prefix
+# server tomcat1 server1:7070 cookie share1 check inter 5000
+# server tomcat2 server2:7070 cookie share2 check inter 5000
diff --git a/docker/scripts/run/distributed-arch.sh b/docker/scripts/run/distributed-arch.sh
index 3dfbd8e..fca6b54 100755
--- a/docker/scripts/run/distributed-arch.sh
+++ b/docker/scripts/run/distributed-arch.sh
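Review bot: `stats auth :` in `backend share` enables the statistics page at `/monitor` with an empty user and password, and because that backend is the `default_backend` of the port-80 frontend the page is reachable by anyone who can reach the proxy; either supply real credentials from outside the repository (`stats auth <STATS_USER>:<STATS_PASSWORD>`, values not committed) or move the `stats` lines into a separate `listen` section bound to a non-public address. The `rspadd Strict-Transport-Security:\ max-age=15768000` line, and the four `acl` lines above it, end up inside the active `frontend http` because the `frontend https` block between them is commented out; browsers ignore HSTS received over plain HTTP, so that line belongs with the https frontend once it is enabled. None of the ACLs is referenced by a `use_backend` or `redirect` rule, so `robots`, `alfresco_path`, `share_path` and `share_redirect` are dead configuration at the moment and should either be wired up or dropped to keep the intended routing readable.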
@@ -32,4 +32,8 @@ docker run --name share2 --dns $DNS_IP -d -p 8082:8080 -p 5701 -v /alfboxes/dock
 docker run --name solr1 --dns $DNS_IP -d -p 8083:8080 -p 5701 -v /alfboxes/docker/license/alf42.lic:/alflicense/alf42.lic --volumes-from data maoo/alfresco-solr:latest /bin/sh -c "/etc/init.d/tomcat7 start ; sleep 1 ; tail -f /var/log/tomcat7/catalina.out"
 # Using HA Proxy balancer
-# docker run --name lb --dns $DNS_IP -d -v /alfboxes/common/haproxy:/haproxy-override -p 80:80 dockerfile/haproxy:latest
+docker run --name lb --dns $DNS_IP -d -v /alfboxes/common/haproxy:/haproxy-override -p 80:80 dockerfile/haproxy /bin/sh -c "chmod +x /haproxy-start; /haproxy-start ; tail -f /var/log/bootstrap.log"
+
+# Debugging
+# docker run --name lb --dns $DNS_IP -t -i -v /alfboxes/common/haproxy:/haproxy-override -p 80:80 dockerfile/haproxy /bin/bash
+# docker run --name share3 --dns $DNS_IP -t -i -p 8084:8080 -p 5701 -v /alfboxes/docker/license/alf42.lic:/alflicense/alf42.lic --volumes-from data maoo/alfresco-share:latest /bin/bash
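Review bot: The new `docker run --name lb` line publishes only `-p 80:80`, so even once the `bind *:443` frontend in haproxy.cfg is uncommented no external client can reach it; the commit message says https is being enabled, so add `-p 443:443` on the same line. The bind mount `-v /alfboxes/common/haproxy:/haproxy-override` also gives the proxy container write access to the directory that now holds browser.pem and the config, which it has no need for; `-v /alfboxes/common/haproxy:/haproxy-override:ro` keeps a misbehaving or compromised proxy process from altering its own key or configuration. The `chmod +x /haproxy-start` inside the `/bin/sh -c` string suggests the start script is not executable in the base image; if that is the case, fixing the file mode at image build time would be cleaner than patching it on every start.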