ENH: HTTPS support without HTTP

DFP can now listen to HTTPS without needing listen to HTTP

Author: thomasjpfan

actions/reconfigure_test.go

@@ -160,14 +160,14 @@ backend myService-be2222_1
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService myService:2222
-backend https-myService-be1111_0
+backend https-myService-be3333_0
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService myService:3333
     acl myServiceUsersAcl http_auth(myServiceUsers)
     http-request auth realm myServiceRealm if !myServiceUsersAcl
     http-request del-header Authorization
-backend https-myService-be2222_1
+backend https-myService-be3333_1
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService myService:3333`
@@ -262,7 +262,7 @@ backend myService-be1234_2
     acl valid_allowed_method method GET DELETE
     http-request deny unless valid_allowed_method
     server myService myService:1234
-backend https-myService-be1234_2
+backend https-myService-be4321_2
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     acl valid_allowed_method method GET DELETE
@@ -286,7 +286,7 @@ backend myService-be1234_5
     acl valid_denied_method method GET DELETE
     http-request deny if valid_denied_method
     server myService myService:1234
-backend https-myService-be1234_5
+backend https-myService-be4321_5
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     acl valid_denied_method method GET DELETE
@@ -309,7 +309,7 @@ backend myService-be1234_32
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     http-request deny if !{ ssl_fc }
     server myService myService:1234
-backend https-myService-be1234_32
+backend https-myService-be4321_32
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService myService:4321`
@@ -370,7 +370,7 @@ backend myService-be1234_3
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService myService:1234
-backend https-myService-be1234_3
+backend https-myService-be4321_3
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService myService:4321`
@@ -389,7 +389,7 @@ backend myService-be1234_0
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server-template myService 7 myService:1234 check
-backend https-myService-be1234_0
+backend https-myService-be4321_0
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server-template myService 7 myService:4321 check`
@@ -421,7 +421,7 @@ backend myService-be1234_0
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server-template myService 3 myService:1234 check
-backend https-myService-be1234_0
+backend https-myService-be4321_0
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server-template myService 3 myService:4321 check`
@@ -462,7 +462,7 @@ backend myService-be1234_1
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService acme.com:1234
-backend https-myService-be1234_1
+backend https-myService-be4321_1
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     server myService acme.com:4321`
@@ -750,7 +750,7 @@ backend my-service-be1111_0
     cookie my-service insert indirect nocache
     server my-service_0 1.2.3.4:1111 check cookie my-service_0
     server my-service_1 4.3.2.1:1111 check cookie my-service_1
-backend https-my-service-be1111_0
+backend https-my-service-be2222_0
     mode http
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     balance roundrobin

docs/config.md

@@ -11,7 +11,7 @@ The following environment variables can be used to configure the *Docker Flow Pr
 
 |Variable           |Description                                               |
 |-------------------|----------------------------------------------------------|
-|BIND_PORTS         |Ports to bind in addition to `80` and `443`. Multiple values can be separated with comma. If a port is specified with the `srcPort` reconfigure parameter, it is not required to specify it in this environment variable. Those values will be used as default ports used for services that do not specify `srcPort`. Please note that all binded ports need to be published on the service level (usually defined in a Compose stack file). If a port should be for SSL connections, append it with `:ssl`. Additional binding options can be added after a port. For example, `80 accept-proxy,443 accept-proxy:ssl` adds `accept-proxy` to the defalt binding options.<br>**Example:** `8085,8086:ssl`|
+|BIND_PORTS         |Ports to bind in addition to `80` and `443`. Multiple values can be separated with comma. If a port is specified with the `srcPort` reconfigure parameter, it is not required to specify it in this environment variable for `tcp` and `sni` mode. In `http` mode, this environment variable **is** required. Those values will be used as default ports used for services that do not specify `srcPort`. Please note that all binded ports need to be published on the service level (usually defined in a Compose stack file). If a port should be for SSL connections, append it with `:ssl`. Additional binding options can be added after a port. For example, `80 accept-proxy,443 accept-proxy:ssl` adds `accept-proxy` to the defalt binding options.<br>**Example:** `8085,8086:ssl`|
 |CA_FILE            |Path to a PEM file from which to load CA certificates that will be used to verify client's certificate. Preferably, the file should be provided as a Docker secret.<br>**Example:** /run/secrets/ca-file|
 |CAPTURE_REQUEST_HEADER|Allows capturing specific request headers. This feature is useful if debugging is enabled (e.g. `DEBUG=true`) and the format is customized with `DEBUG_HTTP_FORMAT` or `DEBUG_TCP_FORMAT` to output headers. Header name and lenght in bytes must be separated with colon (e.g. `Host:15`). Multiple headers should be separated with colon (e.g. `Host:15,X-Forwarded-For:20`).<br>**Example:** `Host:15,X-Forwarded-For:20,Referer:15`|
 |CFG_TEMPLATE_PATH  |Path to the configuration template. The path can be absolute (starting with `/`) or relative to `/cfg/tmpl`.<br>**Default value:** `/cfg/tmpl/haproxy.tmpl`|

proxy/ha_proxy_test.go

@@ -794,10 +794,12 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsServicePathExclude(
 		`%s
     acl url_my-service-11111_0 path_beg /path-1
     acl url_exclude_my-service-11111_0 path_beg /path-2 path_beg /path-3
+    acl url_https_my-service-12222_0 path_beg /path-1
+    acl url_exclude_https_my-service-12222_0 path_beg /path-2 path_beg /path-3
     acl srcPort_my-service-180_0 dst_port 80
     acl srcHttpsPort_my-service-1443_0 dst_port 443
     use_backend my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 srcPort_my-service-180_0
-    use_backend https-my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 srcHttpsPort_my-service-1443_0%s`,
+    use_backend https-my-service-1-be2222_0 if url_https_my-service-12222_0 !url_exclude_https_my-service-12222_0 srcHttpsPort_my-service-1443_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)
@@ -1651,8 +1653,8 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsDomainsForEachServi
     acl url_my-service1111_1 path_beg /path
     acl domain_my-service1111_1 hdr_beg(host) -i domain-1-1.com domain-1-2.com
     acl url_my-service2222_45 path_beg /path
-    acl srcPort_my-service4321_45 dst_port 4321
     acl domain_my-service2222_45 hdr_beg(host) -i domain-2-1.com domain-2-2.com
+    acl srcPort_my-service4321_45 dst_port 4321
     use_backend my-service-be1111_1 if url_my-service1111_1 domain_my-service1111_1
     use_backend my-service-be2222_45 if url_my-service2222_45 domain_my-service2222_45 srcPort_my-service4321_45%s`,
 		tmpl,
@@ -1808,7 +1810,9 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEndWith
 	tmpl := s.TemplateContent
 	expectedData := fmt.Sprintf(
 		`%s
-    acl domain_my-service_0 hdr_end(host) -i domain-1%s`,
+    acl url_my-service8080_0
+    acl domain_my-service8080_0 hdr_end(host) -i domain-1
+    use_backend my-service-be8080_0 if url_my-service8080_0 domain_my-service8080_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)
@@ -1820,7 +1824,8 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEndWith
 	service1 := Service{
 		ServiceName: "my-service",
 		ServiceDest: []ServiceDest{
-			{ServiceDomain: []string{"*domain-1"}},
+			{ServiceDomain: []string{"*domain-1"},
+				Port: "8080"},
 		},
 	}
 	p.AddService(service1)
@@ -1836,10 +1841,11 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEndWith
 	expectedData := fmt.Sprintf(
 		`%s
     acl url_my-service1111_0 path_beg /path
+    acl url_https_my-service2222_0 path_beg /path
     acl srcPort_my-service80_0 dst_port 80
     acl srcHttpsPort_my-service443_0 dst_port 443
     use_backend my-service-be1111_0 if url_my-service1111_0 srcPort_my-service80_0
-    use_backend https-my-service-be1111_0 if url_my-service1111_0 srcHttpsPort_my-service443_0%s`,
+    use_backend https-my-service-be2222_0 if url_https_my-service2222_0 srcHttpsPort_my-service443_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)
@@ -1870,10 +1876,11 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEndWith
 	expectedData := fmt.Sprintf(
 		`%s
     acl url_my-service1111_0 path_beg /path
+    acl url_https_my-service2222_0 path_beg /path
     acl srcPort_my-service8080_0 dst_port 8080
     acl srcHttpsPort_my-service443_0 dst_port 443
     use_backend my-service-be1111_0 if url_my-service1111_0 srcPort_my-service8080_0
-    use_backend https-my-service-be1111_0 if url_my-service1111_0 srcHttpsPort_my-service443_0%s`,
+    use_backend https-my-service-be2222_0 if url_https_my-service2222_0 srcHttpsPort_my-service443_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)

proxy/template.go

@@ -19,11 +19,28 @@ func getFrontTemplate(s Service) string {
     compression type {{$.CompressionType}}
             {{- end}}
         {{- end}}
-        {{- if ne .Port ""}}
-    acl url_{{$.AclName}}{{.Port}}_{{.Index}}{{range .ServicePath}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}
+        {{- if ne $sd.Port ""}}
+    acl url_{{$.AclName}}{{$sd.Port}}_{{.Index}}{{range .ServicePath}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}
+            {{- if .ServicePathExclude}}
+    acl url_exclude_{{$.AclName}}{{$sd.Port}}_{{.Index}}{{range .ServicePathExclude}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}
+            {{- end}}
+            {{- if $sd.ServiceDomain}}
+    acl domain_{{$.AclName}}{{$sd.Port}}_{{$sd.Index}} {{$.ServiceDomainAlgo}} -i{{range $sd.ServiceDomain}} {{.}}{{end}}
+            {{- end}}
+            {{- if $sd.ServiceHeader}}{{$skIndex := 0}}
+                {{- range $key, $value := $sd.ServiceHeader}}
+    acl hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}} hdr({{$key}}) {{$value}}
+                {{- end}}
+            {{- end}}
         {{- end}}
-        {{- if .ServicePathExclude}}
-    acl url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{range .ServicePathExclude}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}
+        {{- if gt $sd.HttpsPort 0}}
+    acl url_https_{{$.AclName}}{{$sd.HttpsPort}}_{{.Index}}{{range .ServicePath}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}
+            {{- if .ServicePathExclude}}
+    acl url_exclude_https_{{$.AclName}}{{$sd.HttpsPort}}_{{.Index}}{{range .ServicePathExclude}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}
+            {{- end}}
+            {{- if $sd.ServiceDomain}}
+    acl domain_https_{{$.AclName}}{{$sd.HttpsPort}}_{{$sd.Index}} {{$.ServiceDomainAlgo}} -i{{range $sd.ServiceDomain}} {{.}}{{end}}
+            {{- end}}
         {{- end}}
         {{- if $sd.IncludeSrcPortACL }}
     {{$sd.SrcPortAcl}}
@@ -35,14 +52,6 @@ func getFrontTemplate(s Service) string {
     acl user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}} hdr_sub(User-Agent) -i{{range .UserAgent.Value}} {{.}}{{end}}
         {{- end}}
     {{- end}}
-    {{- if .ServiceDomain}}
-    acl domain_{{$.AclName}}{{.Port}}_{{.Index}} {{$.ServiceDomainAlgo}} -i{{range .ServiceDomain}} {{.}}{{end}}
-    {{- end}}
-    {{- if .ServiceHeader}}{{$skIndex := 0}}
-        {{- range $key, $value := .ServiceHeader}}
-    acl hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}} hdr({{$key}}) {{$value}}
-        {{- end}}
-    {{- end}}
     {{- range $rd := $sd.RedirectFromDomain}}
     http-request redirect code 301 prefix http://{{index $sd.ServiceDomain 0}} if { hdr_beg(host) -i {{$rd}} }
     {{- end}}
@@ -58,16 +67,17 @@ func getFrontTemplate(s Service) string {
     {{- end}}
 {{- end}}
 {{- range $sd := .ServiceDest}}
-    {{- if eq .ReqMode "http"}}{{- if ne .Port ""}}
-    use_backend {{$.AclName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceHeader}}{{resetIndex}}{{range $key, $value := .ServiceHeader}} hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}}{{end}}{{end}}{{.SrcPortAclName}}
-        {{- if gt $sd.HttpsPort 0 }}
-    use_backend https-{{$.AclName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{.SrcHttpsPortAclName}}
-        {{- end}}
-    {{- $length := len .UserAgent.Value}}{{if gt $length 0}} user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}}{{end}}
-        {{- if $.IsDefaultBackend}}
+    {{- if eq .ReqMode "http" }}
+        {{- if ne .Port ""}}
+    use_backend {{$.AclName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceHeader}}{{resetIndex}}{{range $key, $value := .ServiceHeader}} hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}}{{end}}{{end}}{{.SrcPortAclName}}{{ $length := len .UserAgent.Value}}{{if gt $length 0}} user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}}{{end}}
+            {{- if $.IsDefaultBackend}}
     default_backend {{$.AclName}}-be{{.Port}}_{{$sd.Index}}
+            {{- end}}
+        {{- end }}
+        {{- if gt $sd.HttpsPort 0 }}
+    use_backend https-{{$.AclName}}-be{{.HttpsPort}}_{{.Index}} if url_https_{{$.AclName}}{{.HttpsPort}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_https_{{$.AclName}}{{.HttpsPort}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_https{{$.AclName}}{{.HttpsPort}}_{{.Index}}{{end}}{{.SrcHttpsPortAclName}}{{ $length := len .UserAgent.Value}}{{if gt $length 0}} user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}}{{end}}
         {{- end}}
-    {{- end}}{{- end}}
+    {{- end}}
 {{- end}}`
 	return templateToString(tmplString, s)
 }
@@ -300,7 +310,7 @@ backend {{$.AclName}}-be{{$sd.Port}}_{{.Index}}
 {{- end}}
 {{- range $sd := .ServiceDest}}
     {{- if gt $sd.HttpsPort 0}}
-backend https-{{$.AclName}}-be{{.Port}}_{{.Index}}
+backend https-{{$.AclName}}-be{{.HttpsPort}}_{{.Index}}
     mode {{.ReqModeFormatted}}
             {{- if eq .ReqModeFormatted "http"}}
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
@@ -323,8 +333,8 @@ backend https-{{$.AclName}}-be{{.Port}}_{{.Index}}
     http-request set-path %[path,regsub({{.}})]
             {{- end}}
             {{- if eq .VerifyClientSsl true}}
-    acl valid_client_cert_{{$.ServiceName}}{{.Port}} ssl_c_used ssl_c_verify 0
-    http-request deny unless valid_client_cert_{{$.ServiceName}}{{.Port}}
+    acl valid_client_cert_{{$.ServiceName}}{{.HttpsPort}} ssl_c_used ssl_c_verify 0
+    http-request deny unless valid_client_cert_{{$.ServiceName}}{{.HttpsPort}}
             {{- end}}
             {{- if .AllowedMethods}}
     acl valid_allowed_method method{{range .AllowedMethods}} {{.}}{{end}}