ENH: Adds srcHttpsPort

Author: thomasjpfan

docs/usage.md

@@ -36,6 +36,7 @@ The following query parameters can be used to send a *reconfigure* request to *D
 |setReqHeader   |Additional headers that will be set to the request before forwarding it to the service. If a specified header exists, it will be replaced with the new one. Multiple headers should be separated with comma (`,`). Change the environment variable `SEPARATOR` if comma is to be used for other purposes. Please consult [Set a header to the request](https://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html#set-a-header-in-the-request) for more info.<br>**Example:** `X-Forwarded-Port %[dst_port],X-Forwarded-Ssl on if { ssl_fc }`|
 |setResHeader   |Additional headers that will be set to the response before forwarding it to the client. If a specified header exists, it will be replaced with the new one. Multiple headers should be separated with comma (`,`). Change the environment variable `SEPARATOR` if comma is to be used for other purposes. Please consult [Set a header to the response](https://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html#set-a-header-in-the-response) for more info.<br>**Example:** `X-Via %[env(HOSTNAME)],Server haproxy`|
 |srcPort        |The source (entry) port of a service. The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `srcPort.1`, `srcPort.2`, and so on). The parameter is mandatory when specifying multiple destinations of a single service. If this parameter is used with `http` mode, the port needs to be specified with the environment variable `BIND_PORTS` (see [Environment Variables](http://proxy.dockerflow.com/config/#environment-variables) for more info) and the port needs to be published on service level.<br>**Example:** `80`|
+|srcHttpsPort   |The source (entry) port of a https service. The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `srcHttpsPort.1`, `srcHttpsPort.2`, and so on). The parameter is mandatory when specifying multiple destinations of a single service. The ports needs to be specified with the environment variable `BIND_PORTS` (see [Environment Variables](http://proxy.dockerflow.com/config/#environment-variables) for more info) and the port needs to be published on service level.<br>**Example:** `4443`|
 |timeoutServer  |The server timeout in seconds.<br>**Default:** `20`<br>**Example:** `60`|
 |timeoutTunnel  |The tunnel timeout in seconds.<br>**Default:** `3600`<br>**Example:** `3600`|
 |userDef        |User defined value. This value is not used with current template. It is designed as a way to provide additional data that can be used with **custom templates**. The parameter must be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `userDef.1`, `userDef.2`, and so on).|
@@ -152,6 +153,7 @@ The map between the HTTP query parameters and environment variables is as follow
 |setReqHeader         |SET_REQ_HEADER          |
 |setResHeader         |SET_RES_HEADER          |
 |srcPort              |SRC_PORT                |
+|srcHttpsPort         |SRC_HTTPS_PORT          |
 |sslVerifyNone        |SSL_VERIFY_NONE         |
 |templateBePath       |TEMPLATE_BE_PATH        |
 |templateFePath       |TEMPLATE_FE_PATH        |

proxy/ha_proxy_test.go

@@ -795,9 +795,9 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsServicePathExclude(
     acl url_my-service-11111_0 path_beg /path-1
     acl url_exclude_my-service-11111_0 path_beg /path-2 path_beg /path-3
     acl srcPort_my-service-180_0 dst_port 80
-    acl https_my-service-1_0 dst_port 443
+    acl srcHttpsPort_my-service-1443_0 dst_port 443
     use_backend my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 srcPort_my-service-180_0
-    use_backend https-my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 https_my-service-1_0%s`,
+    use_backend https-my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 srcHttpsPort_my-service-1443_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)
@@ -1837,9 +1837,9 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEndWith
 		`%s
     acl url_my-service1111_0 path_beg /path
     acl srcPort_my-service80_0 dst_port 80
-    acl https_my-service_0 dst_port 443
+    acl srcHttpsPort_my-service443_0 dst_port 443
     use_backend my-service-be1111_0 if url_my-service1111_0 srcPort_my-service80_0
-    use_backend https-my-service-be1111_0 if url_my-service1111_0 https_my-service_0%s`,
+    use_backend https-my-service-be1111_0 if url_my-service1111_0 srcHttpsPort_my-service443_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)
@@ -1871,9 +1871,9 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEndWith
 		`%s
     acl url_my-service1111_0 path_beg /path
     acl srcPort_my-service8080_0 dst_port 8080
-    acl https_my-service_0 dst_port 443
+    acl srcHttpsPort_my-service443_0 dst_port 443
     use_backend my-service-be1111_0 if url_my-service1111_0 srcPort_my-service8080_0
-    use_backend https-my-service-be1111_0 if url_my-service1111_0 https_my-service_0%s`,
+    use_backend https-my-service-be1111_0 if url_my-service1111_0 srcHttpsPort_my-service443_0%s`,
 		tmpl,
 		s.ServicesContent,
 	)

proxy/template.go

@@ -27,6 +27,9 @@ func getFrontTemplate(s Service) string {
         {{- end}}
         {{- if $sd.IncludeSrcPortACL }}
     {{$sd.SrcPortAcl}}
+        {{- end }}
+        {{- if $sd.IncludeSrcHttpsPortACL }}
+    {{$sd.SrcHttpsPortAcl}}
         {{- end }}
         {{- $length := len .UserAgent.Value}}{{if gt $length 0}}
     acl user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}} hdr_sub(User-Agent) -i{{range .UserAgent.Value}} {{.}}{{end}}
@@ -40,9 +43,6 @@ func getFrontTemplate(s Service) string {
     acl hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}} hdr({{$key}}) {{$value}}
         {{- end}}
     {{- end}}
-    {{- if gt $sd.HttpsPort 0 }}
-    acl https_{{$.ServiceName}}_{{.Index}} dst_port 443
-    {{- end}}
     {{- range $rd := $sd.RedirectFromDomain}}
     http-request redirect code 301 prefix http://{{index $sd.ServiceDomain 0}} if { hdr_beg(host) -i {{$rd}} }
     {{- end}}
@@ -61,7 +61,7 @@ func getFrontTemplate(s Service) string {
     {{- if eq .ReqMode "http"}}{{- if ne .Port ""}}
     use_backend {{$.AclName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceHeader}}{{resetIndex}}{{range $key, $value := .ServiceHeader}} hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}}{{end}}{{end}}{{.SrcPortAclName}}
         {{- if gt $sd.HttpsPort 0 }}
-    use_backend https-{{$.AclName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}} https_{{$.ServiceName}}_{{.Index}}
+    use_backend https-{{$.AclName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{.SrcHttpsPortAclName}}
         {{- end}}
     {{- $length := len .UserAgent.Value}}{{if gt $length 0}} user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}}{{end}}
         {{- if $.IsDefaultBackend}}
@@ -401,6 +401,21 @@ func FormatServiceForTemplates(sr *Service) {
 		}
 		sr.ServiceDest[i].SrcPort = srcPort
 
+		// Handle https port
+		srcHttpsPort := sd.SrcHttpsPort
+		if sd.HttpsPort > 0 && srcHttpsPort == 0 {
+			srcHttpsPort = 443
+		}
+		if srcHttpsPort > 0 {
+			sr.ServiceDest[i].SrcHttpsPortAclName = fmt.Sprintf(" srcHttpsPort_%s%d_%d", sr.AclName, srcHttpsPort, sd.Index)
+			sr.ServiceDest[i].SrcHttpsPortAcl = fmt.Sprintf("acl srcHttpsPort_%s%d_%d dst_port %d", sr.AclName, srcHttpsPort, sd.Index, srcHttpsPort)
+		}
+
+		if srcHttpsPort > 0 && sd.HttpsPort > 0 {
+			sr.ServiceDest[i].IncludeSrcHttpsPortACL = true
+		}
+		sr.ServiceDest[i].SrcHttpsPort = srcHttpsPort
+
 	}
 }
 

proxy/template_test.go

@@ -71,5 +71,47 @@ func (s *TemplateTestSuite) Test_FormatData_SrcPort_DefinesSrcPortAclNameAndSrcP
 
 	s.Equal(" srcPort_my-service-14480_0", sd.SrcPortAclName)
 	s.Equal("acl srcPort_my-service-14480_0 dst_port 4480", sd.SrcPortAcl)
+	s.True(sd.IncludeSrcPortACL)
+}
+
+func (s *TemplateTestSuite) Test_FormatData_SrcHttpsPort_DefinesSrcHttpsPortAclNameAndSrcPortAcl() {
+
+	service := Service{
+		ServiceName: "my-service-1",
+		ServiceDest: []ServiceDest{
+			{SrcPort: 4480, Port: "1111",
+				SrcHttpsPort: 4443,
+				HttpsPort:    4443,
+				ServicePath:  []string{"/path-1"}}}}
+
+	FormatServiceForTemplates(&service)
+
+	s.Require().Len(service.ServiceDest, 1)
+	sd := service.ServiceDest[0]
+
+	s.Equal(" srcHttpsPort_my-service-14443_0", sd.SrcHttpsPortAclName)
+	s.Equal("acl srcHttpsPort_my-service-14443_0 dst_port 4443", sd.SrcHttpsPortAcl)
+	s.True(sd.IncludeSrcHttpsPortACL)
+
+}
+func (s *TemplateTestSuite) Test_FormatData_DefinesSrcPortAclNameAndSrcPortAcl_DefaultsToPort80_443() {
+
+	service := Service{
+		ServiceName: "my-service-1",
+		ServiceDest: []ServiceDest{
+			{Port: "1111",
+				HttpsPort:   443,
+				ServicePath: []string{"/path-1"}}}}
+
+	FormatServiceForTemplates(&service)
+
+	s.Require().Len(service.ServiceDest, 1)
+	sd := service.ServiceDest[0]
 
+	s.Equal(" srcPort_my-service-180_0", sd.SrcPortAclName)
+	s.Equal("acl srcPort_my-service-180_0 dst_port 80", sd.SrcPortAcl)
+	s.Equal(" srcHttpsPort_my-service-1443_0", sd.SrcHttpsPortAclName)
+	s.Equal("acl srcHttpsPort_my-service-1443_0 dst_port 443", sd.SrcHttpsPortAcl)
+	s.True(sd.IncludeSrcPortACL)
+	s.True(sd.IncludeSrcHttpsPortACL)
 }

proxy/types.go

@@ -65,10 +65,17 @@ type ServiceDest struct {
 	// The source (entry) port of a service.
 	// Useful only when specifying multiple destinations of a single service.
 	SrcPort int
+	// The source (entry) port of a https service.
+	// Useful only when specifying multiple destinations of a single service.
+	SrcHttpsPort int
 	// Internal use only. Do not modify.
 	SrcPortAcl string
 	// Internal use only. Do not modify.
 	SrcPortAclName string
+	// Internal use only. Do not modify.
+	SrcHttpsPortAcl string
+	// Internal use only. Do not modify.
+	SrcHttpsPortAclName string
 	// If set to true, server certificates are not verified. This flag should be set for SSL enabled backend services.
 	SslVerifyNone bool
 	// The server timeout in seconds
@@ -91,6 +98,8 @@ type ServiceDest struct {
 	ReqPathSearchReplaceFormatted []string
 	// Internal use only
 	IncludeSrcPortACL bool
+	// Internal use only
+	IncludeSrcHttpsPortACL bool
 }
 
 // UserAgent holds data used to generate proxy configuration. It is extracted as a separate struct since each user agent needs an ACL identifier. If specified, only requests with the same agent will be forwarded to the backend.
@@ -407,6 +416,7 @@ func getServiceDest(sr *Service, provider ServiceParameterProvider, index int) S
 		reqMode = "http"
 	}
 	srcPort, _ := strconv.Atoi(getFromString(provider, "srcPort", suffix))
+	srcHttpsPort, _ := strconv.Atoi(getFromString(provider, "srcHttpsPort", suffix))
 	httpsPort, _ := strconv.Atoi(getFromString(provider, "httpsPort", suffix))
 	headerString := getFromString(provider, "serviceHeader", suffix)
 	header := map[string]string{}
@@ -460,6 +470,7 @@ func getServiceDest(sr *Service, provider ServiceParameterProvider, index int) S
 		ServicePath:                   getSliceFromString(provider, "servicePath", suffix),
 		ServicePathExclude:            getSliceFromString(provider, "servicePathExclude", suffix),
 		SrcPort:                       srcPort,
+		SrcHttpsPort:                  srcHttpsPort,
 		SslVerifyNone:                 getBoolParam(provider, "sslVerifyNone", suffix),
 		TimeoutClient:                 getFromString(provider, "timeoutClient", suffix),
 		TimeoutServer:                 getFromString(provider, "timeoutServer", suffix),

server/server.go

@@ -245,6 +245,7 @@ func (m *serve) getServiceFromEnvVars(prefix string) (proxy.Service, error) {
 	path := getSliceFromString(os.Getenv(prefix + "_SERVICE_PATH"))
 	port := os.Getenv(prefix + "_PORT")
 	srcPort, _ := strconv.Atoi(os.Getenv(prefix + "_SRC_PORT"))
+	srcHttpsPort, _ := strconv.Atoi(os.Getenv(prefix + "_SRC_HTTPS_PORT"))
 	reqMode := os.Getenv(prefix + "_REQ_MODE")
 	domain := getSliceFromString(os.Getenv(prefix + "_SERVICE_DOMAIN"))
 	// TODO: Remove.
@@ -296,6 +297,7 @@ func (m *serve) getServiceFromEnvVars(prefix string) (proxy.Service, error) {
 				ServicePath:                   path,
 				ServicePathExclude:            servicePathExclude,
 				SrcPort:                       srcPort,
+				SrcHttpsPort:                  srcHttpsPort,
 				SslVerifyNone:                 sslVerifyNone,
 				TimeoutServer:                 timeoutServer,
 				TimeoutTunnel:                 timeoutTunnel,
@@ -322,6 +324,7 @@ func (m *serve) getServiceFromEnvVars(prefix string) (proxy.Service, error) {
 			reqMode = "http"
 		}
 		srcPort, _ := strconv.Atoi(os.Getenv(fmt.Sprintf("%s_SRC_PORT_%d", prefix, i)))
+		srcHttpsPort, _ := strconv.Atoi(os.Getenv(fmt.Sprintf("%s_SRC_HTTPS_PORT_%d", prefix, i)))
 		allowedMethods := getSliceFromString(os.Getenv(fmt.Sprintf("%s_ALLOWED_METHODS_%d", prefix, i)))
 		deniedMethods := getSliceFromString(os.Getenv(fmt.Sprintf("%s_DENIED_METHODS_%d", prefix, i)))
 		redirectFromDomain := getSliceFromString(os.Getenv(fmt.Sprintf("%s_REDIRECT_FROM_DOMAIN_%d", prefix, i)))
@@ -350,6 +353,7 @@ func (m *serve) getServiceFromEnvVars(prefix string) (proxy.Service, error) {
 					ReqPathSearchReplaceFormatted: reqPathSearchReplaceFormatted,
 					ServiceDomain:                 domain,
 					SrcPort:                       srcPort,
+					SrcHttpsPort:                  srcHttpsPort,
 					ServicePath:                   path,
 					ServicePathExclude:            servicePathExclude,
 					TimeoutServer:                 timeoutServer,