#92 Add HAProxy as a private gateway #96

Merged
merged 3 commits into from
Jan 24, 2025
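--- a/backend/haproxy/Dockerfile
+++ b/backend/haproxy/Dockerfile
@@ -0,0 +1,6 @@
+FROM haproxy:latest
+
+COPY ./config/itmo-dating-backend.pem /usr/local/etc/haproxy/itmo-dating-backend.pem
+COPY ./config/itmo-dating-backend-ca.crt /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+COPY ./config/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg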
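Review bot: The `COPY ./config/itmo-dating-backend.pem …` line bakes a file that keys.bash builds by concatenating the certificate and the private key into an image layer, so the private key ships with the image (compose.yml tags it ghcr.io/secs-dev/itmo-dating-haproxy:latest) and cannot be rotated without a rebuild. Mount the key material at runtime instead — a compose `secrets:` or volume entry targeting /usr/local/etc/haproxy/ — and keep only haproxy.cfg in the image. `FROM haproxy:latest` should also be pinned, e.g. `FROM haproxy:<pinned-version>` with the tag chosen at review time, so the TLS-terminating proxy does not change silently between builds.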
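--- a/backend/haproxy/config/haproxy.cfg
+++ b/backend/haproxy/config/haproxy.cfg
@@ -0,0 +1,55 @@
+global
+log stdout format raw local0 debug
+
+defaults
+log global
+option httplog
+option dontlognull
+option logasap
+mode http
+
+timeout client 10s
+timeout connect 5s
+timeout server 10s
+timeout http-request 10s
+
+default-server check inter 10s fall 2 rise 1
+
+frontend internal
+bind :8445 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+bind :8446 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+bind :8455 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+bind :8456 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+bind :8457 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+
+use_backend vault if { dst_port 8445 }
+use_backend consul if { dst_port 8446 }
+use_backend authik if { dst_port 8455 }
+use_backend matchmaker if { dst_port 8456 }
+use_backend people if { dst_port 8457 }
+
+backend vault
+option httpchk GET /v1/sys/health?standbycode=200&sealedcode=200&uninitcode=200&drsecondarycode=200&performancestandbycode=200
+server vault vault.dating.se.ifmo.ru:8200 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+backend consul
+option httpchk GET /ui
+server consul server.dc1.consul:8500 check init-addr last,libc,none
+
+backend authik
+balance roundrobin
+option httpchk GET /actuator/health
+server authik-0 authik-0.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+server authik-1 authik-1.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+backend matchmaker
+balance roundrobin
+option httpchk GET /actuator/health
+server matchmaker-0 matchmaker-0.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+server matchmaker-1 matchmaker-1.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+backend people
+balance roundrobin
+option httpchk GET /actuator/health
+server people-0 people-0.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+server people-1 people-1.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt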
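Review bot: The consul backend forwards to server.dc1.consul:8500 in cleartext while the vault and application backends all carry `ssl verify required ca-file …`, so the TLS terminated at `frontend internal` protects only part of that path. If Consul serves TLS (compose.yml previously exposed 8501 next to 8500, which suggests it may), point the server line at that port with the same `ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt` options; otherwise add a comment on that line saying why plaintext on the compose network is acceptable. The bind lines also inherit HAProxy's default minimum TLS version; `ssl-default-bind-options ssl-min-ver TLSv1.2` in the global section makes the floor explicit. The vault httpchk query reports sealed and uninitialised states as healthy, which is presumably deliberate so the proxy stays reachable for unsealing — a comment stating that intent would stop a later reader from "fixing" it.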
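--- a/backend/script/crypto/keys.bash
+++ b/backend/script/crypto/keys.bash
@@ -18,6 +18,7 @@
 GATEWAY_INSTALL_PATH="gateway/$INTERNAL_INSTALL_PATH"
 CONSUL_INSTALL_PATH="consul/config"
 VAULT_INSTALL_PATH="vault/config"
+HAPROXY_INSTALL_PATH="haproxy/config"
 
 function generate() {
 echo "Phase: Generate"
@@ -74,8 +75,11 @@ function generate() {
 -destkeystore "$ALIAS_BACKEND.jks" \
 -deststorepass "$PASSWORD"
 
-echo "Copying PKCS12 as external certificate"
+echo "Copying PKCS12 as external certificate..."
 cp "$ALIAS_BACKEND.p12" "$ALIAS_EXTERNAL.p12"
+
+echo "Creating unified .pem..."
+cat "$ALIAS_BACKEND.crt" "$ALIAS_BACKEND.key" > "$ALIAS_BACKEND.pem"
 }
 
 function copy() {
@@ -107,6 +111,10 @@ function distribute() {
 copy "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.key"
 copy "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.crt"
 copy "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
+
+echo "Copying keys to the HAProxy..."
+copy "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND.pem"
+copy "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 }
 
 function remove() {
@@ -126,19 +134,23 @@ function clear() {
 echo "Removing package from the starter-service-discovery..."
 remove "$STARTER_SERVICE_DISCOVERY_INSTALL_PATH" "$ALIAS_BACKEND.jks"
 
-echo "Removing package from the gateway..."
+echo "Removing package from the Gateway..."
 remove "$GATEWAY_INSTALL_PATH" "$ALIAS_EXTERNAL.p12"
 
-echo "Removing keys from the consul..."
+echo "Removing keys from the Consul..."
 remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.key"
 remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.crt"
 remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 
-echo "Removing keys from the vault..."
+echo "Removing keys from the Vault..."
 remove "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.key"
 remove "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.crt"
 remove "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
+
+echo "Removing keys from the HAProxy..."
+remove "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND.pem"
+remove "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 
 echo "Removing local outputs..."
 rm -rf "$ALIAS_BACKEND.crt"
 rm -rf "$ALIAS_BACKEND.csr"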
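Review bot: The new `cat "$ALIAS_BACKEND.crt" "$ALIAS_BACKEND.key" > "$ALIAS_BACKEND.pem"` in generate() writes the private key into a file created under the caller's default umask, which on most systems leaves it group- and world-readable. Create it with a restrictive mode instead, e.g. `(umask 077; cat "$ALIAS_BACKEND.crt" "$ALIAS_BACKEND.key" > "$ALIAS_BACKEND.pem")`, and confirm that copy() (its body is outside the hunks) does not widen the mode when it places the file under haproxy/config. The "Removing local outputs..." list at the end of clear() is cut off by the hunk, so also confirm the local .pem is removed there next to the .crt and .csr. generate(), distribute() and clear() each start or end outside the hunks shown.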
@@ -1,3 +1,6 @@
client:
ssl:
key-store-password: testing-keystore-password
server:
ssl:
key-store-password: testing-keystore-password
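--- a/backend/starter-tls/src/main/resources/application-tls.yml
+++ b/backend/starter-tls/src/main/resources/application-tls.yml
@@ -10,5 +10,5 @@ client:
 ssl:
 key-store-type: PKCS12
 key-store: classpath:keystore/itmo-dating-backend.p12
-key-store-password: ${server.ssl.key-store-password}
+key-store-password: ${ITMO_DATING_KEY_STORE_PASSWORD}
 protocol: TLSv1.3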
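--- a/compose.yml
+++ b/compose.yml
@@ -8,8 +8,6 @@ services:
 ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
 tty: true
 hostname: authik-0.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:18000:8080"
 depends_on:
 database:
 condition: service_healthy
@@ -21,8 +19,6 @@ services:
 extends:
 service: authik-0
 hostname: authik-1.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:18001:8080"
 profiles:
 - reliability
 matchmaker-0:
@@ -34,8 +30,6 @@ services:
 ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
 tty: true
 hostname: matchmaker-0.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:18010:8080"
 depends_on:
 database:
 condition: service_healthy
@@ -45,8 +39,6 @@ services:
 extends:
 service: matchmaker-0
 hostname: matchmaker-1.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:18011:8080"
 profiles:
 - reliability
 people-0:
@@ -58,8 +50,6 @@ services:
 ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
 tty: true
 hostname: people-0.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:18020:8080"
 depends_on:
 database:
 condition: service_healthy
@@ -71,8 +61,6 @@ services:
 extends:
 service: people-0
 hostname: people-1.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:18021:8080"
 profiles:
 - reliability
 object-storage:
@@ -93,8 +81,6 @@ services:
 timeout: 5s
 retries: 5
 hostname: object-storage.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:9001:9001"
 database:
 image: postgres
 environment:
@@ -115,9 +101,10 @@ services:
 build:
 context: ./backend/gateway
 environment:
-ITMO_DATING_EXT_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
+ITMO_DATING_EXT_KEY_STORE_PASSWORD: ${ITMO_DATING_EXT_KEY_STORE_PASSWORD?:err}
+ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
 tty: true
 hostname: gateway.dating.se.ifmo.ru
 ports:
 - "444:8080"
 config:
@@ -128,8 +115,6 @@ services:
 ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
 tty: true
 hostname: config.dating.se.ifmo.ru
-ports:
-- "127.0.0.1:445:8080"
 depends_on:
 vault:
 condition: service_started
@@ -143,17 +128,24 @@ services:
 - consul-data:/opt/consul/data
 tty: true
 hostname: server.dc1.consul
-ports:
-- "127.0.0.1:8500:8500"
-- "127.0.0.1:8501:8501"
 vault:
 image: ghcr.io/secs-dev/itmo-dating-vault:latest
 build:
 context: ./backend/vault
 tty: true
 hostname: vault.dating.se.ifmo.ru
+haproxy:
+image: ghcr.io/secs-dev/itmo-dating-haproxy:latest
+build:
+context: ./backend/haproxy
+tty: true
+hostname: haproxy.dating.se.ifmo.ru
 ports:
-- "127.0.0.1:8200:8200"
+- "127.0.0.1:8445:8445"
+- "127.0.0.1:8446:8446"
+- "127.0.0.1:8455:8455"
+- "127.0.0.1:8456:8456"
+- "127.0.0.1:8457:8457"
 tg-miniapp:
 image: ghcr.io/secs-dev/itmo-dating-tg-miniapp:latest
 build: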
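Review bot: The new gateway line `ITMO_DATING_EXT_KEY_STORE_PASSWORD: ${ITMO_DATING_EXT_KEY_STORE_PASSWORD?:err}` uses the `?:err` form, which only fails when the variable is unset (and prints the message ":err") while an empty string is accepted as the keystore password; `${ITMO_DATING_EXT_KEY_STORE_PASSWORD:?ITMO_DATING_EXT_KEY_STORE_PASSWORD must be set}` rejects both unset and empty with a readable message. The same pattern sits on the pre-existing ITMO_DATING_KEY_STORE_PASSWORD lines, so it is worth correcting file-wide in one pass. The new haproxy service binds all five published ports to 127.0.0.1, which is what keeps the "private" frontend off external interfaces, since haproxy.cfg itself performs no client authentication on those binds; a comment on the haproxy block stating that the loopback binding is the access control would keep a later edit from quietly opening it.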