adapt docker swarm proxy setup

docker/docker-swarm.yaml

@@ -8,7 +8,6 @@ services:
       - source: mytoken_config
         target: /etc/mytoken/config.yaml
     volumes:
-      - ${MYTOKEN_CERTCHAIN}:/mytoken/certchain.pem:ro
       - ${MYTOKEN_GEOIPDB}:/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN:ro
       - ${MYTOKEN_LOGS_DIR}:/mytoken/logs
     secrets:
@@ -17,25 +16,13 @@ services:
       - ssh_host_ed25519_key
       - ssh_host_rsa_key
       - db_password
-      - cert
     networks:
       - frontend
       - backend
-    ports:
-      - target: 80
-        published: 80
-        mode: host
-      - target: 443
-        published: 443
-        mode: host
-      - target: 2222
-        published: 2222
-        mode: host
-    #    environment:
-    #      - WAIT_FOR_NODES=db:3306
+      - proxy
     deploy:
       mode: replicated
-      #      replicas: 3
+      replicas: 2
       placement:
         max_replicas_per_node: 1
       restart_policy:
@@ -111,7 +98,7 @@ services:
       - db_replication_password
     deploy:
       mode: replicated
-      #      replicas: 3
+      replicas: 2
       placement:
         max_replicas_per_node: 1
       restart_policy:
@@ -128,7 +115,43 @@ services:
       interval: 15s
       timeout: 5s
       retries: 6
-    command: ["/opt/bitnami/scripts/mariadb-galera/entrypoint.sh", "/opt/bitnami/scripts/mariadb-galera/run.sh"]
+    command: [ "/opt/bitnami/scripts/mariadb-galera/entrypoint.sh", "/opt/bitnami/scripts/mariadb-galera/run.sh" ]
+
+  proxy:
+    image: haproxy
+    sysctls:
+      - net.ipv4.ip_unprivileged_port_start=0
+    configs:
+      - source: haproxy_config
+        target: /usr/local/etc/haproxy/haproxy.cfg
+    secrets:
+      - cert_full
+    networks:
+      - proxy
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host
+    deploy:
+      mode: replicated
+      replicas: 2
+      placement:
+        max_replicas_per_node: 1
+      restart_policy:
+        condition: any
+        delay: 10s
+        window: 60s
+      rollback_config:
+        parallelism: 1
+        delay: 15s
+      update_config:
+        parallelism: 1
+        delay: 30s
+        monitor: 15s
+        failure_action: rollback
 
   migrate:
     image: oidcmytoken/mytoken-migratedb
@@ -166,14 +189,21 @@ services:
 networks:
   frontend:
   backend:
+  proxy:
 
 configs:
   mytoken_config:
     file: ${MYTOKEN_CONFIG_FILE}
+  haproxy_config:
+    file: ${HAPROXY_CONFIG_FILE}
 
 secrets:
-  cert:
-    file: ${SECRET_CERT}
+  cert_key:
+    file: ${SECRET_CERT_KEY}
+  cert_chain:
+    file: ${CERT_CHAIN}
+  cert_full:
+    file: ${SECRET_CERT_FULL}
   mytoken_signing_key:
     file: ${SECRET_MYTOKEN_SIGNING_KEY}
   db_password:

docker/example-.env

@@ -6,9 +6,10 @@ DB_DATA_DIR=/home/mytoken/mytoken/db
 MYTOKEN_CONFIG_FILE=/home/mytoken/mytoken/config.yaml
 MYTOKEN_GEOIPDB=/home/mytoken/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN
 MYTOKEN_LOGS_DIR=/home/mytoken/mytoken/logs
-MYTOKEN_CERTCHAIN=/home/mytoken/mytoken/certchain.pem
 
-SECRET_CERT=/home/mytoken/mytoken/cert.key.pem
+CERT_CHAIN=/home/mytoken/mytoken/certchain.pem
+SECRET_CERT_KEY=/home/mytoken/mytoken/cert.key.pem
+SECRET_CERT_FULL=/home/mytoken/mytoken/cert.full.pem
 SECRET_MYTOKEN_SIGNING_KEY=/home/mytoken/mytoken/mytoken.signing.key
 SECRET_SSH_HOST_ECDSA_KEY=/home/mytoken/mytoken/ssh_host_ecdsa_key
 SECRET_SSH_HOST_ED25519_KEY=/home/mytoken/mytoken/ssh_host_ed25519_key

docker/example-docker-config.yaml

@@ -21,11 +21,11 @@ server:
     # Unless false port 80 is redirected to 443
     redirect_http: true
     # The TLS certificate file
-    cert: /mytoken/certchain.pem
+    #cert: /mytoken/certchain.pem
     # The TLS certificate key file
-    key: /run/secrets/cert
+    #key: /run/secrets/cert
   # If behind a load balancer or reverse proxy, set this option. Mytoken will read the client's ip address from this header.
-  #  proxy_header: "X-FORWARDED-FOR"
+  proxy_header: "X-FORWARDED-FOR"
   # Configure the request limits (these are per IP)
   request_limits:
     # Unless false request limits are enabled
@@ -177,7 +177,7 @@ features:
     enabled: true
     # If true the haproxy proxy protocl (https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt) is used to
     # receive client information, i.e. the client's ip from the proxy; the proxy must support this
-    use_proxy_protocol: false
+    use_proxy_protocol: true
     # The ssh private key files of the server
     keys:
       - /run/secrets/ssh_host_ecdsa_key

docker/haproxy/example-haproxy.cfg

@@ -34,7 +34,7 @@ defaults
 
 frontend fe_mytoken
     mode    http
-    bind    :443 ssl crt /run/secrets/cert alpn h2,http/1.1
+    bind    :443 ssl crt /run/secrets/cert_full alpn h2,http/1.1
     bind    :80
     redirect scheme https code 301 if !{ ssl_fc }
     http-response set-header Strict-Transport-Security max-age=63072000
@@ -52,18 +52,12 @@ frontend fe_mytoken_ssh
     tcp-request content accept if { req_ssl_hello_type 1 }
 
 backend be_mytoken
-    balance roundrobin
     option forwardfor
-    server mytoken_1 mytoken_1:80 check resolvers docker init-addr libc,none
-    server mytoken_2 mytoken_2:80 check resolvers docker init-addr libc,none
-    server mytoken_3 mytoken_3:80 check resolvers docker init-addr libc,none
+    server mytoken mytoken:80 check resolvers docker init-addr libc,none
 
 backend be_mytoken_ssh
     mode tcp
-    balance roundrobin
-    server mytoken_ssh_1 mytoken_1:2222 check resolvers docker init-addr libc,none send-proxy
-    server mytoken_ssh_2 mytoken_2:2222 check resolvers docker init-addr libc,none send-proxy
-    server mytoken_ssh_3 mytoken_3:2222 check resolvers docker init-addr libc,none send-proxy
+    server mytoken_ssh mytoken:2222 check resolvers docker init-addr libc,none send-proxy
 
 frontend stat
     bind :8888