Merge branch 'add_X-Forwarded-For_header' into 'master'

Add x forwarded for header See merge request !3
2016-12-30 10:46:17 +01:00 · 2016-12-30 10:46:17 +01:00 · 2daf41afdc
parent 6a5d02cc41 810436a2f5
commit 2daf41afdc
4 changed files with 27 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ This image translates between plain http and https using HAProxy.
    +---+                         |          +------------+-+             +-------------+
 --->+ 80|                         |          |              |             |             |
    +---+                         |      +---+ docker nginx |        +----+             |
-        |                         +----->+ 80|  auto proxy  +-------->  80|  Wordpress  |
+        |    SSL Proxy            +----->+ 80|  auto proxy  +-------->  80|  Wordpress  |
    +---+                         |      +---+              |        +----+             |
 --->+443|                         |          |              |             |             |
    +---+                         |          +--+---------+-+             +-------------+
--- a/haproxy.conf
+++ b/haproxy.conf
@ -23,6 +23,10 @@ defaults

 frontend http
        bind *:80
+
+        # add X-Forwarded-For Header to request
+        http-request add-header X-Forwarded-For %[src]
+        
        reqadd X-Forwarded-Proto:\ http
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
--- a/haproxy_ssl.conf
+++ b/haproxy_ssl.conf
@ -23,17 +23,30 @@ defaults

 frontend http
        bind *:80
+
+        # add X-Forwarded-For Header to request
+        http-request add-header X-Forwarded-For %[src]
+
        reqadd X-Forwarded-Proto:\ http
-        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+
        redirect scheme https code 301 if !{ ssl_fc }
+
+        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
+
        default_backend www-backend

 frontend https
        bind *:443 ssl crt /data/haproxy/cert.pem
+
+        # add X-Forwarded-For Header to request
+        http-request add-header X-Forwarded-For %[src]
+
        reqadd X-Forwarded-Proto:\ https
+
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
+
        default_backend www-backend

 backend www-backend
--- a/start.py
+++ b/start.py
@ -122,12 +122,20 @@ def create_haproxy_cert():
    logging.info('using %s as base dir', youngest_directory)

    # read fullchain.pem and privkey.pem
+    if not os.path.exists(youngest_directory + '/fullchain.pem') or not os.path.exists(youngest_directory + '/privkey.pem'):
+        logging.info('either fullchain.pem or privkey.pem is missing.')
+        return
+
    fullchain = read_file(youngest_directory + '/fullchain.pem')
    privkey = read_file(youngest_directory + '/privkey.pem')
    write_file(cert_file, fullchain + privkey)
    logging.info('file written')

 def create_cert_data_standalone(domains):
+    if len(domains) == 0:
+        logging.info('no domains for SSL found.')
+        return
+
    domains = " -d ".join(domains)

    # we should use tls-sni-01 if ssl is already running!