-
Notifications
You must be signed in to change notification settings - Fork 7
/
start-haproxy.sh
173 lines (147 loc) · 5.69 KB
/
start-haproxy.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
#!/bin/bash
set -e
echo "=> Configuring Haproxy"
cp -v /etc/haproxy/haproxy.cfg.template /etc/haproxy/haproxy.cfg
sed -i -e "s/<--MODE-->/${MODE}/g" /etc/haproxy/haproxy.cfg
sed -i -e "s/<--RETRIES-->/${RETRIES:-3}/g" /etc/haproxy/haproxy.cfg
# check if we have server certificate
if [ "${CERTIFICATE}" != "" ]; then
# check if we have server ca
if [ "${CA}" != "" ]; then
echo " bind *:${LISTENPORT} ssl crt /usr/local/etc/haproxy/certs/${CERTIFICATE} /usr/local/etc/haproxy/certs/${CA} verify ${VERIFY}" >> /etc/haproxy/haproxy.cfg
else
echo " bind *:${LISTENPORT} ssl crt /usr/local/etc/haproxy/certs/${CERTIFICATE}" >> /etc/haproxy/haproxy.cfg
fi
else
echo " bind *:${LISTENPORT}" >> /etc/haproxy/haproxy.cfg
fi
# remove headers that expose security-sensitive information
if [ "${MODE}" == "http" ]; then
echo " # remove backend headers" >> /etc/haproxy/haproxy.cfg
echo " rspidel ^Server:.*$" >> /etc/haproxy/haproxy.cfg
echo " rspidel ^X-Powered-By:.*$" >> /etc/haproxy/haproxy.cfg
echo " rspidel ^X-AspNet-Version:.*$" >> /etc/haproxy/haproxy.cfg
echo "" >> /etc/haproxy/haproxy.cfg
fi
# add custom log format
if [ "${LOGFORMAT}" != "" ]; then
echo " # add custom log format" >> /etc/haproxy/haproxy.cfg
echo " log-format \"${LOGFORMAT}\"" >> /etc/haproxy/haproxy.cfg
echo "" >> /etc/haproxy/haproxy.cfg
unset LOGFORMAT
fi
# check if we have default backend
if [ "${DEFAULT}" != "" ]; then
echo "" >> /etc/haproxy/haproxy.cfg
echo " default_backend ${DEFAULT}" >> /etc/haproxy/haproxy.cfg
echo "" >> /etc/haproxy/haproxy.cfg
unset DEFAULT
fi
# generate acl rules
for BACKEND in $( env |grep BACKEND_ |sort |awk 'match($0, /BACKEND_[0-9]+/) { print substr( $0, RSTART, RLENGTH )}' |uniq )
do
ACL=$( env |grep ${BACKEND} |grep ACL |sed 's/^[^=]*=//' )
if [ "${ACL}" != "" ]; then
echo " acl is_${BACKEND} ${ACL}" >> /etc/haproxy/haproxy.cfg
echo " use_backend ${BACKEND} if is_${BACKEND}" >> /etc/haproxy/haproxy.cfg
echo "" >> /etc/haproxy/haproxy.cfg
fi
done
for BACKEND in $( env |grep BACKEND_ |sort |awk 'match($0, /BACKEND_[0-9]+/) { print substr( $0, RSTART, RLENGTH )}' |uniq )
do
echo "backend ${BACKEND}" >> /etc/haproxy/haproxy.cfg
unset ADDRESS PORT CERTIFICATE OVERRIDE_HOST SSL
for ELEMENT in $( env |grep ${BACKEND} |sort )
do
case "$ELEMENT" in
*ADDRESS*)
ADDRESS=$( echo $ELEMENT |sed 's/^[^=]*=//' )
;;
*PORT*)
PORT=$( echo $ELEMENT |sed 's/^[^=]*=//' )
;;
*CERTIFICATE*)
CERTIFICATE=$( echo $ELEMENT |sed 's/^[^=]*=//' )
;;
*OVERRIDE_HOST*)
OVERRIDE_HOST=$( echo $ELEMENT |sed 's/^[^=]*=//' )
;;
*SSL*)
SSL=$( echo $ELEMENT |sed 's/^[^=]*=//' )
;;
esac
done
# check if cert was provided
CERT_PATH="/usr/local/etc/haproxy/certs/${CERTIFICATE}"
if [ "$CERTIFICATE" != "" ]; then
CERT="crt ${CERT_PATH}"
else
unset CERT CERTIFICATE
fi
if [ "${SSL}" == "true" ] || [ "$CERTIFICATE" != "" ]; then
PARAMS="ssl verify none"
else
unset PARAMS
fi
if [ "$( env |grep RESOLVER_ | wc -l )" != "0" ]; then
DNS="resolvers docker resolve-prefer ipv4"
fi
# # health checking
# if [ "${MODE}" == "tcp" ]; then
# echo " option tcp-check" >> /etc/haproxy/haproxy.cfg
# elif [ "${SSL}" == "true" ] || [ "$CERTIFICATE" != "" ]; then
# echo " option ssl-hello-chk" >> /etc/haproxy/haproxy.cfg
# else
# echo " option httpchk" >> /etc/haproxy/haproxy.cfg
# fi
# echo " # test each 3 secs - down after 3 fails, up after 2 checks" >> /etc/haproxy/haproxy.cfg
# echo " default-server inter 3s fall 3 rise 2" >> /etc/haproxy/haproxy.cfg
# generate reqrep rules
REQREP1=$( env |grep ${BACKEND} |grep REQREP_1 |sed 's/^[^=]*=//' )
if [ "${REQREP1}" != "" ]; then
echo " ${REQREP1}" >> /etc/haproxy/haproxy.cfg
fi
REQREP2=$( env |grep ${BACKEND} |grep REQREP_2 |sed 's/^[^=]*=//' )
if [ "${REQREP2}" != "" ]; then
echo " ${REQREP2}" >> /etc/haproxy/haproxy.cfg
fi
REQREP3=$( env |grep ${BACKEND} |grep REQREP_3 |sed 's/^[^=]*=//' )
if [ "${REQREP3}" != "" ]; then
echo " ${REQREP3}" >> /etc/haproxy/haproxy.cfg
fi
# override host header
if [ "${OVERRIDE_HOST}" != "" ]; then
echo " reqirep ^Host: Host:\ ${OVERRIDE_HOST}" >> /etc/haproxy/haproxy.cfg
fi
echo " server ${BACKEND} ${ADDRESS}:${PORT} check ${PARAMS} ${CERT} ${DNS}" >> /etc/haproxy/haproxy.cfg
echo "" >> /etc/haproxy/haproxy.cfg
done
if [ "$( env |grep RESOLVER_ | wc -l )" != "0" ]; then
echo "resolvers docker" >> /etc/haproxy/haproxy.cfg
for RESOLVER in $( env |grep RESOLVER_ |sort |awk 'match($0, /RESOLVER_[0-9]+/) { print substr( $0, RSTART, RLENGTH )}' |uniq )
do
for ELEMENT in $( env |grep ${RESOLVER} |sort )
do
case "$ELEMENT" in
*VALUE*)
VALUE=$( echo $ELEMENT |sed 's/^[^=]*=//' )
;;
esac
done
echo " nameserver ${RESOLVER} ${VALUE}" >> /etc/haproxy/haproxy.cfg
done
echo " resolve_retries 3" >> /etc/haproxy/haproxy.cfg
echo " timeout retry 1s" >> /etc/haproxy/haproxy.cfg
echo " hold valid 10s" >> /etc/haproxy/haproxy.cfg
echo "" >> /etc/haproxy/haproxy.cfg
fi
# should we enable logging
if [ "${LOGGING}" == "enabled" ]; then
(rsyslogd -n &)
fi
# should we pring config
if [ "${PRINT_CONFIG}" == "enabled" ]; then
env | grep BACKEND_ | sort
cat /etc/haproxy/haproxy.cfg
fi
exec haproxy -db -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid