Update haproxy dockerfile for newer lua and fix ca-certificate installation

Add verify_none option in server registration (for development testing of SSL backends)
2025-05-09 02:05:37 +00:00 · 2025-03-16 22:49:00 +11:00
parent fdbd19ba30
commit 842df64c5e
6 changed files with 29 additions and 14 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -27,7 +27,8 @@ services:
      - HAPROXY_CONTINENT=OC
      - HCAPTCHA_SITEKEY=20000000-ffff-ffff-ffff-000000000002
      - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
-      # - VERIFY_BACKEND_SSL=1
+      - VERIFY_BACKEND_SSL_VERIFYNONE=1
+      - VERIFY_BACKEND_SSL=1
      #- RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
      #- RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
      - CAPTCHA_COOKIE_SECRET=changeme
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@ -5,7 +5,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #

-FROM debian:buster-slim
+FROM debian:bookworm-slim

 # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
 RUN set -eux; \
@ -25,11 +25,11 @@ ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/downlo
 RUN set -eux; \
 	\
 	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update && apt-get install -y --no-install-recommends \
+	apt update -yq && apt-get install -y --no-install-recommends \
 		ca-certificates \
 		gcc \
 		libc6-dev \
-		liblua5.3-dev \
+		liblua5.4-dev \
 		libpcre2-dev \
 		libssl-dev \
 		make \
@ -37,7 +37,9 @@ RUN set -eux; \
 		zlib1g-dev \
 		luarocks \
 	; \
+	update-ca-certificates; \
 	rm -rf /var/lib/apt/lists/*; \
+	chmod 777 /etc/ssl/certs/ca-certificates.crt; \
 #	\
 #	wget -O dataplaneapi_Linux_x86_64.tar.gz "$DATAPLANEAPI_URL"; \
 #	tar -zxvf dataplaneapi_Linux_x86_64.tar.gz; \
@ -53,7 +55,7 @@ RUN set -eux; \
 	makeOpts=' \
 		TARGET=linux-glibc \
 		USE_GETADDRINFO=1 \
-		USE_LUA=1 LUA_INC=/usr/include/lua5.3 \
+		USE_LUA=1 LUA_INC=/usr/include/lua5.4 \
 		USE_OPENSSL=1 \
 		USE_PCRE2=1 USE_PCRE2_JIT=1 \
 		USE_ZLIB=1 \
@ -82,7 +84,7 @@ RUN set -eux; \
 		| sort -u \
 		| xargs -r apt-mark manual \
 	; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	# apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 # smoke test
 	haproxy -v
@ -92,13 +94,19 @@ RUN set -eux; \
 # "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
 # "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
 STOPSIGNAL SIGUSR1
-
+RUN update-ca-certificates
+RUN chmod 777 /etc/ssl/certs/ca-certificates.crt
 ADD haproxy/dataplaneapi.yml /etc/haproxy/dataplaneapi.yml
 ADD haproxy/docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-RUN apt update && apt install -y git lua5.3 liblua5.3-dev argon2 libargon2-dev luarocks
+RUN lua -v
+RUN apt update && apt install -y git lua5.4 liblua5.4-dev argon2 libargon2-dev luarocks
 RUN git config --global url."https://".insteadOf git://
 RUN luarocks install argon2
+RUN luarocks install --lua-version 5.4 argon2
+RUN luarocks install --lua-version 5.4 argon2 ARGON2_DIR=/usr ARGON2_LIBDIR=/usr/lib/x86_64-linux-gnu
+
+
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

 # no USER for backwards compatibility (to try to avoid breaking existing users)
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@ -169,6 +169,7 @@ backend haproxy-to-varnish-cache

 backend servers
 	balance roundrobin
+	default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)
 	use-server %[lua.get_server_names] if TRUE

 backend bot_check_post_throttle
--- a/haproxy/map/hosts.map
+++ b/haproxy/map/hosts.map
@ -1,2 +0,0 @@
-localhost 127.0.0.1:1082|XX
-localhost 127.0.0.1:1083|XX
--- a/src/lua/scripts/register-servers.lua
+++ b/src/lua/scripts/register-servers.lua
@ -19,6 +19,7 @@ function setup_servers()
 	local handle = io.open("/etc/haproxy/map/hosts.map", "r")
 	local line = handle:read("*line")
 	local verify_backend_ssl = os.getenv("VERIFY_BACKEND_SSL")
+	local verify_none = os.getenv("VERIFY_BACKEND_SSL_VERIFYNONE")
 	local counter = 1
 	-- NOTE: using tcp socket to interact with runtime API because lua can't add servers
 	local tcp = core.tcp();
@ -40,9 +41,15 @@ function setup_servers()
 		local server_name = "servers/websrv" .. counter
 		--NOTE: if you have a proper CA setup,
 		if verify_backend_ssl ~= nil then
-			tcp:send(string.format(
-				"add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host);",
-				server_name, backend_host))
+			if verify_none ~= nil then -- for development use only
+				tcp:send(string.format(
+					"add server %s %s check ssl verify none ca-file ca-certificates.crt sni req.hdr(Host);",
+					server_name, backend_host))
+			else
+				tcp:send(string.format(
+					"add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host);",
+					server_name, backend_host))
+			end
 		else
 			tcp:send(string.format("add server %s %s;", server_name, backend_host))
 		end
--- a/src/lua/scripts/templates.lua
+++ b/src/lua/scripts/templates.lua
@ -49,7 +49,7 @@ _M.body = string.format([[
 			%%s
 		</noscript>
 		<div class="powstatus"></div>
-		<canvas id="canvas" width="250" height="40"></canvas>
+		<!-- <canvas id="canvas" width="250" height="40"></canvas> -->
 		<footer>
 			<p>Node: <code>%%s</code></p>
 			<p>%%s</p>