Test with http3 quic and updated dockerfile with haproxy 2.8

docker-compose.yml

@@ -5,12 +5,14 @@ services:
     network_mode: host
     ports:
       - 80:80
+      - 443:80
       - 2001:2001 #dataplaneapi
     build:
       context: ./
       dockerfile: haproxy/Dockerfile
     volumes:
       - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
+      - ./haproxy/haproxy.pem:/etc/haproxy/certs/haproxy.pem
       - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl
       - ./haproxy/errors/:/etc/haproxy/errors/
       - ./haproxy/map/:/etc/haproxy/map/
@@ -39,12 +41,12 @@ services:
       - POW_TYPE=argon2
       - TOR_CONTROL_PORT_PASSWORD=changeme
 
-  # nginx:
+  nginx:
-    # ports:
+    ports:
-      # - 81:80
+      - 81:80
-    # image: "nginx:latest"
+    image: "nginx:latest"
-    # volumes:
+    volumes:
-      # - ./nginx:/usr/share/nginx/html
+      - ./nginx:/usr/share/nginx/html
 
 #  tor:
 #    build:

haproxy/Dockerfile

@@ -1,96 +1,89 @@
+FROM golang:latest AS dataplaneapi-builder
 
-#
+ENV DATAPLANE_MINOR 2.7.5
-# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+ENV DATAPLANE_URL https://github.com/haproxytech/dataplaneapi.git
-#
-# PLEASE DO NOT EDIT IT DIRECTLY.
-#
 
-FROM debian:buster-slim
+RUN git clone "${DATAPLANE_URL}" "${GOPATH}/src/github.com/haproxytech/dataplaneapi"
+RUN cd "${GOPATH}/src/github.com/haproxytech/dataplaneapi" && \
+    git checkout "v${DATAPLANE_MINOR}" && \
+    make build && cp build/dataplaneapi /dataplaneapi
 
-# roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
+FROM debian:bullseye-slim AS openssl-builder
-RUN set -eux; \
-	groupadd --gid 99 --system haproxy; \
-	useradd \
-		--gid haproxy \
-		--home-dir /var/lib/haproxy \
-		--no-create-home \
-		--system \
-		--uid 99 \
-		haproxy
 
-ENV HAPROXY_URL http://www.haproxy.org/download/2.7/src/snapshot/haproxy-ss-LATEST.tar.gz
+ENV OPENSSL_SHA256 4e23619f73688144f2cd808e9567504c3bf10cb67ad9551280530fd54ca913e1
-ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/download/v2.7.5/dataplaneapi_2.7.5_Linux_x86_64.tar.gz
+ENV OPENSSL_URL https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1t-quic1.tar.gz
 
-# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
+ENV DEBIAN_FRONTEND noninteractive
-RUN set -eux; \
+
-	\
+RUN apt-get update && \
-	savedAptMark="$(apt-mark showmanual)"; \
+    apt-get install -y --no-install-recommends build-essential ca-certificates curl && \
-	apt-get update && apt-get install -y --no-install-recommends \
+    curl -sfSL "${OPENSSL_URL}" -o openssl.tar.gz && \
-		ca-certificates \
+    mkdir -p /tmp/openssl && \
-		gcc \
+    tar -xzf openssl.tar.gz -C /tmp/openssl --strip-components=1 && \
-		libc6-dev \
+    rm -f openssl.tar.gz && \
-		liblua5.3-dev \
+    cd /tmp/openssl && \
-		libpcre2-dev \
+    ./config --libdir=lib --prefix=/opt/quictls && \
-		libssl-dev \
+    make -j $(nproc) && \
-		make \
+    make install && \
-		wget \
+    rm -rf /tmp/openssl
-		zlib1g-dev \
+
-		luarocks \
+FROM debian:bullseye-slim
-	; \
+
-	rm -rf /var/lib/apt/lists/*; \
+MAINTAINER Dinko Korunic <dkorunic@haproxy.com>
-	\
+
-	wget -O dataplaneapi_Linux_x86_64.tar.gz "$DATAPLANEAPI_URL"; \
+LABEL Name HAProxy
-	tar -zxvf dataplaneapi_Linux_x86_64.tar.gz; \
+LABEL Release Community Edition
-	chmod +x build/dataplaneapi; \
+LABEL Vendor HAProxy
-	cp build/dataplaneapi /usr/local/bin/; \
+LABEL Version 2.8.0
-	\
+LABEL RUN /usr/bin/docker -d IMAGE
-	wget -O haproxy.tar.gz "$HAPROXY_URL"; \
+
-#	echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \
+ENV HAPROXY_BRANCH 2.8
-	mkdir -p /usr/src/haproxy; \
+ENV HAPROXY_MINOR 2.8.0
-	tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \
+ENV HAPROXY_SHA256 61cdafb5db7e9174d0757b8e4bcde938352306fb7cc8ff2b5f55c26dd48a6cf7
-	rm haproxy.tar.gz; \
+ENV HAPROXY_SRC_URL http://www.haproxy.org/download
-	\
+
-	makeOpts=' \
+ENV HAPROXY_UID haproxy
-		TARGET=linux-glibc \
+ENV HAPROXY_GID haproxy
-		USE_GETADDRINFO=1 \
+
-		USE_LUA=1 LUA_INC=/usr/include/lua5.3 \
+ENV DEBIAN_FRONTEND noninteractive
-		USE_OPENSSL=1 \
+
-		USE_PCRE2=1 USE_PCRE2_JIT=1 \
+COPY --from=dataplaneapi-builder /dataplaneapi /usr/local/bin/dataplaneapi
-		USE_ZLIB=1 \
+COPY --from=openssl-builder /opt/quictls /opt/quictls
-	'; \
+
-# https://salsa.debian.org/haproxy-team/haproxy/-/commit/53988af3d006ebcbf2c941e34121859fd6379c70
+RUN apt-get update && \
-	dpkgArch="$(dpkg --print-architecture)"; \
+    apt-get install -y --no-install-recommends procps zlib1g "libpcre2-*" liblua5.3-0 libatomic1 tar curl socat ca-certificates && \
-	case "$dpkgArch" in \
+    apt-get install -y --no-install-recommends gcc make libc6-dev libpcre2-dev zlib1g-dev liblua5.3-dev && \
-		armel) makeOpts="$makeOpts ADDLIB=-latomic" ;; \
+    curl -sfSL "${HAPROXY_SRC_URL}/${HAPROXY_BRANCH}/src/haproxy-${HAPROXY_MINOR}.tar.gz" -o haproxy.tar.gz && \
-	esac; \
+    echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c - && \
-	\
+    groupadd "$HAPROXY_GID" && \
-	nproc="$(nproc)"; \
+    useradd -g "$HAPROXY_GID" "$HAPROXY_UID" && \
-	eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \
+    mkdir -p /tmp/haproxy && \
-	eval "make -C /usr/src/haproxy install-bin $makeOpts"; \
+    tar -xzf haproxy.tar.gz -C /tmp/haproxy --strip-components=1 && \
-	\
+    rm -f haproxy.tar.gz && \
-	mkdir -p /etc/haproxy; \
+    make -C /tmp/haproxy -j"$(nproc)" TARGET=linux-glibc CPU=generic USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 \
-	cp -R /usr/src/haproxy/examples/errorfiles /etc/haproxy/errors; \
+                            USE_TFO=1 USE_LINUX_TPROXY=1 USE_LUA=1 USE_GETADDRINFO=1 \
-	rm -rf /usr/src/haproxy; \
+                            USE_PROMEX=1 USE_SLZ=1 \
-	\
+                            SSL_INC=/opt/quictls/include SSL_LIB=/opt/quictls/lib USE_QUIC=1 \
-	apt-mark auto '.*' > /dev/null; \
+                            LDFLAGS="-L/opt/quictls/lib -Wl,-rpath,/opt/quictls/lib" \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
+                            all && \
-	find /usr/local -type f -executable -exec ldd '{}' ';' \
+    make -C /tmp/haproxy TARGET=linux-glibc install-bin install-man && \
-		| awk '/=>/ { print $(NF-1) }' \
+    ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy && \
-		| sort -u \
+    mkdir -p /var/lib/haproxy && \
-		| xargs -r dpkg-query --search \
+    chown "$HAPROXY_UID:$HAPROXY_GID" /var/lib/haproxy && \
-		| cut -d: -f1 \
+    mkdir -p /usr/local/etc/haproxy && \
-		| sort -u \
+    ln -s /usr/local/etc/haproxy /etc/haproxy && \
-		| xargs -r apt-mark manual \
+    cp -R /tmp/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors && \
-	; \
+    rm -rf /tmp/haproxy && \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    apt-get purge -y --auto-remove gcc make libc6-dev libpcre2-dev zlib1g-dev liblua5.3-dev && \
-	\
+    apt-get clean && \
-# smoke test
+    rm -rf /var/lib/apt/lists/* && \
-	haproxy -v
+    chmod +x /usr/local/bin/dataplaneapi && \
+    ln -s /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi && \
+    touch /usr/local/etc/haproxy/dataplaneapi.hcl && \
+    chown "$HAPROXY_UID:$HAPROXY_GID" /usr/local/etc/haproxy/dataplaneapi.hcl && \
+    echo "/opt/quictls/lib" > /etc/ld.so.conf.d/quictls.conf && \
+    ldconfig
 
-# https://www.haproxy.org/download/1.8/doc/management.txt
-# "4. Stopping and restarting HAProxy"
-# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
-# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
 STOPSIGNAL SIGUSR1
 
 ADD haproxy/docker-entrypoint.sh /usr/local/bin/
@@ -98,7 +91,6 @@ RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 RUN apt update && apt install -y git lua5.3 liblua5.3-dev argon2 libargon2-dev luarocks
 RUN git config --global url."https://".insteadOf git://
 RUN luarocks install argon2
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 
-# no USER for backwards compatibility (to try to avoid breaking existing users)
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["haproxy", "-f", "/etc/haproxy/haproxy.cfg"]

haproxy/haproxy.cfg

@@ -47,6 +47,9 @@ frontend http-in
 
 	# Clearnet http (you'll have to figure out https yourself)
 	bind *:80
+	bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3,h2,http/1.1
+	bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem
+	http-response set-header alt-svc "h3=\":443\";ma=900;"
 
 	# Or instead, for Tor, to use circuit IDs as "IP":
 	#bind 127.0.0.1:80 accept-proxy
@@ -76,8 +79,8 @@ frontend http-in
 
 	# acl for lua check whitelisted IPs/subnets and some excluded paths
 	acl is_excluded src,map_ip(/etc/haproxy/map/whitelist.map) -m found
-	acl is_excluded src -m found -f /etc/haproxy/map/crawler-whitelist.map
+	# acl is_excluded src -m found -f /etc/haproxy/map/crawler-whitelist.map
-	acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
+	# acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
 
 	# acl ORs for when ddos_mode_enabled
 	acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found
@@ -126,7 +129,7 @@ frontend http-in
 	acl can_cache var(txn.path) -i -m end .png .jpg .jpeg .jpe .ico .webmanifest .xml .apng .bmp .webp .pjpeg .jfif .gif .mp4 .webm .mov .mkv .svg .m4a .aac .flac .mp3 .ogg .wav .opus .txt .pdf .sid
 
 	# optional alt-svc header (done after cache so not set in cached responses
-	http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
+	# http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
 
 	# header checks for no caching
 	# acl auth_cookie_set res.hdr(Set-Cookie),lower -m found

haproxy/map/ddos.map

@@ -1,2 +1,4 @@
 127.0.0.1 1
 127.0.0.1/captcha 2
+localhost 1
+localhost/captcha 2

haproxy/map/ddos_config.map

@@ -1 +1 @@
-127.0.0.1 {"pd":"argon2","pt":23,"cip":false,"cex":43200}
+127.0.0.1 {"pd":23,"pt":"argon2","cip":false,"cex":43200}

haproxy/map/hosts.map

@@ -1 +1,2 @@
 127.0.0.1 127.0.0.1:81
+localhost 127.0.0.1:81