From aa786e4fdb48260c723941d4a2fe9450d403e3c0 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Thu, 24 Jun 2021 20:29:27 +0200
Subject: [PATCH] begin phasing in haproxy

---
 apps/haproxy/README.md | 16 ++++++++++
 apps/haproxy/haproxy.cfg | 69 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 apps/haproxy/README.md
 create mode 100644 apps/haproxy/haproxy.cfg

diff --git a/apps/haproxy/README.md b/apps/haproxy/README.md
new file mode 100644
index 0000000..cc82b48
--- /dev/null
+++ b/apps/haproxy/README.md
@@ -0,0 +1,16 @@
+## Objective
+
+Deploy a proxy to the kubernetes cluster that handles
+IPv4-to-IPv6 translations as follows:
+
+```
+Outside k8s:
+
+[ IPv4-Address ] ---- [ SIIT NAT64 mapping ]
+ |
+ |
+ |
+Inside k8s: [ haproxy container ]
+ |
+ |
+ [ abc.namespacex.svc.clusterdomain ]
diff --git a/apps/haproxy/haproxy.cfg b/apps/haproxy/haproxy.cfg
new file mode 100644
index 0000000..8aa3ab3
--- /dev/null
+++ b/apps/haproxy/haproxy.cfg
@@ -0,0 +1,69 @@
+global
+ log stdout format raw local0
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+resolvers mydns
+ parse-resolv-conf
+ timeout retry 1s
+ hold valid 30s
+ hold nx 3s
+ hold other 3s
+ hold obsolete 0s
+ accepted_payload_size 8192
+
+defaults
+ retries 3
+ log global
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+
+frontend http
+ bind :80
+ mode http
+ option httplog
+
+ http-request do-resolve(txn.myip,mydns,ipv6) hdr(Host),lower
+# http-request capture var(txn.myip) len 255
+ use_backend b_503 unless { var(txn.myip) -m found }
+
+ default_backend http
+
+# dummy backend
+backend b_503
+ mode http
+
+backend http
+ mode http
+ http-request deny unless { hdr(host) -i c2.k8s.ooo }
+ http-request set-dst var(txn.myip)
+ server http ipv6@*
+
+# # HTTPs
+frontend f_https
+ bind :443
+ mode tcp
+ option tcplog
+
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower
+
+
+ default_backend b_https
+
+backend b_https
+ mode tcp
+
+ tcp-request content set-dst var(txn.myip)
+ server tcp_https ipv6@*
+
+# tcp-request capture var(txn.myip) len 255
+# tcp-request connection deny unless { hdr(host) -i c2.k8s.ooo }
+# use_backend b_503 unless { var(txn.myip) -m found }
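Review bot: The TLS path has no destination allowlist: `frontend f_https` resolves whatever SNI the client sends and `backend b_https` then `set-dst`s to the result, while the `hdr(host) -i c2.k8s.ooo` deny exists only in the HTTP backend and its TLS counterpart is left commented out at the bottom (and would not work there anyway, since a tcp-mode `tcp-request connection` rule never sees a Host header). As written, anyone who can reach :443 gets an SNI-steered TCP proxy to every IPv6 address the cluster resolver will answer for, including `*.svc.clusterdomain` services that were never meant to be exposed. I would add `tcp-request content reject unless { req_ssl_sni -i c2.k8s.ooo }` ahead of the do-resolve and `tcp-request content reject unless { var(txn.myip) -m found }` after it, so a failed lookup is refused instead of being handed to `server tcp_https ipv6@*` with no destination set. Separately, if I read HAProxy's tcp-request content semantics correctly, the `accept if { req_ssl_hello_type 1 }` on the preceding line ends rule evaluation, so the do-resolve that follows it is never reached for a real ClientHello; turning it into `tcp-request content reject unless { req_ssl_hello_type 1 }` (or moving the accept after the resolve) avoids that. The same ordering concern applies to the HTTP side, where `hdr(Host)` is resolved in `frontend http` before the backend deny runs, so moving that deny into the frontend ahead of the do-resolve stops the proxy from issuing cluster-DNS lookups for arbitrary attacker-chosen names.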