begin phasing in haproxy

2021-06-24 20:29:27 +02:00 · 2021-06-24 20:29:27 +02:00 · aa786e4fdb
commit aa786e4fdb
parent d0e236865b
2 changed files with 85 additions and 0 deletions
--- a/apps/haproxy/README.md
+++ b/apps/haproxy/README.md
@ -0,0 +1,16 @@
+## Objective
+
+Deploy a proxy to the kubernetes cluster that handles
+IPv4-to-IPv6 translations as follows:
+
+```
+Outside k8s:
+
+[ IPv4-Address ] ---- [ SIIT NAT64 mapping ]
+                               |
+                               |
+                               |
+Inside k8s:           [ haproxy container ]
+                               |
+                               |
+                      [ abc.namespacex.svc.clusterdomain ]
--- a/apps/haproxy/haproxy.cfg
+++ b/apps/haproxy/haproxy.cfg
@ -0,0 +1,69 @@
+global
+    log stdout format raw local0
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+resolvers mydns
+  parse-resolv-conf
+  timeout retry   1s
+  hold valid 30s
+  hold nx 3s
+  hold other 3s
+  hold obsolete 0s
+  accepted_payload_size 8192
+
+defaults
+    retries                 3
+    log global
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+
+frontend http
+    bind :80
+    mode http
+    option                  httplog
+
+    http-request do-resolve(txn.myip,mydns,ipv6) hdr(Host),lower
+#    http-request capture var(txn.myip) len 255
+    use_backend b_503 unless { var(txn.myip) -m found }
+
+    default_backend         http
+
+# dummy backend
+backend b_503
+    mode http
+
+backend http
+    mode http
+    http-request deny unless { hdr(host) -i c2.k8s.ooo }
+    http-request set-dst var(txn.myip)
+    server http ipv6@*
+
+# # HTTPs
+frontend f_https
+    bind :443
+    mode tcp
+    option tcplog
+
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+    tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower
+
+
+    default_backend b_https
+
+backend b_https
+    mode tcp
+
+    tcp-request content set-dst var(txn.myip)
+    server tcp_https ipv6@*
+
+#    tcp-request capture var(txn.myip) len 255
+#    tcp-request connection deny unless { hdr(host) -i c2.k8s.ooo }
+#    use_backend b_503 unless { var(txn.myip) -m found }