Add TLS termination point and varnish for quicker responses

2019-08-05 14:59:55 +02:00 · 2019-08-05 14:59:55 +02:00 · 3b8f4346be
parent 310d4756c4
commit 3b8f4346be
5 changed files with 50 additions and 14 deletions
--- a/base.yml
+++ b/base.yml
@ -4,6 +4,8 @@ networks:
  frontend:
    driver: overlay
    attachable: true
+  cache:
+    driver: overlay

 secrets:
  cf_op:
@ -40,7 +42,29 @@ services:
      - cf_op
    volumes:
      - 'haproxysock:/haproxy:rw' ## Telegraf monitoring
-    ports:
-    - '443:443'
    networks:
      - frontend
+      - cache
+
+  varnish:
+    image: localhost:5000/varnish
+    deploy: *gt2
+    logging: *json-log
+    tmpfs: /usr/local/var/varnish
+    networks:
+      - cache
+
+  hitch:
+    image: zazukoians/hitch
+    deploy: *gt2
+    logging: *json-log
+    secrets:
+      - source: ssl_master
+    environment:
+      HITCH_PEM: '/run/secrets/ssl_master'
+      HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'
+      HITCH_CIPHER: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
+    ports:
+      - '443:443'
+    networks:
+      - cache
--- a/build/HAProxy/Dockerfile
+++ b/build/HAProxy/Dockerfile
--- a/build/HAProxy/haproxy.conf
+++ b/build/HAProxy/haproxy.conf
@ -33,9 +33,8 @@ resolvers dockerdns

 frontend https
  mode http
-  bind *:443 ssl crt /run/secrets/ssl_master ciphers EECDH+AESGCM:EDH+AESGCM ca-file /run/secrets/cf_op verify required
+  bind *:80
  
-  acl secure dst_port eq 443
  acl is_cf req.hdr_ip(x-forwarded-for) -m found
  acl dav url_beg /.well-known/carddav /.well-known/caldav
  acl root url /
@ -44,14 +43,14 @@ frontend https
  acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
  acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
  
-  acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
-  acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
-  acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
-  acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
-  acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
-  acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
-  acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443
-  acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443
+  acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443 or -i yagpdb.redxen.eu:2096
+  acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443 or -i stats.redxen.eu:2096
+  acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443 or -i cloud.redxen.eu:2096
+  acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443 or -i webgit.redxen.eu:2096
+  acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443 or -i seed.redxen.eu:2096
+  acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu:2096
+  acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:2096 or -i www.redxen.eu:2096
+  acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443 or -i znc.redxen.eu:2096
  
  acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
  
@ -60,8 +59,8 @@ frontend https
  redirect location /index.html code 301 if homepage root
  redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
  
-  http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
-  http-response add-header X-Forwarded-Proto https if secure
+  http-response replace-header Set-Cookie (.*) \1;\ Secure
+  http-response add-header X-Forwarded-Proto https
  
  http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
  http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
--- a/build/Varnish/Dockerfile
+++ b/build/Varnish/Dockerfile
@ -0,0 +1,3 @@
+FROM varnish
+
+COPY varnish.vcl /etc/varnish/default.vcl
--- a/build/Varnish/varnish.vcl
+++ b/build/Varnish/varnish.vcl
@ -0,0 +1,10 @@
+vcl 4.0;
+
+backend default {
+  .host                   = "haproxy";
+  .port                   = "80";
+  .max_connections        = 300;
+  .first_byte_timeout     = 300s;
+  .connect_timeout        = 5s;
+  .between_bytes_timeout  = 2s;
+}