From 8f707e44da858b9caea3cd1c3888326d41a8ba50 Mon Sep 17 00:00:00 2001 From: Alexander Piskun <13381981+bigcat88@users.noreply.github.com> Date: Tue, 11 Jun 2024 10:56:58 +0300 Subject: [PATCH 1/2] add support for `NC_HAPROXY_PASSWORD_FILE` env variable Signed-off-by: Alexander Piskun --- README.md | 7 +++++++ start.sh | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/README.md b/README.md index 8f2dc51..40abbaa 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,13 @@ You should set `BIND_ADDRESS` to the IP on which server with ExApps can accept r `TIMEOUT_SERVER`: timeout for ExApp to start responding to NC request, default: **30s** +`NC_HAPROXY_PASSWORD_FILE`: Specifies path to a file containing the password for HAProxy. + +> [!NOTE] +> This file should be mounted into the container, and the password will be read from this file. +> If both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified, the container will exit with an error. + + #### Only for ExApp installs with TLS: * `EX_APPS_NET`: determines destination of requests to ExApps for HaProxy. Default:`localhost` diff --git a/start.sh b/start.sh index f61898f..0056a13 100644 --- a/start.sh +++ b/start.sh @@ -1,5 +1,15 @@ #!/bin/sh +# Check if both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified +if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -f "$NC_HAPROXY_PASSWORD_FILE" ]; then + echo "Error: Both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified. Please specify only one." + exit 1 +fi + +if [ -f "$NC_HAPROXY_PASSWORD_FILE" ]; then + NC_HAPROXY_PASSWORD=$(cat "$NC_HAPROXY_PASSWORD_FILE") +fi + sed -i "s|NC_PASSWORD_PLACEHOLDER|$NC_HAPROXY_PASSWORD|" /haproxy.cfg sed -i "s|TIMEOUT_CONNECT|$TIMEOUT_CONNECT|" /haproxy.cfg sed -i "s|TIMEOUT_CLIENT|$TIMEOUT_CLIENT|" /haproxy.cfg From 44040f0de125a17ea850a49e72ad256fc3efbdb0 Mon Sep 17 00:00:00 2001 
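Review bot: The new `if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -f "$NC_HAPROXY_PASSWORD_FILE" ]` / `if [ -f "$NC_HAPROXY_PASSWORD_FILE" ]` pair only reacts when the file exists, so an operator who sets NC_HAPROXY_PASSWORD_FILE to a path that was not mounted falls through silently and the placeholder is replaced with an empty password, which contradicts the "container will exit with an error" wording added to the README in the same patch. A guard before the read, `if [ -n "$NC_HAPROXY_PASSWORD_FILE" ] && [ ! -f "$NC_HAPROXY_PASSWORD_FILE" ]; then echo "Error: NC_HAPROXY_PASSWORD_FILE is set but the file does not exist." >&2; exit 1; fi`, closes that gap. The value read from the file is then handed to the unchanged `sed -i "s|NC_PASSWORD_PLACEHOLDER|$NC_HAPROXY_PASSWORD|"` context line, where `|`, `&` or `\` in the password alter the sed expression rather than the credential; the second patch in this series moves to mkpasswd and envsubst, which addresses both points, so this note matters only if the first patch is ever applied on its own.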
From: Alexander Piskun <13381981+bigcat88@users.noreply.github.com> Date: Tue, 11 Jun 2024 14:30:48 +0300 Subject: [PATCH 2/2] not create the "haproxy.cfg" each time. replaced the "insecure password" with "password" Signed-off-by: Alexander Piskun --- Dockerfile | 7 +-- README.md | 1 - haproxy.cfg => haproxy.cfg.template | 8 +-- ...x_apps.cfg => haproxy_ex_apps.cfg.template | 0 start.sh | 53 ++++++++++++------- 5 files changed, 41 insertions(+), 28 deletions(-) rename haproxy.cfg => haproxy.cfg.template (95%) rename haproxy_ex_apps.cfg => haproxy_ex_apps.cfg.template (100%) diff --git a/Dockerfile b/Dockerfile index 8b98472..181c438 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,12 +19,13 @@ RUN set -ex; \ openssl \ bind-tools \ nano \ - vim; \ + vim \ + envsubst; \ chmod -R 777 /tmp COPY --chmod=775 *.sh / -COPY --chmod=664 haproxy.cfg /haproxy.cfg -COPY --chmod=664 haproxy_ex_apps.cfg /haproxy_ex_apps.cfg +COPY --chmod=664 haproxy.cfg.template /haproxy.cfg.template +COPY --chmod=664 haproxy_ex_apps.cfg.template /haproxy_ex_apps.cfg.template WORKDIR / ENTRYPOINT ["/bin/bash", "start.sh"] diff --git a/README.md b/README.md index 40abbaa..f9e3553 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,6 @@ You should set `BIND_ADDRESS` to the IP on which server with ExApps can accept r > This file should be mounted into the container, and the password will be read from this file. > If both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified, the container will exit with an error. - #### Only for ExApp installs with TLS: * `EX_APPS_NET`: determines destination of requests to ExApps for HaProxy. Default:`localhost` diff --git a/haproxy.cfg b/haproxy.cfg.template similarity index 95% rename from haproxy.cfg rename to haproxy.cfg.template index e2e296f..8d51ab8 100644 --- a/haproxy.cfg +++ b/haproxy.cfg.template 
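Review bot: The RUN package list gains only `envsubst`, yet the start.sh rewritten in this same commit now also executes `mkpasswd -m sha-256` on every first start; unless mkpasswd is already installed by the lines above this hunk (not visible here), the entrypoint will exit with a command-not-found after printing "Creating HaProxy config.." and leave no usable config. Adding the package that provides mkpasswd on the line next to `envsubst \` keeps the image self-contained and lets the failure surface at build time instead of at container start. The RUN instruction begins outside the hunk.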
@@ -9,12 +9,12 @@ defaults log global option httplog option dontlognull - timeout connect TIMEOUT_CONNECT - timeout client TIMEOUT_CLIENT - timeout server TIMEOUT_SERVER + timeout connect ${TIMEOUT_CONNECT} + timeout client ${TIMEOUT_CLIENT} + timeout server ${TIMEOUT_SERVER} userlist app_api_credentials - user app_api_haproxy_user insecure-password "NC_PASSWORD_PLACEHOLDER" + user app_api_haproxy_user password ${NC_HAPROXY_PASSWORD} frontend docker_engine mode http diff --git a/haproxy_ex_apps.cfg b/haproxy_ex_apps.cfg.template similarity index 100% rename from haproxy_ex_apps.cfg rename to haproxy_ex_apps.cfg.template diff --git a/start.sh b/start.sh index 0056a13..54e0611 100644 --- a/start.sh +++ b/start.sh 
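Review bot: The new `user app_api_haproxy_user password ${NC_HAPROXY_PASSWORD}` line reuses the name of the operator-facing environment variable, but after this commit the value envsubst writes here is the crypt(3) hash that start.sh computes and re-exports under the same name, not the plaintext the operator supplied, and nothing in the template records that. A comment directly above the entry, `# NC_HAPROXY_PASSWORD here is the sha-256 crypt hash that start.sh generates and exports, never the plaintext value`, would keep a future maintainer from rendering this template with the raw secret, which the `password` keyword would treat as a malformed hash rather than as the credential. The userlist section continues beyond the hunk.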
@@ -1,29 +1,42 @@ #!/bin/sh -# Check if both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified -if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -f "$NC_HAPROXY_PASSWORD_FILE" ]; then - echo "Error: Both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified. Please specify only one." - exit 1 -fi +if [ ! -f "/haproxy.cfg" ]; then -if [ -f "$NC_HAPROXY_PASSWORD_FILE" ]; then - NC_HAPROXY_PASSWORD=$(cat "$NC_HAPROXY_PASSWORD_FILE") -fi + echo "Creating HaProxy config.." -sed -i "s|NC_PASSWORD_PLACEHOLDER|$NC_HAPROXY_PASSWORD|" /haproxy.cfg -sed -i "s|TIMEOUT_CONNECT|$TIMEOUT_CONNECT|" /haproxy.cfg -sed -i "s|TIMEOUT_CLIENT|$TIMEOUT_CLIENT|" /haproxy.cfg -sed -i "s|TIMEOUT_SERVER|$TIMEOUT_SERVER|" /haproxy.cfg + if [ -n "$NC_HAPROXY_PASSWORD_FILE" ] && [ ! -f "$NC_HAPROXY_PASSWORD_FILE" ]; then + echo "Error: NC_HAPROXY_PASSWORD_FILE is specified but the file does not exist." + exit 1 + fi -if [ -f "/certs/cert.pem" ]; then - EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT") - sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg - sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg - sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg - # Chmod certs to be accessible by haproxy - chmod 644 /certs/cert.pem + if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then + echo "Error: Only one of NC_HAPROXY_PASSWORD or NC_HAPROXY_PASSWORD_FILE should be specified." 
+ exit 1 + fi + + if [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then + NC_HAPROXY_PASSWORD=$(mkpasswd -m sha-256 < "$NC_HAPROXY_PASSWORD_FILE") + else + NC_HAPROXY_PASSWORD=$(echo "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256) + fi + + export NC_HAPROXY_PASSWORD + + envsubst < /haproxy.cfg.template > /haproxy.cfg + envsubst < /haproxy_ex_apps.cfg.template > /haproxy_ex_apps.cfg + + if [ -f "/certs/cert.pem" ]; then + EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT") + sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg + sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg + sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg + # Chmod certs to be accessible by haproxy + chmod 644 /certs/cert.pem + else + sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg + fi else - sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg + echo "HaProxy config already present." fi echo "HaProxy config:"
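Review bot: When neither NC_HAPROXY_PASSWORD nor NC_HAPROXY_PASSWORD_FILE is set, the new `else` branch runs `echo "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256` on an empty string and HAProxy is started with a valid hash of the empty password, so the userlist credential becomes guessable without any error being reported; a third guard next to the two existing ones, `if [ -z "$NC_HAPROXY_PASSWORD" ] && [ -z "$NC_HAPROXY_PASSWORD_FILE" ]; then echo "Error: NC_HAPROXY_PASSWORD or NC_HAPROXY_PASSWORD_FILE must be set." >&2; exit 1; fi`, makes the missing secret a hard failure. The same line should use `printf '%s\n' "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256`, because echo swallows a leading `-n`/`-e` and, under some sh implementations, interprets backslashes, so the hashed value can differ from what the operator configured. The three `echo "Error: ..."` diagnostics go to stdout and are worth redirecting with `>&2` so they are not mixed into the config dump that follows. Because the whole block is now skipped whenever /haproxy.cfg already exists, a changed password on restart is silently ignored; the "HaProxy config already present." message could say that the file must be removed to pick up new credentials.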