Added compose file for testing 2.0 (#120)

kchudy · web-flow · commit 4ec1f5402b95 · 2026-02-09T12:39:17.000+01:00
* Added compose files for testing 2.0

* Added additional gateways

* Added load balancer based on envoy

* Removed redundant configuration

* Removed redundant setting

* Fixed secret env variable

* Upgraded postgres
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 docker-compose/.env
 docker-compose/.volumes
+docker-compose2.0/.volumes
 .idea
 terraform/**/terraform.tfstate
 terraform/**/terraform.tfstate.backup
diff --git a/docker-compose2.0/docker-compose.yaml b/docker-compose2.0/docker-compose.yaml
@@ -0,0 +1,88 @@
+services:
+  core:
+    image: ghcr.io/defguard/defguard:dev
+    environment:
+      DEFGUARD_COOKIE_INSECURE: "true"
+      DEFGUARD_SECRET_KEY: defguard-secret-key-defguard-secret-key-defguard-secret-key-defguard-secret-key
+      DEFGUARD_AUTH_SECRET: defguard-auth-secret
+      DEFGUARD_GATEWAY_SECRET: defguard-gateway-secret
+      DEFGUARD_YUBIBRIDGE_SECRET: defguard-yubibridge-secret
+      DEFGUARD_DB_HOST: db
+      DEFGUARD_DB_PORT: 5432
+      DEFGUARD_DB_USER: defguard
+      DEFGUARD_DB_PASSWORD: defguard
+      DEFGUARD_DB_NAME: defguard
+      RUST_BACKTRACE: 1
+    depends_on:
+      - db
+    ports:
+      - "8000:8000"
+
+  edge1:
+    image: ghcr.io/defguard/defguard-proxy:dev
+    volumes:
+      - ./.volumes/certs2.0-ha/edge1:/etc/defguard/certs
+    depends_on:
+      - core
+
+  edge2:
+    image: ghcr.io/defguard/defguard-proxy:dev
+    volumes:
+      - ./.volumes/certs2.0-ha/edge2:/etc/defguard/certs
+    depends_on:
+      - core
+
+  edge-lb:
+    image: nginx:1.25-alpine
+    depends_on:
+      - edge1
+      - edge2
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./nginx/edge.conf:/etc/nginx/conf.d/default.conf:ro
+
+  gateway1:
+    image: ghcr.io/defguard/gateway:dev
+    depends_on:
+      - core
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - ./.volumes/certs2.0-ha/gateway1:/etc/defguard/certs
+    environment:
+      DEFGUARD_STATS_PERIOD: 10
+      HEALTH_PORT: 55003
+
+  gateway2:
+    image: ghcr.io/defguard/gateway:dev
+    depends_on:
+      - core
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - ./.volumes/certs2.0-ha/gateway2:/etc/defguard/certs
+    environment:
+      DEFGUARD_STATS_PERIOD: 10
+      HEALTH_PORT: 55003
+
+  gateway-lb:
+    image: envoyproxy/envoy:v1.33-latest
+    ports:
+      - "50051:50051/udp"
+    volumes:
+      - ./envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro
+    depends_on:
+      - gateway1
+      - gateway2
+
+  db:
+    image: postgres:18-alpine
+    environment:
+      POSTGRES_DB: defguard
+      POSTGRES_USER: defguard
+      POSTGRES_PASSWORD: defguard
+    volumes:
+      - ./.volumes/db2.0-ha:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
diff --git a/docker-compose2.0/envoy/envoy.yaml b/docker-compose2.0/envoy/envoy.yaml
@@ -0,0 +1,60 @@
+static_resources:
+  listeners:
+    - name: udp_listener
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 50051
+          protocol: UDP
+
+      # UDP listeners use udp_listener_config + listener_filters (not filter_chains)
+      udp_listener_config:
+        downstream_socket_config:
+          # Optional: enable GRO/GSO if kernel supports it, otherwise omit
+          prefer_gro: true
+
+      listener_filters:
+        - name: envoy.filters.udp_listener.udp_proxy
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig
+            stat_prefix: udp_lb
+            cluster: defguard_gateway_cluster
+            idle_timeout: 60s
+
+  clusters:
+    - name: defguard_gateway_cluster
+      type: STRICT_DNS
+      connect_timeout: 1s
+      lb_policy: ROUND_ROBIN
+      dns_lookup_family: V4_ONLY
+
+      health_checks:
+        - timeout: 2s
+          interval: 5s
+          unhealthy_threshold: 2
+          healthy_threshold: 2
+          http_health_check:
+            path: /health
+            host: gateway_health
+            expected_statuses:
+              start: 200
+              end: 300
+
+      load_assignment:
+        cluster_name: defguard_gateway_cluster
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: gateway1
+                      port_value: 50051
+                  health_check_config:
+                    port_value: 55003
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: gateway2
+                      port_value: 50051
+                  health_check_config:
+                    port_value: 55003
diff --git a/docker-compose2.0/nginx/edge.conf b/docker-compose2.0/nginx/edge.conf
@@ -0,0 +1,38 @@
+upstream defguard_edge {
+  # For HTTP, round-robin is the default
+  server edge1:8080 max_fails=2 fail_timeout=10s;
+  server edge2:8080 max_fails=2 fail_timeout=10s;
+
+  # Optional: keepalive connections to backends
+  keepalive 64;
+}
+
+server {
+  listen 8080;
+
+  # Preserve original client information
+  proxy_set_header Host              $host;
+  proxy_set_header X-Real-IP         $remote_addr;
+  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+
+  # WebSockets support (if used)
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade           $http_upgrade;
+  proxy_set_header Connection        $connection_upgrade;
+
+  location / {
+    proxy_pass http://defguard_edge;
+
+    # Reasonable timeouts for long requests / SSE
+    proxy_connect_timeout 5s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+  }
+}
+
+# Map used by WebSocket upgrade header handling
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
