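# --- Stage 1: build quictls (OpenSSL with the QUIC API) into /opt/quictls ---
FROM alpine:3.24 AS openssl-builder
# Build-time inputs only. ARG (not ENV) keeps them out of the stage environment
# and lets them be overridden with --build-arg when the release is bumped.
# NOTE(review): the URL is a git-archive tarball generated on the fly by GitHub
# rather than a published release asset, and SHA-1 is a weak integrity check;
# when the release is next bumped, prefer the upstream release tarball and a
# sha256 digest (the digest must be updated together with the URL).
ARG OPENSSL_URL=https://github.com/quictls/openssl/archive/refs/tags/openssl-3.3.0-quic1.tar.gz
ARG OPENSSL_SHA1SUM="1a2d16f2d6bad19ba0f62f3cde5efb1bd982c07e"
# OpenSSL build configuration
# Features
ARG OPENSSL_OPTS_FEATURES="no-tests enable-tls1_3"
# Compiler / hardening flags
ARG OPENSSL_OPTS_CFLAGS="-g -O3 -fstack-protector-strong -Wformat -Werror=format-security"
# Preprocessor / build defines
# -DOPENSSL_TLS_SECURITY_LEVEL=2: default min security policy (e.g. rejects weak keys/ciphers)
# -DOPENSSL_USE_NODELETE: keep libcrypto/libssl loaded to avoid unload/reload issues (plugins/forked procs)
# -DL_ENDIAN: explicitly assume little-endian target
# -DOPENSSL_PIC: build position-independent code (shared libs)
# -DOPENSSL_CPUID_OBJ: enable runtime CPU feature detection
# ASM toggles: force-enable common fast paths (AESNI, SHA*, GHASH, X25519/X448, etc.)
# -DNDEBUG: disable asserts
# -D_FORTIFY_SOURCE=2: extra libc bounds checking (effective with optimizations)
# NOTE(review): the SSE2/AESNI/NISTZ256 toggles assume an x86-64 target; a build
# for another architecture (e.g. arm64) needs this list changed, since they are
# forced here instead of being left to ./config's own detection.
ARG OPENSSL_OPTS_DEFINES="-DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN \
    -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 \
    -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m \
    -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DMD5_ASM \
    -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM \
    -DX448_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2"
# Fetch, verify, build and install in one layer so the source tree and tarball
# never persist in an image layer.
# - perl is needed by OpenSSL's Configure script; it is listed explicitly
#   rather than relying on it arriving as a dependency of autoconf/automake.
# - the tarball is written to /tmp (not the working directory, which is / at
#   this point) and verified before it is unpacked.
# - the three OPENSSL_OPTS_* ARGs are expanded unquoted on purpose: each is a
#   space-separated option list for ./config.
# - --libdir=lib keeps libraries in /opt/quictls/lib (not lib64), which is the
#   path the rpath and LD_LIBRARY_PATH values elsewhere in this file assume.
# - the trailing `openssl version -a` is a smoke test that the built binary
#   loads its own libraries and provider modules.
RUN apk add --no-cache \
        autoconf \
        automake \
        build-base \
        curl \
        gcc \
        libc-dev \
        linux-headers \
        make \
        perl && \
    mkdir -p /tmp/openssl && \
    curl -sfSL "${OPENSSL_URL}" -o /tmp/openssl.tar.gz && \
    echo "${OPENSSL_SHA1SUM}  /tmp/openssl.tar.gz" | sha1sum -c - && \
    tar -xzf /tmp/openssl.tar.gz -C /tmp/openssl --strip-components=1 && \
    rm -f /tmp/openssl.tar.gz && \
    cd /tmp/openssl && \
    ./config --libdir=lib --prefix=/opt/quictls ${OPENSSL_OPTS_FEATURES} ${OPENSSL_OPTS_CFLAGS} ${OPENSSL_OPTS_DEFINES} && \
    nproc="$(command -v getconf >/dev/null 2>&1 && getconf _NPROCESSORS_ONLN || grep -c ^processor /proc/cpuinfo || echo 1)" && \
    make -j "$nproc" build_sw && \
    make install_sw && \
    cd / && \
    rm -rf /tmp/openssl && \
    OPENSSL_MODULES=/opt/quictls/lib/ossl-modules \
    LD_LIBRARY_PATH=/opt/quictls/lib \
    /opt/quictls/bin/openssl version -a
# Point the quictls tree's default certificate directory at the system one
# (/etc/ssl/certs) so the runtime image uses a single trust store instead of
# a second, separately maintained copy.
RUN mkdir -p /opt/quictls/ssl && \
    rm -rf /opt/quictls/ssl/certs && \
    ln -s /etc/ssl/certs /opt/quictls/ssl/certs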
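# --- Stage 2: build HAProxy against the quictls tree from stage 1 ---
FROM alpine:3.24 AS haproxy-builder
COPY --from=openssl-builder /opt/quictls /opt/quictls
# Release metadata. ARGs are already visible to RUN as environment variables,
# so they are not mirrored into ENV (that would only bake build-time values
# into the stage environment). HAPROXY_BRANCH and HAPROXY_MINOR are not used
# in this stage because the source tarball comes from the build context; they
# are kept so existing --build-arg invocations keep working.
ARG HAPROXY_BRANCH=3.4
ARG HAPROXY_MINOR=3.4.0
# sha256 of haproxy.tar.gz, checked before extraction so a tampered or stale
# tarball in the build context fails the build instead of being compiled.
ARG HAPROXY_SHA256=72ee779970afaba4632151ffd93a5c2494c96d35aa7fc2c01335eca3af8a98fc
# haproxy.tar.gz must be fetched into the build context out of band.
COPY haproxy.tar.gz /tmp/haproxy.tar.gz
# NOTE(review): openssl-dev also installs the system OpenSSL headers under
# /usr/include. The SSL_INC/SSL_LIB flags below point the build at
# /opt/quictls; the `haproxy -vv` check at the end of this stage (which reports
# the OpenSSL version it was built with) is where a mix-up would show up.
RUN \
    echo "**** Install haproxy build packages ****" && \
    apk add --no-cache \
        build-base \
        libc-dev \
        linux-headers \
        lua5.4-dev \
        openssl \
        openssl-dev \
        pcre2-dev \
        zlib-dev && \
    echo "**** Verify and extract Haproxy ****" && \
    echo "$HAPROXY_SHA256 */tmp/haproxy.tar.gz" | sha256sum -c - && \
    mkdir -p /usr/src && \
    tar -xzf /tmp/haproxy.tar.gz -C /usr/src && \
    mv /usr/src/haproxy-* /usr/src/haproxy && \
    rm /tmp/haproxy.tar.gz && \
    echo "**** Cleanup ****" && \
    rm -rf /tmp/*
# Build and install. The option block is shared between the `all` and
# `install-bin` invocations through a small shell function so the two lists
# cannot drift apart; `make -C` makes a separate `cd` unnecessary.
# -Wl,-rpath,/opt/quictls/lib is load-bearing: the final stage sets a file
# capability on the binary, and in that secure-execution mode the dynamic
# loader ignores LD_LIBRARY_PATH, so the library path has to be baked in.
RUN set -eux && \
    haproxy_make() { \
        make -C /usr/src/haproxy "$@" \
            TARGET=linux-musl \
            USE_OPENSSL=1 \
            USE_LIBCRYPT=1 \
            USE_QUIC=1 \
            SSL_INC=/opt/quictls/include \
            SSL_LIB=/opt/quictls/lib \
            USE_LUA=1 \
            LUA_INC=/usr/include/lua5.4 \
            LUA_LIB=/usr/lib/lua5.4 \
            USE_PROMEX=1 \
            USE_PCRE2=1 \
            USE_PCRE2_JIT=1 \
            LDFLAGS="-L/opt/quictls/lib -Wl,-rpath,/opt/quictls/lib -L/usr/lib"; \
    } && \
    echo "**** Compiling Haproxy from source ****" && \
    nproc="$(command -v getconf >/dev/null 2>&1 && getconf _NPROCESSORS_ONLN || grep -c ^processor /proc/cpuinfo || echo 1)" && \
    export PKG_CONFIG_PATH=/opt/quictls/lib/pkgconfig:/usr/lib/pkgconfig && \
    export LD_LIBRARY_PATH=/opt/quictls/lib:/usr/lib && \
    haproxy_make -j "$nproc" all && \
    haproxy_make install-bin && \
    make -C /usr/src/haproxy TARGET=linux-musl install-man && \
    /usr/local/sbin/haproxy -vv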
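# --- Stage 3: runtime image. Start from a fresh base so none of the build
# layers, toolchains or -dev packages end up in the shipped image. ---
FROM brycelarge/alpine-baseimage:3.24
# Redeclared here because a stage does not inherit ARGs from earlier stages;
# only used for the version label below.
ARG HAPROXY_MINOR=3.4.0
COPY --from=haproxy-builder /usr/local/sbin/haproxy /usr/local/sbin/haproxy
# NOTE(review): this also carries include/, static archives and pkgconfig
# files; copying only /opt/quictls/bin and /opt/quictls/lib would be smaller.
COPY --from=haproxy-builder /opt/quictls /opt/quictls
# quictls' openssl CLI goes first on PATH. LD_LIBRARY_PATH is image-wide, so
# every dynamically linked program (not only haproxy) resolves libssl/libcrypto
# from /opt/quictls before the system copies; haproxy itself carries an rpath
# and does not depend on this variable.
ENV PATH="/opt/quictls/bin:${PATH}" \
    LD_LIBRARY_PATH=/opt/quictls/lib
# Config tree: custom error pages, plus the certificate directory that is
# exported as a volume further down.
RUN mkdir -p /etc/haproxy/errors /etc/haproxy/certs
COPY errors/ /etc/haproxy/errors/
# Logging, sysctl and health-check assets.
COPY ./conf.d/logrotate.d/haproxy /etc/logrotate.d/haproxy
COPY ./conf.d/rsyslog.d/haproxy.conf /etc/rsyslog.d/49-haproxy.conf
COPY ./conf.d/rsyslog.conf /etc/rsyslog.conf
COPY ./conf.d/network.conf /etc/sysctl.d/network.conf
COPY ./scripts/healthcheck.sh /usr/local/bin/healthcheck.sh
# Default timezone. "EST" is the legacy fixed UTC-5 zone (no DST); override at
# run time with -e TZ=<Area/City>.
ENV TZ=EST
# Runtime packages, service users and directory permissions in one layer.
#   libcap                      - provides setcap for the capability grant below
#   libcrypto3/libssl3/openssl  - the system OpenSSL used by rsyslog and scripts
#   iptables                    - NOTE(review): presumably used by the
#                                 FRONTEND_IP_PROTECTION scripts in root/; needs
#                                 CAP_NET_ADMIN at run time — confirm
# haproxy gets fixed UID/GID 99 so ownership of mounted volumes is stable;
# acme (UID/GID 1000) is added to the haproxy group so it can hand over
# certificates. /var/lib/haproxy/dev/log is prepared for the chrooted syslog
# socket (NOTE(review): assumed — confirm against the rsyslog config).
# NOTE(review): /etc/haproxy is chowned to the service user so the generated
# config can be written there, but /etc/haproxy/certs stays root-owned here;
# whatever writes certificates at run time needs access granted elsewhere.
# setcap lets haproxy bind :80/:443 without root. Because the binary then runs
# with a file capability, the loader ignores LD_LIBRARY_PATH for it and relies
# on the rpath compiled in by the builder stage.
RUN set -eux && \
    echo "**** Install runtime packages ****" && \
    apk add --no-cache \
        gettext \
        inotify-tools \
        iptables \
        libcap \
        libcrypto3 \
        libssl3 \
        lua5.4 \
        openssl \
        pcre2 \
        readline \
        rsyslog \
        socat \
        tzdata && \
    echo "**** Make rsyslog directory ****" && \
    mkdir -p \
        /var/spool/rsyslog \
        /scripts && \
    echo "**** Create Haproxy user and make our folders ****" && \
    addgroup --gid 99 --system haproxy && \
    adduser \
        --disabled-password \
        --home /var/lib/haproxy \
        --ingroup haproxy \
        --no-create-home \
        --system \
        --uid 99 \
        haproxy && \
    mkdir -p \
        /var/lib/haproxy \
        /var/run/haproxy \
        /var/lib/haproxy/dev && \
    chmod 755 /usr/local/bin/healthcheck.sh && \
    chown haproxy:haproxy /var/lib/haproxy && \
    chown haproxy:haproxy /var/run/haproxy && \
    chown haproxy:haproxy /etc/haproxy && \
    chmod 775 /var/lib/haproxy && \
    chmod 775 /var/run/haproxy && \
    chmod 775 /scripts && \
    chmod 755 /var/lib/haproxy/dev && \
    chown haproxy:haproxy /var/lib/haproxy/dev && \
    touch /var/lib/haproxy/dev/log && \
    chown haproxy:haproxy /var/lib/haproxy/dev/log && \
    chmod 755 /var/lib/haproxy/dev/log && \
    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
    echo "**** add acme user and add to haproxy group for serving certificates ****" && \
    addgroup --gid 1000 --system acme && \
    adduser \
        --disabled-password \
        --home /config/acme \
        --ingroup acme \
        --no-create-home \
        --system \
        --uid 1000 \
        acme && \
    adduser acme haproxy && \
    echo "**** Add the tzdata package and configure timezone ****" && \
    ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" > /etc/timezone
# Runtime knobs read by the scripts shipped in root/ and /scripts.
ENV CONFIG_DIR=/config \
    CONFIG_AUTO_GENERATE=true \
    FRONTEND_IP_PROTECTION=false \
    DEV_MODE=false \
    DEBUG=false \
    DNS_SERVERS="1.1.1.1 1.0.0.1 8.8.8.8"
COPY root/ /
COPY scripts/ /scripts/
# Scripts are owned by the service user; the trailing -vv is a smoke test that
# the copied binary links and runs on this base image.
RUN chmod +x /scripts/*.sh && \
    chown -R haproxy:haproxy /scripts && \
    chmod 775 /scripts && \
    /usr/local/sbin/haproxy -vv
LABEL maintainer="Bryce Large" \
    org.opencontainers.image.title="HAProxy with ACME" \
    org.opencontainers.image.description="HAProxy with Lua ACME HTTP-01 challenge support" \
    org.opencontainers.image.version="${HAPROXY_MINOR}" \
    org.opencontainers.image.source="https://github.com/brycelarge/haproxy"
WORKDIR /var/lib/haproxy
# 80/tcp and 443/tcp for HTTP(S), 443/udp for QUIC; 8404/tcp is presumably the
# stats/Prometheus endpoint enabled by USE_PROMEX=1 (confirm in haproxy.cfg).
EXPOSE 80/tcp 443/tcp 443/udp 8404/tcp
# Declared after the directories are populated so their build-time contents are kept.
VOLUME ["/config", "/var/log/haproxy", "/etc/haproxy/certs"]
# https://www.haproxy.org/download/1.8/doc/management.txt
# "4. Stopping and restarting HAProxy"
# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
STOPSIGNAL SIGUSR1
# NOTE(review): there is no USER directive, so the container's init starts as
# root and the setcap grant above only matters once haproxy itself runs as the
# haproxy user; confirm that the base image's init or haproxy.cfg
# (`user haproxy` / `group haproxy`) drops privileges.
# Shell form is kept deliberately so the script runs even without a shebang.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
    CMD /usr/local/bin/healthcheck.sh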