merge in dev3

group_vars/all/main.yml

@@ -2,22 +2,6 @@
 
 dslproxy: "<CHANGE_ME:hostname>"
 
-soctools_users:
-  - firstname: "Arne"
-    lastname: "Oslebo"
-    username: "arne.oslebo"
-    email: "arne.oslebo@uninett.no"
-    DN: "CN=Arne Oslebo"
-    CN: "Arne Oslebo"
-    password: "Pass002"
-  - firstname: "Bozidar"
-    lastname: "Proevski"
-    username: "bozidar.proevski"
-    email: "bozidar.proevski@finki.ukim.mk"
-    DN: "CN=Bozidar Proevski"
-    CN: "Bozidar Proevski"
-    password: "Pass001"
-
 # TheHive Button plugin
 THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/"
 THEHIVE_API_KEY: "5LymseWiurZBrQN8Kqp8O+9KniTL5cE0"
@@ -30,6 +14,12 @@ repo: gn43-dsl
 version: 7
 suffix: a20201004
 
+haproxy_name: "dsoclab-haproxy"
+haproxy_version: "2.2"
+haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}"
+HAPROXY_PROCESSES: "2"
+HAPROXY_STATS_PASS: "eiph2Eepaizicheelah3tei+bae3ohgh"
+
 temp_root: "/tmp/centosbuild"
 
 openjdk_img: "{{repo}}/openjdk:{{version}}{{suffix}}"
@@ -39,9 +29,6 @@ zookeeper_img: "{{repo}}/zookeeper:{{version}}{{suffix}}"
 
 nifi_img: "{{repo}}/nifi:{{version}}{{suffix}}"
 
-nginx_name: "dsoclab-nginx"
-nginx_img: "{{repo}}/nginx:{{version}}{{suffix}}"
-
 mysql_name: "dsoclab-mysql"
 mysql_img: "{{repo}}/mysql:{{version}}{{suffix}}"
 mysql_dbrootpass: "Pass006"
@@ -62,6 +49,21 @@ nifi_repo: "https://archive.apache.org/dist"
 
 ca_cn: "SOCTOOLS-CA"
 
+soctools_users:
+  - firstname: "Arne"
+    lastname: "Oslebo"
+    username: "arne.oslebo"
+    email: "arne.oslebo@uninett.no"
+    DN: "CN=Arne Oslebo"
+    CN: "Arne Oslebo"
+    password: "Pass002"
+  - firstname: "Bozidar"
+    lastname: "Proevski"
+    username: "bozidar.proevski"
+    email: "bozidar.proevski@finki.ukim.mk"
+    DN: "CN=Bozidar Proevski"
+    CN: "Bozidar Proevski"
+    password: "Pass001"
 
 odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}"
 odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}"

roles/build/tasks/haproxy.yml

+---
+
+- name: Configure the haproxy Dockerfile
+  template:
+    src: haproxy/Dockerfile.j2
+    dest: "{{role_path}}/files/haproxyDockerfile"
+
+- name: Build haproxy image
+  command: docker build -t {{repo}}/haproxy:{{version}}{{suffix}} -f {{role_path}}/files/haproxyDockerfile {{role_path}}/files
+

roles/build/tasks/main.yml

@@ -6,8 +6,8 @@
     fail_msg: "Review *all* settings in group_vars/all/main.yml"
 
 - include: centos.yml
-- include: nginx.yml
 - include: mysql.yml
+- include: haproxy.yml
 - include: openjdk.yml
 - include: zookeeper.yml
 - include: nifi.yml

roles/build/tasks/nginx.yml

----
-
-- name: Configure the nginx Dockerfile
-  template:
-    src: nginx/Dockerfile.j2
-    dest: "{{role_path}}/files/nginxDockerfile"
-
-- name: Build nginx image
-  command: docker build -t {{repo}}/nginx:{{version}}{{suffix}} -f {{role_path}}/files/nginxDockerfile {{role_path}}/files
-

roles/build/templates/haproxy/Dockerfile.j2

+FROM gn43-dsl/centos:{{version}}{{suffix}}
+
+ENV HAPROXY_VERSION 2.2.3
+ENV HAPROXY_URL https://www.haproxy.org/download/2.2/src/haproxy-2.2.3.tar.gz
+ENV HAPROXY_SHA256 7209db363d4dbecb21133f37b01048df666aebc14ff543525dbea79be202064e
+ENV OPENSSL_VERSION=1.0.2u
+
+
+# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
+RUN \
+  yum install -y epel-release && \
+  yum update -y && \
+  `# Install build tools. Note: perl needed to compile openssl...` \
+  yum install -y \
+  inotify-tools \
+  wget \
+  tar \
+  gzip \
+  make \
+  gcc \
+  perl \
+  pcre-devel \
+  zlib-devel \
+  iptables \
+  pcre2-devel \
+  daemonize \
+  pth-devel && \
+  `# Install newest openssl...` \
+  wget -O /tmp/openssl.tgz https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz && \
+  tar -zxf /tmp/openssl.tgz -C /tmp && \
+  cd /tmp/openssl-* && \
+  ./config --prefix=/usr \
+  --openssldir=/etc/ssl \
+  --libdir=lib          \
+  no-shared zlib-dynamic && \
+  make -j$(getconf _NPROCESSORS_ONLN) V= && make install_sw && \
+  cd && rm -rf /tmp/openssl* && \
+  `# Install HAProxy...` \ 
+  && wget -O haproxy.tar.gz "$HAPROXY_URL" \
+  && echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c \
+  && mkdir -p /usr/src/haproxy \
+  && tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1 \
+  && rm haproxy.tar.gz \
+  \
+  && makeOpts=' \
+    TARGET=linux-glibc \
+    USE_GETADDRINFO=1 \
+    USE_OPENSSL=1 \
+    USE_PCRE2=1 USE_PCRE2_JIT=1 \
+    USE_ZLIB=1 \
+    \
+    EXTRA_OBJS=" \
+# see https://github.com/docker-library/haproxy/issues/94#issuecomment-505673353 for more details about prometheus support
+      contrib/prometheus-exporter/service-prometheus.o \
+    " \
+  ' \
+  && nproc="$(nproc)" \
+  && eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts" \
+  && eval "make -C /usr/src/haproxy install-bin $makeOpts" \
+  \
+  && mkdir -p /usr/local/etc/haproxy \
+  && cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors \
+  && rm -rf /usr/src/haproxy 
+
+ENTRYPOINT ["/bin/bash"]
+
+# https://www.haproxy.org/download/1.8/doc/management.txt
+# "4. Stopping and restarting HAProxy"
+# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
+# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
+STOPSIGNAL SIGUSR1

roles/build/templates/nginx/Dockerfile.j2

-FROM {{repo}}/centos:{{version}}{{suffix}}
-
-RUN yum update -y; \
-    yum install -y wget unzip curl nginx nginx-all-modules
-
-RUN yum clean all
-
-RUN ln -sf /dev/stdout /var/log/nginx/access.log \
-        && ln -sf /dev/stderr /var/log/nginx/error.log
-
-EXPOSE 80 443
-
-STOPSIGNAL SIGTERM
-
-CMD ["nginx", "-g", "daemon off;"]
-

roles/ca/tasks/main.yml

@@ -44,6 +44,7 @@
     - "{{ groups['odfekibanacontainers'] }}"
     - "{{ groups['keycloakcontainers'] }}"
     - "{{ groups['mispcontainers'] }}"
+    - "{{ groups['haproxy'] }}"
   environment:
     EASYRSA_BATCH: 1
     EASYRSA_PKI: roles/ca/files/CA
@@ -61,6 +62,7 @@
     - "{{ groups['odfekibanacontainers'] }}"
     - "{{ groups['keycloakcontainers'] }}"
     - "{{ groups['mispcontainers'] }}"
+    - "{{ groups['haproxy'] }}"
   environment:
     EASYRSA_BATCH: 1
     EASYRSA_PKI: roles/ca/files/CA
@@ -133,6 +135,20 @@
   with_items:
     - "{{ groups['odfekibanacontainers'] }}"
 
+- name: Copy haproxy host cert to haproxy role
+  copy:
+    src: roles/ca/files/CA/issued/{{item}}.crt
+    dest: roles/haproxy/files/{{item}}.crt
+  with_items:
+    - "{{ groups['haproxy'] }}"
+
+- name: Copy haproxy host key to haproxy role
+  copy:
+    src: roles/ca/files/CA/private/{{item}}.key
+    dest: roles/haproxy/files/{{item}}.key
+  with_items:
+    - "{{ groups['haproxy'] }}"
+
 - name: Copy keycloak host certs to keycloak role
   copy:
     src: roles/ca/files/CA/issued/{{item}}.crt

roles/docker/tasks/nginx.yml → roles/docker/tasks/haproxy.yml

 ---
 
-- name: Create nginx proxy
+- name: Create haproxy container
   docker_container:
-    name: "{{ nginx_name }}"
-    hostname: "{{ nginx_name }}"
-    image: "{{ nginx_img }}"
+    name: "{{ haproxy_name }}"
+    hostname: "{{ haproxy_name }}"
+    image: "{{ haproxy_img }}"
     networks:
       - name: "{{ soctools_netname}}"
     networks_cli_compatible: yes
     published_ports:
       - "443:443"
+      - "8888:8888"
       - "8443:8443"
       - "9443:9443"
       - "9200:9200"
       - "7750:7750"
+    entrypoint: "/bin/bash"
+    interactive: "yes"
   tags:
     - start
 
-- name: Destroy nginx proxy
+- name: Destroy haproxy container
   docker_container:
-    name: "{{ nginx_name }}"
+    name: "{{ haproxy_name }}"
     state: absent
   tags:
     - stop

roles/docker/tasks/main.yml

@@ -9,7 +9,7 @@
 - include: odfees.yml
 - include: odfekibana.yml
 - include: misp.yml
-#- include: keycloak.yml
-- include: nginx.yml
+- include: keycloak.yml
+- include: haproxy.yml
 - include: networkremove.yml
 

roles/haproxy/tasks/main.yml

 ---
 # tasks file for haproxy
 
-- name: Create directory
+- name: Copy haproxy configuration file
+  template:
+    src: haproxy.cfg.j2
+    dest: /usr/local/etc/haproxy/haproxy.cfg
+  tags:
+    - start
+
+- name: Create required directories
   file:
-    name: /usr/local/etc/haproxy
-    state: directory
+   path: "{{ item }}"
+   state: directory
+   mode: 0755
+   owner: root
+   group: root
+  with_items:
+  - /opt/haproxy
+  - /etc/ssl/haproxy
+  tags:
+    - start
+
+- name: Generate dhparam file for haproxy
+  shell: "openssl dhparam -out /usr/local/etc/haproxy/dhparam.pem 2048"
+  tags:
+    - start
 
-- name: Copy file
+- name: Copy haproxy certificates
   copy:
-    src: haproxy.cfg
-    dest: /usr/local/etc/haproxy/haproxy.cfg
+    src:  "{{ item }}"
+    dest: "/opt/haproxy/{{ item }}"
\ No newline at end of file
+    mode: 0600
+  with_items:
+    - "{{ inventory_hostname }}.crt"
+    - "{{ inventory_hostname }}.key"
+  tags:
+    - start
+
+- name: Combine crt and key for haproxy
+  assemble:
+    src: /opt/haproxy
+    dest: /etc/ssl/haproxy/{{ inventory_hostname }}.crt
+    owner: root
+    mode: 0600
+  tags:
+    - start
+
+- name: Delete temporary files and directory
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /opt/haproxy/{{ inventory_hostname }}.crt
+    - /opt/haproxy/{{ inventory_hostname }}.key
+    - /opt/haproxy
+  tags:
+    - start
+
+- name: Start haproxy
+  shell: "daemonize -c / -p /haproxy.pid /usr/local/sbin/haproxy -f /usr/local/etc/haproxy/haproxy.cfg"
+  tags:
+    - start
+
+#- name: Stop haproxy
+#  tags:
+#    - stop
+

roles/haproxy/templates/haproxy.cfg.j2

+global
+  #quiet
+  log stdout format raw local0
+  nbproc {{ HAPROXY_PROCESSES }}
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem
+
+defaults
+  mode http
+  maxconn 5000
+  log global
+  timeout connect 5s
+  timeout client  20s
+  timeout server  20s
+
+listen stats
+        bind 0.0.0.0:8888
+        stats enable
+        stats hide-version
+        stats uri     /
+        stats realm   HAProxy Statistics
+        stats auth    haproxy:{{ HAPROXY_STATS_PASS }}
+
+listen nifiserv
+	bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+	mode http
+	maxconn 5000
+	fullconn 5000
+	balance source
+	option tcpka
+{% for nifihost in groups['nificontainers'] %}
+	server {{nifihost}} {{nifihost}}:9443 ssl check verify none
+{% endfor %}
+
+listen odfeserv
+        bind *:9200 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        mode http
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+{% for odfehost in groups['odfeescontainers'] %}
+     	server {{odfehost}} {{odfehost}}:9200 ssl check verify none
+{% endfor %}
+	
+listen keycloakserv
+        bind *:10443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        mode http
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+{% for keycloakhost in groups['keycloakcontainers'] %}
+	server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
+{% endfor %}
+
+{% for port in range(50, 60) %}
+listen nifiservtcp77{{port}}
+	bind *:77{{port}}
+	mode tcp
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+	option tcp-check
+	tcp-check connect port 77{{port}}
+{% for nifihost in groups['nificontainers'] %}
+   	server {{nifihost}} {{nifihost}}:77{{port}} check
+
+{% endfor %}
+{% endfor %}
+
+
+listen nifiservtcp7771
+	bind *:7771
+	mode tcp
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+	option tcp-check
+	tcp-check connect port 7771
+{% for nifihost in groups['nificontainers'] %}
+   	server {{nifihost}} {{nifihost}}:7771 check
+{% endfor %}
+
+
+{% for port in range(5000, 5020) %}
+listen nifiservhttp{{port}}
+        bind *:{{port}}
+        mode http
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+{% for nifihost in groups['nificontainers'] %}
+        server {{nifihost}} {{nifihost}}:{{port}} check
+{% endfor %}
+
+{% endfor %}
+
+
+{% for port in range(6000, 6020) %}
+listen nifiservtcp{{port}}
+        bind *:{{port}}
+        mode tcp 
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+        option tcp-check
+        tcp-check connect port {{port}}
+{% for nifihost in groups['nificontainers'] %}
+        server {{nifihost}} {{nifihost}}:{{port}} check
+{% endfor %}
+
+{% endfor %}

roles/nginx/tasks/main.yml

----
-
-- name: Configure nginx for proxying
-  template:
-    src: nginx.conf.j2
-    dest: /etc/nginx/nginx.conf
-  tags:
-    - start
-    - reconf
-
-- name: Restart nginx service
-  command: nginx -s reload
-  tags:
-    - start
-    - reconf

roles/nginx/templates/nginx.conf.j2

-user  nginx;
-include /usr/share/nginx/modules/*.conf;
-worker_processes  1;
-
-error_log  /var/log/nginx/error.log info;
-pid        /run/nginx.pid;
-events {
-    worker_connections  1024;
-}
-
-stream {
-  resolver 127.0.0.11;
-
-  upstream nifiserv {
-  hash $remote_addr consistent;
-  {% for nifihost in groups['nificontainers'] %}
-     server {{nifihost}}:9443;
-  {% endfor %}
-  }
-  server {
-    listen 9443;
-    proxy_pass nifiserv;
-  }
-
-  upstream odfeserv {
-  hash $remote_addr consistent;
-  {% for odfehost in groups['odfeescontainers'] %}
-     server {{odfehost}}:9200;
-  {% endfor %}
-  }
-  server {
-    listen 9200;
-    proxy_pass odfeserv;
-  }
-
-  upstream keycloakserv {
-  {% for keycloakhost in groups['keycloakcontainers'] %}
-     server {{keycloakhost}}:8443;
-  {% endfor %}
-  }
-  server {
-    listen 10443;
-    proxy_pass keycloakserv;
-  }
-
-  {% for port in range(50, 60) %}
-  upstream nifiservtcp77{{port}} {
-  {% for nifihost in groups['nificontainers'] %}
-     server {{nifihost}}:77{{port}};
-  {% endfor %}
-  }
-  server {
-    listen 77{{port}};
-    proxy_pass nifiservtcp77{{port}};
-  }
-  {% endfor %}
-
-  upstream nifiservtcp7771 {
-  {% for nifihost in groups['nificontainers'] %}
-     server {{nifihost}}:7771;
-  {% endfor %}
-  }
-  server {
-    listen 7771;
-    proxy_pass nifiservtcp7771;
-  }
-}
-

roles/nifi/templates/users.xml.j2

@@ -17,7 +17,7 @@
         <user identifier="c78caf19-016f-1000-0001-{{'%012d'|format(loop.index) }}" identity="CN={{ nifi }}"/>
         {% endfor %}
 	{% for user in soctools_users %}
-        <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}" identity="{{ user.DN }}"/>
+        <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}" identity="{{ user.username }}"/>
         {% endfor %}        
     </users>
 </tenants>

soctools-inventory

@@ -16,12 +16,11 @@ dsoclab-kibana ansible_connection=docker
 [keycloakcontainers]
 dsoclab-keycloak ansible_connection=docker
 
-[nginx]
-dsoclab-nginx ansible_connection=docker
-
 [mysql]
 dsoclab-mysql ansible_connection=docker
 
 [mispcontainers]
 dsoclab-misp ansible_connection=docker
 
+[haproxy]
+dsoclab-haproxy ansible_connection=docker