f0589e5628
Box (Debian 13 Trixie, amd64): apt install ./edgeguard-{api,ui,meta}.deb
zieht postgresql-17, haproxy 3.0, certbot, openssl, etc. nach.
postinst flow läuft sauber: migrate check → initdb → migrate up
(8 migrations) → render-config → install HAProxy drop-in → restart
haproxy → enable api+scheduler. Self-register in ha_nodes nach
Setup-Wizard funktioniert.
End-to-end smoke gegen 89.163.205.6:
* :80 → 301 Moved Permanently → https://
* :443 → TLS termination (self-signed _default.pem aus postinst)
→ JSON envelope vom api_backend (HTTP/2 + HSTS)
* / → React index.html aus /usr/share/edgeguard/ui/
Änderungen:
* control: keydb-server von Depends nach Recommends — single-node v1
installiert ohne KeyDB. Phase-3.1 multi-node bringt es zurück nach
Depends sobald ein eigenes APT-Repo das Paket bereitstellt.
* postinst: render-config (--no-reload) + HAProxy-Drop-in installen +
systemctl restart haproxy als zusätzliche Schritte.
* postrm: drop-in auf remove + purge entfernen, daemon-reload, ggf.
haproxy auf distro-default zurückreloaden.
* deploy/systemd/haproxy-edgeguard.conf: Drop-in lenkt HAProxy-Unit
auf /etc/edgeguard/haproxy/haproxy.cfg statt /etc/haproxy/haproxy.cfg.
After=edgeguard-api.service vermeidet 503-Race in den ersten 5s.
* scripts/apt-repo/build-package.sh: shippt Drop-in unter
/etc/edgeguard/systemd/haproxy-edgeguard.conf in der edgeguard-api.deb.
* haproxy.cfg.tpl: http-request redirect vor use_backend → keine
HAProxy-Warning beim Parsen mehr.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
75 lines
2.8 KiB
Smarty
75 lines
2.8 KiB
Smarty
# Generated by edgeguard-api — DO NOT EDIT.
|
|
# Source: internal/haproxy/haproxy.go (template: haproxy.cfg.tpl).
|
|
# Re-generate via `edgeguard-ctl render-config`.
|
|
|
|
global
|
|
log /dev/log local0 info
|
|
log /dev/log local1 notice
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
option forwardfor
|
|
timeout connect 5s
|
|
timeout client 30s
|
|
timeout server 30s
|
|
timeout http-request 10s
|
|
|
|
# ── Public :80 ─────────────────────────────────────────────────────────
|
|
# ACME-01 challenges proxy to edgeguard-api which serves the webroot.
|
|
# Everything else redirects to HTTPS.
|
|
frontend public_http
|
|
bind :80
|
|
|
|
acl is_acme path_beg /.well-known/acme-challenge/
|
|
|
|
# Redirect to HTTPS first (skipped for ACME paths) — must come
|
|
# before use_backend so HAProxy doesn't warn about ordering.
|
|
http-request redirect scheme https code 301 unless is_acme
|
|
|
|
use_backend api_backend if is_acme
|
|
|
|
# ── Public :443 ────────────────────────────────────────────────────────
|
|
# TLS termination. Reads certs from /etc/edgeguard/tls/ — postinst
|
|
# seeds a self-signed _default.pem so HAProxy starts before certbot
|
|
# has issued anything.
|
|
frontend public_https
|
|
bind :443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
|
|
|
|
http-response set-header Strict-Transport-Security "max-age=31536000"
|
|
|
|
{{- range $d := .Domains}}
|
|
{{- range $r := $d.Routes}}
|
|
use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
|
|
{{- end}}
|
|
{{- end}}
|
|
|
|
default_backend api_backend
|
|
|
|
# ── Internal stats ─────────────────────────────────────────────────────
|
|
frontend internal_stats
|
|
bind 127.0.0.1:8404
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 10s
|
|
stats admin if { src 127.0.0.1 }
|
|
|
|
# ── Backends ───────────────────────────────────────────────────────────
|
|
|
|
# edgeguard-api itself: management UI, REST API, ACME webroot.
|
|
backend api_backend
|
|
server api1 127.0.0.1:9443 check
|
|
|
|
{{- range .Backends}}
|
|
|
|
backend eg_backend_{{.ID}}
|
|
server {{.Name}} {{.Address}}:{{.Port}}{{if .HealthCheckPath}} check inter 5s{{end}}
|
|
{{- end}}
|