914538eed1
Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt
TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot
und Management-UI werden von edgeguard-api ausgeliefert (Phase 3
implementiert die zugehörigen Handler); HAProxy proxied
/.well-known/acme-challenge/* und Management-FQDN-Traffic an
127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer
weniger, sauberere Trennung.
Renderer (alle mit Embed-Templates + Tests):
* internal/configgen/ — atomic write + systemctl reload helpers
* internal/haproxy/ — :80 + :443, ACME-ACL, Host-Header-Routing,
Stats-Frontend, api_backend Fallback
* internal/firewall/ — default-deny input, stateful baseline,
SSH-Rate-Limit, :80/:443 accept,
Cluster-Peer-Set für mTLS :8443,
Custom-Rules aus PG
* internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented)
Orchestrator + CLI:
* internal/services/configorch/ — fester Reihenfolge-Run, Stubs
sind soft-skip statt fatal
* cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2]
Packaging:
* postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein,
self-signed _default.pem via openssl req (damit HAProxy startet
bevor certbot etwas issuet hat)
* control: Depends nginx raus, openssl rein
* edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api
gin StaticFS"
Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/
haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus
Phase 2 läuft weiter unverändert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
72 lines
2.6 KiB
Smarty
72 lines
2.6 KiB
Smarty
# Generated by edgeguard-api — DO NOT EDIT.
|
|
# Source: internal/haproxy/haproxy.go (template: haproxy.cfg.tpl).
|
|
# Re-generate via `edgeguard-ctl render-config`.
|
|
|
|
global
|
|
log /dev/log local0 info
|
|
log /dev/log local1 notice
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
option forwardfor
|
|
timeout connect 5s
|
|
timeout client 30s
|
|
timeout server 30s
|
|
timeout http-request 10s
|
|
|
|
# ── Public :80 ─────────────────────────────────────────────────────────
|
|
# ACME-01 challenges proxy to edgeguard-api which serves the webroot.
|
|
# Everything else redirects to HTTPS.
|
|
frontend public_http
|
|
bind :80
|
|
|
|
acl is_acme path_beg /.well-known/acme-challenge/
|
|
use_backend api_backend if is_acme
|
|
|
|
http-request redirect scheme https code 301 unless { ssl_fc } is_acme
|
|
|
|
# ── Public :443 ────────────────────────────────────────────────────────
|
|
# TLS termination. Reads certs from /etc/edgeguard/tls/ — postinst
|
|
# seeds a self-signed _default.pem so HAProxy starts before certbot
|
|
# has issued anything.
|
|
frontend public_https
|
|
bind :443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
|
|
|
|
http-response set-header Strict-Transport-Security "max-age=31536000"
|
|
|
|
{{- range $d := .Domains}}
|
|
{{- range $r := $d.Routes}}
|
|
use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
|
|
{{- end}}
|
|
{{- end}}
|
|
|
|
default_backend api_backend
|
|
|
|
# ── Internal stats ─────────────────────────────────────────────────────
|
|
frontend internal_stats
|
|
bind 127.0.0.1:8404
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 10s
|
|
stats admin if { src 127.0.0.1 }
|
|
|
|
# ── Backends ───────────────────────────────────────────────────────────
|
|
|
|
# edgeguard-api itself: management UI, REST API, ACME webroot.
|
|
backend api_backend
|
|
server api1 127.0.0.1:9443 check
|
|
|
|
{{- range .Backends}}
|
|
|
|
backend eg_backend_{{.ID}}
|
|
server {{.Name}} {{.Address}}:{{.Port}}{{if .HealthCheckPath}} check inter 5s{{end}}
|
|
{{- end}}
|