Merge pull request #1 from cloudfoundry-community/backwards-compat

Backwards compat

.final_builds/jobs/haproxy/index.yml

@@ -8,4 +8,8 @@ builds:
     version: cd673ae49a46270d661b9db4bc10f0a972615c1e
     sha1: ae14d8c2d61ee62ff177a137464108dd8228144b
     blobstore_id: 0767a040-0ff4-48e4-91f3-8cde0508dafb
+  ee7d6a877a344613620ca2f6346af36f5edec41d:
+    version: ee7d6a877a344613620ca2f6346af36f5edec41d
+    sha1: 97f4f184818d1bb507b7bf52a39c5a94fb440ecc
+    blobstore_id: 691e5089-1a97-4e5d-9e1c-9edf32f80c46
 format-version: '2'

jobs/haproxy/spec

@@ -25,6 +25,9 @@ properties:
   ha_proxy.disable_http:
     description: "Disable port 80 traffic"
     default: false
+  ha_proxy.enable_4443:
+    description: "Enables port 4443 for backwards compatibility with WSS-based apps using the old CF haproxy"
+    default: false
   ha_proxy.ssl_ciphers:
     default: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
     description: "List of SSL Ciphers that are passed to HAProxy"

jobs/haproxy/templates/haproxy.config.erb

@@ -56,6 +56,22 @@ frontend https-in
     reqadd X-Forwarded-Proto:\ https
 <% end %>
 
+<% if_p("ha_proxy.enable_4443") do |wss| %>
+frontend wss-in
+    mode http
+    bind :4443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem no-sslv3 ciphers <%= p("ha_proxy.ssl_ciphers") %>
+    default_backend http-routers
+
+<% if p("ha_proxy.internal_only_domains").size > 0 %>
+    acl public src 0.0.0.0/0
+<% p("ha_proxy.internal_only_domains").each do |domain| %>
+    acl internal hdr(Host) -m sub <%= domain %>
+<% end %>
+    http-request deny if internal public
+<% end %>
+
+    reqadd X-Forwarded-Proto:\ https
+<% end %>
 backend http-routers
     mode http
     balance roundrobin

releases/cf-haproxy/cf-haproxy-3.yml

@@ -0,0 +1,20 @@
+---
+packages:
+- name: haproxy
+  version: 630ad6d6e1d3cab4547ce104f3019b483f354613
+  fingerprint: 630ad6d6e1d3cab4547ce104f3019b483f354613
+  sha1: c3b76f7f41dc290f12658a7e3dfd88f25040e89e
+  dependencies: []
+jobs:
+- name: haproxy
+  version: ee7d6a877a344613620ca2f6346af36f5edec41d
+  fingerprint: ee7d6a877a344613620ca2f6346af36f5edec41d
+  sha1: 97f4f184818d1bb507b7bf52a39c5a94fb440ecc
+license:
+  version: 1128a8ae7526393e7fbf22a18a92b4d0dfdd78c0
+  fingerprint: 1128a8ae7526393e7fbf22a18a92b4d0dfdd78c0
+  sha1: a519125dcf6220495de8f2a487c5d2bb8df6e348
+commit_hash: d0bcafb1
+uncommitted_changes: true
+name: cf-haproxy
+version: '3'

releases/cf-haproxy/index.yml

@@ -4,4 +4,6 @@ builds:
     version: '1'
   fa4778ed-7e7a-4ea1-819c-94ca28a9b867:
     version: '2'
+  cc806973-7047-433c-9324-ea47be8c42ba:
+    version: '3'
 format-version: '2'

templates/example-settings.yml

@@ -7,6 +7,7 @@ meta:
     # and make sure to save this example elsewhere
       internal_only_domains: []
       disable_http: false
+      enable_4443:  false
       backend_port: 80
       connect_timeout:      5
       client_timeout:      30