From d0bcafb162b3985b0aeb95a300a53e840bb2ba33 Mon Sep 17 00:00:00 2001
From: Geoff Franks
Date: Mon, 15 Jun 2015 16:36:25 -0400
Subject: [PATCH 1/2] Added backwards compatibility for port 4443 + wss
---
 jobs/haproxy/spec | 3 +++
 jobs/haproxy/templates/haproxy.config.erb | 16 ++++++++++++++++
 templates/example-settings.yml | 1 +
 3 files changed, 20 insertions(+)
diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec
index 3e8ffbc5..0b8a43cc 100644
--- a/jobs/haproxy/spec
+++ b/jobs/haproxy/spec
@@ -25,6 +25,9 @@ properties:
 ha_proxy.disable_http:
 description: "Disable port 80 traffic"
 default: false
+ ha_proxy.enable_4443:
+ description: "Enables port 4443 for backwards compatibility with WSS-based apps using the old CF haproxy"
+ default: false
 ha_proxy.ssl_ciphers:
 default: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
 description: "List of SSL Ciphers that are passed to HAProxy"
diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
index 8ff7e733..57732e40 100644
--- a/jobs/haproxy/templates/haproxy.config.erb
+++ b/jobs/haproxy/templates/haproxy.config.erb
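Review bot: The new `ha_proxy.enable_4443` description says what the flag is for but not what enabling it exposes, which is what an operator deciding on it needs to know; from the template change in this same patch, it opens a second TLS listener on 4443 using the same `cert.pem` and `ha_proxy.ssl_ciphers` as 443 and proxies to `http-routers` with `X-Forwarded-Proto: https`. Suggest: `description: "Open an additional TLS listener on port 4443 (same certificate and ciphers as 443, proxied to the routers) for backwards compatibility with WSS-based apps that targeted the old CF haproxy. Leave false unless legacy clients still require it."`. If the deployment's security groups or firewall rules are managed per port, it is worth saying in the description that 4443 must be opened there too, but that is an operational assumption to confirm for this release.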
@@ -56,6 +56,22 @@ frontend https-in
 reqadd X-Forwarded-Proto:\ https
 <% end %>
+<% if_p("ha_proxy.enable_4443") do |wss| %>
+frontend wss-in
+ mode http
+ bind :4443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem no-sslv3 ciphers <%= p("ha_proxy.ssl_ciphers") %>
+ default_backend http-routers
+
+<% if p("ha_proxy.internal_only_domains").size > 0 %>
+ acl public src 0.0.0.0/0
+<% p("ha_proxy.internal_only_domains").each do |domain| %>
+ acl internal hdr(Host) -m sub <%= domain %>
+<% end %>
+ http-request deny if internal public
+<% end %>
+
+ reqadd X-Forwarded-Proto:\ https
+<% end %>
 backend http-routers
 mode http
 balance roundrobin
diff --git a/templates/example-settings.yml b/templates/example-settings.yml
index bb92cafd..9814368b 100644
--- a/templates/example-settings.yml
+++ b/templates/example-settings.yml
@@ -7,6 +7,7 @@ meta:
 # and make sure to save this example elsewhere
 internal_only_domains: []
 disable_http: false
+ enable_4443: false
 backend_port: 80
 connect_timeout: 5
 client_timeout: 30
From 6f2e5968a1be1991a8cd0c0899092a89f3fab818 Mon Sep 17 00:00:00 2001
From: Geoff Franks
Date: Mon, 15 Jun 2015 16:38:14 -0400
Subject: [PATCH 2/2] v3 release
---
 .final_builds/jobs/haproxy/index.yml | 4 ++++
 releases/cf-haproxy/cf-haproxy-3.yml | 20 ++++++++++++++++++++
 releases/cf-haproxy/index.yml | 2 ++
 3 files changed, 26 insertions(+)
 create mode 100644 releases/cf-haproxy/cf-haproxy-3.yml
diff --git a/.final_builds/jobs/haproxy/index.yml b/.final_builds/jobs/haproxy/index.yml
index 788b9e2f..ce3ad7c6 100644
--- a/.final_builds/jobs/haproxy/index.yml
+++ b/.final_builds/jobs/haproxy/index.yml
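Review bot: The `<% if_p("ha_proxy.enable_4443") do |wss| %>` guard around the new `wss-in` frontend does not appear to make port 4443 opt-in: as I read bosh-template, `if_p` runs its block whenever the property resolves to a non-nil value, and the `default: false` added to the spec in this patch is such a value, so the 4443 listener would be rendered even when an operator leaves the default or explicitly sets `false` (the block parameter `wss` is also never used). A truthiness check fixes it and matches the `if p("ha_proxy.internal_only_domains").size > 0` style already used in this hunk: `<% if p("ha_proxy.enable_4443") %>` ... `<% end %>`; please confirm against the rendered config on a deployment with the property unset. Separately, the new `bind :4443` reuses `ha_proxy.ssl_ciphers`, whose default in this patch still lists `ECDHE-RSA-RC4-SHA`, `ECDHE-ECDSA-RC4-SHA` and `RC4-SHA`; a legacy-compatibility listener is the last place to keep RC4 reachable, so consider dropping those suites from the default or giving 4443 its own, stricter cipher property.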
@@ -8,4 +8,8 @@ builds:
 version: cd673ae49a46270d661b9db4bc10f0a972615c1e
 sha1: ae14d8c2d61ee62ff177a137464108dd8228144b
 blobstore_id: 0767a040-0ff4-48e4-91f3-8cde0508dafb
+ ee7d6a877a344613620ca2f6346af36f5edec41d:
+ version: ee7d6a877a344613620ca2f6346af36f5edec41d
+ sha1: 97f4f184818d1bb507b7bf52a39c5a94fb440ecc
+ blobstore_id: 691e5089-1a97-4e5d-9e1c-9edf32f80c46
 format-version: '2'
diff --git a/releases/cf-haproxy/cf-haproxy-3.yml b/releases/cf-haproxy/cf-haproxy-3.yml
new file mode 100644
index 00000000..4e88b4a9
--- /dev/null
+++ b/releases/cf-haproxy/cf-haproxy-3.yml
@@ -0,0 +1,20 @@
+---
+packages:
+- name: haproxy
+ version: 630ad6d6e1d3cab4547ce104f3019b483f354613
+ fingerprint: 630ad6d6e1d3cab4547ce104f3019b483f354613
+ sha1: c3b76f7f41dc290f12658a7e3dfd88f25040e89e
+ dependencies: []
+jobs:
+- name: haproxy
+ version: ee7d6a877a344613620ca2f6346af36f5edec41d
+ fingerprint: ee7d6a877a344613620ca2f6346af36f5edec41d
+ sha1: 97f4f184818d1bb507b7bf52a39c5a94fb440ecc
+license:
+ version: 1128a8ae7526393e7fbf22a18a92b4d0dfdd78c0
+ fingerprint: 1128a8ae7526393e7fbf22a18a92b4d0dfdd78c0
+ sha1: a519125dcf6220495de8f2a487c5d2bb8df6e348
+commit_hash: d0bcafb1
+uncommitted_changes: true
+name: cf-haproxy
+version: '3'
diff --git a/releases/cf-haproxy/index.yml b/releases/cf-haproxy/index.yml
index 129c6d0c..faec5d6d 100644
--- a/releases/cf-haproxy/index.yml
+++ b/releases/cf-haproxy/index.yml
@@ -4,4 +4,6 @@ builds:
 version: '1'
 fa4778ed-7e7a-4ea1-819c-94ca28a9b867:
 version: '2'
+ cc806973-7047-433c-9324-ea47be8c42ba:
+ version: '3'
 format-version: '2'