eea · anton16 · Jan 22, 2025 · Jan 23, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 2025-01-16 (3.1-1.0)
+- Upgrade HAproxy to 3.1.2
+
 ## 2023-03-09 (1.8-1.8)
 
 - Upgrade HAproxy to 1.8.31

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,8 @@
 version: "2"
 services:
   haproxy:
-    image: eeacms/haproxy
+    #image: eeacms/haproxy
+    image: h30
     depends_on:
     - webapp
     ports:
@@ -12,10 +13,11 @@ services:
       BACKENDS: "webapp"
       BACKENDS_PORT: "8080"
       DNS_ENABLED: "True"
-      HTTPCHK: "GET /"
+      HTTPCHK: "meth GET uri /"
       INTER: "5s"
       LOG_LEVEL: "info"
   webapp:
     image: eeacms/hello
+    scale: 4
     environment:
       PORT: "8080"
diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile
@@ -1,6 +1,101 @@
-FROM haproxy:1.8.31-buster
+FROM debian:bullseye-slim
 LABEL maintainer="EEA: IDM2 A-Team <eea-edw-a-team-alerts@googlegroups.com>"
 
+USER root
+# runtime dependencies
+RUN set -eux; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+# @system-ca: https://github.com/docker-library/haproxy/pull/216
+		ca-certificates \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
+# roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
+RUN set -eux; \
+	groupadd --gid 99 --system haproxy; \
+	useradd \
+		--gid haproxy \
+		--home-dir /var/lib/haproxy \
+		--no-create-home \
+		--system \
+		--uid 99 \
+		haproxy \
+	; \
+	mkdir /var/lib/haproxy; \
+	chown haproxy:haproxy /var/lib/haproxy
+
+ENV HAPROXY_VERSION 3.1.2
+ENV HAPROXY_URL https://www.haproxy.org/download/3.1/src/haproxy-3.1.2.tar.gz
+ENV HAPROXY_SHA256 af35dc8bf3193870b72276a63920974bef1405fc41038d545b86b641aa59f400
+
+# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
+RUN set -eux; \
+	\
+	savedAptMark="$(apt-mark showmanual)"; \
+	apt-get update && apt-get install -y --no-install-recommends \
+		gcc \
+		libc6-dev \
+		liblua5.4-dev \
+		libpcre2-dev \
+		libssl-dev \
+		make \
+		wget \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	wget -O haproxy.tar.gz "$HAPROXY_URL"; \
+	echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \
+	mkdir -p /usr/src/haproxy; \
+	tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \
+	rm haproxy.tar.gz; \
+	\
+	makeOpts=' \
+		TARGET=linux-glibc \
+		USE_GETADDRINFO=1 \
+		USE_LUA=1 LUA_INC=/usr/include/lua5.4 \
+		USE_OPENSSL=1 \
+		USE_PCRE2=1 USE_PCRE2_JIT=1 \
+		USE_PROMEX=1 \
+		\
+		EXTRA_OBJS=" \
+		" \
+	'; \
+# https://salsa.debian.org/haproxy-team/haproxy/-/commit/53988af3d006ebcbf2c941e34121859fd6379c70
+	dpkgArch="$(dpkg --print-architecture)"; \
+	case "$dpkgArch" in \
+		armel) makeOpts="$makeOpts ADDLIB=-latomic" ;; \
+	esac; \
+	\
+	nproc="$(nproc)"; \
+	eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \
+	eval "make -C /usr/src/haproxy install-bin $makeOpts"; \
+	\
+	mkdir -p /usr/local/etc/haproxy; \
+	cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \
+	rm -rf /usr/src/haproxy; \
+	\
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+# smoke test
+	haproxy -v
+
+# https://www.haproxy.org/download/1.8/doc/management.txt
+# "4. Stopping and restarting HAProxy"
+# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
+# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
+STOPSIGNAL SIGUSR1
+
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
     ca-certificates \
@@ -15,10 +110,16 @@ RUN apt-get update \
  && sed -i '/#$UDPServerRun/c\$UDPServerRun 514'  /etc/rsyslog.conf \
  && sed -i '/$UDPServerRun 514/a $UDPServerAddress 127.0.0.1' /etc/rsyslog.conf \
  && sed -i '/cron.*/a local2.*                          \/proc\/1\/fd\/1' /etc/rsyslog.conf \
- && mv /usr/local/bin/docker-entrypoint.sh /usr/local/bin/haproxy-entrypoint.sh 
-
+ && sed -i '/^module(load="imklog")/s/^/#/' /etc/rsyslog.conf 
+ 
 COPY src/haproxy.cfg /tmp/
 COPY src/configure.py src/track_hosts src/track_dns /
+
 COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# https://github.com/docker-library/haproxy/issues/200
+WORKDIR /var/lib/haproxy
 
+CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
 
diff --git a/haproxy/Readme.md b/haproxy/Readme.md
@@ -3,16 +3,18 @@
 This image is generic, thus you can obviously re-use it within
 your non-related EEA projects.
 
- - Debian: **Buster**
- - HAProxy: **1.8**
+ - Debian: **Bullseye**
+ - HAProxy: **2.9**
  - Expose: **5000**
 
 ### Supported tags and respective Dockerfile links
 
-  - `:latest` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/blob/master/haproxy/Dockerfile) - Debian: **Buster**, HAProxy: **1.8**
+  - `:latest` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/blob/master/haproxy/Dockerfile) - Debian: **bullseye**, HAProxy: **2.9**
 
 ### Stable and immutable tags
 
+  - `:2.9-1.1` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/2.9-1.1/haproxy/Dockerfile) - HAProxy: **2.9.9** Release: **1.1**
+  - `:2.0-1.0` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/2.0-1.0/haproxy/Dockerfile) - HAProxy: **2.0.31** Release: **1.0**
   - `:1.8-1.8` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/1.8-1.8/haproxy/Dockerfile) - HAProxy: **1.8.31** Release: **1.8**
   - `:1.8-1.7` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/1.8-1.7/haproxy/Dockerfile) - HAProxy: **1.8.30** Release: **1.7**
   - `:1.8-1.6` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/1.8-1.6/haproxy/Dockerfile) - HAProxy: **1.8.29** Release: **1.6**
@@ -150,7 +152,7 @@ either when running the container or in a `docker-compose.yml` file.
   * `TIMEOUT_CONNECT` the maximum time to wait for a connection attempt to a VPS to succeed. Default `5000` ms
   * `TIMEOUT_CLIENT` timeouts apply when the client is expected to acknowledge or send data during the TCP process. Default `50000` ms
   * `TIMEOUT_SERVER` timeouts apply when the server is expected to acknowledge or send data during the TCP process. Default `50000` ms
-  * `HTTPCHK` The HTTP method and uri used to check on the servers health - default `HEAD /`
+  * `HTTPCHK` The HTTP method and uri used to check on the servers health - default `meth GET uri /`
   * `HTTPCHK_HOST` Host Header override on http Health Check - default `localhost`
   * `INTER` parameter sets the interval between two consecutive health checks. If not specified, the default value is `2s`
   * `FAST_INTER` parameter sets the interval between two consecutive health checks when the server is any of the transition state (read above): UP - transitionally DOWN or DOWN - transitionally UP. If not set, then `INTER` is used.

diff --git a/haproxy/docker-entrypoint.sh b/haproxy/docker-entrypoint.sh
@@ -1,5 +1,20 @@
 #!/bin/bash
 
+set -e
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- haproxy "$@"
+fi
+
+if [ "$1" = 'haproxy' ]; then
+	shift # "haproxy"
+	# if the user wants "haproxy", let's add a couple useful flags
+	#   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
+	#   -db -- disables background mode
+	set -- haproxy -W -db "$@"
+fi
+
 #fix variable _name to not have /
 if [ -n "$FRONTEND_NAME" ]; then
     export FRONTEND_NAME="${FRONTEND_NAME//\//}"
@@ -67,10 +82,10 @@ fi
 
 
 #start logging
-service rsyslog restart
+rsyslogd
 
 #start crontab
 service cron restart
 
-exec /usr/local/bin/haproxy-entrypoint.sh "$@"
+exec "$@"
 
diff --git a/haproxy/src/configure.py b/haproxy/src/configure.py
@@ -28,7 +28,7 @@
 TIMEOUT_CONNECT = os.environ.get('TIMEOUT_CONNECT', '5000')
 TIMEOUT_CLIENT = os.environ.get('TIMEOUT_CLIENT', '50000')
 TIMEOUT_SERVER = os.environ.get('TIMEOUT_SERVER', '50000')
-HTTPCHK = os.environ.get('HTTPCHK', 'HEAD /')
+HTTPCHK = os.environ.get('HTTPCHK', 'meth GET uri /')
 HTTPCHK_HOST = os.environ.get('HTTPCHK_HOST', 'localhost')
 INTER = os.environ.get('INTER', '2s')
 FAST_INTER = os.environ.get('FAST_INTER', INTER)
@@ -81,10 +81,11 @@
 
 backend_type_http = Template("""
     option forwardfor
+    option httpchk
     http-request set-header X-Forwarded-Port %[dst_port]
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
-    option httpchk $httpchk HTTP/1.1\\r\\nHost:$httpchk_host
-""")
+    http-check send $httpchk ver HTTP/1.1 hdr host $httpchk_host
+    """)
 
 backend_conf_plus = Template("""
     server $name-$index $host:$port $cookies check