From 7af4ce13ac308f401ce78a4059a0e9513f438d23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Gruszczy=C5=84ski?=
Date: Mon, 22 Sep 2025 09:18:45 +0200
Subject: [PATCH] push
---
 docker-compose.yml | 40 ++++++++++++++++++++++++++++++++++++
 haproxy/haproxy.cfg | 49 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 docker-compose.yml
 create mode 100644 haproxy/haproxy.cfg
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..6859635
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,40 @@
+services:
+ certgen:
+ image: alpine:3.20
+ command: >
+ sh -c '
+ mkdir -p /certs;
+ if [ ! -f /certs/selfsigned.pem ]; then
+ openssl req -x509 -nodes -newkey rsa:2048 -days 825
+ -subj "/CN=*.internal"
+ -keyout /certs/selfsigned.key -out /certs/selfsigned.crt;
+ cat /certs/selfsigned.key /certs/selfsigned.crt > /certs/selfsigned.pem;
+ fi
+ '
+ volumes:
+ - ./certs:/certs
+ networks: [intranet]
+
+ haproxy:
+ image: haproxy:3.2
+ depends_on: [certgen]
+ command: >
+ sh -c '
+ for i in 1 2 3 4 5; do
+ [ -f /certs/selfsigned.pem ] && break;
+ sleep 1;
+ done;
+ haproxy -f /usr/local/etc/haproxy/haproxy.cfg
+ '
+ volumes:
+ - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+ - ./certs:/certs:ro
+ ports:
+ - "443:443"
+ - "80:80"
+ restart: unless-stopped
+ networks: [intranet]
+
+networks:
+ intranet:
+ external: true
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
new file mode 100644
index 0000000..6321e34
--- /dev/null
+++ b/haproxy/haproxy.cfg
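Review bot: The self-signed certificate in the certgen command is built with only a CN (`-subj "/CN=*.internal"`) and no subjectAltName, so browsers and Go/Java clients that ignore CN will reject it for every *.internal host even once the cert itself is trusted; add `-addext "subjectAltName=DNS:*.internal"` to the openssl line. As far as I know the bare alpine:3.20 image does not ship the openssl CLI, in which case certgen exits with "openssl: not found", no pem is written, and haproxy starts after its five-second wait and fails on the ssl bind — `apk add --no-cache openssl;` before the `if` would cover that, and a first `docker compose up` would confirm it. The private key is written into the host-side `./certs` bind mount, so its on-host permissions are worth checking after generation.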
@@ -0,0 +1,49 @@
+global
+ log stdout format raw local0
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ ssl-default-bind-ciphers PROFILE=SYSTEM
+
+defaults
+ log global
+ mode http
+ option httplog
+ timeout connect 5s
+ timeout client 30s
+ timeout server 30s
+ http-reuse safe
+ option httpchk GET /
+
+frontend fe_https
+ bind :443 ssl crt /certs/selfsigned.pem
+ bind :80
+
+ http-request set-header X-Forwarded-For %[src]
+ http-request set-header X-Forwarded-Proto https
+ http-response del-header Server
+
+ acl host_hosts hdr(host) -i hosts.internal
+ acl host_routerosbackup hdr(host) -i routerosbackup.internal
+ acl host_routerosupdate hdr(host) -i routerosupdate.internal
+ acl host_sslmonitor hdr(host) -i sslmonitor.internal
+
+ use_backend be_hosts if host_hosts
+ use_backend be_routerosbackup if host_routerosbackup
+ use_backend be_routerosupdate if host_routerosupdate
+ use_backend be_sslmonitor if host_sslmonitor
+ default_backend be_404
+
+# backendy po nazwach usług w tej samej sieci "intranet"
+backend be_hosts
+ server s1 hosts_app:5580 check
+
+backend be_routerosbackup
+ server s1 routeros_backup:5581 check
+
+backend be_routerosupdate
+ server s1 routeros_update:5582 check
+
+backend be_sslmonitor
+ server s1 ssl_monitor:5583 check
+
+backend be_404
+ http-request deny deny_status 404
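Review bot: `http-request set-header X-Forwarded-Proto https` in fe_https is applied unconditionally, but the same frontend also has `bind :80`, so requests that arrive in cleartext are presented to the backends as HTTPS and any secure-cookie or redirect logic keyed on that header will be wrong. Either redirect plaintext first, `http-request redirect scheme https code 301 unless { ssl_fc }`, or derive the header from the connection, `http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)]`. Separately, `ssl-default-bind-ciphers PROFILE=SYSTEM` is a Red Hat crypto-policies alias; the official haproxy image is Debian-based and I would expect its OpenSSL to reject that string at startup, so running `haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg` inside the image before relying on it is worth doing.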