push

docker-compose.yml

@@ -7,13 +7,17 @@ services:
       sh -euc '
         mkdir -p /certs;
         apk add --no-cache openssl;
-        [ -f /certs/selfsigned.pem ] || {
+        gen() {
           openssl req -x509 -nodes -newkey rsa:2048 -days 825 \
             -subj "/CN=*.internal" \
             -addext "subjectAltName=DNS:*.internal,DNS:hosts.internal,DNS:routerosbackup.internal,DNS:routerosupdate.internal,DNS:sslmonitor.internal" \
             -keyout /certs/selfsigned.key -out /certs/selfsigned.crt;
-          cat /certs/selfsigned.key /certs/selfsigned.crt > /certs/selfsigned.pem;
+          cat /certs/selfsigned.crt /certs/selfsigned.key > /certs/selfsigned.pem;  # CERT -> KEY
         }
+        # jeśli brak lub nieprawidłowy PEM to wygeneruj
+        if ! [ -f /certs/selfsigned.pem ] || ! openssl x509 -in /certs/selfsigned.pem -noout >/dev/null 2>&1; then
+          gen
+        fi
       '
     volumes:
       - ./certs:/certs

haproxy/haproxy.cfg

@@ -11,12 +11,13 @@ defaults
     timeout client  30s
     timeout server  30s
     http-reuse safe
-    option httpchk GET /
+
+frontend fe_http
+    bind :80
+    http-request redirect scheme https code 301
 
 frontend fe_https
     bind :443 ssl crt /certs/selfsigned.pem
-    bind :80
-
     http-request set-header X-Forwarded-For %[src]
     http-request set-header X-Forwarded-Proto https
     http-response del-header Server
@@ -32,7 +33,6 @@ frontend fe_https
     use_backend be_sslmonitor       if host_sslmonitor
     default_backend be_404
 
-# backendy po nazwach usług w tej samej sieci "intranet"
 backend be_hosts
     server s1 hosts_app:5580 check