From 4a6010ab5e0c834394187ea542f7c23d83ddb221 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 25 Jan 2023 15:18:09 +0100
Subject: [PATCH 1/3] Haproxy: Add front and backend for Apple push api We add a seperate front and backend on stepup tiqr servers that also serve as loadbalancer. It allows proxying http/1 requests to the http/2 only Apple API
---
 roles/haproxy/files/sysconfig_haproxy | 5 -----
 roles/haproxy/tasks/main.yml | 5 +++--
 roles/haproxy/templates/haproxy_proxy.cfg.j2 | 14 ++++++++++++++
 roles/haproxy/templates/sysconfig_haproxy.j2 | 1 +
 4 files changed, 18 insertions(+), 7 deletions(-)
 delete mode 100644 roles/haproxy/files/sysconfig_haproxy
 create mode 100644 roles/haproxy/templates/haproxy_proxy.cfg.j2
 create mode 100644 roles/haproxy/templates/sysconfig_haproxy.j2
diff --git a/roles/haproxy/files/sysconfig_haproxy b/roles/haproxy/files/sysconfig_haproxy
deleted file mode 100644
index b440567fe..000000000
--- a/roles/haproxy/files/sysconfig_haproxy
+++ /dev/null
@@ -1,5 +0,0 @@
-# Add extra options to the haproxy daemon here. This can be useful for
-# specifying multiple configuration files with multiple -f options.
-# See haproxy(1) for a complete list of options.
-# This overrides the default haproxy.cfg config file
-CONFIG="/etc/haproxy/haproxy_global.cfg -f /etc/haproxy/haproxy_frontend.cfg -f /etc/haproxy/haproxy_backend.cfg -f /etc/haproxy/haproxy_stick_table_backend.cfg"
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index bc51e97e9..5386f99ea 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -19,8 +19,8 @@ until: haproxy_package_installed is succeeded - name: Copy haproxy sysconfig file - copy: - src: sysconfig_haproxy + template: + src: sysconfig_haproxy.j2 dest: /etc/sysconfig/haproxy notify: - "restart haproxy"
@@ -131,6 +131,7 @@ - haproxy_frontend.cfg - haproxy_backend.cfg - haproxy_stick_table_backend.cfg + - haproxy_proxy.cfg notify: - "reload haproxy"
diff --git a/roles/haproxy/templates/haproxy_proxy.cfg.j2 b/roles/haproxy/templates/haproxy_proxy.cfg.j2
new file mode 100644
index 000000000..fd555888f
--- /dev/null
+++ b/roles/haproxy/templates/haproxy_proxy.cfg.j2
@@ -0,0 +1,14 @@
+{% if 'stepuppapp' in group_names %}
+# Apple API v2 only uses http/2. Since curl on Centos7 does not support http/2 we provide a seperate proxy to fix that.
+frontend apple_fe
+
+ bind 127.0.0.1:5000
+ mode http
+ default_backend apple_be
+
+backend apple_be
+ mode http
+ server apple api.push.apple.com:443 ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt alpn h2 crt /opt/openconext/OpenConext-tiqr/app/files/apns.pem
+{% else %}
+# Empty placeholder. This functionality is only used on StepupTIQR servers that also have the loadbalancer role installed locally
+{% endif %}
diff --git a/roles/haproxy/templates/sysconfig_haproxy.j2 b/roles/haproxy/templates/sysconfig_haproxy.j2
new file mode 100644
index 000000000..a5580b16a
--- /dev/null
+++ b/roles/haproxy/templates/sysconfig_haproxy.j2
@@ -0,0 +1 @@
+CONFIG="/etc/haproxy/haproxy_global.cfg -f /etc/haproxy/haproxy_frontend.cfg -f /etc/haproxy/haproxy_backend.cfg -f /etc/haproxy/haproxy_stick_table_backend.cfg -f /etc/haproxy/haproxy_proxy.cfg"
From c524e6c7fd27b8f86bdebd98a8a307469dd283a0 Mon Sep 17 00:00:00 2001
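Review bot: The `server apple api.push.apple.com:443 ssl verify required ...` line in backend apple_be validates the certificate chain against the CA bundle but does not pin the expected hostname; as far as I recall HAProxy only checks the certificate's name when `sni` or `verifyhost` is given, so a certificate for any name issued by a trusted CA would be accepted. Add `verifyhost api.push.apple.com sni str(api.push.apple.com)` to that server line; the same line is repeated in roles/stepuptiqr/files/haproxy.cfg in the second patch of this series. The `crt /opt/openconext/OpenConext-tiqr/app/files/apns.pem` client certificate (and the key in it) has to be readable by the account HAProxy runs as on the loadbalancer hosts, which this role does not show — verify that rather than loosening the file's permissions. Minor: "seperate" → "separate" in the comment, the blank line after `frontend apple_fe` is stray, and since the commit message speaks of stepup tiqr servers it is worth confirming that `'stepuppapp'` is the intended group name.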
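Review bot: The explanatory header of the deleted roles/haproxy/files/sysconfig_haproxy (that CONFIG overrides the default haproxy.cfg and chains several `-f` options) was dropped when the file became this template, and the template itself contains no Jinja expressions. Keep the four comment lines above the `CONFIG=` line so the next reader knows why the variable is set and why each cfg file is listed; without them a single opaque one-liner is all that is left.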
From: Bart Geesink
Date: Wed, 25 Jan 2023 15:20:28 +0100
Subject: [PATCH 2/3] Stepuptiqr: Add proxy to proxy http/1 requests to the http/2 only Apple API. An Haproxy instance is installed on StepupTIQR machines. It's only purpose is to proxy the requests from Tiqr to the Apple Push Notification service (APNs). Since the curl shipped with CentOS7 is http/1 only, and the APNs is http/2 only we use this proxy.
---
 roles/stepuptiqr/files/haproxy.cfg | 35 ++++++++++++++++++++++++++++++
 roles/stepuptiqr/handlers/main.yml | 5 +++++
 roles/stepuptiqr/tasks/haproxy.yml | 27 +++++++++++++++++++++++
 roles/stepuptiqr/tasks/main.yml | 4 ++++
 4 files changed, 71 insertions(+)
 create mode 100644 roles/stepuptiqr/files/haproxy.cfg
 create mode 100644 roles/stepuptiqr/tasks/haproxy.yml
diff --git a/roles/stepuptiqr/files/haproxy.cfg b/roles/stepuptiqr/files/haproxy.cfg
new file mode 100644
index 000000000..af5358656
--- /dev/null
+++ b/roles/stepuptiqr/files/haproxy.cfg
@@ -0,0 +1,35 @@
+global
+ log 127.0.0.1 local2
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group tiqr
+ daemon
+ stats socket /var/lib/haproxy/stats
+
+defaults
+ mode http
+ log global
+ option httplog
+ option http-server-close
+ option log-health-checks
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+ maxconn 3000
+
+frontend apple_fe
+ bind 127.0.0.1:5000
+ mode http
+ default_backend apple_be
+
+backend apple_be
+ mode http
+ server apple api.push.apple.com:443 ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt alpn h2 crt /opt/openconext/OpenConext-tiqr/app/files/apns.pem
diff --git a/roles/stepuptiqr/handlers/main.yml b/roles/stepuptiqr/handlers/main.yml
index 40eef830c..e561ae404 100644
--- a/roles/stepuptiqr/handlers/main.yml
+++ b/roles/stepuptiqr/handlers/main.yml
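Review bot: `group tiqr` in the global section runs the proxy with the application's group, presumably so it can read the `crt` file under /opt/openconext/OpenConext-tiqr/app/files/, but that also gives the HAProxy process read access to everything else that is group-readable by tiqr. Keep `group haproxy` and grant read access to apns.pem alone instead (a copy owned by root:haproxy with mode 0640, or a filesystem ACL on that one file). `stats socket /var/lib/haproxy/stats` sets no `mode` or `level`, so who can drive the runtime API is left to filesystem defaults; make it explicit, e.g. `stats socket /var/lib/haproxy/stats mode 600 level operator`. `log 127.0.0.1 local2` assumes a syslog listener on the loopback UDP port, which nothing in this series configures — confirm it exists on the TIQR hosts or the proxy's logs are silently dropped. The `server apple ...` line lacks the same hostname verification (`verifyhost`/`sni`) already raised on roles/haproxy/templates/haproxy_proxy.cfg.j2.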
@@ -6,3 +6,8 @@ service: name: php72-php-fpm state: reloaded + +- name: reload haproxy + service: + name: haproxy + state: reloaded
diff --git a/roles/stepuptiqr/tasks/haproxy.yml b/roles/stepuptiqr/tasks/haproxy.yml
new file mode 100644
index 000000000..c44c678bc
--- /dev/null
+++ b/roles/stepuptiqr/tasks/haproxy.yml
@@ -0,0 +1,27 @@
+---
+- name: Enable ius repo
+ yum:
+ name: "https://repo.ius.io/ius-release-el7.rpm"
+ state: present
+
+- name: Install haproxy and socat
+ yum:
+ name:
+ - haproxy20.x86_64
+ - socat
+
+- name: Install haproxy config file
+ copy:
+ src: haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+ owner: root
+ group: haproxy
+ mode: 0640
+ notify:
+ - "reload haproxy"
+
+- name: Start and enable haproxy
+ service:
+ name: haproxy
+ state: started
+ enabled: true
diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml
index 4bbb1dd74..9a7e53e49 100644
--- a/roles/stepuptiqr/tasks/main.yml
+++ b/roles/stepuptiqr/tasks/main.yml
@@ -77,6 +77,10 @@ - "02-tiqr-migrate-to-keyserver.php" when: keyserver_consumerkey is defined +- name: Inlude haproxy tasks + include_tasks: "haproxy.yml" + when: "'loadbalancer' not in group_names" + - meta: flush_handlers - name: Include post installation tasks
From 610d674947bc132fc00c408b417845b07737f591 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 25 Jan 2023 16:39:39 +0100
Subject: [PATCH 3/3] Stepuptiqr: Add the option to configure a local proxy, configurable by setting the boolean apns_http2_proxy to true
---
 roles/stepuptiqr/tasks/main.yml | 2 +-
 roles/stepuptiqr/templates/parameters.yaml.j2 | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml
index 9a7e53e49..13fbead2e 100644
--- a/roles/stepuptiqr/tasks/main.yml
+++ b/roles/stepuptiqr/tasks/main.yml
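Review bot: `name: "https://repo.ius.io/ius-release-el7.rpm"` in the "Enable ius repo" task installs a third-party repository package straight from a URL without first trusting its signing key, so the outcome depends on whether the host's gpgcheck is already satisfied by an imported key — which nothing here establishes. Add a preceding `rpm_key` task for the IUS GPG key (`rpm_key: key: <IUS-KEY-URL-PLACEHOLDER> state: present`) and state `state: present` explicitly on the haproxy20/socat install so the intent is visible. `mode: 0640` on the config copy is an unquoted octal that YAML 1.1 loaders read as the integer 416; write `mode: "0640"` to remove the ambiguity.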
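Review bot: `- name: Inlude haproxy tasks` has a typo in the task name; change it to `- name: Include haproxy tasks`. The same line survives as context in the third patch's roles/stepuptiqr/tasks/main.yml hunk, so the fix belongs in that later revision as well. As far as the two patches show, this `when:` only skips loadbalancer hosts, while the haproxy role enables its embedded proxy by `'stepuppapp' in group_names`; a TIQR host that is in loadbalancer but not in that group would end up with no proxy at all, which deserves a comment on this task explaining the expected group layout.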
@@ -79,7 +79,7 @@ - name: Inlude haproxy tasks include_tasks: "haproxy.yml" - when: "'loadbalancer' not in group_names" + when: "'loadbalancer' not in group_names and apns_http2_proxy |default(false) | bool" - meta: flush_handlers
diff --git a/roles/stepuptiqr/templates/parameters.yaml.j2 b/roles/stepuptiqr/templates/parameters.yaml.j2
index 9dd296728..193cfb152 100644
--- a/roles/stepuptiqr/templates/parameters.yaml.j2
+++ b/roles/stepuptiqr/templates/parameters.yaml.j2
@@ -52,6 +52,11 @@ parameters: apns: certificate: '{{ current_release_config_file_dir_name }}/apns.pem' environment: production +{% if apns_http2_proxy |default(false) | bool %} + version: 2 + proxy_host_url: 'http://localhost' + apns.proxy_host_port: 5000 +{% endif %} accountblocking: maxAttempts: 5 # temporarilyBlockDuration:
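Review bot: `apns_http2_proxy |default(false) | bool` in the new `when:` mixes spacing around the filter pipes; write `apns_http2_proxy | default(false) | bool`, and use the same form in parameters.yaml.j2 where the expression is repeated. If roles/stepuptiqr/defaults does not already declare the variable, add `apns_http2_proxy: false` there so the feature flag is discoverable instead of living only inside the `default(false)` fallback. The task name on the context line above still carries the "Inlude" typo raised on the second patch.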
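Review bot: `apns.proxy_host_port: 5000` under the `apns:` mapping does not follow the form of its new siblings `version` and `proxy_host_url`; if the consumer expects a nested key this should read `proxy_host_port: 5000`, otherwise the dotted key deserves a comment saying why, so confirm it against the application's parameter schema. The proxy address and port are now hard-coded in three places (`http://localhost` / `5000` here, `bind 127.0.0.1:5000` in roles/stepuptiqr/files/haproxy.cfg and in roles/haproxy/templates/haproxy_proxy.cfg.j2); a single role variable such as `apns_http2_proxy_port` (constructed name) rendered in all three would keep them from drifting. Note also that this block is emitted whenever `apns_http2_proxy` is true, while haproxy.yml is skipped on loadbalancer hosts and the haproxy role enables its proxy by group membership, so a host with the flag set but no matching proxy would be pointed at a port nothing listens on.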