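# syntax=docker/dockerfile:1
# Pin the base tag instead of :latest so two builds of the same commit start
# from the same image. The build stage switches its package index to edge
# anyway (see the first RUN), so this mainly pins the initial apk toolchain.
ARG ALPINE_TAG=3.21
FROM alpine:${ALPINE_TAG} AS builder
# TLS library to build HAProxy against: openssl | libressl | aws-lc | wolfssl.
# Defaults to openssl so a plain `docker build` yields a working binary; with
# SSL_LIBRARY unset none of the library branches below run and the HAProxy
# compile (USE_OPENSSL=1) fails for lack of headers.
ARG SSL_LIBRARY=openssl
# Upstream release tags. Bump these to upgrade; they are also the only thing
# pinning what gets downloaded (see the integrity notes in the first RUN).
ARG AWS_LC_TAG=v1.43.0 \
LIBRESSL_TAG=v3.9.2 \
OPENSSL_TAG=openssl-3.4.0 \
WOLFSSL_TAG=v5.7.6 \
LIBSLZ_TAG=v1.2.1 \
HAPROXY_VERSION=3.1.2
# Skeleton of the final root filesystem. From how it is used below it is
# expected to contain at least /etc/ssl, /var/lib/haproxy/stats and
# /etc/haproxy/haproxy.cfg — confirm against the repository.
COPY --link ["scratchfs", "/scratchfs"]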
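RUN <<EOF
set -ex
# Fail the step when any command in a pipeline fails. Without this the
# `curl ... | tar` downloads below only report tar's exit status, so a
# failed or truncated download would be silently ignored (busybox ash
# supports pipefail).
set -o pipefail
#
# Switch the package index to edge. POSIX ERE (what busybox sed -r uses)
# has no \d class, so the original `v\d+\.\d+` pattern could not match a
# `v3.21`-style line; [0-9] is the portable spelling.
sed -i -r 's/v[0-9]+\.[0-9]+/edge/g' /etc/apk/repositories
apk update
apk upgrade --no-interactive --latest
# Toolchain goes into a virtual package; it only exists in this build
# stage and never reaches the scratch image. Repository over https so the
# index and packages are fetched through an authenticated channel.
apk add --no-cache --virtual .build-deps \
autoconf \
automake \
clang \
cmake \
curl \
file \
git \
go \
gnupg \
libc-dev \
libtool \
linux-headers \
lua5.4-dev \
make \
openssl \
patch \
pcre2-dev \
perl \
readline-dev \
samurai \
tar \
util-linux-misc \
--repository=https://dl-cdn.alpinelinux.org/alpine/edge/main
#
# Prepare destination scratchfs
#
# Create self-signed certificate for localhost. NOTE: the private key is
# generated at build time and baked into the image layer; treat it as a
# placeholder for local testing and mount real certificates at runtime.
openssl req -x509 -newkey rsa:4096 -nodes -keyout /scratchfs/etc/ssl/localhost.pem.key -out /scratchfs/etc/ssl/localhost.pem -days 365 -sha256 -subj "/CN=localhost"
# 1000:1000 is presumably the uid/gid haproxy.cfg drops to — confirm.
chown 1000:1000 /scratchfs/etc/ssl/localhost.pem.key /scratchfs/var/lib/haproxy /scratchfs/var/lib/haproxy/stats
#
# Mozilla CA cert bundle
#
# --fail: without it curl exits 0 on an HTTP error and writes the error
# body to the output file.
curl --fail --silent --show-error --location --compressed --output /scratchfs/etc/ssl/cacert.pem https://curl.haxx.se/ca/cacert.pem
curl --fail --silent --show-error --location --compressed --output /scratchfs/etc/ssl/cacert.pem.sha256 https://curl.haxx.se/ca/cacert.pem.sha256
cd /scratchfs/etc/ssl
# The .sha256 comes from the same origin as the bundle, so this detects a
# corrupted or truncated transfer, not a compromised upstream.
sha256sum -c /scratchfs/etc/ssl/cacert.pem.sha256
rm /scratchfs/etc/ssl/cacert.pem.sha256
mkdir -p /usr/src
#
# Source downloads
#
# fetch_src NAME URL: download a tarball and unpack it into /usr/src/NAME
# with the top-level directory stripped. Tags pin the version but nothing
# verifies the archive beyond TLS; consider recording a sha256 per tarball
# and checking it here.
fetch_src() {
curl --fail --silent --show-error --location "$2" | tar xz -C /usr/src --one-top-level="$1" --strip-components=1
}
#
# OpenSSL library (with QUIC support)
#
if [ "${SSL_LIBRARY}" = "openssl" ]; then fetch_src openssl https://github.com/openssl/openssl/archive/refs/tags/${OPENSSL_TAG}.tar.gz; fi
#
# LibreSSL
#
if [ "${SSL_LIBRARY}" = "libressl" ]; then fetch_src libressl https://github.com/libressl-portable/portable/archive/refs/tags/${LIBRESSL_TAG}.tar.gz; fi
#
# AWS-LC
#
if [ "${SSL_LIBRARY}" = "aws-lc" ]; then fetch_src aws-lc https://github.com/aws/aws-lc/archive/refs/tags/${AWS_LC_TAG}.tar.gz; fi
#
# WolfSSL (upstream names the tag "<version>-stable")
#
if [ "${SSL_LIBRARY}" = "wolfssl" ]; then fetch_src wolfssl https://github.com/wolfSSL/wolfssl/archive/refs/tags/${WOLFSSL_TAG}-stable.tar.gz; fi
#
# libslz
#
fetch_src libslz https://github.com/wtarreau/libslz/archive/refs/tags/${LIBSLZ_TAG}.tar.gz
#
# HAProxy — over https; the plain-http URL left the source of the main
# binary open to tampering in transit. The download directory is the
# major.minor branch, i.e. HAPROXY_VERSION with its last component removed.
#
HAPROXY_BRANCH="${HAPROXY_VERSION%.*}"
fetch_src haproxy https://www.haproxy.org/download/${HAPROXY_BRANCH}/src/haproxy-${HAPROXY_VERSION}.tar.gz
#
# OpenSSL — static library only, no tests
#
if [ "${SSL_LIBRARY}" = "openssl" ]; then
cd /usr/src/openssl
CC=clang ./Configure no-shared no-tests linux-generic64
make -j$(getconf _NPROCESSORS_ONLN) && make install_sw
fi
#
# LibreSSL
#
if [ "${SSL_LIBRARY}" = "libressl" ]; then
cd /usr/src/libressl
./autogen.sh
CC=clang CXX=clang++ ./configure \
--disable-shared \
--disable-tests \
--enable-static
make -j$(getconf _NPROCESSORS_ONLN) install
fi
#
# AWS-LC — built with cmake/ninja (ninja is provided by the samurai
# package); the .openssl/ tree mimics an OpenSSL install layout so the
# HAProxy build can point SSL_INC/SSL_LIB at it.
#
if [ "${SSL_LIBRARY}" = "aws-lc" ]; then
cd /usr/src/aws-lc
mkdir -p .openssl/lib .openssl/include
ln -sf /usr/src/aws-lc/include/openssl /usr/src/aws-lc/.openssl/include/openssl
CC=clang CXX=clang++ cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release
ninja -C build
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib
fi
#
# WolfSSL — the --enable-haproxy/--enable-quic options select the
# OpenSSL-compatibility surface HAProxy needs.
#
if [ "${SSL_LIBRARY}" = "wolfssl" ]; then
cd /usr/src/wolfssl
./autogen.sh
CC=clang CXX=clang++ ./configure \
--disable-examples \
--disable-shared \
--enable-static \
--enable-alpn \
--enable-earlydata \
--enable-haproxy \
--enable-quic \
--enable-tlsv12 \
--enable-tls13 \
--enable-curve25519 \
--enable-ed25519
make -j$(getconf _NPROCESSORS_ONLN) install
fi
#
# Compile libslz (static, linked into haproxy by the next RUN)
#
cd /usr/src/libslz
make CC=clang static
EOF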
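RUN <<EOF
#
# Compile HAProxy
#
# -e is required: heredoc lines are not &&-chained, so without it a failed
# `make` was only caught indirectly by the final `cp`.
set -ex
cd /usr/src/haproxy
# Default make options. Kept as a whitespace-separated string and expanded
# unquoted below on purpose, so word splitting turns it into one make
# argument per line.
# Note: USE_PCRE2_STATIC is implied due to static LD_FLAGS
MAKE_OPTS=" \
TARGET=linux-musl \
CPU=generic \
CC=clang \
CXX=clang \
SLZ_INC=/usr/src/libslz/src \
SLZ_LIB=/usr/src/libslz \
LUA_INC=/usr/include/lua5.4 \
LUA_LIB=/usr/lib/lua5.4 \
LUA_LIB_NAME=lua \
USE_CPU_AFFINITY=1 \
USE_GETADDRINFO=1 \
USE_LIBCRYPT=1 \
USE_LUA=1 \
USE_NS=1 \
USE_OPENSSL=1 \
USE_PCRE2=1 \
USE_PCRE2_JIT=1 \
USE_QUIC=1 \
USE_TFO=1 \
USE_THREAD=1 \
"
# Per-library extras; empty for libressl, which needs nothing beyond the
# defaults (the library was installed to the default prefix).
MAKE_OPTS_EXTRA=""
if [ "${SSL_LIBRARY}" = "openssl" ]; then
MAKE_OPTS_EXTRA=" \
USE_QUIC_OPENSSL_COMPAT=1 \
"
fi
if [ "${SSL_LIBRARY}" = "wolfssl" ]; then
MAKE_OPTS_EXTRA=" \
SSL_INC=/usr/local/include/wolfssl \
USE_OPENSSL_WOLFSSL=1 \
"
fi
if [ "${SSL_LIBRARY}" = "aws-lc" ]; then
MAKE_OPTS_EXTRA=" \
SSL_INC=/usr/src/aws-lc/.openssl/include \
SSL_LIB=/usr/src/aws-lc/.openssl/lib \
USE_OPENSSL_AWSLC=1 \
"
fi
# Fully static, stripped binary so it can run from `scratch`; SUBVERS tags
# the version string (`haproxy -v`) with the TLS backend it was built with.
make -j "$(getconf _NPROCESSORS_ONLN)" \
$MAKE_OPTS \
$MAKE_OPTS_EXTRA \
LDFLAGS="-g -w -static -s" \
SUBVERS="-http3-${SSL_LIBRARY}"
make PREFIX=/usr install-bin
# Build diagnostics: size, linkage (must say statically linked) and the
# compiled-in feature list. Running -vv also proves the binary executes.
ls -lh /usr/sbin/haproxy
file /usr/sbin/haproxy
/usr/sbin/haproxy -vv
cp /usr/sbin/haproxy /scratchfs/usr/sbin/
EOF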
# Runtime image: nothing but the files staged in /scratchfs (the static
# haproxy binary, certificates and config). There is no shell, package
# manager or libc in the final image.
FROM scratch
COPY --from=builder /scratchfs /
# Documented listeners. 8443/udp is presumably the QUIC/HTTP/3 listener
# (the binary is built with USE_QUIC=1) — confirm against haproxy.cfg.
EXPOSE 8080/tcp
EXPOSE 8443/tcp 8443/udp
# SIGUSR1 asks HAProxy for a soft stop (finish in-flight sessions) rather
# than the immediate stop its default SIGTERM handling performs.
STOPSIGNAL SIGUSR1
# No USER directive: the process starts as root. The build stage chowns
# /var/lib/haproxy to 1000:1000, which suggests haproxy.cfg drops
# privileges itself — verify, since the config is not visible here.
ENTRYPOINT ["/usr/sbin/haproxy"]
CMD ["-f", "/etc/haproxy/haproxy.cfg"]