Add local proxy sidecar

.gitignore

@@ -42,3 +42,4 @@
 
 /node_modules
 /coverage/
+/vars.*.yml

manifest.yml

@@ -4,6 +4,7 @@ defaults: &defaults
     - https://github.com/cloudfoundry/apt-buildpack
     - nodejs_buildpack
     - ruby_buildpack
+    - binary_buildpack
   memory: 512M
   disk_quota: 2G
   stack: cflinuxfs4
@@ -15,6 +16,11 @@ applications:
   <<: *defaults
   instances: 1
   disk_quota: 6GB
+  sidecars:
+    - name: local-proxy
+      process_types: [ 'web' ]
+      command: ./proxy/caddy run --config proxy/Caddyfile.local
+      memory: 64M
   env:
     RAILS_ENV: dev
     RAILS_LOG_TO_STDOUT: true
@@ -25,4 +31,20 @@ applications:
     LOGIN_PRIVATE_KEY_PATH: dev_key.pem
     LOGIN_PUBLIC_KEY_PATH: dev_cert.pem
     LOGIN_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/auth/result
-    LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/
+    LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/
+
+- name: challenge-proxy
+  buildpacks:
+    - binary_buildpack
+  routes:
+    - route: challenge-proxy.apps.internal
+  stack: cflinuxfs4
+  memory: 64M
+  path: proxy
+  health-check-type: process
+  command: ./caddy run --config Caddyfile
+  env:
+    PROXY_USERNAME: ((username))
+    PROXY_PASSWORD: ((password))
+    PROXY_DENY: ((proxydeny))
+    PROXY_ALLOW: ((proxyallow))

proxy/.profile

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Despite the temptation to use #!/bin/bash, we want to keep this file as as
+# POSIX sh-compatible as possible. This is to facilitate testing the .profile
+# under Alpine, which doesn't have /bin/bash, but does have ash (which is itself
+# a flavor of busybox).
+ENABLE_ASH_BASH_COMPAT=1
+
+set -e
+
+# Ensure there's only one entry per line, and leave no whitespace
+PROXY_DENY=$(  echo -n "$PROXY_DENY"  | sed 's/^\S/ &/' | sed 's/\ /\n/g' | sed '/^\s*$/d' )
+PROXY_ALLOW=$( echo -n "$PROXY_ALLOW" | sed 's/^\S/ &/' | sed 's/\ /\n/g' | sed '/^\s*$/d' )
+
+# Append to the appropriate files
+echo -n "$PROXY_DENY"  > deny.acl
+echo -n "$PROXY_ALLOW" > allow.acl
+
+# Newline Terminate Non-Empty File If Not Already aka ntnefina
+# https://stackoverflow.com/a/10082466/17138235
+#
+# It's unclear if this works properly under Alpine because it uses ANSI-C
+# quoting; that needs more testiing. However, if caddy complains about a blank
+# in the file, you know why!
+ntnefina() {
+    if [ -s "$1" ] && [ "$(tail -c1 "$1"; echo x)" != $'\nx' ]; then
+        echo "" >> "$1"
+    fi
+}
+
+ntnefina deny.acl
+ntnefina allow.acl
+
+# Make it easy to run curl tests on ourselves
+https_proxy="https://$PROXY_USERNAME:$PROXY_PASSWORD@$(echo "$VCAP_APPLICATION" |  jq .application_uris[0] | sed 's/"//g'):61443"
+export https_proxy
+
+# Make open ports configurable via the PROXY_PORTS environment variable.
+# For example "80 443 22 61443". Default to 443 only.
+if [ -z "${PROXY_PORTS}" ]; then
+  PROXY_PORTS="443"
+fi
+export PROXY_PORTS
+
+echo
+echo
+echo "The proxy connection URL is:"
+echo "  $https_proxy"

proxy/Caddyfile

@@ -0,0 +1,28 @@
+{
+	debug
+	log {
+		format console
+		level INFO
+	}
+	auto_https off
+}
+
+:{$PORT} {
+	route {
+		forward_proxy {
+			basic_auth {$PROXY_USERNAME} {$PROXY_PASSWORD}
+			acl {
+				deny_file deny.acl
+				allow_file allow.acl
+				deny all
+			}
+			ports {$PROXY_PORTS}
+			serve_pac
+		}
+	}
+	log {
+		format json
+		level INFO
+		output stdout
+	}
+}

proxy/Caddyfile.local

@@ -0,0 +1,25 @@
+{
+	debug
+	log {
+		format console
+		level INFO
+	}
+	auto_https off
+}
+
+:8080 {
+	route {
+		forward_proxy {
+			acl {
+			    allow all
+			}
+			ports 80 443 22 61443
+			upstream $PROXYROUTE
+		}
+	}
+	log {
+		format json
+		level INFO
+		output stdout
+	}
+}