diff --git a/.gitignore b/.gitignore
index 22a4cd72..5160f528 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,4 @@
 /node_modules
 /coverage/
+/vars.*.yml
diff --git a/manifest.yml b/manifest.yml
index 9ae01e7d..5cdbe2c1 100644
--- a/manifest.yml
+++ b/manifest.yml
@@ -4,6 +4,7 @@ defaults: &defaults
 - https://github.com/cloudfoundry/apt-buildpack
 - nodejs_buildpack
 - ruby_buildpack
+ - binary_buildpack
 memory: 512M
 disk_quota: 2G
 stack: cflinuxfs4
@@ -15,6 +16,11 @@ applications:
 <<: *defaults
 instances: 1
 disk_quota: 6GB
+ sidecars:
+ - name: local-proxy
+ process_types: [ 'web' ]
+ command: ./proxy/caddy run --config proxy/Caddyfile.local
+ memory: 64M
 env:
 RAILS_ENV: dev
 RAILS_LOG_TO_STDOUT: true
@@ -25,4 +31,20 @@ applications:
 LOGIN_PRIVATE_KEY_PATH: dev_key.pem
 LOGIN_PUBLIC_KEY_PATH: dev_cert.pem
 LOGIN_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/auth/result
- LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/
\ No newline at end of file
+ LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/
+
+- name: challenge-proxy
+ buildpacks:
+ - binary_buildpack
+ routes:
+ - route: challenge-proxy.apps.internal
+ stack: cflinuxfs4
+ memory: 64M
+ path: proxy
+ health-check-type: process
+ command: ./caddy run --config Caddyfile
+ env:
+ PROXY_USERNAME: ((username))
+ PROXY_PASSWORD: ((password))
+ PROXY_DENY: ((proxydeny))
+ PROXY_ALLOW: ((proxyallow))
diff --git a/proxy/.profile b/proxy/.profile
new file mode 100644
index 00000000..82ff51eb
--- /dev/null
+++ b/proxy/.profile
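Review bot: The `local-proxy` sidecar in the second manifest.yml hunk runs `./proxy/caddy run --config proxy/Caddyfile.local`, and that config's `upstream` line refers to a `PROXYROUTE` variable, but nothing in this manifest's `env:` (neither the app's nor the sidecar's) defines it. If it is meant to arrive out of band (a vars file, `cf set-env`), say so where the sidecar is declared, e.g. `# requires PROXYROUTE in the app environment; see proxy/Caddyfile.local`, so a fresh deploy does not start a sidecar with an unset upstream. The sidecar's `memory: 64M` also deserves a one-line comment that it is reserved alongside the app's own limit, since it is easy to miss when the app's memory is tuned.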
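Review bot: The `challenge-proxy` app in the last manifest.yml hunk runs `./caddy` out of `path: proxy` with `binary_buildpack`, but this diff introduces `proxy/caddy` as an opaque committed executable with no recorded version, plugin list or checksum, so nothing in the repository lets a reviewer confirm what is being deployed or rebuild it later. Record the provenance next to the app entry or in a short `proxy/README`, e.g. `# proxy/caddy: Caddy <VERSION> built with the forwardproxy plugin, sha256 <CHECKSUM>, from <DOWNLOAD-URL>`, and consider verifying that checksum in CI before the push. Separately, `health-check-type: process` only confirms the process is alive; a `port` health check would also confirm the proxy is actually listening on `$PORT`.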
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Despite the temptation to use #!/bin/bash, we want to keep this file as as
+# POSIX sh-compatible as possible. This is to facilitate testing the .profile
+# under Alpine, which doesn't have /bin/bash, but does have ash (which is itself
+# a flavor of busybox).
+ENABLE_ASH_BASH_COMPAT=1
+
+set -e
+
+# Ensure there's only one entry per line, and leave no whitespace
+PROXY_DENY=$( echo -n "$PROXY_DENY" | sed 's/^\S/ &/' | sed 's/\ /\n/g' | sed '/^\s*$/d' )
+PROXY_ALLOW=$( echo -n "$PROXY_ALLOW" | sed 's/^\S/ &/' | sed 's/\ /\n/g' | sed '/^\s*$/d' )
+
+# Append to the appropriate files
+echo -n "$PROXY_DENY" > deny.acl
+echo -n "$PROXY_ALLOW" > allow.acl
+
+# Newline Terminate Non-Empty File If Not Already aka ntnefina
+# https://stackoverflow.com/a/10082466/17138235
+#
+# It's unclear if this works properly under Alpine because it uses ANSI-C
+# quoting; that needs more testiing. However, if caddy complains about a blank
+# in the file, you know why!
+ntnefina() {
+ if [ -s "$1" ] && [ "$(tail -c1 "$1"; echo x)" != $'\nx' ]; then
+ echo "" >> "$1"
+ fi
+}
+
+ntnefina deny.acl
+ntnefina allow.acl
+
+# Make it easy to run curl tests on ourselves
+https_proxy="https://$PROXY_USERNAME:$PROXY_PASSWORD@$(echo "$VCAP_APPLICATION" | jq .application_uris[0] | sed 's/"//g'):61443"
+export https_proxy
+
+# Make open ports configurable via the PROXY_PORTS environment variable.
+# For example "80 443 22 61443". Default to 443 only.
+if [ -z "${PROXY_PORTS}" ]; then
+ PROXY_PORTS="443"
+fi
+export PROXY_PORTS
+
+echo
+echo
+echo "The proxy connection URL is:"
+echo " $https_proxy"
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
new file mode 100644
index 00000000..8ebb39a0
--- /dev/null
+++ b/proxy/Caddyfile
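Review bot: The last line, `echo " $https_proxy"`, prints the full proxy URL including `$PROXY_PASSWORD` to stdout, and on Cloud Foundry stdout is the application log stream, so the proxy credential lands in whatever aggregates those logs. Keep the credential in the exported variable but print a redacted form, e.g. `proxy_host="$(echo "$VCAP_APPLICATION" | jq -r '.application_uris[0]')"`, `https_proxy="https://$PROXY_USERNAME:$PROXY_PASSWORD@$proxy_host:61443"`, `echo " https://$PROXY_USERNAME:<redacted>@$proxy_host:61443"`. Also, `$'\nx'` inside ntnefina is ANSI-C quoting that a plain POSIX sh treats as a literal string, so on such a shell the comparison is always true and a newline is appended to any non-empty file; that happens to be harmless here only because deny.acl and allow.acl are written with `echo -n` and so never end in a newline, which is worth stating in the comment above the function.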
@@ -0,0 +1,28 @@
+{
+ debug
+ log {
+ format console
+ level INFO
+ }
+ auto_https off
+}
+
+:{$PORT} {
+ route {
+ forward_proxy {
+ basic_auth {$PROXY_USERNAME} {$PROXY_PASSWORD}
+ acl {
+ deny_file deny.acl
+ allow_file allow.acl
+ deny all
+ }
+ ports {$PROXY_PORTS}
+ serve_pac
+ }
+ }
+ log {
+ format json
+ level INFO
+ output stdout
+ }
+}
diff --git a/proxy/Caddyfile.local b/proxy/Caddyfile.local
new file mode 100644
index 00000000..e05e8114
--- /dev/null
+++ b/proxy/Caddyfile.local
@@ -0,0 +1,25 @@
+{
+ debug
+ log {
+ format console
+ level INFO
+ }
+ auto_https off
+}
+
+:8080 {
+ route {
+ forward_proxy {
+ acl {
+ allow all
+ }
+ ports 80 443 22 61443
+ upstream $PROXYROUTE
+ }
+ }
+ log {
+ format json
+ level INFO
+ output stdout
+ }
+}
diff --git a/proxy/caddy b/proxy/caddy
new file mode 100755
index 00000000..8d7461e4
Binary files /dev/null and b/proxy/caddy differ
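Review bot: The global `debug` option at the top of proxy/Caddyfile raises the default logger to DEBUG in the deployed proxy, which is far more verbose than the `level INFO` both `log` blocks ask for and is normally a bring-up setting rather than something to ship in the config that handles proxy credentials. Drop the `debug` line from the deployed Caddyfile, or mark it `# TODO: remove before production` if it is deliberate. The `acl` block appears to be ordered sensibly (`deny_file`, then `allow_file`, then `deny all`, so anything unmatched is refused), but deny.acl and allow.acl are written by proxy/.profile and can be zero-length when the env vars are empty; a one-line comment that empty files are expected, assuming forward_proxy accepts them, would spare the next reader a trip to the plugin docs.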
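Review bot: `upstream $PROXYROUTE` in proxy/Caddyfile.local uses shell-style syntax, while every other environment reference in these two configs uses Caddy's `{$VAR}` form (`{$PORT}`, `{$PROXY_PORTS}`, `{$PROXY_USERNAME}`); Caddy does not expand a bare `$NAME`, so the sidecar would be handed the literal text `$PROXYROUTE` as its upstream. Change it to `upstream {$PROXYROUTE}`. This config also combines `allow all` with no `basic_auth`, making the sidecar on :8080 an unauthenticated forwarder; that is presumably acceptable because only the app's own container is expected to reach it, but a comment stating that assumption next to `:8080 {` would make the intent clear.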