Add docker-compose-pgp.yml with basic configuration

.env

@@ -0,0 +1,77 @@
+###########################################################
+## HOCKEYPUCK STANDALONE SITE CONFIGURATION TEMPLATE
+## Edit this, then run ./mkconfig.bash
+###########################################################
+
+#######################################################################
+## docker-compose<1.29 does not parse quoted values like a POSIX shell.
+## This means that normally you should not quote values in this file,
+## as docker-compose's old behaviour is highly unintuitive.
+## 
+## The scripts in this directory try to compensate, and can parse
+## *double* quotes around ALIAS_FQDNS, CLUSTER_FQDNS and HKP_LOG_FORMAT
+## values *only*, as these values will normally contain whitespace and
+## so most users will instinctively quote them anyway.
+##
+## In all other cases, enclosing quotes MUST NOT be used.
+#######################################################################
+
+# This is the primary FQDN of your site
+FQDN=pgp.dobrev.it
+# Any extra FQDN aliases, space-separated
+ALIAS_FQDNS=""
+# A contact email address for the site operator (that's you!)
+EMAIL=[email protected]
+# PGP encryption key for the above email address
+FINGERPRINT=0x283A56AE9544F3C87C71ADB0CAAAE2B8C198C9AE
+# ACME Directory Resource URI (use Let's Encrypt if empty)
+ACME_SERVER=
+
+###########################################################
+# You normally won't need to change anything below here
+###########################################################
+
+POSTGRES_USER=hkp
+POSTGRES_PASSWORD=TDJEMUERMETDU4LKQXEWMAZZODXVOKGER7I6ZN7IEP6YUQNW
+RELEASE=standalone
+
+# Parameterised default values for haproxy config
+
+# The following is only required in shim mode
+#KEYSERVER_HOST_PORT=hockeypuck:11371
+
+# Remote URL for fetching tor exit relays list
+TOR_EXIT_RELAYS_URL=https://www.dan.me.uk/torlist/?exit
+
+# Advanced HAProxy configuration options
+
+# Set this to the host:port that your HAProxy peers will see
+#HAP_PEER_HOST_PORT=127.0.0.1:1395
+# Every name and alias of your other cluster members, space-separated
+# Note that their IPs should also be added to ./haproxy/etc/lists/whitelist.list
+CLUSTER_FQDNS=""
+
+# Set these to "port" or "host:port" to override the listening hostip/port(s)
+HAP_HTTP_HOST_PORT=8081
+#HAP_HTTPS_HOST_PORT=443
+#HAP_HKP_HOST_PORT=11371
+
+# Uncomment *at most one* of the BEHIND settings to trust an upstream proxy's request headers.
+# This is vital so that rate limiting applies to the client's real IP and not the proxy's.
+#
+# Trust CF-Connecting-IP: headers
+#HAP_BEHIND_CLOUDFLARE=true
+# Trust X-Forwarded-For: headers
+#HAP_BEHIND_PROXY=true
+
+# Set this to e.g. /etc/letsencrypt in order to share certificates with the host.
+# Note that the certbot container is responsible for renewing these.
+#CERTBOT_CONF=certbot_conf
+
+# MIGRATION_HAPROXY_DONE (DO NOT REMOVE THIS LINE!)
+
+# Set the HAProxy log format
+HAP_LOG_FORMAT="%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %U/%B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+
+# MIGRATION_HAPROXY_LOGFORMAT_DONE (DO NOT REMOVE THIS LINE!)
+# MIGRATION_3_DONE (DO NOT REMOVE THIS LINE!)

docker-compose-pgp.yml

@@ -0,0 +1,31 @@
+version: '3.3'
+
+services:
+  haproxy:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: hockey-stick
+    user: root
+    restart: always
+    environment:
+    - FQDN
+    - ALIAS_FQDNS
+    - KEYSERVER_HOST_PORT=192.168.122.1:11371
+    - HAP_CONF_DIR=/usr/local/etc/haproxy
+    - HAP_CACHE_DIR=/tmp
+    - HAP_LOG_FORMAT
+    - HAP_BEHIND_CLOUDFLARE
+    - HAP_BEHIND_PROXY
+    - HAP_DISABLE_PROMETHEUS=true
+    - HAP_DISABLE_CERTBOT=true
+    - HAP_DISABLE_SSL=true
+    command:
+      - haproxy
+      - -f
+      - /etc/haproxy/haproxy.d
+    ports:
+      - 8081:80
+    volumes:
+      - ./haproxy.d:/etc/haproxy/haproxy.d
+      - ./lists:/usr/local/etc/haproxy/lists

docker-compose-standalone.yml

@@ -0,0 +1,120 @@
+version: '3.7'
+services:
+  hockeypuck:
+    image: hockeypuck/hockeypuck:${RELEASE}
+    build:
+      context: ../../..
+    ports:
+    - "${HKP_RECON_HOST_PORT:-11370}:11370"
+    restart: always
+    depends_on:
+    - postgres
+    volumes:
+    - ./hockeypuck/etc:/hockeypuck/etc
+    - hkp_data:/hockeypuck/data
+    - pgp_import:/hockeypuck/import
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  postgres:
+    image: postgres:11
+    restart: always
+    environment:
+    - POSTGRES_USER
+    - POSTGRES_PASSWORD
+    - POSTGRES_DB=hkp
+    volumes:
+    - pg_data:/var/lib/postgresql/data
+
+  prometheus:
+    image: prom/prometheus:v2.43.0
+    restart: always
+    volumes:
+    - prom_data:/prometheus
+    - ./prometheus/etc:/etc/prometheus
+    command:
+    - "--web.external-url=/monitoring/prometheus/"
+    - "--config.file=/etc/prometheus/prometheus.yml"
+    - "--storage.tsdb.path=/prometheus"
+    - "--web.console.libraries=/usr/share/prometheus/console_libraries"
+    - "--web.console.templates=/usr/share/prometheus/consoles"
+
+  haproxy:
+    image: haproxy:2.6-alpine
+    ports:
+    - "${HAP_HTTP_HOST_PORT:-80}:80"
+    - "${HAP_HTTPS_HOST_PORT:-443}:443"
+    - "${HAP_HKP_HOST_PORT:-11371}:11371"
+    - "${HAP_PEER_HOST_PORT:-127.0.0.1:1395}:1395"
+    user: root
+    restart: always
+    init: true
+    environment:
+    - FQDN
+    - ALIAS_FQDNS
+    - CLUSTER_FQDNS
+    - PROMETHEUS_HOST_PORT=prometheus:9090
+    - CERTBOT_HOST_PORT=certbot:80
+    - KEYSERVER_HOST_PORT=hockeypuck:11371
+    - HAP_DHPARAM_FILE=/etc/letsencrypt/ssl-dhparams.pem
+    - HAP_CONF_DIR=/usr/local/etc/haproxy
+    - HAP_CACHE_DIR=/var/cache/haproxy
+    - HAP_CERT_DIR=/etc/letsencrypt/live
+    - HAP_LOG_FORMAT
+    - HAP_BEHIND_CLOUDFLARE
+    - HAP_BEHIND_PROXY
+    depends_on:
+    - certbot
+    - haproxy_cache
+    - haproxy_internal
+    - prometheus
+    volumes:
+    - ./haproxy-entrypoint.sh:/usr/local/bin/haproxy-entrypoint.sh
+    - ./haproxy/etc:/usr/local/etc/haproxy
+    - haproxy_cache:/var/cache/haproxy
+    - ${CERTBOT_CONF:-certbot_conf}:/etc/letsencrypt
+    entrypoint: "/usr/local/bin/haproxy-entrypoint.sh -f /usr/local/etc/haproxy/haproxy.d"
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  haproxy_internal:
+    image: haproxy:2.6-alpine
+    user: root
+    restart: always
+    volumes:
+    - ./haproxy/etc/haproxy-internal.cfg:/usr/local/etc/haproxy/haproxy.cfg
+    entrypoint: "/bin/sh -c 'export HOSTNAME=$$(hostname); export HOST_IP=$$(hostname -i); haproxy -f /usr/local/etc/haproxy/haproxy.cfg'"
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  haproxy_cache:
+    image: instrumentisto/rsync-ssh
+    restart: always
+    volumes:
+    - haproxy_cache:/var/cache/haproxy
+    entrypoint: "/bin/sh -c 'trap exit TERM; touch /var/cache/haproxy/tor_exit_relays.list; while :; do sleep 1800; wget \"${TOR_EXIT_RELAYS_URL}\" -O /var/cache/haproxy/tor_exit_relays.list; done'"
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "1"
+
+  certbot:
+    image: certbot/certbot
+    restart: always
+    volumes:
+    - ${CERTBOT_CONF:-certbot_conf}:/etc/letsencrypt
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do for i in /etc/letsencrypt/live/*; do [ -d \"$$i\" ] && ln -sf privkey.pem $$i/fullchain.pem.key; certbot --standalone renew; done; sleep 12h & wait $${!}; done;'"
+
+volumes:
+  hkp_data: {}
+  pg_data: {}
+  prom_data: {}
+  pgp_import: {}
+  haproxy_cache: {}
+  certbot_conf: {}

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '3.8'
+version: '3.3'
 
 services:
   haproxy:
@@ -7,14 +7,14 @@ services:
       dockerfile: Dockerfile
     image: hockey-stick
     ports:
-      - 80:80
+      - 8081:80
     volumes:
       - ./haproxy.cfg:/etc/haproxy/haproxy.cfg
+    depends_on:
+      - http-echo
 
   http-echo:
     image: mendhak/http-https-echo
-    depends_on:
-      - haproxy
     environment:
       - DISABLE_REQUEST_LOGS=true
       - HTTP_PORT=5678

haproxy.d/00_global.cfg

@@ -0,0 +1,52 @@
+global
+    lua-prepend-path /etc/haproxy/lua/lib/?.lua
+    lua-load /etc/haproxy/lua/dnsbl.lua
+
+    # Map threads to individual CPU cores. Assumes at least 2 available cores.
+    cpu-map auto:1/1-2 0-1
+
+    .if defined(HAP_DISABLE_SSL)
+    .notice "SSL support disabled via environment"
+    .else
+
+    # generated 2022-10-15, Mozilla Guideline v5.6, HAProxy 2.4, OpenSSL 3.0.2, intermediate configuration
+    # https://ssl-config.mozilla.org/#server=haproxy&version=2.4&config=intermediate&openssl=3.0.2&guideline=5.6
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-dh-param-file "${HAP_DHPARAM_FILE}"
+
+    # lower the record size to improve Time to First Byte (TTFB)
+    tune.ssl.maxrecord  1419
+
+    # Tune SSL cache size
+    tune.ssl.cachesize 500000
+    # Tune DH params
+    tune.ssl.default-dh-param 2048 # TODO: Export as variable. Most systems use 2048 by default
+
+    .endif # HAP_DISABLE_SSL
+
+    log stdout format raw local0
+
+    # Allow maximum of 200 000 connections
+    maxconn 200000
+
+    tune.comp.maxlevel  5
+    maxcompcpuusage     98
+
+    # Number of threads per process
+    nbthread 12
+
+    # Allow local admin socket
+    stats socket "${HAP_CACHE_DIR}"/haproxy.admin.sock mode 660 level admin expose-fd listeners
+    stats timeout 30s
+
+    # Perform stateless reloads on HUP
+    master-worker
+
+    server-state-file "${HAP_CACHE_DIR}"/server-state

haproxy.d/10_defaults.cfg

@@ -0,0 +1,22 @@
+defaults
+    load-server-state-from-file global
+
+    option dontlognull
+    option http-server-close
+    option splice-response
+    option clitcpka
+    option srvtcpka
+    option tcp-smart-accept
+    option tcp-smart-connect
+    option contstats
+    retries 3
+
+    timeout http-request    5s
+    timeout http-keep-alive 5s
+    timeout connect         5s
+    timeout client          60s
+    timeout client-fin      60s
+    timeout tunnel          40m         # timeout to use with WebSocket and CONNECT
+    timeout server          150s
+    timeout tarpit          15s
+    timeout queue           10s

haproxy.d/20_LOCAL_peers.cfg

@@ -0,0 +1,15 @@
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# LOCAL site configuration file for haproxy clusters
+# This file is NOT overwritten on upgrade
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#peers haproxy-peers
+#    peer "${HOSTNAME}"      "${HOST_IP}":1395
+#    peer haproxy-internal   haproxy_internal:1395
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # Uncomment and edit the below to share firewall state across multiple stacks
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    #peer haproxy-remote1    10.0.0.1:1395
+    #peer haproxy-remote2    10.0.0.2:1395

haproxy.d/20_LOCAL_peers.cfg.tmpl

@@ -0,0 +1,15 @@
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# LOCAL site configuration file for haproxy clusters
+# This file is NOT overwritten on upgrade
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+peers haproxy-peers
+    peer "${HOSTNAME}"      "${HOST_IP}":1395
+    peer haproxy-internal   haproxy_internal:1395
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # Uncomment and edit the below to share firewall state across multiple stacks
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    #peer haproxy-remote1    10.0.0.1:1395
+    #peer haproxy-remote2    10.0.0.2:1395

haproxy.d/30_st_global_ddos.cfg

@@ -0,0 +1,27 @@
+backend st_global_ddos
+    # Stick Table Definitions
+    #  - conn_cur: count active connections
+    #  - conn_rate(10s): average incoming connection rate over 10 seconds
+    #  - http_err_rate(3s): Monitors the number of errors generated by an IP over a period of 3 seconds
+    #  - http_req_rate(10s): Monitors the number of request sent by an IP over a period of 10 seconds
+    stick-table type ipv6 size 2m expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(3s)
+
+# Cache DNSBL requests
+backend st_known_tor_visitors
+    # Store the IP address of the client after DNSBL lookup
+    #
+    # gpc0 > 0 means the IP address is not blacklisted
+    # gpc1 > 0 means the IP address is blacklisted
+    #
+    # Information is stored for 30 minutes
+    stick-table type ipv6 size 2m expire 30m store gpc0,gpc1
+
+backend st_tor_request_rate
+    stick-table type string len 32 size 10 expire 24h store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
+
+backend st_tor_24h_ban
+    stick-table type ipv6 size 1m expire 24h store gpc0
+
+backend st_tor_24days_ban
+    stick-table type ipv6 size 1m expire 24d store gpc0
+