Webhook PROXY protocol testing

haproxy.cfg

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend web_proxy
	mode http
	bind *:80

	default_backend webhook_proxy

frontend web_http
	mode http
	bind *:81

	default_backend webhook_http

backend webhook_proxy
	mode http
	option forwardfor
	option httplog
	server webhook-listener 127.0.0.1:9000 send-proxy

backend webhook_http
	mode http
	option forwardfor
	option httplog
	server webhook-listener 127.0.0.1:9000

proxy-protocol.json

[
	{
		"id": "proxy-test",
		"execute-command": "/vagrant/proxy-protocol.sh",
		"command-working-directory": "/vagrant/test",
		"include-command-output-in-response": true,
		"trigger-rule-mismatch-http-response-code": 400,
		"trigger-rule": {
			"match": {
				"type": "ip-whitelist",
				"ip-range": "192.168.99.1"
			}
		}
	}
]

proxy-protocol.sh

#!/bin/sh -eu

echo "Hook success!"

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
	config.vm.box = 'koalephant/debian9-amd64'

	config.vm.network 'private_network', ip: '192.168.98.5'
	config.vm.network 'private_network', ip: '192.168.99.5'

	config.vm.define 'webhook-dev'
	config.vm.hostname = 'webhook-dev.local.koalephant.com'

	config.vm.provision :shell, privileged: true, inline: <<-SHELL
		if ! grep "stretch-backports" /etc/apt/sources.list > /dev/null; then
			echo "Enabling Stretch Backports"
			grep -m 1 "debian stretch main" /etc/apt/sources.list | sed -e "s#stretch#stretch-backports#g" >> /etc/apt/sources.list
			cat <<-EOT > /etc/apt/preferences.d/stretch-backports
Package: golang golang-1.8 golang-doc golang-go golang-src
Pin: release n=stretch-backports
Pin-Priority: 1001
EOT
		fi
		apt-get update
		apt-get install --yes golang git-core haproxy

		cp -fv /vagrant/haproxy.cfg /etc/haproxy/webhook-proxy.cfg
		if ! grep "^CONFIG" /etc/default/haproxy > /dev/null; then
			echo "Setting HAProxy config"
			echo "CONFIG=/etc/haproxy/webhook-proxy.cfg" >> /etc/default/haproxy
			service haproxy restart
		fi
	SHELL

	config.vm.provision :shell, privileged: false, run: :always, inline: <<-MSG
		echo "Steps to test PROXY protocol: "
		echo " - Build webhook (for Linux)"
		echo " - Run 'vagrant ssh -- /vagrant/webhook -proxyProtocol -hooks /vagrant/proxy-protocol.json -verbose'"
		echo " - Open the following urls:"
		echo "  - http://192.168.99.5:81/hooks/proxy-test (Should Fail)"
		echo "  - http://192.168.99.5:80/hooks/proxy-test (Should Work)"
	MSG
end