cf-haproxy BOSH Release v8.0.2

Bug Fixes

• Fixed an issue with the wrong X-Forwarded-Proto value being set for https

cf-haproxy-boshrelease BOSH Release v8.0.0

Releases are now managed via Concourse!

v8

New Features

• Supports multiple ssl certs on haproxy nodes. Specify them by using ha_proxy.ssl_pem as an array of certs, and the boshrelease will install all of them, and make them available to haproxy, in the event that you are serving multiple domains up via https, with different certs for each.
• Supports force-setting headers. If there are headers you need to enforce on your requests for some reason, you can now use ha_proxy.headers to configure the headers and values.
• Supports generic TCP proxying via the ha_proxy.tcp array. Each element in the array defines a port to enable tcp-mode proxying on. Supposts TLS + TCP proxying as well

cf-hproxy-boshrelease v6

New Features:

HTTP -> HTTPS Redirection

cf-haproxy-boshrelease now supports redirecting requests from http to https for al requestsl, or a specified subset of hosted domains:

ha_proxy.https_redirect_domains - An array of domains for which to redirect http to https
ha_proxy.https_redirect_all_domains - A boolean controlling whether or not all domains will be redirected to https

Compression Support

cf-haproxy-boshrelease now supports using gzip compression for HTTP responses:

ha_proxy.compress_types - A space separated list of HTTP content types to compress

Thanks

This release was brought to you by the work of @Koizumi85, @shinji62, and @ronakbanka. Many thanks to them for all their help!

Added X-Forward-Proto header support

HAProxy will now make use of X-Forward-Proto headers correctly, if they are passed in from upstream forwarders like ELBs.

Many thanks to @shinji62 for the fix!

Fixed bug with enable_4443

Setting ha_proxy.enable_4443 to "false" now actually disables port 4443 listening!

Backwards Compatibility Support for 4443

Adds backwards compatibility support for port 4443 via ha_proxy.enable_4443: true to make transitioning off the older cf-release based haproxy easier in production.

Updated Configs

Addressed an issue causing block lines to be repeated in the configs when multiple domains were listed in haproxy.internal_only_domains.

Initial Release

BOSH Release for cf-haproxy

This BOSH release is an attempt to get a more customizable/secure haproxy release than what is provided in cf-release.

It adds the following features:

• blacklisting internal-only domains, to prevent Host header spoofing
• fine-graned timeout configurations for http, https, and websocket connections
• no tcp-mode proxying, just HTTP proxying, to prevent backdoors around Host header spoofing.