Releases: cloudfoundry/haproxy-boshrelease
cf-haproxy BOSH Release v8.0.2
Bug Fixes
- Fixed an issue with the wrong X-Forwarded-Proto value being set for https
cf-haproxy-boshrelease BOSH Release v8.0.0
Releases are now managed via Concourse!
v8
New Features
- Supports multiple SSL certs on haproxy nodes. Specify them by using ha_proxy.ssl_pem as an array of certs, and the boshrelease will install all of them and make them available to haproxy, in the event that you are serving multiple domains via https, with different certs for each.
- Supports force-setting headers. If there are headers you need to enforce on your requests for some reason, you can now use ha_proxy.headers to configure the headers and values.
- Supports generic TCP proxying via the ha_proxy.tcp array. Each element in the array defines a port to enable tcp-mode proxying on. Supports TLS + TCP proxying as well.
cf-haproxy-boshrelease v6
New Features:
HTTP -> HTTPS Redirection
cf-haproxy-boshrelease now supports redirecting requests from http to https for all requests, or for a specified subset of hosted domains:
- ha_proxy.https_redirect_domains: An array of domains for which to redirect http to https
- ha_proxy.https_redirect_all_domains: A boolean controlling whether or not all domains will be redirected to https
Compression Support
cf-haproxy-boshrelease now supports using gzip compression for HTTP responses:
- ha_proxy.compress_types: A space separated list of HTTP content types to compress
Thanks
This release was brought to you by the work of @Koizumi85, @shinji62, and @ronakbanka. Many thanks to them for all their help!
Added X-Forwarded-Proto header support
HAProxy will now make use of X-Forwarded-Proto headers correctly, if they are passed in from upstream forwarders like ELBs.
Many thanks to @shinji62 for the fix!
Fixed bug with enable_4443
Setting ha_proxy.enable_4443 to "false" now actually disables port 4443 listening!
Backwards Compatibility Support for 4443
Adds backwards compatibility support for port 4443 via ha_proxy.enable_4443: true to make transitioning off the older cf-release based haproxy easier in production.
Updated Configs
Addressed an issue causing block lines to be repeated in the configs when multiple domains were listed in haproxy.internal_only_domains.
Initial Release
BOSH Release for cf-haproxy
This BOSH release is an attempt to get a more customizable/secure haproxy release than what is provided in cf-release.
It adds the following features:
- blacklisting internal-only domains, to prevent Host header spoofing
- fine-grained timeout configurations for http, https, and websocket connections
- no tcp-mode proxying, just HTTP proxying, to prevent backdoors around Host header spoofing.