====== HAProxy solution ======

  * [[https://www.leaderssl.ru/articles/354-vypolnyaem-ssl-terminatsiyu-s-pomoschyu-haproxy-dlya-ubuntu-14-04|Performing SSL termination with HAProxy on Ubuntu 14.04]]
  * [[https://www.haproxy.com/documentation/haproxy-configuration-tutorials/http-rewrites/|HAProxy config tutorials HTTP rewrites]]
  * [[https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy|Configure multiple SSL certificates in Haproxy]]
  * [[https://youtu.be/oIczkkD-hOU|Video lesson: Accessing applications in Bare-Metal Kubernetes]]

<code>
gate# apt install haproxy

gate# cat wild.crt wild.key > /etc/ssl/private/wild.crtkey

gate# ###cat gowebd.crt gowebd.key > /etc/ssl/private/gowebd.crtkey
gate# ###cat keycloak.crt keycloak.key > /etc/ssl/private/keycloak.crtkey

gate# cat /etc/haproxy/haproxy.cfg
...
frontend ft-gate
    mode http

    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

    bind *:443 ssl crt /etc/ssl/private/wild.crtkey
#    bind *:443 ssl crt /etc/ssl/private/gowebd.crtkey crt /etc/ssl/private/keycloak.crtkey

    default_backend bk-kube-ingress
#    use_backend bk-kube-ingress if { ssl_fc_sni keycloak.corp13.un }
#    use_backend bk-node-ingress if { ssl_fc_sni gowebd.corp13.un }

    option tcplog

backend bk-kube-ingress
#    http-request set-header X-Forwarded-Proto https if { ssl_fc }
#    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
#    http-request set-header X-Forwarded-Port %[dst_port]
##    http-request add-header X-Real-Ip %[src] # Custom header with src IP
##    option forwardfor # X-forwarded-for
##    http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if { ssl_fc }

    mode http
    balance roundrobin
    server kube1 kube1:80 check
    server kube2 kube2:80 check
    server kube3 kube3:80 check

#backend bk-node-ingress
#    mode http
#    balance roundrobin
#    server node2 node2:80 check
#    server node3 node3:80 check
</code>

<code>
# haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid

# service haproxy restart

# tail -f /var/log/haproxy.log

# journalctl -f | grep proxy

haproxy# curl https://localhost/ -H "Host: gowebd.corpX.un" -k
</code>
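
The ''cat wild.crt wild.key > /etc/ssl/private/wild.crtkey'' step above does not check that the certificate and key belong together and leaves the file mode of a file containing the private key to the current umask. The following is an added example, not part of the original page (''build_crtkey'' is a hypothetical helper name): it compares the two public keys with openssl and writes the bundle readable by its owner only.

```shell
#!/bin/sh
# Added example: build the combined PEM file that HAProxy's "crt" keyword loads.
# build_crtkey is a hypothetical helper name, not an HAProxy or OpenSSL tool.
# Usage: build_crtkey <cert.pem> <key.pem> <output.crtkey>
build_crtkey() {
    cert=$1; key=$2; out=$3

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 2; }

    # Public key derived from the private key. The empty -passin makes an
    # encrypted key fail here instead of prompting (HAProxy could not load
    # it unattended anyway).
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 2; }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match, bundle not written" >&2
        return 1
    fi

    # The bundle holds the private key: create it with mode 0600 and move it
    # into place in one step so HAProxy never sees a half-written file.
    (
        umask 077
        tmp="$out.tmp.$$"
        # The echo guards against a certificate file without a trailing
        # newline, which would glue the two PEM blocks together.
        { cat "$cert"; echo; cat "$key"; } > "$tmp" && mv "$tmp" "$out"
    )
}

# Run directly: sh build_crtkey.sh wild.crt wild.key /etc/ssl/private/wild.crtkey
if [ "$#" -eq 3 ]; then
    build_crtkey "$@"
fi
```

Run ''haproxy -f /etc/haproxy/haproxy.cfg -c'' afterwards as on this page; it confirms that HAProxy can load the resulting file.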