diff --git a/custom-domain/dstack-ingress/README.md b/custom-domain/dstack-ingress/README.md
index ff09346..a9e9f5d 100644
--- a/custom-domain/dstack-ingress/README.md
+++ b/custom-domain/dstack-ingress/README.md
@@ -35,7 +35,7 @@ You can use a wildcard domain (e.g. `*.myapp.com`) to route all subdomains to a
 ```yaml
 services:
 dstack-ingress:
- image: dstacktee/dstack-ingress:2.0@sha256:9fb13c42dceaba91d2e2e7de3a06700a2cf507f4335ae70f3f1db4574a5ad552
+ image: dstacktee/dstack-ingress:2.1
 ports:
 - "443:443"
 environment:
@@ -64,7 +64,7 @@ volumes:
 ```yaml
 services:
 dstack-ingress:
- image: dstacktee/dstack-ingress:2.0@sha256:9fb13c42dceaba91d2e2e7de3a06700a2cf507f4335ae70f3f1db4574a5ad552
+ image: dstacktee/dstack-ingress:2.1
 ports:
 - "443:443"
 environment:
@@ -102,7 +102,7 @@ Use `ROUTING_MAP` to route different domains to different backends via SNI:
 ```yaml
 services:
 ingress:
- image: dstacktee/dstack-ingress:2.0@sha256:9fb13c42dceaba91d2e2e7de3a06700a2cf507f4335ae70f3f1db4574a5ad552
+ image: dstacktee/dstack-ingress:2.1
 ports:
 - "443:443"
 environment:
diff --git a/custom-domain/dstack-ingress/docker-compose.multi.yaml b/custom-domain/dstack-ingress/docker-compose.multi.yaml
index 0b3e46b..e026999 100644
--- a/custom-domain/dstack-ingress/docker-compose.multi.yaml
+++ b/custom-domain/dstack-ingress/docker-compose.multi.yaml
@@ -1,6 +1,6 @@
 services:
 ingress:
- image: dstacktee/dstack-ingress:2.0@sha256:9fb13c42dceaba91d2e2e7de3a06700a2cf507f4335ae70f3f1db4574a5ad552
+ image: dstacktee/dstack-ingress:2.1
 ports:
 - "443:443"
 environment:
diff --git a/custom-domain/dstack-ingress/docker-compose.yaml b/custom-domain/dstack-ingress/docker-compose.yaml
index 53c7788..dc09dc5 100644
--- a/custom-domain/dstack-ingress/docker-compose.yaml
+++ b/custom-domain/dstack-ingress/docker-compose.yaml
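Review bot: The new `image:` line in docker-compose.multi.yaml drops the `@sha256:` digest that pinned the previous release, so the service now resolves a mutable tag at pull time; the same change is made in docker-compose.yaml and mirrored in the three README examples. With only a tag, the image that actually runs can change on the registry side without any edit to the compose file, which is a weaker guarantee than the old line gave for a component that terminates TLS and holds the private keys. Pinning the new release the same way, `image: dstacktee/dstack-ingress:2.1@sha256:<digest of the published 2.1 image>`, keeps the bump while preserving immutability. If following 2.1 patch releases automatically is the intent, a comment beside the line saying so would make that trade-off explicit.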
@@ -1,6 +1,6 @@
 services:
 dstack-ingress:
- image: dstacktee/dstack-ingress:2.0@sha256:9fb13c42dceaba91d2e2e7de3a06700a2cf507f4335ae70f3f1db4574a5ad552
+ image: dstacktee/dstack-ingress:2.1
 ports:
 - "443:443"
 environment:
diff --git a/custom-domain/dstack-ingress/scripts/build-combined-pems.sh b/custom-domain/dstack-ingress/scripts/build-combined-pems.sh
index 33f8c70..6e10fcb 100644
--- a/custom-domain/dstack-ingress/scripts/build-combined-pems.sh
+++ b/custom-domain/dstack-ingress/scripts/build-combined-pems.sh
@@ -4,6 +4,8 @@ set -e
+source /scripts/functions.sh
+
 CERT_DIR="/etc/haproxy/certs"
 mkdir -p "$CERT_DIR"
@@ -11,7 +13,7 @@ all_domains=$(get-all-domains.sh)
 while IFS= read -r domain; do
 [[ -n "$domain" ]] || continue
- le_dir="/etc/letsencrypt/live/${domain}"
+ le_dir="/etc/letsencrypt/live/$(cert_dir_name "$domain")"
 combined="${CERT_DIR}/${domain}.pem"
 if [ -f "${le_dir}/fullchain.pem" ] && [ -f "${le_dir}/privkey.pem" ]; then
 cat "${le_dir}/fullchain.pem" "${le_dir}/privkey.pem" > "$combined"
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
index 880e078..560418b 100644
--- a/custom-domain/dstack-ingress/scripts/entrypoint.sh
+++ b/custom-domain/dstack-ingress/scripts/entrypoint.sh
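Review bot: The new `le_dir` assignment has no guard for `cert_dir_name` printing nothing: `cert_dir_name` lives in `/scripts/functions.sh`, outside this diff, so I cannot confirm its output for every domain shape, but an empty result collapses `le_dir` to `/etc/letsencrypt/live/`, the `-f` tests on the next lines fail, and the domain is silently left out of the HAProxy bundle with no diagnostic. Splitting the assignment makes both a failing helper and an empty name visible: `name=$(cert_dir_name "$domain") || exit 1`, `[[ -n "$name" ]] || { printf 'no cert dir name for %s\n' "$domain" >&2; continue; }`, `le_dir="/etc/letsencrypt/live/${name}"`. The `while` loop that contains this line continues past the end of the hunk.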
@@ -155,9 +155,13 @@ EOF
 if [ "$EVIDENCE_SERVER" = "true" ]; then
 cat <<'EVIDENCE_BLOCK' >>/etc/haproxy/haproxy.cfg
- # Route /evidences requests to local evidence HTTP server
+ # Route /evidences requests to the local evidence HTTP server.
+ # inspect-delay sets the upper bound for buffering; the accept rule
+ # fires as soon as any application data is present in the buffer
+ # (after SSL termination a full TLS record is decrypted atomically,
+ # so the complete HTTP request is available on first evaluation).
 tcp-request inspect-delay 5s
- tcp-request content accept if WAIT_END
+ tcp-request content accept if { req.len gt 0 }
 acl is_evidence payload(0,0) -m beg "GET /evidences"
 acl is_evidence payload(0,0) -m beg "HEAD /evidences"
 use_backend be_evidence if is_evidence
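Review bot: The new `accept if { req.len gt 0 }` rule can fire before the request line has arrived, so the `payload(0,0)` ACLs below it are evaluated against a truncated buffer and a `/evidences` request then falls through to the default backend instead of `be_evidence`. A TLS record is decrypted as a unit, but a request is not bound to one record: a record carries at most 16 KiB, large headers span several, and some client stacks deliberately send the first byte of application data in its own record, so the added comment's claim that the complete request is available on first evaluation holds per record, not per request. Accepting once HAProxy has parsed a full HTTP request, with the delay as the fallback, keeps the latency gain without that race: `tcp-request content accept if HTTP` followed by `tcp-request content accept if WAIT_END`, and the comment should say the first rule waits for a parseable request rather than for any data. The `if [ "$EVIDENCE_SERVER" = "true" ]` block and the `EVIDENCE_BLOCK` heredoc both continue past the end of the hunk.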