Aleph 565 ipv4 domain support

packaging/aleph-vm/DEBIAN/conffiles

@@ -1 +1,5 @@
 /etc/aleph-vm/supervisor.env
+/etc/needrestart/conf.d/aleph-vm.conf
+/etc/haproxy/http_domains.map
+/etc/haproxy/https_domains.map
+/etc/haproxy/ssh_domains.map

packaging/aleph-vm/DEBIAN/control

@@ -3,6 +3,6 @@ Version: 0.1.8
 Architecture: all
 Maintainer: Aleph.im
 Description: Aleph.im VM execution engine
-Depends: python3,python3-pip,python3-aiohttp,python3-msgpack,python3-aiodns,python3-alembic,python3-sqlalchemy,python3-setproctitle,redis,python3-aioredis,python3-psutil,sudo,acl,curl,systemd-container,squashfs-tools,debootstrap,python3-packaging,python3-cpuinfo,python3-nftables,python3-jsonschema,cloud-image-utils,ndppd,python3-yaml,python3-dotenv,python3-schedule,qemu-system-x86,qemu-utils,python3-systemd,python3-dbus,btrfs-progs,nftables,lshw,python3-jwcrypto,python3-netifaces
+Depends: python3,python3-pip,python3-aiohttp,python3-msgpack,python3-aiodns,python3-alembic,python3-sqlalchemy,python3-setproctitle,redis,python3-aioredis,python3-psutil,sudo,acl,curl,systemd-container,squashfs-tools,debootstrap,python3-packaging,python3-cpuinfo,python3-nftables,python3-jsonschema,cloud-image-utils,ndppd,python3-yaml,python3-dotenv,python3-schedule,qemu-system-x86,qemu-utils,python3-systemd,python3-dbus,btrfs-progs,nftables,lshw,python3-jwcrypto,python3-netifaces,haproxy
 Section: aleph-im
 Priority: Extra

packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg

@@ -0,0 +1,136 @@
+# Rename to haproxy.cfg to activate
+
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+	log	global
+	mode	http
+	#option	httplog
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend stats
+  bind *:8404
+  stats enable
+  stats uri /
+  stats refresh 10s
+  http-request use-service prometheus-exporter if { path /metrics }
+
+# Frontend for HTTPS traffic (with SNI extraction)
+frontend ft_ssl
+    bind *:443
+    mode tcp
+
+    # Inspect SSL handshake
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    # Extract SNI from TLS CLIENT HELLO and store it
+    acl has_sni req_ssl_sni -m found
+    tcp-request content set-var(txn.sni) req_ssl_sni if has_sni
+
+    # Find the target server dynamically from SNI
+    use_backend bk_ssl if has_sni
+    default_backend bk_default_ssl
+
+# Frontend for HTTP traffic (with Host header extraction)
+frontend ft_http
+    bind *:80
+    mode http
+
+    # Extract Host header and store it
+    http-request set-var(txn.host) hdr(host)
+
+    # Find the target server dynamically from Host header
+    use_backend bk_http if { var(txn.host) -m found }
+    default_backend bk_default_supervisor
+
+# Frontend for SSH and other TCP traffic
+frontend ft_ssh
+    bind *:2222
+    #ssl crt /etc/haproxy/certs/ssl.pem
+    mode tcp
+
+    # For SSH connections, we need a different approach
+    # For this example, assume connections to port 22 go to fixed backends based on client source
+    #tcp-request content set-var(sess.dst) ssl_fc_sni
+    use_backend bk_ssh
+    #default_backend bk_default_ssl
+
+# Dynamic backend that will be populated with servers at runtime
+backend bk_ssl
+    mode tcp
+
+    # Use the appropriate variable based on the traffic type
+    # For HTTPS - Use SNI
+    use-server %[var(txn.sni),lower,map(/etc/haproxy/https_domains.map)] if { var(txn.sni) -m found }
+
+    # The Python script will populate this backend with servers dynamically
+    # Initially, no servers are defined here - they will be added via socket commands
+
+# Dynamic backend that will be populated with servers at runtime
+backend bk_ssh
+    mode tcp
+
+    # Use the appropriate variable based on the traffic type
+    # For HTTPS - Use SNI
+    use-server %[var(txn.sni),lower,map(/etc/haproxy/ssh_domains.map)] if { var(txn.sni) -m found }
+
+    # The Python script will populate this backend with servers dynamically
+    # Initially, no servers are defined here - they will be added via socket commands
+
+backend bk_http
+    mode http
+
+    # For HTTP - Use Host header
+    use-server %[var(txn.host),lower,map(/etc/haproxy/http_domains.map)] if { var(txn.host) -m found }
+    http-send-name-header Host
+
+    # The Python script will populate this backend with servers dynamically
+    # Initially, no servers are defined here - they will be added via socket commands
+
+# Default backend as fallback to fallback to the aleph-vm supervisor
+# Backend to terminate TLS for fallback (uses internal http frontend)
+backend bk_default_ssl
+    mode tcp
+    server fallback_local 127.0.0.1:4443 send-proxy
+
+
+# Internal frontend that handles TLS termination (serve cert) and HTTP
+frontend ft_terminated_ssl
+    bind 127.0.0.1:4443 ssl crt /etc/haproxy/certs/ accept-proxy
+    mode http
+    default_backend bk_default_supervisor
+
+
+# HTTP backend behind TLS termination
+backend bk_default_supervisor
+    mode http
+    http-request set-header Host %[req.hdr(host)]
+    server web1 127.0.0.1 : 4020

packaging/aleph-vm/etc/haproxy/http_domains.map

@@ -0,0 +1 @@
+dualstack-to-instance.aleph.sh 172.16.6.2:80

packaging/aleph-vm/etc/haproxy/https_domains.map

@@ -0,0 +1,2 @@
+dualstack-to-instance.aleph.sh 172.16.6.2:443
+vm-lab.aleph.sh 127.0.0.1:4443

packaging/aleph-vm/etc/haproxy/ssh_domains.map

@@ -0,0 +1 @@
+dualstack-to-instance.aleph.sh 172.16.6.2:22

src/aleph/vm/conf.py

@@ -333,6 +333,11 @@ class Settings(BaseSettings):
         description="Sensitive fields, redacted from `--print-settings`.",
     )
 
+    # Used to control HA Proxy
+    HAPROXY_SOCKET: Path = Field(
+        default=Path("/run/haproxy/admin.sock"), description="Control HAPROXY for domain mapping"
+    )
+
     def update(self, **kwargs):
         for key, value in kwargs.items():
             if key != key.upper():