From 4f2551f83818d2b1fb47aaeb35ac6eef3d0059a2 Mon Sep 17 00:00:00 2001
From: dillweadclerant-ai
Date: Tue, 9 Dec 2025 19:12:29 +0800
Subject: [PATCH] Delete proxy directory
---
proxy/.dockerignore | 6 --
proxy/Dockerfile | 58 ---------------
proxy/ops/docker-compose.yml | 27 -------
proxy/ops/docker_boot.service | 20 ------
proxy/src/generate-certs.sh | 99 --------------------------
proxy/src/healthcheck.sh | 26 -------
proxy/src/proxy_config.cfg | 102 ---------------------------
proxy/src/set_public_ip_and_start.sh | 84 ----------------------
8 files changed, 422 deletions(-)
delete mode 100644 proxy/.dockerignore
delete mode 100644 proxy/Dockerfile
delete mode 100644 proxy/ops/docker-compose.yml
delete mode 100644 proxy/ops/docker_boot.service
delete mode 100644 proxy/src/generate-certs.sh
delete mode 100644 proxy/src/healthcheck.sh
delete mode 100644 proxy/src/proxy_config.cfg
delete mode 100755 proxy/src/set_public_ip_and_start.sh
diff --git a/proxy/.dockerignore b/proxy/.dockerignore
deleted file mode 100644
index bd375f0a..00000000
--- a/proxy/.dockerignore
+++ /dev/null
@@ -1,6 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-
-ops/
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
deleted file mode 100644
index 288a45d9..00000000
--- a/proxy/Dockerfile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-FROM haproxy:lts-alpine
-
-# Install dependencies for healthcheck support
-USER root
-RUN apk --no-cache add curl openssl jq bash
-
-# Customization variables for certificate generation
-ARG SSL_IP
-ARG SSL_DNS
-
-# Generate + copy the self-signed certificate settings
-WORKDIR /certs
-COPY src/generate-certs.sh /usr/local/bin/generate-certs.sh
-RUN chmod +x /usr/local/bin/generate-certs.sh && \
- /usr/local/bin/generate-certs.sh && \
- mkdir --parents /etc/haproxy/ssl/ && \
- mv /certs/proxy.whatsapp.net.pem /etc/haproxy/ssl/proxy.whatsapp.net.pem && \
- chown -R haproxy:haproxy /etc/haproxy/
-WORKDIR /
-
-# Copy the public-ip setting + sshd startup script
-COPY --chown=haproxy:haproxy src/set_public_ip_and_start.sh /usr/local/bin/set_public_ip_and_start.sh
-RUN chmod +x /usr/local/bin/set_public_ip_and_start.sh
-
-# Copy the HAProxy configuration
-COPY --chown=haproxy:haproxy src/proxy_config.cfg /usr/local/etc/haproxy/haproxy.cfg
-RUN chown haproxy:haproxy /usr/local/etc/haproxy
-
-# Copy + define the healthcheck
-COPY src/healthcheck.sh /usr/local/bin/healthcheck.sh
-RUN chmod +x /usr/local/bin/healthcheck.sh
-HEALTHCHECK --interval=10s --start-period=5s CMD bash /usr/local/bin/healthcheck.sh
-
-RUN mkdir --parents /home/haproxy/certs && chown haproxy:haproxy /home/haproxy/certs
-
-# Validate the HAProxy configuration file (sanity check)
-RUN haproxy -c -V -f /usr/local/etc/haproxy/haproxy.cfg
-
-# Revert to the haproxy user for runtime operation
-USER haproxy
-
-# Expose the container-supported network ports
-EXPOSE 80/tcp
-EXPOSE 8080/tcp
-EXPOSE 443/tcp
-EXPOSE 8443/tcp
-EXPOSE 5222/tcp
-EXPOSE 8222/tcp
-EXPOSE 8199/tcp
-EXPOSE 587/tcp
-EXPOSE 7777/tcp
-
-# This is the startup command which also runs a background job to manage the WAPOX IPs
-CMD /usr/local/bin/set_public_ip_and_start.sh
diff --git a/proxy/ops/docker-compose.yml b/proxy/ops/docker-compose.yml
deleted file mode 100644
index 811636a3..00000000
--- a/proxy/ops/docker-compose.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-version: '3.3'
-
-services:
- proxy:
- container_name: whatsapp_proxy
- build: ../
- restart: unless-stopped
- ports:
- - "80:80" # HTTP
- - "443:443" # HTTPS
- - "5222:5222" # JABBER
- - "8199:8199" # HAPROXY statistics page
- - "8080:8080" # HTTP with accept-proxy processing
- - "8443:8443" # HTTPS with accept-proxy processing
- - "8222:8222" # JABBER with accept-proxy processing
- - "587:587" # whatsapp.net
- - "7777:7777" # whatsapp.net
- healthcheck:
- test: /usr/local/bin/healthcheck.sh
- interval: 10s
- start_period: 5s
- environment:
- - PUBLIC_IP=10.0.0.1
diff --git a/proxy/ops/docker_boot.service b/proxy/ops/docker_boot.service
deleted file mode 100644
index 54075539..00000000
--- a/proxy/ops/docker_boot.service
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-
-## Systemd definition for an example service to startup the proxy container on host reboot
-
-[Unit]
-description=docker boot
-After=docker.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-WorkingDirectory=/root/whatsapp_proxy/proxy/ops
-ExecStart=docker compose up -d
-ExecStop=docker compose stop
-
-[Install]
-WantedBy=multi-user.target
diff --git a/proxy/src/generate-certs.sh b/proxy/src/generate-certs.sh
deleted file mode 100644
index a315c4ae..00000000
--- a/proxy/src/generate-certs.sh
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/bin/bash
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-
-echo "----------------------------"
-echo "| SSL Certificate Generation |"
-echo "----------------------------"
-echo
-
-export RANDOM_CA=$(head -c 60 /dev/urandom | tr -dc 'a-zA-Z0-9')
-export CA_KEY="ca-key.pem"
-export CA_CERT="ca.pem"
-export CA_SUBJECT="${RANDOM_CA}"
-export CA_EXPIRE="36500" # 100 years
-
-export SSL_CONFIG="openssl.cnf"
-export SSL_KEY="key.pem"
-export SSL_CSR="key.csr"
-export SSL_CERT="cert.pem"
-export SSL_SIZE="4096"
-export SSL_EXPIRE="3650" # 10 years
-
-export RANDOM_SSL=$(head -c 60 /dev/urandom | tr -dc 'a-zA-Z0-9')
-export SSL_SUBJECT="${RANDOM_SSL}.net"
-export SSL_DNS=${SSL_DNS}
-export SSL_IP=${SSL_IP}
-
-export DEBUG=${DEBUG:=1}
-
-echo "--> Certificate Authority"
-echo "Generating certs for ${SSL_SUBJECT}"
-
-if [[ -e ./${CA_KEY} ]]; then
- echo "====> Using existing CA Key ${CA_KEY}"
-else
- echo "====> Generating new CA key ${CA_KEY}"
- openssl genrsa -out ${CA_KEY} 4096
-fi
-
-if [[ -e ./${CA_CERT} ]]; then
- echo "====> Using existing CA Certificate ${CA_CERT}"
-else
- echo "====> Generating new CA Certificate ${CA_CERT}"
- openssl req -x509 -new -nodes -key ${CA_KEY} -days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" || exit 1
-fi
-
-[[ -n $DEBUG ]] && cat $CA_CERT
-
-echo "====> Generating new config file ${SSL_CONFIG}"
-cat > ${SSL_CONFIG} <> ${SSL_CONFIG} <> ${SSL_CONFIG}
- done
-
- if [[ -n ${SSL_IP} ]]; then
- ip=(${SSL_IP})
- for i in "${!ip[@]}"; do
- echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
- done
- fi
-fi
-
-echo "====> Generating new SSL KEY ${SSL_KEY}"
-openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} || exit 1
-
-echo "====> Generating new SSL CSR ${SSL_CSR}"
-openssl req -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/CN=${SSL_SUBJECT}" -config ${SSL_CONFIG} || exit 1
-
-echo "====> Generating new SSL CERT ${SSL_CERT}"
-openssl x509
-req -in ${SSL_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
- -days ${SSL_EXPIRE} -extensions v3_req -extfile ${SSL_CONFIG} || exit 1
-
-echo "====> Generating SSL CERT / KEY COMBO proxy.whatsapp.net.pem"
-cat ${SSL_KEY} > proxy.whatsapp.net.pem
-cat ${SSL_CERT} >> proxy.whatsapp.net.pem
-
-echo "Certificate generation completed."
-
diff --git a/proxy/src/healthcheck.sh b/proxy/src/healthcheck.sh
deleted file mode 100644
index ca5b9eb0..00000000
--- a/proxy/src/healthcheck.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-
-curl -s -w 2 "http://127.0.0.1:8199/;csv" > /tmp/stats.txt || exit 1
-
-# First trim off the leading line which is just "#"
-# Then convert the ugly CSV to slightly less ugly JSON
-# Filter out the lines for *.whatsapp_net backend status
-# Select the "check_desc" field (Description of the check result)
-# and take all results that do NOT equal "Layer4 check passed" from HAProxy
-RESULT=$(tail -n +1 /tmp/stats.txt | jq -R 'split(",")' | jq -c 'select(.[1] != null) | select(.[1] | contains("whatsapp_net"))' | jq --raw-output '.[65]| select(. | test("Layer4 check passed") | not)')
-
-# # CSV output header row:
-# # ["# pxname","svname","qcur","qmax","scur","smax","slim","stot","bin","bout","dreq","dresp","ereq","econ","eresp","wretr","wredis","status","weight","act","bck","chkfail","chkdown","lastchg","downtime","qlimit","pid","iid","sid","throttle","lbtot","tracked","type","rate","rate_lim","rate_max","check_status","check_code","check_duration","hrsp_1xx","hrsp_2xx","hrsp_3xx","hrsp_4xx","hrsp_5xx","hrsp_other","hanafail","req_rate","req_rate_max","req_tot","cli_abrt","srv_abrt","comp_in","comp_out","comp_byp","comp_rsp","lastsess","last_chk","last_agt","qtime","ctime","rtime","ttime","agent_status","agent_code","agent_duration","check_desc","agent_desc","check_rise","check_fall","check_health","agent_rise","agent_fall","agent_health","addr","cookie","mode","algo","conn_rate","conn_rate_max","conn_tot","intercepted","dcon","dses","wrew","connect","reuse","cache_lookups","cache_hits","srv_icur","src_ilim","qtime_max","ctime_max","rtime_max","ttime_max","eint","idle_conn_cur","safe_conn_cur","used_conn_cur","need_conn_est","uweight","agg_server_check_status","-","ssl_sess","ssl_reused_sess","ssl_failed_handshake","h2_headers_rcvd","h2_data_rcvd","h2_settings_rcvd","h2_rst_stream_rcvd","h2_goaway_rc
vd","h2_detected_conn_protocol_errors","h2_detected_strm_protocol_errors","h2_rst_stream_resp","h2_goaway_resp","h2_open_connections","h2_backend_open_streams","h2_total_connections","h2_backend_total_streams",""]
-
-if [ "$RESULT" != "" ]
-then
- echo "[HEALTHCHECKER] Container failed healthchecks, L4 healthcheck on *.whatsapp.net failed"
- echo "[HEALTKCHECKER] Result $RESULT"
- exit -1;
-fi
-
-exit 0;
diff --git a/proxy/src/proxy_config.cfg b/proxy/src/proxy_config.cfg
deleted file mode 100644
index 889d9913..00000000
--- a/proxy/src/proxy_config.cfg
+++ /dev/null
@@ -1,102 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-
-## This file contains the HAProxy configuration for the WhatsApp proxy host use-case
-
-# Documentation
-# https://cbonte.github.io/haproxy-dconv/2.5/configuration.html#maxconn
-
-global
- # Default buffer size is 16kB and we need 2 buffers/conn.
- # For WA we want a lower memory footprint, so we lower it to 4kB.
- tune.bufsize 4096
-
- # We limit the connection count to 27.5K connections concurrently such that
- # to fail healthchecks we'd have to actually have health problems rather than just reject connections
- #
- # Upon the 27501'th connection on a proxy port, it'll be REJECTED in favor of reconnecting to a different proxy host
- # which will mean the existing connection will be serviced without the host being recycled
- maxconn 27500
-
- # Adds some randomness on the interval delay between two consecutive health checks
- spread-checks 5
-
- # # Log to local rsyslogd (levels: emerg alert crit err warning notice info debug)
- # log 127.0.0.1 local0 notice
- ssl-server-verify none
-
- # ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- # ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
- # ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- # ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
-
-defaults
- mode tcp
- # we don't retain this information for long since connections are load balanced they'll end up on a new host
- timeout
client-fin 1s
- timeout server-fin 1s
- timeout connect 5s
- timeout client 200s
- timeout server 200s
- # log global
- # option tcplog
- default-server inter 10s fastinter 1s downinter 3s error-limit 50
-
-listen stats
- bind :::8199
- mode http
- http-request use-service prometheus-exporter if { path /metrics }
- stats uri /
-
-# These expect direct connections from clients or through NLB balanced
-# connections
-frontend haproxy_v4_http
- maxconn 27495
- #PUBLIC_IP
-
- bind ipv4@*:80
- bind ipv4@*:8080 accept-proxy
-
- default_backend wa_http
-
-frontend haproxy_v4_https
- maxconn 27495
- #PUBLIC_IP
-
- bind ipv4@*:443 ssl crt /etc/haproxy/ssl/proxy.whatsapp.net.pem
- bind ipv4@*:8443 ssl crt /etc/haproxy/ssl/proxy.whatsapp.net.pem accept-proxy
-
- default_backend wa
-
-frontend haproxy_v4_xmpp
- maxconn 27495
- #PUBLIC_IP
-
- bind ipv4@*:5222
- bind ipv4@*:8222 accept-proxy
-
- default_backend wa
-
-frontend haproxy_v4_whatsapp_net
- maxconn 27495
- #PUBLIC_IP
-
- bind ipv4@*:587
- bind ipv4@*:7777
-
- default_backend wa_whatsapp_net
-
-backend wa_whatsapp_net
- default-server check inter 60000 observe layer4
- server whatsapp_net_443 whatsapp.net:443
-
-backend wa
- default-server check inter 60000 observe layer4 send-proxy
- server g_whatsapp_net_5222 g.whatsapp.net:5222
-
-backend wa_http
- default-server check inter 60000 observe layer4 send-proxy
- server g_whatsapp_net_80 g.whatsapp.net:80
diff --git a/proxy/src/set_public_ip_and_start.sh b/proxy/src/set_public_ip_and_start.sh
deleted file mode 100755
index 9ade79aa..00000000
--- a/proxy/src/set_public_ip_and_start.sh
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/bin/bash
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-#
-# License found in the LICENSE file in the root directory
-# of this source tree.
-
-## About:
-# This script replaces instances of #PUBLIC_IP in the HaProxy configuration files
-# with the real public ip. There's an order of priority here which is
-# 1. Environment variable
-# 2. AWS EC2 Metadata endpoint
-# 3. Third-party sources
-# If all fails, we'll just not set the destination IP address
-
-CONFIG_FILE="/usr/local/etc/haproxy/haproxy.cfg"
-
-## Custom function to use as curl wrapper
-# --silent: to reduce the nois eof response
-# --show-error: to show errors in the response
-# --fail: to fail on non-200 responses
-# --ipv4: to force ipv4 resolution
-# --max-time: to set a timeout
-function fetch() {
- curl --silent --show-error --fail --ipv4 --max-time 2 "$@"
-}
-
-## PUBLIC_IP supplied from environment variable
-if [[ $PUBLIC_IP == '' ]]
-then
- echo "[PROXYHOST] No public IP address was supplied as an environment variable."
-fi
-
-## PUBLIC_IP retrieved from AWS EC2 metadata endpoint
-if [[ $PUBLIC_IP == '' ]]
-then
- # Attempt retrieval of the public ip from the meta-data instance
- PUBLIC_IP=$(fetch http://169.254.169.254/latest/meta-data/public-ipv4)
- if [[ $PUBLIC_IP == '' ]]
- then
- echo "[PROXYHOST] Failed to retrieve public ip address from AWS URI within 2s"
- fi
-fi
-
-## PUBLIC_IP retrieved from third-party sources
-if [[ $PUBLIC_IP == '' ]]
-then
- urls=(
- 'https://icanhazip.com/'
- 'https://ipinfo.io/ip'
- 'https://domains.google.com/checkip'
- )
-
- # Attempt retrieval of the public ip from the third-party sources
- for url in "${urls[@]}"; do
- PUBLIC_IP="$(fetch "${url}")" && break
- done
- if [[ $PUBLIC_IP == '' ]]
- then
- echo "[PROXYHOST] Failed to retrieve public ip address from third-party sources within 2s"
- fi
-fi
-
-# Now if the public IP is available (test is for not-empty)
-# then replace the instances in all haproxy config lines
-if [[ -n "$PUBLIC_IP" ]]
-then
- echo "[PROXYHOST] Public IP address ($PUBLIC_IP) in-place replacement occurring on $CONFIG_FILE"
- # Replace all instances of #PUBLIC_IP with the
- # haproxy configuration statement for the frontend which set's the destination
- # ip to the public ip of the container (which is necessary to determine our IP's
- # internally within WA)
- sed -i "s/#PUBLIC\_IP/tcp-request connection set-dst ipv4($PUBLIC_IP)/g" $CONFIG_FILE
-fi
-
-# Setup a new, on-the-fly certificate for the HTTPS port (so this re-generates each restart)
-pushd /home/haproxy/certs
-/usr/local/bin/generate-certs.sh
-mv proxy.whatsapp.net.pem /etc/haproxy/ssl/proxy.whatsapp.net.pem
-chown haproxy:haproxy /etc/haproxy/ssl/proxy.whatsapp.net.pem
-popd
-
-# Start HAProxy
-haproxy -f "$CONFIG_FILE"
-