Major upgrade: API key authentication, certificate renewal/download endpoints, monitoring/alerting scripts, improved logging, and documentation updates. See UPGRADE_SUMMARY.md for details.

2025-07-11 06:24:56 -07:00
parent f58dbef3c5
commit 7b0b4c0476
9 changed files with 1338 additions and 86 deletions
--- a/README.md
+++ b/README.md
@@ -5,8 +5,13 @@ A Flask-based API service for managing HAProxy configurations with dynamic SSL c

 To run the container:
 ```bash
-docker run -d  -p 80:80 -p 443:443 -p 8000:8000 -v lets-encrypt:/etc/letsencrypt -v haproxy:/etc/haproxy --name haproxy-manager repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:latest
+# Without API key authentication (default)
+docker run -d -p 80:80 -p 443:443 -p 8000:8000 -v lets-encrypt:/etc/letsencrypt -v haproxy:/etc/haproxy --name haproxy-manager repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:latest
+
+# With API key authentication (recommended for production)
+docker run -d -p 80:80 -p 443:443 -p 8000:8000 -v lets-encrypt:/etc/letsencrypt -v haproxy:/etc/haproxy -e HAPROXY_API_KEY=your-secure-api-key-here --name haproxy-manager repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:latest
 ```
+
 ## Features

 - RESTful API for HAProxy configuration management
@@ -18,6 +23,25 @@ docker run -d  -p 80:80 -p 443:443 -p 8000:8000 -v lets-encrypt:/etc/letsencrypt
 - Template override support for custom backend configurations
 - Process monitoring and auto-restart capabilities
 - Socket-based HAProxy runtime API integration
+- **NEW**: API key authentication for secure access
+- **NEW**: Certificate renewal API endpoint
+- **NEW**: Certificate download endpoints for other services
+- **NEW**: Comprehensive error logging and alerting system
+- **NEW**: Certificate status monitoring with expiration dates
+
+## Security
+
+### API Key Authentication
+
+When the `HAPROXY_API_KEY` environment variable is set, all API endpoints (except `/health` and `/`) require authentication using a Bearer token:
+
+```bash
+# Example API call with authentication
+curl -H "Authorization: Bearer your-secure-api-key-here" \
+     http://localhost:8000/api/domains
+```
+
+If no API key is set, the service runs without authentication (useful for development).

 ## Requirements

@@ -61,11 +85,32 @@ GET /health
 }
 ```

+### Get Domains
+Retrieve all configured domains and their backend information.
+
+```bash
+GET /api/domains
+Authorization: Bearer your-api-key
+
+# Response
+[
+    {
+        "id": 1,
+        "domain": "example.com",
+        "ssl_enabled": 1,
+        "ssl_cert_path": "/etc/haproxy/certs/example.com.pem",
+        "template_override": null,
+        "backend_name": "example_backend"
+    }
+]
+```
+
 ### Add Domain
 Add a new domain with backend servers configuration.

 ```bash
 POST /api/domain
+Authorization: Bearer your-api-key
 Content-Type: application/json

 {
@@ -100,6 +145,7 @@ Request and configure SSL certificate for a domain using Let's Encrypt.

 ```bash
 POST /api/ssl
+Authorization: Bearer your-api-key
 Content-Type: application/json

 {
@@ -117,6 +163,7 @@ Remove a domain and its associated backend configuration.

 ```bash
 DELETE /api/domain
+Authorization: Bearer your-api-key
 Content-Type: application/json

 {
@@ -129,3 +176,153 @@ Content-Type: application/json
    "message": "Domain configuration removed"
 }
 ```
+
+### Regenerate Configuration
+Regenerate HAProxy configuration from database.
+
+```bash
+GET /api/regenerate
+Authorization: Bearer your-api-key
+
+# Response
+{
+    "status": "success"
+}
+```
+
+### Reload HAProxy
+Reload HAProxy configuration without restart.
+
+```bash
+GET /api/reload
+Authorization: Bearer your-api-key
+
+# Response
+{
+    "status": "success"
+}
+```
+
+## New Certificate Management Endpoints
+
+### Renew All Certificates
+Trigger renewal of all Let's Encrypt certificates and reload HAProxy.
+
+```bash
+POST /api/certificates/renew
+Authorization: Bearer your-api-key
+
+# Response
+{
+    "status": "success",
+    "message": "Certificates renewed and HAProxy reloaded"
+}
+```
+
+### Get Certificate Status
+Get status of all certificates including expiration dates.
+
+```bash
+GET /api/certificates/status
+Authorization: Bearer your-api-key
+
+# Response
+{
+    "certificates": [
+        {
+            "domain": "example.com",
+            "ssl_enabled": true,
+            "cert_path": "/etc/haproxy/certs/example.com.pem",
+            "expires": "2024-12-31T23:59:59",
+            "days_until_expiry": 45
+        }
+    ]
+}
+```
+
+### Download Certificate Files
+Download certificate files for use by other services.
+
+```bash
+# Download combined certificate (cert + key)
+GET /api/certificates/example.com/download
+Authorization: Bearer your-api-key
+
+# Download private key only
+GET /api/certificates/example.com/key
+Authorization: Bearer your-api-key
+
+# Download certificate only (no private key)
+GET /api/certificates/example.com/cert
+Authorization: Bearer your-api-key
+```
+
+## Logging and Monitoring
+
+The HAProxy Manager includes comprehensive logging and error tracking:
+
+### Log Files
+- `/var/log/haproxy-manager.log` - General application logs
+- `/var/log/haproxy-manager-errors.log` - Error logs for alerting
+
+### Logged Operations
+All API operations are logged with timestamps and success/failure status:
+- Domain management (add/remove)
+- SSL certificate operations
+- Configuration generation
+- HAProxy reload/restart operations
+- Certificate renewals
+
+### Error Alerting
+Failed operations are logged to the error log file. You can monitor this file for alerting:
+```bash
+# Monitor error log for alerting
+tail -f /var/log/haproxy-manager-errors.log
+```
+
+## Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `HAPROXY_API_KEY` | API key for authentication (optional) | None (no auth) |
+
+## Example Usage
+
+### Setting up with API key authentication:
+```bash
+# Start container with API key
+docker run -d \
+  -p 80:80 -p 443:443 -p 8000:8000 \
+  -v lets-encrypt:/etc/letsencrypt \
+  -v haproxy:/etc/haproxy \
+  -e HAPROXY_API_KEY=your-secure-api-key-here \
+  --name haproxy-manager \
+  repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:latest
+
+# Add a domain
+curl -X POST http://localhost:8000/api/domain \
+  -H "Authorization: Bearer your-secure-api-key-here" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "domain": "example.com",
+    "backend_name": "example_backend",
+    "servers": [
+      {"name": "server1", "address": "10.0.0.1", "port": 8080, "options": "check"}
+    ]
+  }'
+
+# Request SSL certificate
+curl -X POST http://localhost:8000/api/ssl \
+  -H "Authorization: Bearer your-secure-api-key-here" \
+  -H "Content-Type: application/json" \
+  -d '{"domain": "example.com"}'
+
+# Renew certificates
+curl -X POST http://localhost:8000/api/certificates/renew \
+  -H "Authorization: Bearer your-secure-api-key-here"
+
+# Download certificate for another service
+curl -H "Authorization: Bearer your-secure-api-key-here" \
+  http://localhost:8000/api/certificates/example.com/download \
+  -o example.com.pem
+```