Update program versions and remodel Dockerfile

Dockerfile

@@ -1,16 +1,23 @@
-FROM golang:1.9.6 AS build
+FROM golang:1.11.0-alpine AS build
 ADD . /src
 WORKDIR /src
-RUN go get -d -v -t
-RUN go test --cover ./... --run UnitTest
-RUN go build -v -o docker-flow-proxy
+RUN set -x \
+    && apk add --update --no-cache --no-progress git g++ \
+    && go get -d -v -t \
+    && go test --cover ./... --run UnitTest \
+    && go build -v -o docker-flow-proxy
 
 
-FROM haproxy:1.8.8-alpine
-MAINTAINER 	Viktor Farcic <viktor@farcic.com>
+FROM haproxy:1.8.13-alpine
+LABEL org.opencontainers.image.title="Docker Flow Proxy" \
+    org.opencontainers.image.description="Automated HAProxy Reverse Proxy for Docker" \
+    org.opencontainers.image.url="https://proxy.dockerflow.com" \
+    org.opencontainers.image.licenses="MIT" \
+    org.opencontainers.image.authors="Viktor Farcic <viktor@farcic.com>" \
+    org.opencontainers.image.source="https://github.com/docker-flow/docker-flow-proxy"
 
-RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
-RUN mkdir -p /cfg/tmpl /templates /certs /logs
+RUN apk --update --no-cache --no-progress add tini \
+    && mkdir -p /cfg/tmpl /templates /certs /logs
 
 ENV CERTS="" \
     CAPTURE_REQUEST_HEADER="" \
@@ -39,21 +46,20 @@ ENV CERTS="" \
     TIMEOUT_HTTP_REQUEST="5" TIMEOUT_HTTP_KEEP_ALIVE="15" TIMEOUT_CLIENT="20" TIMEOUT_CONNECT="5" TIMEOUT_QUEUE="30" TIMEOUT_SERVER="20" TIMEOUT_TUNNEL="3600" \
     USERS="" \
     SKIP_ADDRESS_VALIDATION="true" \
-    SSL_BIND_OPTIONS="no-sslv3" SSL_BIND_CIPHERS="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+    SSL_BIND_OPTIONS="ssl-min-ver TLSv1.2 no-tls-tickets" \
+    SSL_BIND_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM"
 
-EXPOSE 80
-EXPOSE 443
-EXPOSE 8080
+EXPOSE 80 \
+    443 \
+    8080
 
-RUN apk --no-cache add tini
 ENTRYPOINT ["/sbin/tini", "-g", "--"]
 CMD ["docker-flow-proxy", "server"]
 HEALTHCHECK --interval=5s --start-period=3s --timeout=10s CMD check.sh
 
 COPY scripts/check.sh /usr/local/bin/check.sh
-RUN chmod +x /usr/local/bin/check.sh
 COPY errorfiles /errorfiles
 COPY haproxy.cfg /cfg/haproxy.cfg
 COPY haproxy.tmpl /cfg/tmpl/haproxy.tmpl
 COPY --from=build /src/docker-flow-proxy /usr/local/bin/docker-flow-proxy
-RUN chmod +x /usr/local/bin/docker-flow-proxy
+RUN chmod +x /usr/local/bin/docker-flow-proxy /usr/local/bin/check.sh

docs/config.md

@@ -45,8 +45,8 @@ The following environment variables can be used to configure the *Docker Flow Pr
 |SERVICE_DOMAIN_ALGO|The default algorithm applied to domain ACLs. It can be overwritten for a service through the `serviceDomainAlgo` parameter.<br>**Examples:**<br>`hdr(host)`: matches only if domain is the same as `serviceDomain`<br>`hdr_dom(host)`: matches the specified `serviceDomain` and any subdomain (a string either isolated or delimited by dots).<br>`req.ssl_sni`: matches Server Name TLS extension<br>**Default Value:** `hdr_beg(host)`|
 |SERVICE_NAME       |The name of the service. It must be the same as the value of the `--name` argument used to create the proxy service. Used only in the *swarm* mode.<br>**Example:** `my-proxy`<br>**Default value:** `proxy`|
 |SKIP_ADDRESS_VALIDATION|Whether to skip validating service address before reconfiguring the proxy.<br>**Example:** false<br>**Default value:** `true`|
-|SSL_BIND_CIPHERS   |Sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for all "bind" lines which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such as `AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH`.<br>**Default value:** see [Dockerfile](https://github.com/docker-flow/docker-flow-proxy/blob/master/Dockerfile#L31)|
-|SSL_BIND_OPTIONS   |Sets default ssl-options to force on all "bind" lines.<br>**Default value:** `no-sslv3`|
+|SSL_BIND_CIPHERS   |Sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for all "bind" lines which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such as `EECDH+AESGCM:EDH+AESGCM`.<br>**Default value:** see [Dockerfile](https://github.com/docker-flow/docker-flow-proxy/blob/master/Dockerfile#L42)|
+|SSL_BIND_OPTIONS   |Sets default ssl-options to force on all "bind" lines.<br>**Default value:** `ssl-min-ver TLSv1.2 no-tls-tickets`|
 |STATS_USER         |Username for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>**Example:** my-user<br>**Default value:** `admin`|
 |STATS_USER_ENV     |The name of the environment variable that holds the username for the statistics page.<br>**Example:** MY_USER<br>**Default value:** `STATS_USER`|
 |STATS_PASS         |Password for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>**Example:** my-pass<br>**Default value:** `admin`|

logging/logging_test.go

@@ -41,7 +41,7 @@ func (s LoggingTestSuite) Test_StartLogging_OutputsSyslogToStdOut() {
 		expected := fmt.Sprintf("This is a syslog message %d", i)
 		go sysLog.Info(expected)
 		logged := false
-		for c := 0; c < 200; c++ {
+		for c := 0; c < 1000; c++ {
 			if strings.Contains(actual, expected) {
 				logged = true
 				break