Harden build reproducibility and input sanitization

- Pin haproxy base image by digest for reproducible builds
- Add USER root comment explaining why (haproxy defaults to uid 99)
- Add sanitize_alpn() validator; ALPN is now validated at startup
- Require time suffix on haproxy timeouts (bare numbers are milliseconds
  in HAProxy which is almost never what users intend)
- Remove `local` usage outside function scope in renewal-daemon.sh
- Document ALPN env var in README

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: h4x3rotab

custom-domain/dstack-ingress/Dockerfile

@@ -1,5 +1,7 @@
-FROM haproxy:3.1-bookworm
+FROM haproxy@sha256:49a0a0d6f0b8b7e59c233b06eefab1564f2c8d64f673554d368fd7d2ab4b2c2d
 
+# haproxy image runs as non-root (uid 99) by default; we need root for
+# certbot, DNS management, and writing to /etc/haproxy/certs.
 USER root
 
 RUN --mount=type=bind,source=pinned-packages.txt,target=/tmp/pinned-packages.txt,ro \

custom-domain/dstack-ingress/README.md

@@ -178,6 +178,7 @@ environment:
 | `TIMEOUT_SERVER` | `86400s` | Server-side timeout |
 | `EVIDENCE_SERVER` | `true` | Serve evidence files at `/evidences/` on the TLS port |
 | `EVIDENCE_PORT` | `80` | Internal port for evidence HTTP server |
+| `ALPN` | | TLS ALPN protocols (e.g. `h2,http/1.1`). Only set if backends support h2c |
 
 For DNS provider credentials, see [DNS_PROVIDERS.md](DNS_PROVIDERS.md).
 

custom-domain/dstack-ingress/scripts/functions.sh

@@ -85,10 +85,28 @@ sanitize_positive_integer() {
 sanitize_haproxy_timeout() {
     local candidate="$1"
     local name="${2:-timeout}"
-    if [[ "$candidate" =~ ^[0-9]+(us|ms|s|m|h|d)?$ ]]; then
+    # Require a time suffix — bare numbers are milliseconds in HAProxy,
+    # which is almost never what users intend.
+    if [[ "$candidate" =~ ^[0-9]+(us|ms|s|m|h|d)$ ]]; then
         echo "$candidate"
     else
-        echo "Error: Invalid ${name}: $candidate (e.g. 10s, 5m, 86400s)" >&2
+        echo "Error: Invalid ${name}: $candidate (must include suffix, e.g. 10s, 5m, 86400s)" >&2
+        return 1
+    fi
+}
+
+sanitize_alpn() {
+    local candidate="$1"
+    if [ -z "$candidate" ]; then
+        echo ""
+        return 0
+    fi
+    # ALPN value is comma-separated protocol names (e.g. "h2,http/1.1")
+    # Only allow alphanumeric, dots, slashes, hyphens, and commas.
+    if [[ "$candidate" =~ ^[A-Za-z0-9./-]+(,[A-Za-z0-9./-]+)*$ ]]; then
+        echo "$candidate"
+    else
+        echo "Error: Invalid ALPN value: $candidate (e.g. h2,http/1.1)" >&2
         return 1
     fi
 }

custom-domain/dstack-ingress/scripts/renewal-daemon.sh

@@ -25,11 +25,10 @@ while true; do
             build-combined-pems.sh || echo "Combined PEM build failed"
 
             # Graceful reload: send SIGUSR2 to haproxy master process
-            local pidfile="/var/run/haproxy/haproxy.pid"
-            if [ ! -f "$pidfile" ]; then
-                echo "HAProxy reload failed: PID file $pidfile not found" >&2
-            elif ! kill -USR2 "$(cat "$pidfile")"; then
-                echo "HAProxy reload failed: SIGUSR2 to PID $(cat "$pidfile") failed" >&2
+            if [ ! -f /var/run/haproxy/haproxy.pid ]; then
+                echo "HAProxy reload failed: PID file /var/run/haproxy/haproxy.pid not found" >&2
+            elif ! kill -USR2 "$(cat /var/run/haproxy/haproxy.pid)"; then
+                echo "HAProxy reload failed: SIGUSR2 to PID $(cat /var/run/haproxy/haproxy.pid) failed" >&2
             else
                 echo "Certificate renewed and HAProxy reloaded successfully"
             fi

custom-domain/dstack-ingress/scripts/tests/test_sanitizers.sh

@@ -63,6 +63,10 @@ assert_equal "$(sanitize_haproxy_timeout 5m TIMEOUT)" "5m" "sanitize_haproxy_tim
 assert_equal "$(sanitize_haproxy_timeout 500ms TIMEOUT)" "500ms" "sanitize_haproxy_timeout accepts 500ms"
 assert_equal "$(sanitize_haproxy_timeout 100us TIMEOUT)" "100us" "sanitize_haproxy_timeout accepts 100us"
 assert_equal "$(sanitize_haproxy_timeout 1d TIMEOUT)" "1d" "sanitize_haproxy_timeout accepts 1d"
+assert_equal "$(sanitize_alpn 'h2,http/1.1')" "h2,http/1.1" "sanitize_alpn accepts h2,http/1.1"
+assert_equal "$(sanitize_alpn 'h2')" "h2" "sanitize_alpn accepts h2"
+assert_equal "$(sanitize_alpn 'http/1.1')" "http/1.1" "sanitize_alpn accepts http/1.1"
+assert_equal "$(sanitize_alpn '')" "" "sanitize_alpn accepts empty"
 
 # Failing cases
 assert_fails "sanitize_port rejects non-numeric" sanitize_port abc
@@ -100,6 +104,10 @@ assert_fails "sanitize_dns_label rejects invalid characters" sanitize_dns_label
 assert_fails "sanitize_positive_integer rejects zero" sanitize_positive_integer 0 MAXCONN
 assert_fails "sanitize_positive_integer rejects non-numeric" sanitize_positive_integer abc MAXCONN
 assert_fails "sanitize_haproxy_timeout rejects bare text" sanitize_haproxy_timeout abc TIMEOUT
+assert_fails "sanitize_haproxy_timeout rejects bare number" sanitize_haproxy_timeout 10 TIMEOUT
+assert_fails "sanitize_alpn rejects semicolons" sanitize_alpn "h2;drop"
+assert_fails "sanitize_alpn rejects newlines" sanitize_alpn $'h2\nhttp/1.1'
+assert_fails "sanitize_alpn rejects spaces" sanitize_alpn "h2, http/1.1"
 
 if [[ $failures -eq 0 ]]; then
     echo "All sanitizer tests passed"