paulbsd-salt/states/haproxy/templates/haproxy.cfg.j2

## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy,certs with context %}

{%- macro internal() -%}
  acl internal src -f {{ haproxy.config.dir }}/maps/access
  http-response return status 403 default-errorfiles if ! internal
{%- endmacro -%}

{%- macro head() -%}
  http-request return status 200 if { method -i HEAD }
{%- endmacro -%}

{%- macro serverheader() -%}
  http-response set-header server "{{ haproxy.config.servername }}"
{%- endmacro -%}

{%- macro endpoints(servers, check, ssl) -%}
  {%- for server in servers %}
  server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 1s fall 5 rise 5 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }}
  {%- endfor %}
{%- endmacro -%}

{%- macro cache() -%}
  http-request cache-use static if { path_end .css .js .png .jpg }
  http-response cache-store static 
{%- endmacro -%}

{%- macro compression() -%}
  compression algo gzip
  compression type text/html text/plain text/css text/javascript application/javascript
{%- endmacro -%}

{%- macro admin() -%}
listen stats
  mode http
  bind *:7000 v4v6
  stats enable
  stats refresh 5s
  stats uri /
{%- endmacro -%}

{%- macro api() -%}
  stats socket ipv4@127.0.0.1:9990 level admin
  stats socket /var/run/hap-lb.sock mode 666 level admin
  stats timeout 2m
{%- endmacro %}

global
  lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
{%- for file in haproxy.scripts %}
  {%- if not file.lib %}
  lua-load {{ haproxy.config.dir }}/{{ file.name }}
  {%- endif %}
{%- endfor %}
  maxconn 1000
{%- if haproxy.config.api.enable %}
  {{ api() }}
{%- endif %}
  ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
  ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }}
  ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
  ssl-default-server-options {{ haproxy.config.ssl_options|join(" ") }}
  crt-base {{ haproxy.config.acme_fullchains_dir }}
  ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem

defaults
{%- for key, value in haproxy.config.defaults.items() %}
  {{ key }} {{ value }}
{%- endfor %}

{%- if haproxy.config.admin %}
{{ admin() }}
{%- endif %}

cache static
  total-max-size 256
  max-object-size 50000
  max-age 120

backend per_ip_rates
  stick-table type string size 1m expire 10s store http_req_rate(10s)

frontend http
  bind *:80,:::80 v4v6
  mode http
  acl http ssl_fc,not
  http-request redirect scheme https if http

frontend https
  bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
  mode http
  option httplog
  {%- for name, values in haproxy.config.vhosts.items() %}
  use_backend {{ name }} if { hdr(Host) -i {{ values.host }} }
  {%- endfor %}
  http-request track-sc0 src table per_ip_rates
  http-request capture req.hdr(User-Agent) len 200
  http-request capture req.hdr(Content-Type) len 200
  http-request capture req.hdr(Referer) len 200
  http-request capture sc_http_req_rate(0) len 4
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
  http-request set-header x-proxy-id "{{ salt["grains.get"]("host") }}"
  log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
  default_backend nginx

{% for name, values in haproxy.config.vhosts.items() %}
backend {{ name }}
  balance {{ values.balance|default("roundrobin") }}
  mode http
  option forwardfor
{%- if values.head|default(false) %}
  {{ head() }}
{%- endif %}

{%- if values.compression|default(true) %}
  {{ compression() }}
{%- endif %}

{%- if values.usecache|default(true) %}
  {{ cache() }}
{%- endif %}

{%- if values.serverheader|default(true) %}
  {{ serverheader() }}
{%- endif %}

{%- if values.internal|default(false) %}
  {{ internal() }}
{%- endif %}
  {{- endpoints(values.servers, values.check, values.ssl) }}
{% endfor -%}

{% for name, values in haproxy.config.services.items() %}
listen {{ name }}
  bind :::{{ values.port }} v4v6
  mode tcp
  option tcplog
{%- if values.type == "postgres" %}
  option pgsql-check user postgres
{%- endif %}
  default-server inter 3s fall 3
  {%- for server in values.servers %}
  server {{ server.name }} {{ server.name }}:{{ server.port }} check {{ "backup" if server.backup|default(false) }} port {{ server.port }}
  {%- endfor %}
{% endfor -%}
initial state for haproxy 2022-10-01 20:06:19 +02:00			`## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}`
			`{%- from "haproxy/map.jinja" import haproxy,certs with context %}`

updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- macro internal() -%}`
			`acl internal src -f {{ haproxy.config.dir }}/maps/access`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`http-response return status 403 default-errorfiles if ! internal`
			`{%- endmacro -%}`

updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- macro head() -%}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`http-request return status 200 if { method -i HEAD }`
			`{%- endmacro -%}`

updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- macro serverheader() -%}`
			`http-response set-header server "{{ haproxy.config.servername }}"`
			`{%- endmacro -%}`

			`{%- macro endpoints(servers, check, ssl) -%}`
			`{%- for server in servers %}`
			`server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 1s fall 5 rise 5 " if check\|default(true) }}{{ " ssl verify none " if ssl\|default(false) }}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endfor %}`
			`{%- endmacro -%}`

updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- macro cache() -%}`
			`http-request cache-use static if { path_end .css .js .png .jpg }`
			`http-response cache-store static`
			`{%- endmacro -%}`

			`{%- macro compression() -%}`
			`compression algo gzip`
			`compression type text/html text/plain text/css text/javascript application/javascript`
			`{%- endmacro -%}`

initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- macro admin() -%}`
			`listen stats`
			`mode http`
			`bind *:7000 v4v6`
			`stats enable`
			`stats refresh 5s`
			`stats uri /`
			`{%- endmacro -%}`

			`{%- macro api() -%}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`stats socket ipv4@127.0.0.1:9990 level admin`
			`stats socket /var/run/hap-lb.sock mode 666 level admin`
			`stats timeout 2m`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endmacro %}`

			`global`
updated haproxy state 2022-10-23 16:37:53 +02:00			`lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua`
			`{%- for file in haproxy.scripts %}`
			`{%- if not file.lib %}`
			`lua-load {{ haproxy.config.dir }}/{{ file.name }}`
			`{%- endif %}`
updated haproxy state 2022-10-10 10:16:32 +02:00			`{%- endfor %}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`maxconn 1000`
updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- if haproxy.config.api.enable %}`
			`{{ api() }}`
			`{%- endif %}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers\|join(":") }}`
			`ssl-default-bind-options {{ haproxy.config.ssl_options\|join(" ") }}`
			`ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers\|join(":") }}`
			`ssl-default-server-options {{ haproxy.config.ssl_options\|join(" ") }}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`crt-base {{ haproxy.config.acme_fullchains_dir }}`
			`ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem`
initial state for haproxy 2022-10-01 20:06:19 +02:00
			`defaults`
updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- for key, value in haproxy.config.defaults.items() %}`
			`{{ key }} {{ value }}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endfor %}`

			`{%- if haproxy.config.admin %}`
updated haproxy state 2022-10-10 10:16:32 +02:00			`{{ admin() }}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endif %}`

updated haproxy state 2022-10-10 10:16:32 +02:00			`cache static`
updated haproxy state 2022-10-23 16:37:53 +02:00			`total-max-size 256`
updated haproxy state 2022-10-10 10:16:32 +02:00			`max-object-size 50000`
			`max-age 120`

updated haproxy state 2022-10-23 16:37:53 +02:00			`backend per_ip_rates`
			`stick-table type string size 1m expire 10s store http_req_rate(10s)`

initial state for haproxy 2022-10-01 20:06:19 +02:00			`frontend http`
			`bind *:80,:::80 v4v6`
			`mode http`
			`acl http ssl_fc,not`
			`http-request redirect scheme https if http`

			`frontend https`
updated haproxy state 2022-10-23 16:37:53 +02:00			`bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}`
			`mode http`
			`option httplog`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- for name, values in haproxy.config.vhosts.items() %}`
			`use_backend {{ name }} if { hdr(Host) -i {{ values.host }} }`
			`{%- endfor %}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`http-request track-sc0 src table per_ip_rates`
			`http-request capture req.hdr(User-Agent) len 200`
			`http-request capture req.hdr(Content-Type) len 200`
			`http-request capture req.hdr(Referer) len 200`
			`http-request capture sc_http_req_rate(0) len 4`
			`http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }`
			`http-request set-header x-proxy-id "{{ salt["grains.get"]("host") }}"`
			`log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`default_backend nginx`

			`{% for name, values in haproxy.config.vhosts.items() %}`
			`backend {{ name }}`
			`balance {{ values.balance\|default("roundrobin") }}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`mode http`
			`option forwardfor`
			`{%- if values.head\|default(false) %}`
			`{{ head() }}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endif %}`
updated haproxy state 2022-10-23 16:37:53 +02:00
			`{%- if values.compression\|default(true) %}`
			`{{ compression() }}`
			`{%- endif %}`

updated haproxy state 2022-10-10 10:16:32 +02:00			`{%- if values.usecache\|default(true) %}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`{{ cache() }}`
			`{%- endif %}`

			`{%- if values.serverheader\|default(true) %}`
			`{{ serverheader() }}`
updated haproxy state 2022-10-10 10:16:32 +02:00			`{%- endif %}`
updated haproxy state 2022-10-23 16:37:53 +02:00
			`{%- if values.internal\|default(false) %}`
			`{{ internal() }}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endif %}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`{{- endpoints(values.servers, values.check, values.ssl) }}`
			`{% endfor -%}`
initial state for haproxy 2022-10-01 20:06:19 +02:00
			`{% for name, values in haproxy.config.services.items() %}`
			`listen {{ name }}`
			`bind :::{{ values.port }} v4v6`
			`mode tcp`
updated haproxy state 2022-10-23 16:37:53 +02:00			`option tcplog`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- if values.type == "postgres" %}`
			`option pgsql-check user postgres`
			`{%- endif %}`
			`default-server inter 3s fall 3`
updated haproxy state 2022-10-23 16:37:53 +02:00			`{%- for server in values.servers %}`
			`server {{ server.name }} {{ server.name }}:{{ server.port }} check {{ "backup" if server.backup\|default(false) }} port {{ server.port }}`
initial state for haproxy 2022-10-01 20:06:19 +02:00			`{%- endfor %}`
updated haproxy state 2022-10-23 16:37:53 +02:00			`{% endfor -%}`