paulbsd-salt/states/haproxy/templates/haproxy.cfg.j2

197 lines
7.2 KiB
Plaintext
Raw Normal View History

2022-10-01 20:06:19 +02:00
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
2022-10-23 16:37:53 +02:00
{%- macro internal() -%}
acl internal src -f {{ haproxy.config.dir }}/maps/access
2022-10-01 20:06:19 +02:00
http-response return status 403 default-errorfiles if ! internal
{%- endmacro -%}
2022-10-23 16:37:53 +02:00
{%- macro head() -%}
2022-10-01 20:06:19 +02:00
http-request return status 200 if { method -i HEAD }
{%- endmacro -%}
2022-12-03 00:07:39 +01:00
{%- macro statusresponses() -%}
http-response return content-type text/html string "404 not found" if { status 404 }
{%- endmacro -%}
2022-10-23 16:37:53 +02:00
{%- macro serverheader() -%}
http-response set-header server "{{ haproxy.config.servername }}"
{%- endmacro -%}
2022-11-13 20:48:27 +01:00
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
{%- macro httpsslrules() -%}ssl verify none{%- endmacro -%}
{%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
{%- for server in servers %}
2022-12-03 00:07:39 +01:00
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
2022-11-13 20:48:27 +01:00
{%- endfor %}
{%- endmacro -%}
{%- macro tcpendpoints(servers=[], check=True) -%}
2022-10-23 16:37:53 +02:00
{%- for server in servers %}
2022-11-13 20:48:27 +01:00
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check" if check }}{{ " backup" if server.backup|default(False) }} port {{ server.port }}
2022-10-01 20:06:19 +02:00
{%- endfor %}
{%- endmacro -%}
2022-10-23 16:37:53 +02:00
{%- macro cache() -%}
2022-11-08 11:04:39 +01:00
http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} }
2022-10-23 16:37:53 +02:00
http-response cache-store static
{%- endmacro -%}
{%- macro compression() -%}
compression algo gzip
2022-11-08 11:04:39 +01:00
compression type {{ haproxy.config.gzip_mime_types|join(' ') }}
2022-10-23 16:37:53 +02:00
{%- endmacro -%}
2022-10-01 20:06:19 +02:00
{%- macro admin() -%}
2022-11-08 11:04:39 +01:00
# Stats
2022-10-01 20:06:19 +02:00
listen stats
mode http
2022-12-03 00:07:39 +01:00
bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
2022-10-01 20:06:19 +02:00
stats enable
2022-12-03 00:07:39 +01:00
#stats hide-version
stats admin if TRUE
#stats refresh 5s
stats show-modules
stats show-legends
2022-10-01 20:06:19 +02:00
stats uri /
2022-12-03 00:07:39 +01:00
monitor-uri /dead_or_alive
2022-10-01 20:06:19 +02:00
{%- endmacro -%}
{%- macro api() -%}
2022-11-08 11:04:39 +01:00
# Runtime API
stats socket {{ haproxy.config.api.tcpsocket }} level admin
stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin
2022-10-01 20:06:19 +02:00
{%- endmacro %}
2022-11-08 11:04:39 +01:00
# Global config
2022-10-01 20:06:19 +02:00
global
2022-10-23 16:37:53 +02:00
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
{%- for file in haproxy.scripts %}
{%- if not file.lib %}
lua-load {{ haproxy.config.dir }}/{{ file.name }}
{%- endif %}
2022-10-10 10:16:32 +02:00
{%- endfor %}
2022-10-23 16:37:53 +02:00
{%- if haproxy.config.api.enable %}
{{ api() }}
{%- endif %}
2022-11-08 11:04:39 +01:00
maxconn 1000
2022-10-01 20:06:19 +02:00
ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }}
ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
ssl-default-server-options {{ haproxy.config.ssl_options|join(" ") }}
2022-10-23 16:37:53 +02:00
crt-base {{ haproxy.config.acme_fullchains_dir }}
ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem
2022-10-01 20:06:19 +02:00
2022-11-08 11:04:39 +01:00
# Defaults values
2022-10-01 20:06:19 +02:00
defaults
2022-10-23 16:37:53 +02:00
{%- for key, value in haproxy.config.defaults.items() %}
{{ key }} {{ value }}
2022-10-01 20:06:19 +02:00
{%- endfor %}
2022-12-03 00:07:39 +01:00
{% if haproxy.config.admin.enable %}
2022-10-10 10:16:32 +02:00
{{ admin() }}
2022-10-01 20:06:19 +02:00
{%- endif %}
2022-11-08 11:04:39 +01:00
# Cache
2022-10-10 10:16:32 +02:00
cache static
2022-12-03 00:07:39 +01:00
total-max-size 64
2022-10-10 10:16:32 +02:00
max-object-size 50000
max-age 120
2022-11-08 11:04:39 +01:00
# Per IP rates stick table
2022-10-23 16:37:53 +02:00
backend per_ip_rates
2022-12-03 00:07:39 +01:00
stick-table type string size 1m expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}})
2022-10-23 16:37:53 +02:00
2022-11-08 11:04:39 +01:00
# Default HTTP frontend
2022-10-01 20:06:19 +02:00
frontend http
2022-12-03 00:07:39 +01:00
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
2022-10-01 20:06:19 +02:00
mode http
acl http ssl_fc,not
2022-12-03 00:07:39 +01:00
acl path_host path /host
acl path_date path /date
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
2022-10-01 20:06:19 +02:00
http-request redirect scheme https if http
2022-11-08 11:04:39 +01:00
# Default HTTPS frontend
2022-10-01 20:06:19 +02:00
frontend https
2022-12-03 00:07:39 +01:00
bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
2022-10-23 16:37:53 +02:00
mode http
option httplog
2022-11-08 11:04:39 +01:00
acl internal src -f {{ haproxy.config.dir }}/maps/access
2022-12-03 00:07:39 +01:00
acl robots_txt path /robots.txt
acl path_host path /host
acl path_date path /date
2022-11-08 11:04:39 +01:00
http-request set-var(req.src) src
http-request set-var(req.host) req.hdr(host)
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
http-request track-sc0 var(req.accesshash) table per_ip_rates
2022-10-23 16:37:53 +02:00
http-request capture req.hdr(User-Agent) len 200
http-request capture req.hdr(Content-Type) len 200
http-request capture req.hdr(Referer) len 200
http-request capture sc_http_req_rate(0) len 4
2022-12-03 00:07:39 +01:00
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
2022-11-08 11:04:39 +01:00
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
http-request set-header X-Proto https if { ssl_fc }
2022-10-23 16:37:53 +02:00
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
2022-12-03 00:07:39 +01:00
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
2022-11-08 11:04:39 +01:00
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
2022-10-01 20:06:19 +02:00
default_backend nginx
2022-11-08 11:04:39 +01:00
# HTTP Backends
2022-12-03 00:07:39 +01:00
{%- for name, values in haproxy.config.vhosts.items() %}
2022-11-13 20:48:27 +01:00
{%- if not values.redirect|default(False) %}
2022-10-01 20:06:19 +02:00
backend {{ name }}
2022-11-13 20:48:27 +01:00
balance {{ values.balance|default(haproxy.config.balance) }}
2022-10-23 16:37:53 +02:00
mode http
option forwardfor
2022-11-13 20:48:27 +01:00
{%- if values.check|default(haproxy.config.check) %}
2022-11-08 11:04:39 +01:00
option httpchk
{%- for step in values.check_steps|default([]) %}
http-check {{ step }}
{%- endfor %}
{%- endif %}
2022-12-03 00:07:39 +01:00
{{ statusresponses() }}
2022-11-13 20:48:27 +01:00
{%- if values.head|default(False) %}
2022-10-23 16:37:53 +02:00
{{ head() }}
2022-10-01 20:06:19 +02:00
{%- endif %}
2022-10-23 16:37:53 +02:00
2022-11-13 20:48:27 +01:00
{%- if values.compression|default(True) %}
2022-10-23 16:37:53 +02:00
{{ compression() }}
{%- endif %}
2022-11-13 20:48:27 +01:00
{%- if values.usecache|default(True) %}
2022-10-23 16:37:53 +02:00
{{ cache() }}
{%- endif %}
2022-11-13 20:48:27 +01:00
{%- if values.serverheader|default(True) %}
2022-10-23 16:37:53 +02:00
{{ serverheader() }}
2022-10-10 10:16:32 +02:00
{%- endif %}
2022-10-23 16:37:53 +02:00
2022-11-13 20:48:27 +01:00
{%- if values.internal|default(False) %}
2022-10-23 16:37:53 +02:00
{{ internal() }}
2022-10-01 20:06:19 +02:00
{%- endif %}
2022-11-13 20:48:27 +01:00
{{- httpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check), ssl=values.ssl|default(False)) }}
2022-11-08 11:04:39 +01:00
{%- endif %}
{% endfor %}
2022-10-01 20:06:19 +02:00
2022-11-08 11:04:39 +01:00
# TCP services
2022-12-03 00:07:39 +01:00
{%- for name, values in haproxy.config.services.items() %}
2022-10-01 20:06:19 +02:00
listen {{ name }}
2022-11-08 11:04:39 +01:00
bind *:{{ values.port }},:::{{ values.port }} v4v6
2022-10-01 20:06:19 +02:00
mode tcp
2022-10-23 16:37:53 +02:00
option tcplog
2022-10-01 20:06:19 +02:00
{%- if values.type == "postgres" %}
option pgsql-check user postgres
2022-12-03 00:07:39 +01:00
option tcpka
2022-10-01 20:06:19 +02:00
{%- endif %}
default-server inter 3s fall 3
2022-11-13 20:48:27 +01:00
{{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
2022-10-23 16:37:53 +02:00
{% endfor -%}