updated haproxy state

2022-12-24 17:49:54 +01:00 · 2022-12-24 17:49:54 +01:00 · 2f40804e70
commit 2f40804e70
parent e41d54617f
3 changed files with 32 additions and 41 deletions
--- a/states/haproxy/config.sls
+++ b/states/haproxy/config.sls
@ -13,17 +13,6 @@ haproxy-maps-{{ filename }}:
      - service: haproxy-service
 {% endfor %}

-haproxy-spoe-config:
-  file.managed:
-    - name: {{ haproxy.config.dir }}/spoe.cfg
-    - source: salt://haproxy/templates/spoe.cfg.j2
-    - user: {{ haproxy.config.user }}
-    - group: {{ haproxy.config.group }}
-    - mode: "0600"
-    - template: jinja
-    - watch_in:
-      - service: haproxy-service
-
 haproxy-config:
  file.managed:
    - name: {{ haproxy.config.dir }}/{{ haproxy.config.configfile }}
@ -34,3 +23,14 @@ haproxy-config:
    - template: jinja
    - watch_in:
      - service: haproxy-service
+
+haproxy-spoe-config:
+  file.managed:
+    - name: {{ haproxy.config.dir }}/spoe.cfg
+    - source: salt://haproxy/templates/spoe.cfg.j2
+    - user: {{ haproxy.config.user }}
+    - group: {{ haproxy.config.group }}
+    - mode: "0600"
+    - template: jinja
+    - watch_in:
+      - service: haproxy-service
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@ -50,20 +50,8 @@ haproxy:
    acme_fullchains_dir: /etc/acme/fullchains
    acme_dh_dir: /etc/acme/dh
    ssl_ciphers:
-      - "ECDH+AESGCM"
-      - "DH+AESGCM"
-      - "ECDH+AES256"
-      - "DH+AES256"
-      - "ECDH+AES128"
-      - "DH+AES"
-      - "ECDH+3DES"
-      - "DH+3DES"
-      - "RSA+AESGCM"
-      - "RSA+AES"
-      - "RSA+3DES"
-      - "!aNULL"
-      - "!MD5"
-      - "!DSS"
+      - EECDH+AESGCM
+      - EECDH+CHACHA20
    ssl_options:
      - no-sslv3
      - no-tls-tickets
@ -73,11 +61,13 @@ haproxy:
      - text/css
      - text/javascript
      - application/json
-    cache_file_types:
-      - .css
-      - .js
-      - .png
-      - .jpg
+    cache:
+      size: 50000
+      file_types:
+        - .css
+        - .js
+        - .png
+        - .jpg
    ddos:
      timeperiod: 10s
      maxrequests: 200
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@ -35,7 +35,7 @@
 {%- endmacro -%}

 {%- macro cache() -%}
-  http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} }
+  http-request cache-use static if { path_end {{ haproxy.config.cache.file_types|join(" ") }} }
  http-response cache-store static
 {%- endmacro -%}

@ -53,7 +53,7 @@ backend admin
  stats refresh 10s
  stats show-modules
  stats show-legends
-  stats uri /server-status
+  stats uri /
 {%- endmacro -%}

 {%- macro api() -%}
@ -90,7 +90,7 @@ defaults
 # Cache
 cache static
  total-max-size 64
-  max-object-size 50000
+  max-object-size {{ haproxy.config.cache.size|default(50000) }}
  max-age 120

 # Per IP rates stick table
@ -115,15 +115,13 @@ frontend https
  mode http
  option httplog
  acl internal src -f {{ haproxy.config.dir }}/maps/access
-  acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(Host) -m str %H
+  acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
  acl robots_txt path /robots.txt
  acl path_host path /host
  acl path_date path /date
-{%- if haproxy.config.admin.enable %}
-  acl admin path_beg /server-status
-{%- endif %}
+  acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
  http-request set-var(req.src) src
-  http-request set-var(req.host) req.hdr(host)
+  http-request set-var(req.host) req.hdr(Host)
  http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
  http-request track-sc0 var(req.accesshash) table per_ip_rates

@ -136,15 +134,18 @@ frontend https
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal

  ## Returns
-  http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
+  http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
  http-request return status 200 content-type text/html lf-string "%T\n" if path_date

  ## Headers
-  http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
+  http-request set-header X-Proxy-Id "%H"
  http-request set-header X-Proto https if { ssl_fc }
+
+  http-response set-header Date "%[date,http_date()]"
+
  log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
-  http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
+  http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
  http-request deny deny_status 404 unless domains
 {%- if haproxy.config.admin.enable %}
  use_backend admin if admin internal