updated haproxy state
parent
e41d54617f
commit
2f40804e70
@ -13,17 +13,6 @@ haproxy-maps-{{ filename }}:
|
|||||||
- service: haproxy-service
|
- service: haproxy-service
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
haproxy-spoe-config:
|
|
||||||
file.managed:
|
|
||||||
- name: {{ haproxy.config.dir }}/spoe.cfg
|
|
||||||
- source: salt://haproxy/templates/spoe.cfg.j2
|
|
||||||
- user: {{ haproxy.config.user }}
|
|
||||||
- group: {{ haproxy.config.group }}
|
|
||||||
- mode: "0600"
|
|
||||||
- template: jinja
|
|
||||||
- watch_in:
|
|
||||||
- service: haproxy-service
|
|
||||||
|
|
||||||
haproxy-config:
|
haproxy-config:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ haproxy.config.dir }}/{{ haproxy.config.configfile }}
|
- name: {{ haproxy.config.dir }}/{{ haproxy.config.configfile }}
|
||||||
@ -34,3 +23,14 @@ haproxy-config:
|
|||||||
- template: jinja
|
- template: jinja
|
||||||
- watch_in:
|
- watch_in:
|
||||||
- service: haproxy-service
|
- service: haproxy-service
|
||||||
|
|
||||||
|
haproxy-spoe-config:
|
||||||
|
file.managed:
|
||||||
|
- name: {{ haproxy.config.dir }}/spoe.cfg
|
||||||
|
- source: salt://haproxy/templates/spoe.cfg.j2
|
||||||
|
- user: {{ haproxy.config.user }}
|
||||||
|
- group: {{ haproxy.config.group }}
|
||||||
|
- mode: "0600"
|
||||||
|
- template: jinja
|
||||||
|
- watch_in:
|
||||||
|
- service: haproxy-service
|
||||||
|
@ -50,20 +50,8 @@ haproxy:
|
|||||||
acme_fullchains_dir: /etc/acme/fullchains
|
acme_fullchains_dir: /etc/acme/fullchains
|
||||||
acme_dh_dir: /etc/acme/dh
|
acme_dh_dir: /etc/acme/dh
|
||||||
ssl_ciphers:
|
ssl_ciphers:
|
||||||
- "ECDH+AESGCM"
|
- EECDH+AESGCM
|
||||||
- "DH+AESGCM"
|
- EECDH+CHACHA20
|
||||||
- "ECDH+AES256"
|
|
||||||
- "DH+AES256"
|
|
||||||
- "ECDH+AES128"
|
|
||||||
- "DH+AES"
|
|
||||||
- "ECDH+3DES"
|
|
||||||
- "DH+3DES"
|
|
||||||
- "RSA+AESGCM"
|
|
||||||
- "RSA+AES"
|
|
||||||
- "RSA+3DES"
|
|
||||||
- "!aNULL"
|
|
||||||
- "!MD5"
|
|
||||||
- "!DSS"
|
|
||||||
ssl_options:
|
ssl_options:
|
||||||
- no-sslv3
|
- no-sslv3
|
||||||
- no-tls-tickets
|
- no-tls-tickets
|
||||||
@ -73,11 +61,13 @@ haproxy:
|
|||||||
- text/css
|
- text/css
|
||||||
- text/javascript
|
- text/javascript
|
||||||
- application/json
|
- application/json
|
||||||
cache_file_types:
|
cache:
|
||||||
- .css
|
size: 50000
|
||||||
- .js
|
file_types:
|
||||||
- .png
|
- .css
|
||||||
- .jpg
|
- .js
|
||||||
|
- .png
|
||||||
|
- .jpg
|
||||||
ddos:
|
ddos:
|
||||||
timeperiod: 10s
|
timeperiod: 10s
|
||||||
maxrequests: 200
|
maxrequests: 200
|
||||||
|
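Review bot: The trimmed `ssl_ciphers` default (`EECDH+AESGCM`, `EECDH+CHACHA20`) carries no comment, and a cipher list of this form only constrains TLS 1.2 and older; TLS 1.3 suites are selected through HAProxy's separate `ciphersuites` setting, which this defaults block does not appear to expose. A comment above the list such as `# TLS <= 1.2: ECDHE key exchange with AEAD ciphers only (no RSA kx, CBC or 3DES)` would make the compatibility trade-off explicit for whoever overrides it in pillar. With every `DH+` entry gone, `acme_dh_dir` may no longer have a consumer, which is worth confirming in the template since it is not visible in this hunk. The rename of `cache_file_types` to `cache.file_types` in the following hunk also means an existing pillar override under the old key would presumably be ignored without any error.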
@ -35,7 +35,7 @@
|
|||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro cache() -%}
|
{%- macro cache() -%}
|
||||||
http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} }
|
http-request cache-use static if { path_end {{ haproxy.config.cache.file_types|join(" ") }} }
|
||||||
http-response cache-store static
|
http-response cache-store static
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
@ -53,7 +53,7 @@ backend admin
|
|||||||
stats refresh 10s
|
stats refresh 10s
|
||||||
stats show-modules
|
stats show-modules
|
||||||
stats show-legends
|
stats show-legends
|
||||||
stats uri /server-status
|
stats uri /
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro api() -%}
|
{%- macro api() -%}
|
||||||
@ -90,7 +90,7 @@ defaults
|
|||||||
# Cache
|
# Cache
|
||||||
cache static
|
cache static
|
||||||
total-max-size 64
|
total-max-size 64
|
||||||
max-object-size 50000
|
max-object-size {{ haproxy.config.cache.size|default(50000) }}
|
||||||
max-age 120
|
max-age 120
|
||||||
|
|
||||||
# Per IP rates stick table
|
# Per IP rates stick table
|
||||||
@ -115,15 +115,13 @@ frontend https
|
|||||||
mode http
|
mode http
|
||||||
option httplog
|
option httplog
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(Host) -m str %H
|
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
|
||||||
acl robots_txt path /robots.txt
|
acl robots_txt path /robots.txt
|
||||||
acl path_host path /host
|
acl path_host path /host
|
||||||
acl path_date path /date
|
acl path_date path /date
|
||||||
{%- if haproxy.config.admin.enable %}
|
acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
|
||||||
acl admin path_beg /server-status
|
|
||||||
{%- endif %}
|
|
||||||
http-request set-var(req.src) src
|
http-request set-var(req.src) src
|
||||||
http-request set-var(req.host) req.hdr(host)
|
http-request set-var(req.host) req.hdr(Host)
|
||||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||||
http-request track-sc0 var(req.accesshash) table per_ip_rates
|
http-request track-sc0 var(req.accesshash) table per_ip_rates
|
||||||
|
|
||||||
@ -136,15 +134,18 @@ frontend https
|
|||||||
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
|
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
|
||||||
|
|
||||||
## Returns
|
## Returns
|
||||||
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
|
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||||
|
|
||||||
## Headers
|
## Headers
|
||||||
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
http-request set-header X-Proxy-Id "%H"
|
||||||
http-request set-header X-Proto https if { ssl_fc }
|
http-request set-header X-Proto https if { ssl_fc }
|
||||||
|
|
||||||
|
http-response set-header Date "%[date,http_date()]"
|
||||||
|
|
||||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||||
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
||||||
http-request deny deny_status 404 unless domains
|
http-request deny deny_status 404 unless domains
|
||||||
{%- if haproxy.config.admin.enable %}
|
{%- if haproxy.config.admin.enable %}
|
||||||
use_backend admin if admin internal
|
use_backend admin if admin internal
|
||||||
|
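Review bot: The new `acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}` in the `frontend https` hunk at -115 matches a client-supplied header, so `internal` is the only real access control left on `use_backend admin if admin internal`, and with `stats uri /` the whole host now maps to the stats page. A comment on the rule, e.g. `# Host match only routes; access is enforced by the internal source ACL`, would keep a later edit from dropping `internal`. The match is exact and case-sensitive as written, so `acl admin req.hdr(Host) -i {{ salt["grains.get"]("fqdn") }}` is more robust, and a Host value carrying a port would presumably still miss. The ACL is now defined even when `haproxy.config.admin.enable` is false, and `http-request deny deny_status 404 unless domains` is evaluated before backend selection, so the FQDN likely has to be present in `maps/domains`; the frontend continues outside these hunks, so this needs confirming against the full file.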