updated haproxy state

This commit is contained in:
Paul 2022-12-24 17:49:54 +01:00
parent e41d54617f
commit 2f40804e70
3 changed files with 32 additions and 41 deletions


@ -13,17 +13,6 @@ haproxy-maps-{{ filename }}:
- service: haproxy-service - service: haproxy-service
{% endfor %} {% endfor %}
haproxy-spoe-config:
file.managed:
- name: {{ haproxy.config.dir }}/spoe.cfg
- source: salt://haproxy/templates/spoe.cfg.j2
- user: {{ haproxy.config.user }}
- group: {{ haproxy.config.group }}
- mode: "0600"
- template: jinja
- watch_in:
- service: haproxy-service
haproxy-config: haproxy-config:
file.managed: file.managed:
- name: {{ haproxy.config.dir }}/{{ haproxy.config.configfile }} - name: {{ haproxy.config.dir }}/{{ haproxy.config.configfile }}
@ -34,3 +23,14 @@ haproxy-config:
- template: jinja - template: jinja
- watch_in: - watch_in:
- service: haproxy-service - service: haproxy-service
haproxy-spoe-config:
file.managed:
- name: {{ haproxy.config.dir }}/spoe.cfg
- source: salt://haproxy/templates/spoe.cfg.j2
- user: {{ haproxy.config.user }}
- group: {{ haproxy.config.group }}
- mode: "0600"
- template: jinja
- watch_in:
- service: haproxy-service


@ -50,20 +50,8 @@ haproxy:
acme_fullchains_dir: /etc/acme/fullchains acme_fullchains_dir: /etc/acme/fullchains
acme_dh_dir: /etc/acme/dh acme_dh_dir: /etc/acme/dh
ssl_ciphers: ssl_ciphers:
- "ECDH+AESGCM" - EECDH+AESGCM
- "DH+AESGCM" - EECDH+CHACHA20
- "ECDH+AES256"
- "DH+AES256"
- "ECDH+AES128"
- "DH+AES"
- "ECDH+3DES"
- "DH+3DES"
- "RSA+AESGCM"
- "RSA+AES"
- "RSA+3DES"
- "!aNULL"
- "!MD5"
- "!DSS"
ssl_options: ssl_options:
- no-sslv3 - no-sslv3
- no-tls-tickets - no-tls-tickets
@ -73,11 +61,13 @@ haproxy:
- text/css - text/css
- text/javascript - text/javascript
- application/json - application/json
cache_file_types: cache:
- .css size: 50000
- .js file_types:
- .png - .css
- .jpg - .js
- .png
- .jpg
ddos: ddos:
timeperiod: 10s timeperiod: 10s
maxrequests: 200 maxrequests: 200
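Review bot: Renaming `cache_file_types` to the nested `cache.file_types` in the second hunk silently breaks any pillar that still overrides the old flat key, because the template now reads only the new path and a stale override is ignored rather than rejected. Since the old key is not kept as a fallback, the rename deserves a mention in the commit description or a changelog note so operators update their pillar data. `size: 50000` is also an unlabelled number; HAProxy's `max-object-size` takes bytes while `total-max-size` is in megabytes, so a comment above it such as `# max-object-size for the static cache, in bytes` keeps the two from being confused. Leaving the new cipher entries unquoted is fine: `EECDH+AESGCM` and `EECDH+CHACHA20` contain no YAML indicator characters, unlike the removed `"!aNULL"`-style entries that needed quoting.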


@ -35,7 +35,7 @@
{%- endmacro -%} {%- endmacro -%}
{%- macro cache() -%} {%- macro cache() -%}
http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} } http-request cache-use static if { path_end {{ haproxy.config.cache.file_types|join(" ") }} }
http-response cache-store static http-response cache-store static
{%- endmacro -%} {%- endmacro -%}
@ -53,7 +53,7 @@ backend admin
stats refresh 10s stats refresh 10s
stats show-modules stats show-modules
stats show-legends stats show-legends
stats uri /server-status stats uri /
{%- endmacro -%} {%- endmacro -%}
{%- macro api() -%} {%- macro api() -%}
@ -90,7 +90,7 @@ defaults
# Cache # Cache
cache static cache static
total-max-size 64 total-max-size 64
max-object-size 50000 max-object-size {{ haproxy.config.cache.size|default(50000) }}
max-age 120 max-age 120
# Per IP rates stick table # Per IP rates stick table
@ -115,15 +115,13 @@ frontend https
mode http mode http
option httplog option httplog
acl internal src -f {{ haproxy.config.dir }}/maps/access acl internal src -f {{ haproxy.config.dir }}/maps/access
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(Host) -m str %H acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
acl robots_txt path /robots.txt acl robots_txt path /robots.txt
acl path_host path /host acl path_host path /host
acl path_date path /date acl path_date path /date
{%- if haproxy.config.admin.enable %} acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
acl admin path_beg /server-status
{%- endif %}
http-request set-var(req.src) src http-request set-var(req.src) src
http-request set-var(req.host) req.hdr(host) http-request set-var(req.host) req.hdr(Host)
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,) http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
http-request track-sc0 var(req.accesshash) table per_ip_rates http-request track-sc0 var(req.accesshash) table per_ip_rates
@ -136,15 +134,18 @@ frontend https
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
## Returns ## Returns
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
http-request return status 200 content-type text/html lf-string "%H\n" if path_host http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date http-request return status 200 content-type text/html lf-string "%T\n" if path_date
## Headers ## Headers
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}" http-request set-header X-Proxy-Id "%H"
http-request set-header X-Proto https if { ssl_fc } http-request set-header X-Proto https if { ssl_fc }
http-response set-header Date "%[date,http_date()]"
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found } http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
http-request deny deny_status 404 unless domains http-request deny deny_status 404 unless domains
{%- if haproxy.config.admin.enable %} {%- if haproxy.config.admin.enable %}
use_backend admin if admin internal use_backend admin if admin internal