From 506c43d00e7355dbf23d4a200b93a587aa8b483c Mon Sep 17 00:00:00 2001 From: Paul Lecuq Date: Mon, 16 Jan 2023 12:00:54 +0100 Subject: [PATCH] updated haproxy state --- states/haproxy/config.sls | 4 +-- states/haproxy/defaults.yaml | 41 +++++++++++++------------ states/haproxy/install.sls | 22 +++---------- states/haproxy/templates/haproxy.cfg.j2 | 20 ++++++------ 4 files changed, 39 insertions(+), 48 deletions(-) diff --git a/states/haproxy/config.sls b/states/haproxy/config.sls index 074384a..f3d0243 100644 --- a/states/haproxy/config.sls +++ b/states/haproxy/config.sls @@ -13,7 +13,7 @@ haproxy-maps-{{ filename }}: - service: haproxy-service {% endfor %} -haproxy-config: +haproxy-config-main: file.managed: - name: {{ haproxy.config.dir }}/{{ haproxy.config.configfile }} - source: salt://haproxy/templates/haproxy.cfg.j2 @@ -24,7 +24,7 @@ haproxy-config: - watch_in: - service: haproxy-service -haproxy-spoe-config: +haproxy-config-spoe: file.managed: - name: {{ haproxy.config.dir }}/spoe.cfg - source: salt://haproxy/templates/spoe.cfg.j2 diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml index 9f15583..177e2ca 100644 --- a/states/haproxy/defaults.yaml +++ b/states/haproxy/defaults.yaml @@ -3,15 +3,6 @@ haproxy: enabled: true packages: - haproxy - scripts: - - name: scripts/http.lua - lib: true - - name: scripts/json.lua - lib: true - - name: scripts/collector.lua - lib: false - - name: scripts/weight_by_latency.lua - lib: false maps: - access - domains 
@@ -20,29 +11,41 @@ haproxy: config: dir: /etc/haproxy configfile: haproxy.cfg + dirs: + - maps + - scripts + - mods + - errors + scripts: + - name: scripts/http.lua + lib: true + - name: scripts/json.lua + lib: true + - name: scripts/collector.lua + lib: false + - name: scripts/weight_by_latency.lua + lib: false namespace: paulbsd - servername: "High-performance Web Server" + user: haproxy + group: haproxy + servername: High-performance Web Server http2: true defaults: #log: global #log: 127.0.0.1 local0 log: stdout format raw daemon info retries: 2 - timeout check: 1s - timeout client: 30m - timeout connect: 1s - timeout server: 30m + timeout check: 2s + timeout client: 60m + timeout connect: 2s + timeout server: 60m unique-id-format: "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid" balance: roundrobin check: true - user: haproxy - group: haproxy http_port: 80 https_port: 443 capture_length: 200 - admin: - enable: false - port: 7000 + admin: false api: enable: true filesocket: /var/run/haproxy-admin.sock diff --git a/states/haproxy/install.sls b/states/haproxy/install.sls index d60b2bf..0afdd90 100644 --- a/states/haproxy/install.sls +++ b/states/haproxy/install.sls 
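Review bot: `admin: false` turns the key from the former `{enable:, port:}` mapping into a bare boolean, and the rendered template now tests `haproxy.config.admin` for truthiness, so any pillar that still supplies the old mapping shape — even with `enable: false` — is a non-empty dict and will silently switch the admin backend on. Either make the template strict, `{%- if haproxy.config.admin is sameas true %}`, or record the new contract next to the key: `# boolean: true exposes the admin backend; the old enable/port mapping is no longer read`. Whether such pillar overrides exist is not visible here; the same silent-ignore risk applies to the scripts list, which moved from `haproxy:scripts` to `haproxy:config:scripts`. Doubling `timeout client`/`timeout server` to 60m also lets an idle connection occupy a slot for an hour, which widens the slow-client exhaustion surface unless `maxconn` and `timeout http-request` bound it elsewhere in the config.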
@@ -11,28 +11,16 @@ haproxy-config-dir: - group: {{ haproxy.config.group }} - mode: "0700" -haproxy-config-maps-dir: +{% for dir in haproxy.config.dirs %} +haproxy-config-{{ dir }}-dir: file.directory: - - name: {{ haproxy.config.dir }}/maps + - name: {{ haproxy.config.dir }}/{{ dir }} - user: {{ haproxy.config.user }} - group: {{ haproxy.config.group }} - mode: "0700" +{% endfor %} -haproxy-config-script-dir: - file.directory: - - name: {{ haproxy.config.dir }}/scripts - - user: {{ haproxy.config.user }} - - group: {{ haproxy.config.group }} - - mode: "0700" - -haproxy-config-mods-dir: - file.directory: - - name: {{ haproxy.config.dir }}/mods - - user: {{ haproxy.config.user }} - - group: {{ haproxy.config.group }} - - mode: "0700" - -{% for file in haproxy.scripts %} +{% for file in haproxy.config.scripts %} haproxy-script-{{ file.name }}: file.managed: - name: {{ haproxy.config.dir }}/{{ file.name }} diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2 index 32a8300..6b316ff 100644 --- a/states/haproxy/templates/haproxy.cfg.j2 +++ b/states/haproxy/templates/haproxy.cfg.j2 @@ -3,7 +3,7 @@ {%- set fqdn = salt["grains.get"]("fqdn") %} {%- set default_backend = "test" %} -{% set ns = namespace(default_backend='notdefined') %} +{%- set ns = namespace(default_backend='notdefined') %} {%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %} {%- macro internal() -%} @@ -67,7 +67,7 @@ backend admin from {{ haproxy.config.namespace }} global lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua -{%- for file in haproxy.scripts %} +{%- for file in haproxy.config.scripts %} {%- if not file.lib %} lua-load {{ haproxy.config.dir }}/{{ file.name }} {%- endif %} 
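Review bot: Every directory produced by the loop — including `scripts` and `mods`, whose `.lua`/`.so` contents are pulled into the process by the `lua-load` and `lua-prepend-path ... cpath` lines in the rendered config — is owned by `haproxy.config.user` (defaults: `haproxy`) with mode `0700`, so if that account is also the daemon's runtime user, a compromised worker can rewrite code that the next reload executes, and Lua is loaded during config parsing before privileges are dropped when the daemon starts as root. Prefer a root-owned tree the service can only read: `- user: root`, `- group: {{ haproxy.config.group }}`, `- mode: "0750"`, and the same ownership for the `haproxy-script-*` files (that state's `user`/`mode` lines are outside this hunk). Whether the `user` directive in the global section points at the same account is not visible in this diff. Generating the states from `haproxy.config.dirs` keeps the old IDs (`haproxy-config-maps-dir` etc.) intact for existing requires, which is good; a short comment above the loop saying so would save the next reader a grep.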
@@ -101,7 +101,7 @@ backend per_ip_rates from {{ haproxy.config.namespace }} # Default HTTP frontend frontend http from {{ haproxy.config.namespace }} - bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6 + bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6 name http mode http ## ACLs @@ -122,7 +122,7 @@ frontend http from {{ haproxy.config.namespace }} # Default HTTPS frontend frontend https from {{ haproxy.config.namespace }} - bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} + bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} name https #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} mode http option httplog @@ -133,6 +133,7 @@ frontend https from {{ haproxy.config.namespace }} acl robots_txt path /robots.txt acl self_host req.hdr(Host) {{ fqdn }} acl path_root path / + acl path_admin path_beg /; acl path_host path_dir /host acl path_date path_dir /date acl path_srchash path /srchash 
@@ -171,10 +172,10 @@ frontend https from {{ haproxy.config.namespace }} log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found } http-request deny deny_status 404 unless domains -{%- if haproxy.config.admin.enable %} - use_backend admin if self_host internal path_root +{%- if haproxy.config.admin %} + use_backend admin if self_host internal path_root || path_admin {%- endif %} - use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)] + use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)] monitor-uri /dead_or_alive default_backend {{ ns.default_backend }} @@ -191,7 +192,6 @@ backend {{ name }} from {{ haproxy.config.namespace }} http-check {{ step }} {%- endfor %} {%- endif %} - {{ statusresponses() }} {%- if values.head|default(False) %} {{ head() }} {%- endif %} @@ -214,7 +214,7 @@ backend {{ name }} from {{ haproxy.config.namespace }} # TCP services {%- for name, values in haproxy.config.services.items() %} listen {{ name }} from {{ haproxy.config.namespace }} - bind *:{{ values.port }},:::{{ values.port }} v4v6 + bind *:{{ values.port }},:::{{ values.port }} v4v6 name {{ name }} mode tcp option tcplog {%- if values.type == "postgres" %} @@ -231,6 +231,6 @@ listen {{ name }} from {{ haproxy.config.namespace }} bind *:{{ values.port }},:::{{ values.port }} v4v6 {% endfor %} -{%- if haproxy.config.admin.enable %} +{%- if haproxy.config.admin %} {{ admin() }} {%- endif %}
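Review bot: `use_backend admin if self_host internal path_root || path_admin` does not keep the new `/;` prefix behind the internal-source check: HAProxy applies the implicit AND before `||`, so the condition reads `(self_host AND internal AND path_root) OR path_admin`, and any request whose path starts with `/;` — from any client, under any Host that survives the `domains` deny above — is routed to the admin backend. Repeat the guard on the second branch, `use_backend admin if self_host internal path_root || self_host internal path_admin`, or split it into two `use_backend admin` lines. The `/;` prefix presumably targets the stats sub-URIs such as `/;csv` and `/;up`; that intent deserves a comment next to the `path_admin` ACL. The `nginx` default added to the vhosts `map()` lookup means unknown hosts now land on a backend of that name instead of falling through to `default_backend`; that backend must exist in `haproxy.config.vhosts` or the config check fails on reload, and `{{ ns.default_backend }}` could be used there to keep one source of truth.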