From 6495b1330ae85b7a93a0d9ef50ad0093ca1c78c4 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Wed, 4 Jan 2023 23:32:56 +0100
Subject: [PATCH] updated haproxy state
---
 states/haproxy/defaults.yaml | 2 +-
 states/haproxy/install.sls | 7 ++++
 states/haproxy/maps/redirects.j2 | 2 +-
 states/haproxy/maps/vhosts.j2 | 2 +-
 states/haproxy/templates/haproxy.cfg.j2 | 54 ++++++++++++++++++-------
 5 files changed, 50 insertions(+), 17 deletions(-)
diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml
index c9d1a05..9f15583 100644
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@@ -45,7 +45,7 @@ haproxy:
 port: 7000
 api:
 enable: true
- filesocket: /var/run/haproxy.sock
+ filesocket: /var/run/haproxy-admin.sock
 tcpsocket: ipv4@127.0.0.1:9990
 acme_dir: /etc/acme
 acme_fullchains_dir: /etc/acme/fullchains
diff --git a/states/haproxy/install.sls b/states/haproxy/install.sls
index 138b147..d60b2bf 100644
--- a/states/haproxy/install.sls
+++ b/states/haproxy/install.sls
@@ -25,6 +25,13 @@ haproxy-config-script-dir:
 - group: {{ haproxy.config.group }}
 - mode: "0700"
 
+haproxy-config-mods-dir:
+ file.directory:
+ - name: {{ haproxy.config.dir }}/mods
+ - user: {{ haproxy.config.user }}
+ - group: {{ haproxy.config.group }}
+ - mode: "0700"
+
 {% for file in haproxy.scripts %}
 haproxy-script-{{ file.name }}:
 file.managed:
diff --git a/states/haproxy/maps/redirects.j2 b/states/haproxy/maps/redirects.j2
index 507a1bf..e2afa15 100644
--- a/states/haproxy/maps/redirects.j2
+++ b/states/haproxy/maps/redirects.j2
@@ -2,6 +2,6 @@
 {%- from "haproxy/map.jinja" import haproxy with context %}
 {%- for name, values in haproxy.config.vhosts.items() %}
 {%- if values.redirect|default(false) %}
-{{ values.host }} {{ values.redirect }}
+{{ name }} {{ values.redirect }}
 {%- endif %}
 {%- endfor %}
diff --git a/states/haproxy/maps/vhosts.j2 b/states/haproxy/maps/vhosts.j2
index f0643c3..be98e18 100644
--- a/states/haproxy/maps/vhosts.j2
+++ b/states/haproxy/maps/vhosts.j2
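Review bot: The new `mods` directory gets the same ownership and mode as the scripts directory (`user: {{ haproxy.config.user }}`, mode `0700`), yet the global section further down this page adds `lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath`, so anything placed there can be loaded as native code by the Lua scripts' `require`. If `haproxy.config.user` is the account the haproxy process runs as rather than root, the service can modify code it will load on its next reload; directories holding loadable code are normally root-owned and only readable by the service, e.g. `- user: root` with `- mode: "0750"` and the service account as `group`. Nothing in this commit populates the directory, so a short comment above the state naming what is expected to deploy the `.so` files would also help the next maintainer.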
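Review bot: The map key changes from `values.host` to the vhost dict key `name`, and maps/vhosts.j2 on the next line makes the same substitution, so a vhost's `host` attribute no longer takes part in routing; any vhost whose pillar key is a label rather than the served hostname stops matching once this lands, and the commit does not flag the now-ignored attribute. The vhosts lookup in the https frontend is `req.hdr(Host),lower,map(...)`, so a mixed-case key can never match; emitting `{{ name|lower }}` in both maps (or validating lowercase keys in map.jinja) would make that explicit. A one-line comment at the top of each map template stating that the pillar key is the hostname would document the new contract.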
@@ -2,6 +2,6 @@ {%- from "haproxy/map.jinja" import haproxy with context %} {%- for name, values in haproxy.config.vhosts.items() %} {%- if not values.redirect|default(false) %} -{{ values.host }} {{ name }} +{{ name }} {{ name }} {%- endif %} {%- endfor %} diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2 index 6e7b692..982197b 100644 --- a/states/haproxy/templates/haproxy.cfg.j2 +++ b/states/haproxy/templates/haproxy.cfg.j2 @@ -1,9 +1,14 @@ ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} {%- from "haproxy/map.jinja" import haproxy,certs with context %} +{%- set fqdn = salt["grains.get"]("fqdn") %} +{%- set default_backend = "test" %} +{% set ns = namespace(default_backend='notdefined') %} +{%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %} + {%- macro internal() -%} acl internal src -f {{ haproxy.config.dir }}/maps/access - http-response return status 403 default-errorfiles if ! internal + http-response return status 403 content-type text/html string "403 forbidden" if ! internal {%- endmacro -%} {%- macro head() -%} @@ -11,7 +16,7 @@ {%- endmacro -%} {%- macro statusresponses() -%} - http-response return content-type text/html string "404 not found" if { status 404 } + http-response return status 404 content-type text/html string "404 not found" if { status 404 } {%- endmacro -%} {%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%} @@ -60,6 +65,7 @@ backend admin from {{ haproxy.config.namespace }} # Global config global + lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua {%- for file in haproxy.scripts %} {%- if not file.lib %} 
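Review bot: `ns.default_backend` is initialised to the string `'notdefined'` and the last hunk on this page renders it verbatim as `default_backend {{ ns.default_backend }}`, so a pillar in which no vhost sets `default_backend: true` yields `default_backend notdefined`, which HAProxy rejects at config check as a missing backend and the reload fails; when several vhosts set it, the last one wins silently. Failing the render is safer than emitting a broken config, e.g. after the loop `{%- if ns.default_backend == 'notdefined' %}{{ raise('haproxy: no vhost has default_backend: true') }}{%- endif %}`, or only emit the `default_backend` line when one was found. The `{%- set default_backend = "test" %}` line appears unused — the later hunks read `ns.default_backend` — and should be dropped. The single-line `for`/`if`/`set` loop would also read better split across lines with `{%-` trimming, as the rest of the template does.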
@@ -97,11 +103,21 @@ backend per_ip_rates from {{ haproxy.config.namespace }} frontend http from {{ haproxy.config.namespace }} bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6 mode http + + ## ACLs acl http ssl_fc,not - acl path_host path /host - acl path_date path /date - http-request return status 200 content-type text/html lf-string "%H\n" if path_host - http-request return status 200 content-type text/html lf-string "%T\n" if path_date + acl self_host req.hdr(Host) {{ fqdn }} + acl path_root path -m dir / + acl path_host path -m dir /host + acl path_date path -m dir /date + acl path_srchash path -m dir /srchash + + ## Basic rules + http-request set-var(txn.srchash) src,crc32,mod(100) + http-request set-var(txn.httpdate) date,http_date() + http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host + http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date + http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash http-request redirect scheme https if http # Default HTTPS frontend 
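Review bot: The diagnostic ACLs in this frontend use `path -m dir /host` and friends, while the same ACLs added to the https frontend in the next hunk use exact `path /host`, so `/host/anything` is answered over plain http but not over https; the two blocks should match, and exact `path` is the safer form for fixed endpoints. `acl path_root path -m dir /` is defined here but never referenced in this frontend, and a `dir` match on `/` plausibly matches every path, so it should be dropped or made exact like its https counterpart. Since the ACL and `set-var` block is now duplicated almost verbatim in both frontends, a macro next to the existing `statusresponses()` one, e.g. `{%- macro diagacls() -%}`, would keep them from drifting.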
@@ -110,12 +126,21 @@ frontend https from {{ haproxy.config.namespace }} #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} mode http option httplog + + ## ACLs acl internal src -f {{ haproxy.config.dir }}/maps/access acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H acl robots_txt path /robots.txt + acl self_host req.hdr(Host) {{ fqdn }} + acl path_root path / acl path_host path /host acl path_date path /date - acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }} + acl path_srchash path /srchash + + ## Basic rules + http-request set-var(txn.random) rand,mul(5) + http-request set-var(txn.httpdate) date,http_date() + http-request set-var(txn.srchash) src,crc32,mod(100) http-request set-var(req.src) src http-request set-var(req.host) req.hdr(Host) http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,) 
@@ -131,26 +156,27 @@ frontend https from {{ haproxy.config.namespace }} ## Returns http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt - http-request return status 200 content-type text/html lf-string "%H\n" if path_host - http-request return status 200 content-type text/html lf-string "%T\n" if path_date + http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host + http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date + http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash ## Headers http-request set-header X-Proxy-Id "%H" http-request set-header X-Proto https if { ssl_fc } - http-response set-header Date "%[date,http_date()]" + http-response set-header Date "%[var(txn.httpdate)]" http-response set-header Server "{{ haproxy.config.servername }}" - http-response set-header X-Random "%[rand,mul(5)]" + http-response set-header X-Random "%[var(txn.random)]" log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found } http-request deny deny_status 404 unless domains {%- if haproxy.config.admin.enable %} - use_backend admin if admin internal + use_backend admin if self_host internal path_root {%- endif %} - use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)] + use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)] monitor-uri /dead_or_alive - default_backend nginx + default_backend {{ ns.default_backend }} # HTTP Backends {%- for name, values in haproxy.config.vhosts.items() %}
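Review bot: Admin routing is narrowed from `if admin internal` to `if self_host internal path_root`, where `path_root` is the exact `path /` defined in the previous hunk, so on the node's own hostname only the bare `/` reaches the admin backend; if that backend serves anything under a sub-path, those requests now fall through to the `use_backend` map lookup and then to `default_backend`, a routing change the commit message does not mention. If exact `/` is intended, a comment on the `use_backend admin` line saying so would make it deliberate; otherwise `use_backend admin if self_host internal` keeps sub-paths on the admin backend. The source-based `internal` restriction, which is the check that matters here, is kept.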