updated haproxy state

This commit is contained in:
Paul 2023-01-04 23:32:56 +01:00
parent d067176aab
commit 6495b1330a
5 changed files with 50 additions and 17 deletions


@ -45,7 +45,7 @@ haproxy:
port: 7000 port: 7000
api: api:
enable: true enable: true
filesocket: /var/run/haproxy.sock filesocket: /var/run/haproxy-admin.sock
tcpsocket: ipv4@127.0.0.1:9990 tcpsocket: ipv4@127.0.0.1:9990
acme_dir: /etc/acme acme_dir: /etc/acme
acme_fullchains_dir: /etc/acme/fullchains acme_fullchains_dir: /etc/acme/fullchains


@ -25,6 +25,13 @@ haproxy-config-script-dir:
- group: {{ haproxy.config.group }} - group: {{ haproxy.config.group }}
- mode: "0700" - mode: "0700"
haproxy-config-mods-dir:
file.directory:
- name: {{ haproxy.config.dir }}/mods
- user: {{ haproxy.config.user }}
- group: {{ haproxy.config.group }}
- mode: "0700"
{% for file in haproxy.scripts %} {% for file in haproxy.scripts %}
haproxy-script-{{ file.name }}: haproxy-script-{{ file.name }}:
file.managed: file.managed:
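Review bot: The new haproxy-config-mods-dir state gives no hint of what the directory holds, and the haproxy.cfg change in this same commit adds `lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath`, so whatever lands in it is native code loaded into the haproxy process. Mode 0700 on the directory only restricts who can enter or list it; the .so files inside are not managed by this state, and if `haproxy.config.user` is also the account haproxy runs as, that account effectively decides what gets loaded — presumably it is a privileged deploy user, worth confirming. A short comment above the state would make that trust assumption explicit: `# native Lua modules (.so) loaded by haproxy via lua-prepend-path ... cpath; contents are not managed here`. The haproxy-config-mods-dir state is complete within the hunk.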


@ -2,6 +2,6 @@
{%- from "haproxy/map.jinja" import haproxy with context %} {%- from "haproxy/map.jinja" import haproxy with context %}
{%- for name, values in haproxy.config.vhosts.items() %} {%- for name, values in haproxy.config.vhosts.items() %}
{%- if values.redirect|default(false) %} {%- if values.redirect|default(false) %}
{{ values.host }} {{ values.redirect }} {{ name }} {{ values.redirect }}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
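Review bot: The redirects map template has no description of its line format, and this hunk changes the key from `values.host` to the vhost dict key `name`, which now quietly requires each vhost key to be the literal Host header value (the map is consumed by `req.hdr(Host),map_dom(.../maps/redirects)` in the haproxy.cfg change of this commit). A Jinja comment at the top of the file, which does not reach the rendered map, would record that: `{# one line per redirecting vhost: "<Host header> <redirect target>"; looked up with map_dom on req.hdr(Host) #}`. Any vhost whose key still differs from its `host` value stops matching after this change.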


@ -2,6 +2,6 @@
{%- from "haproxy/map.jinja" import haproxy with context %} {%- from "haproxy/map.jinja" import haproxy with context %}
{%- for name, values in haproxy.config.vhosts.items() %} {%- for name, values in haproxy.config.vhosts.items() %}
{%- if not values.redirect|default(false) %} {%- if not values.redirect|default(false) %}
{{ values.host }} {{ name }} {{ name }} {{ name }}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
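Review bot: The vhosts map now emits `{{ name }} {{ name }}`, but the https frontend in this same commit looks it up with `req.hdr(Host),lower,map(.../maps/vhosts)`, so a vhost key containing any uppercase letter can never match — the lookup side is lowercased and the key side is not. Emitting `{{ name|lower }} {{ name }}` keeps key and lookup consistent while leaving the backend name as written. Whether any vhost key actually contains uppercase cannot be seen here, but the asymmetry is cheap to close; note also that the redirects and domains lookups in the same frontend do not apply `lower`, so the three maps currently do not share one case convention.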


@ -1,9 +1,14 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy,certs with context %} {%- from "haproxy/map.jinja" import haproxy,certs with context %}
{%- set fqdn = salt["grains.get"]("fqdn") %}
{%- set default_backend = "test" %}
{% set ns = namespace(default_backend='notdefined') %}
{%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %}
{%- macro internal() -%} {%- macro internal() -%}
acl internal src -f {{ haproxy.config.dir }}/maps/access acl internal src -f {{ haproxy.config.dir }}/maps/access
http-response return status 403 default-errorfiles if ! internal http-response return status 403 content-type text/html string "403 forbidden" if ! internal
{%- endmacro -%} {%- endmacro -%}
{%- macro head() -%} {%- macro head() -%}
@ -11,7 +16,7 @@
{%- endmacro -%} {%- endmacro -%}
{%- macro statusresponses() -%} {%- macro statusresponses() -%}
http-response return content-type text/html string "404 not found" if { status 404 } http-response return status 404 content-type text/html string "404 not found" if { status 404 }
{%- endmacro -%} {%- endmacro -%}
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%} {%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
@ -60,6 +65,7 @@ backend admin from {{ haproxy.config.namespace }}
# Global config # Global config
global global
lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
{%- for file in haproxy.scripts %} {%- for file in haproxy.scripts %}
{%- if not file.lib %} {%- if not file.lib %}
@ -97,11 +103,21 @@ backend per_ip_rates from {{ haproxy.config.namespace }}
frontend http from {{ haproxy.config.namespace }} frontend http from {{ haproxy.config.namespace }}
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6 bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
mode http mode http
## ACLs
acl http ssl_fc,not acl http ssl_fc,not
acl path_host path /host acl self_host req.hdr(Host) {{ fqdn }}
acl path_date path /date acl path_root path -m dir /
http-request return status 200 content-type text/html lf-string "%H\n" if path_host acl path_host path -m dir /host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date acl path_date path -m dir /date
acl path_srchash path -m dir /srchash
## Basic rules
http-request set-var(txn.srchash) src,crc32,mod(100)
http-request set-var(txn.httpdate) date,http_date()
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
http-request redirect scheme https if http http-request redirect scheme https if http
# Default HTTPS frontend # Default HTTPS frontend
@ -110,12 +126,21 @@ frontend https from {{ haproxy.config.namespace }}
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
mode http mode http
option httplog option httplog
## ACLs
acl internal src -f {{ haproxy.config.dir }}/maps/access acl internal src -f {{ haproxy.config.dir }}/maps/access
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
acl robots_txt path /robots.txt acl robots_txt path /robots.txt
acl self_host req.hdr(Host) {{ fqdn }}
acl path_root path /
acl path_host path /host acl path_host path /host
acl path_date path /date acl path_date path /date
acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }} acl path_srchash path /srchash
## Basic rules
http-request set-var(txn.random) rand,mul(5)
http-request set-var(txn.httpdate) date,http_date()
http-request set-var(txn.srchash) src,crc32,mod(100)
http-request set-var(req.src) src http-request set-var(req.src) src
http-request set-var(req.host) req.hdr(Host) http-request set-var(req.host) req.hdr(Host)
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,) http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
@ -131,26 +156,27 @@ frontend https from {{ haproxy.config.namespace }}
## Returns ## Returns
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
http-request return status 200 content-type text/html lf-string "%H\n" if path_host http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
## Headers ## Headers
http-request set-header X-Proxy-Id "%H" http-request set-header X-Proxy-Id "%H"
http-request set-header X-Proto https if { ssl_fc } http-request set-header X-Proto https if { ssl_fc }
http-response set-header Date "%[date,http_date()]" http-response set-header Date "%[var(txn.httpdate)]"
http-response set-header Server "{{ haproxy.config.servername }}" http-response set-header Server "{{ haproxy.config.servername }}"
http-response set-header X-Random "%[rand,mul(5)]" http-response set-header X-Random "%[var(txn.random)]"
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found } http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
http-request deny deny_status 404 unless domains http-request deny deny_status 404 unless domains
{%- if haproxy.config.admin.enable %} {%- if haproxy.config.admin.enable %}
use_backend admin if admin internal use_backend admin if self_host internal path_root
{%- endif %} {%- endif %}
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)] use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)]
monitor-uri /dead_or_alive monitor-uri /dead_or_alive
default_backend nginx default_backend {{ ns.default_backend }}
# HTTP Backends # HTTP Backends
{%- for name, values in haproxy.config.vhosts.items() %} {%- for name, values in haproxy.config.vhosts.items() %}