updated haproxy state
This commit is contained in:
parent
d067176aab
commit
6495b1330a
@ -45,7 +45,7 @@ haproxy:
|
|||||||
port: 7000
|
port: 7000
|
||||||
api:
|
api:
|
||||||
enable: true
|
enable: true
|
||||||
filesocket: /var/run/haproxy.sock
|
filesocket: /var/run/haproxy-admin.sock
|
||||||
tcpsocket: ipv4@127.0.0.1:9990
|
tcpsocket: ipv4@127.0.0.1:9990
|
||||||
acme_dir: /etc/acme
|
acme_dir: /etc/acme
|
||||||
acme_fullchains_dir: /etc/acme/fullchains
|
acme_fullchains_dir: /etc/acme/fullchains
|
||||||
|
@ -25,6 +25,13 @@ haproxy-config-script-dir:
|
|||||||
- group: {{ haproxy.config.group }}
|
- group: {{ haproxy.config.group }}
|
||||||
- mode: "0700"
|
- mode: "0700"
|
||||||
|
|
||||||
|
haproxy-config-mods-dir:
|
||||||
|
file.directory:
|
||||||
|
- name: {{ haproxy.config.dir }}/mods
|
||||||
|
- user: {{ haproxy.config.user }}
|
||||||
|
- group: {{ haproxy.config.group }}
|
||||||
|
- mode: "0700"
|
||||||
|
|
||||||
{% for file in haproxy.scripts %}
|
{% for file in haproxy.scripts %}
|
||||||
haproxy-script-{{ file.name }}:
|
haproxy-script-{{ file.name }}:
|
||||||
file.managed:
|
file.managed:
|
||||||
|
@ -2,6 +2,6 @@
|
|||||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
{%- if values.redirect|default(false) %}
|
{%- if values.redirect|default(false) %}
|
||||||
{{ values.host }} {{ values.redirect }}
|
{{ name }} {{ values.redirect }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
@ -2,6 +2,6 @@
|
|||||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
{%- if not values.redirect|default(false) %}
|
{%- if not values.redirect|default(false) %}
|
||||||
{{ values.host }} {{ name }}
|
{{ name }} {{ name }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
@ -1,9 +1,14 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
|
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
|
||||||
|
|
||||||
|
{%- set fqdn = salt["grains.get"]("fqdn") %}
|
||||||
|
{%- set default_backend = "test" %}
|
||||||
|
{% set ns = namespace(default_backend='notdefined') %}
|
||||||
|
{%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %}
|
||||||
|
|
||||||
{%- macro internal() -%}
|
{%- macro internal() -%}
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
http-response return status 403 default-errorfiles if ! internal
|
http-response return status 403 content-type text/html string "403 forbidden" if ! internal
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro head() -%}
|
{%- macro head() -%}
|
||||||
@ -11,7 +16,7 @@
|
|||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro statusresponses() -%}
|
{%- macro statusresponses() -%}
|
||||||
http-response return content-type text/html string "404 not found" if { status 404 }
|
http-response return status 404 content-type text/html string "404 not found" if { status 404 }
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
||||||
@ -60,6 +65,7 @@ backend admin from {{ haproxy.config.namespace }}
|
|||||||
|
|
||||||
# Global config
|
# Global config
|
||||||
global
|
global
|
||||||
|
lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath
|
||||||
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
||||||
{%- for file in haproxy.scripts %}
|
{%- for file in haproxy.scripts %}
|
||||||
{%- if not file.lib %}
|
{%- if not file.lib %}
|
||||||
@ -97,11 +103,21 @@ backend per_ip_rates from {{ haproxy.config.namespace }}
|
|||||||
frontend http from {{ haproxy.config.namespace }}
|
frontend http from {{ haproxy.config.namespace }}
|
||||||
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
|
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
|
||||||
mode http
|
mode http
|
||||||
|
|
||||||
|
## ACLs
|
||||||
acl http ssl_fc,not
|
acl http ssl_fc,not
|
||||||
acl path_host path /host
|
acl self_host req.hdr(Host) {{ fqdn }}
|
||||||
acl path_date path /date
|
acl path_root path -m dir /
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
acl path_host path -m dir /host
|
||||||
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
acl path_date path -m dir /date
|
||||||
|
acl path_srchash path -m dir /srchash
|
||||||
|
|
||||||
|
## Basic rules
|
||||||
|
http-request set-var(txn.srchash) src,crc32,mod(100)
|
||||||
|
http-request set-var(txn.httpdate) date,http_date()
|
||||||
|
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
|
||||||
|
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
|
||||||
|
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
|
||||||
http-request redirect scheme https if http
|
http-request redirect scheme https if http
|
||||||
|
|
||||||
# Default HTTPS frontend
|
# Default HTTPS frontend
|
||||||
@ -110,12 +126,21 @@ frontend https from {{ haproxy.config.namespace }}
|
|||||||
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
||||||
mode http
|
mode http
|
||||||
option httplog
|
option httplog
|
||||||
|
|
||||||
|
## ACLs
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
|
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
|
||||||
acl robots_txt path /robots.txt
|
acl robots_txt path /robots.txt
|
||||||
|
acl self_host req.hdr(Host) {{ fqdn }}
|
||||||
|
acl path_root path /
|
||||||
acl path_host path /host
|
acl path_host path /host
|
||||||
acl path_date path /date
|
acl path_date path /date
|
||||||
acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
|
acl path_srchash path /srchash
|
||||||
|
|
||||||
|
## Basic rules
|
||||||
|
http-request set-var(txn.random) rand,mul(5)
|
||||||
|
http-request set-var(txn.httpdate) date,http_date()
|
||||||
|
http-request set-var(txn.srchash) src,crc32,mod(100)
|
||||||
http-request set-var(req.src) src
|
http-request set-var(req.src) src
|
||||||
http-request set-var(req.host) req.hdr(Host)
|
http-request set-var(req.host) req.hdr(Host)
|
||||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||||
@ -131,26 +156,27 @@ frontend https from {{ haproxy.config.namespace }}
|
|||||||
|
|
||||||
## Returns
|
## Returns
|
||||||
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
|
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
|
||||||
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
|
||||||
|
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
|
||||||
|
|
||||||
## Headers
|
## Headers
|
||||||
http-request set-header X-Proxy-Id "%H"
|
http-request set-header X-Proxy-Id "%H"
|
||||||
http-request set-header X-Proto https if { ssl_fc }
|
http-request set-header X-Proto https if { ssl_fc }
|
||||||
|
|
||||||
http-response set-header Date "%[date,http_date()]"
|
http-response set-header Date "%[var(txn.httpdate)]"
|
||||||
http-response set-header Server "{{ haproxy.config.servername }}"
|
http-response set-header Server "{{ haproxy.config.servername }}"
|
||||||
http-response set-header X-Random "%[rand,mul(5)]"
|
http-response set-header X-Random "%[var(txn.random)]"
|
||||||
|
|
||||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||||
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
||||||
http-request deny deny_status 404 unless domains
|
http-request deny deny_status 404 unless domains
|
||||||
{%- if haproxy.config.admin.enable %}
|
{%- if haproxy.config.admin.enable %}
|
||||||
use_backend admin if admin internal
|
use_backend admin if self_host internal path_root
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)]
|
||||||
monitor-uri /dead_or_alive
|
monitor-uri /dead_or_alive
|
||||||
default_backend nginx
|
default_backend {{ ns.default_backend }}
|
||||||
|
|
||||||
# HTTP Backends
|
# HTTP Backends
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
|
Loading…
Reference in New Issue
Block a user