updated haproxy state
This commit is contained in:
parent
d067176aab
commit
6495b1330a
@ -45,7 +45,7 @@ haproxy:
|
||||
port: 7000
|
||||
api:
|
||||
enable: true
|
||||
filesocket: /var/run/haproxy.sock
|
||||
filesocket: /var/run/haproxy-admin.sock
|
||||
tcpsocket: ipv4@127.0.0.1:9990
|
||||
acme_dir: /etc/acme
|
||||
acme_fullchains_dir: /etc/acme/fullchains
|
||||
|
@ -25,6 +25,13 @@ haproxy-config-script-dir:
|
||||
- group: {{ haproxy.config.group }}
|
||||
- mode: "0700"
|
||||
|
||||
haproxy-config-mods-dir:
|
||||
file.directory:
|
||||
- name: {{ haproxy.config.dir }}/mods
|
||||
- user: {{ haproxy.config.user }}
|
||||
- group: {{ haproxy.config.group }}
|
||||
- mode: "0700"
|
||||
|
||||
{% for file in haproxy.scripts %}
|
||||
haproxy-script-{{ file.name }}:
|
||||
file.managed:
|
||||
|
@ -2,6 +2,6 @@
|
||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||
{%- if values.redirect|default(false) %}
|
||||
{{ values.host }} {{ values.redirect }}
|
||||
{{ name }} {{ values.redirect }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
@ -2,6 +2,6 @@
|
||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||
{%- if not values.redirect|default(false) %}
|
||||
{{ values.host }} {{ name }}
|
||||
{{ name }} {{ name }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
@ -1,9 +1,14 @@
|
||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
|
||||
|
||||
{%- set fqdn = salt["grains.get"]("fqdn") %}
|
||||
{%- set default_backend = "test" %}
|
||||
{% set ns = namespace(default_backend='notdefined') %}
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %}
|
||||
|
||||
{%- macro internal() -%}
|
||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||
http-response return status 403 default-errorfiles if ! internal
|
||||
http-response return status 403 content-type text/html string "403 forbidden" if ! internal
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro head() -%}
|
||||
@ -11,7 +16,7 @@
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro statusresponses() -%}
|
||||
http-response return content-type text/html string "404 not found" if { status 404 }
|
||||
http-response return status 404 content-type text/html string "404 not found" if { status 404 }
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
||||
@ -60,6 +65,7 @@ backend admin from {{ haproxy.config.namespace }}
|
||||
|
||||
# Global config
|
||||
global
|
||||
lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath
|
||||
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
||||
{%- for file in haproxy.scripts %}
|
||||
{%- if not file.lib %}
|
||||
@ -97,11 +103,21 @@ backend per_ip_rates from {{ haproxy.config.namespace }}
|
||||
frontend http from {{ haproxy.config.namespace }}
|
||||
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
|
||||
mode http
|
||||
|
||||
## ACLs
|
||||
acl http ssl_fc,not
|
||||
acl path_host path /host
|
||||
acl path_date path /date
|
||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||
acl self_host req.hdr(Host) {{ fqdn }}
|
||||
acl path_root path -m dir /
|
||||
acl path_host path -m dir /host
|
||||
acl path_date path -m dir /date
|
||||
acl path_srchash path -m dir /srchash
|
||||
|
||||
## Basic rules
|
||||
http-request set-var(txn.srchash) src,crc32,mod(100)
|
||||
http-request set-var(txn.httpdate) date,http_date()
|
||||
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
|
||||
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
|
||||
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
|
||||
http-request redirect scheme https if http
|
||||
|
||||
# Default HTTPS frontend
|
||||
@ -110,12 +126,21 @@ frontend https from {{ haproxy.config.namespace }}
|
||||
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
||||
mode http
|
||||
option httplog
|
||||
|
||||
## ACLs
|
||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
|
||||
acl robots_txt path /robots.txt
|
||||
acl self_host req.hdr(Host) {{ fqdn }}
|
||||
acl path_root path /
|
||||
acl path_host path /host
|
||||
acl path_date path /date
|
||||
acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
|
||||
acl path_srchash path /srchash
|
||||
|
||||
## Basic rules
|
||||
http-request set-var(txn.random) rand,mul(5)
|
||||
http-request set-var(txn.httpdate) date,http_date()
|
||||
http-request set-var(txn.srchash) src,crc32,mod(100)
|
||||
http-request set-var(req.src) src
|
||||
http-request set-var(req.host) req.hdr(Host)
|
||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||
@ -131,26 +156,27 @@ frontend https from {{ haproxy.config.namespace }}
|
||||
|
||||
## Returns
|
||||
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
|
||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
|
||||
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
|
||||
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
|
||||
|
||||
## Headers
|
||||
http-request set-header X-Proxy-Id "%H"
|
||||
http-request set-header X-Proto https if { ssl_fc }
|
||||
|
||||
http-response set-header Date "%[date,http_date()]"
|
||||
http-response set-header Date "%[var(txn.httpdate)]"
|
||||
http-response set-header Server "{{ haproxy.config.servername }}"
|
||||
http-response set-header X-Random "%[rand,mul(5)]"
|
||||
http-response set-header X-Random "%[var(txn.random)]"
|
||||
|
||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
||||
http-request deny deny_status 404 unless domains
|
||||
{%- if haproxy.config.admin.enable %}
|
||||
use_backend admin if admin internal
|
||||
use_backend admin if self_host internal path_root
|
||||
{%- endif %}
|
||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)]
|
||||
monitor-uri /dead_or_alive
|
||||
default_backend nginx
|
||||
default_backend {{ ns.default_backend }}
|
||||
|
||||
# HTTP Backends
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||
|
Loading…
Reference in New Issue
Block a user