updated haproxy state

2023-03-21 19:42:51 +01:00 · 2023-03-21 19:42:51 +01:00 · 7567a1d9ab
commit 7567a1d9ab
parent 5acf18c07f
4 changed files with 26 additions and 15 deletions
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@ -12,10 +12,16 @@ haproxy:
    - redirects
    - vhosts
  acme: false
+  hatop:
+    fetchurl: https://github.com/jhunt/hatop/releases/download
+    version: "0.8.2"
+    hash: sha256=6ba2136e98b9a436488be67a54a5295f55f38090157d09df0154dda493ac5815
  config:
    dir: /etc/haproxy
    configfile: haproxy.cfg
    peers:
+      hosts: []
+      port: 4096
    dirs:
      - geoip
      - maps
--- a/states/haproxy/install.sls
+++ b/states/haproxy/install.sls
@ -36,3 +36,12 @@ haproxy-script-{{ file.name }}:
    - watch_in:
      - service: haproxy-service
 {% endfor %}
+
+haproxy-hatop-download:
+  file.managed:
+    - name: /usr/bin/hatop
+    - source: {{ haproxy.hatop.fetchurl }}/v{{ haproxy.hatop.version }}/hatop
+    - source_hash: {{ haproxy.hatop.hash }}
+    - user: root
+    - group: root
+    - mode: "0755"
--- a/states/haproxy/map.jinja
+++ b/states/haproxy/map.jinja
@ -8,18 +8,13 @@
 {%- set net = salt['pillar.get']('net') -%}
 {%- set fqdn = salt['grains.get']('fqdn') -%}

-{% set peers = salt['mine.get'](
-                  tgt='G@lb:true',
-                  fun='internal_ip_addrs',
-                  tgt_type='compound') %}
-
 {% set peers_ip = [] %}
-{%- for k,v in peers.items() %}
-{%- if k != salt['grains.get']('fqdn') %}
+{%- for k,v in haproxy.peers.items() %}
+{%- if k != fqdn %}
 {%- for i in v %}
 {% set _ = peers_ip.append([k,i]) %}
 {%- endfor %}
 {%- endif %}
 {%- endfor %}

-{% do haproxy.config.update({"peers": peers_ip }) %}
+{% do haproxy.config.peers.update({"hosts": peers_ip }) %}
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@ -88,13 +88,13 @@ defaults {{ haproxy.config.namespace }}
  {{ key }} {{ value }}
 {%- endfor %}

-{% if haproxy.config.peers|length > 0 -%}
+{% if haproxy.config.peers.hosts -%}
 peers paulbsd
-  bind *:4096 ssl crt {{ haproxy.config.acme_fullchains_dir }}
+  bind *:{{ haproxy.config.peers.port }} ssl crt {{ haproxy.config.acme_fullchains_dir }}
  default-server ssl verify none
  server {{ salt['grains.get']('fqdn') }}
-{%- for peer in haproxy.config.peers %}
-  server {{ peer[0] }} {{ peer[1] }}:4096
+{%- for host in haproxy.config.peers.hosts %}
+  server {{ host[0] }} {{ host[1] }}:{{ haproxy.config.peers.port }}
 {%- endfor %}
 {%- endif %}

@ -106,7 +106,7 @@ cache static

 # Per IP rates stick table
 backend per_ip_rates from {{ haproxy.config.namespace }}
-  stick-table type string size {{ haproxy.config.ddos.size|default("1m") }} expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}}) peers paulbsd
+  stick-table type string size {{ haproxy.config.ddos.size|default("1m") }} expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}}) {{ "peers paulbsd" if haproxy.config.peers.hosts }}

 # Default HTTP frontend
 frontend http from {{ haproxy.config.namespace }}
@ -148,6 +148,7 @@ frontend https from {{ haproxy.config.namespace }}
  ## ACLs
  acl internal src -f {{ haproxy.config.dir }}/maps/access
  acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
+  acl security_txt path /.well-known/security.txt
  acl robots_txt path /robots.txt
  acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }}
  acl self_host req.hdr(Host) {{ fqdn }}
@ -174,7 +175,8 @@ frontend https from {{ haproxy.config.namespace }}
  http-request deny deny_status 429 if max_req_rate !internal

  ## Returns
-  http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
+  http-request return status 200 content-type text/plain string "User-agent: *\r\nAllow: /" if robots_txt
+  http-request return status 200 content-type text/plain string "Contact: mailto:paul@paulbsd.com" if security_txt
  http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
  http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
  http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
@ -211,7 +213,6 @@ backend {{ name }} from {{ haproxy.config.namespace }}
 {%- for step in values.check_steps|default([]) %}
  http-check {{ step }}
 {%- endfor %}
-  {{ statusresponses() }}
 {%- endif %}
 {%- if values.overrides|default([]) %}
 {%- for override in values.overrides %}