updated haproxy state

Paul 2023-03-21 19:42:51 +01:00
parent 5acf18c07f
commit 7567a1d9ab
4 changed files with 26 additions and 15 deletions


@ -12,10 +12,16 @@ haproxy:
- redirects - redirects
- vhosts - vhosts
acme: false acme: false
hatop:
fetchurl: https://github.com/jhunt/hatop/releases/download
version: "0.8.2"
hash: sha256=6ba2136e98b9a436488be67a54a5295f55f38090157d09df0154dda493ac5815
config: config:
dir: /etc/haproxy dir: /etc/haproxy
configfile: haproxy.cfg configfile: haproxy.cfg
peers: peers:
hosts: []
port: 4096
dirs: dirs:
- geoip - geoip
- maps - maps
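Review bot: The new `hash` pin under `hatop:` carries no note tying it to `version`, so a later bump of `version` alone makes the download state fail on a hash mismatch with nothing in the defaults explaining why; a comment above `hatop:` such as `# hatop release pin: hash is the sha256 of the v<version> binary and must be updated together with version` would make the coupling explicit. The new `peers.hosts: []` default is filled in at render time by the peers loop in the config template, so `# hosts: populated at render time from haproxy.peers; leave empty here` on that line would save the next reader from wondering why it is empty. Keeping `version` quoted is right: `0.8.2` is not a float, but a two-part version such as `0.8` would be.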


@ -36,3 +36,12 @@ haproxy-script-{{ file.name }}:
- watch_in: - watch_in:
- service: haproxy-service - service: haproxy-service
{% endfor %} {% endfor %}
haproxy-hatop-download:
file.managed:
- name: /usr/bin/hatop
- source: {{ haproxy.hatop.fetchurl }}/v{{ haproxy.hatop.version }}/hatop
- source_hash: {{ haproxy.hatop.hash }}
- user: root
- group: root
- mode: "0755"
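Review bot: The templated values on the `source:` and `source_hash:` lines are unquoted, so an empty or missing pillar value renders as a bare `- source:` / `- source_hash:` (YAML null) and the failure surfaces as a confusing state error rather than a rendering one; quoting them, `- source: "{{ haproxy.hatop.fetchurl }}/v{{ haproxy.hatop.version }}/hatop"` and `- source_hash: "{{ haproxy.hatop.hash }}"`, keeps the rendered state well-formed whatever the pillar holds. Keeping `source_hash` on the state is the right call, since it is what ties the binary written to `/usr/bin/hatop` to the pinned release; a comment above `haproxy-hatop-download:`, `# hatop is fetched from GitHub over https and verified against the sha256 pinned in the defaults`, would document that intent. The `{% endfor %}` at the top of the hunk closes a loop whose start is outside the hunk.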


@ -8,18 +8,13 @@
{%- set net = salt['pillar.get']('net') -%} {%- set net = salt['pillar.get']('net') -%}
{%- set fqdn = salt['grains.get']('fqdn') -%} {%- set fqdn = salt['grains.get']('fqdn') -%}
{% set peers = salt['mine.get'](
tgt='G@lb:true',
fun='internal_ip_addrs',
tgt_type='compound') %}
{% set peers_ip = [] %} {% set peers_ip = [] %}
{%- for k,v in peers.items() %} {%- for k,v in haproxy.peers.items() %}
{%- if k != salt['grains.get']('fqdn') %} {%- if k != fqdn %}
{%- for i in v %} {%- for i in v %}
{% set _ = peers_ip.append([k,i]) %} {% set _ = peers_ip.append([k,i]) %}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
{% do haproxy.config.update({"peers": peers_ip }) %} {% do haproxy.config.peers.update({"hosts": peers_ip }) %}
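Review bot: The rewritten loop calls `haproxy.peers.items()` directly, but the only `peers` shown in the defaults lives under `haproxy.config` (with `hosts` and `port`), not as a top-level `haproxy.peers`; unless pillar always supplies that key, rendering fails with an undefined error on the `for` line. A guard such as `{%- for k,v in (haproxy.peers|default({})).items() %}` keeps the template rendering with an empty peer list, which the `if haproxy.config.peers.hosts` check in the config template already handles. Since the mine lookup was removed, a one-line comment above the loop stating where `haproxy.peers` comes from (pillar, expected as host → list of IPs, the same shape the old `internal_ip_addrs` mine returned) would spare the next reader a search.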


@ -88,13 +88,13 @@ defaults {{ haproxy.config.namespace }}
{{ key }} {{ value }} {{ key }} {{ value }}
{%- endfor %} {%- endfor %}
{% if haproxy.config.peers|length > 0 -%} {% if haproxy.config.peers.hosts -%}
peers paulbsd peers paulbsd
bind *:4096 ssl crt {{ haproxy.config.acme_fullchains_dir }} bind *:{{ haproxy.config.peers.port }} ssl crt {{ haproxy.config.acme_fullchains_dir }}
default-server ssl verify none default-server ssl verify none
server {{ salt['grains.get']('fqdn') }} server {{ salt['grains.get']('fqdn') }}
{%- for peer in haproxy.config.peers %} {%- for host in haproxy.config.peers.hosts %}
server {{ peer[0] }} {{ peer[1] }}:4096 server {{ host[0] }} {{ host[1] }}:{{ haproxy.config.peers.port }}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
@ -106,7 +106,7 @@ cache static
# Per IP rates stick table # Per IP rates stick table
backend per_ip_rates from {{ haproxy.config.namespace }} backend per_ip_rates from {{ haproxy.config.namespace }}
stick-table type string size {{ haproxy.config.ddos.size|default("1m") }} expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}}) peers paulbsd stick-table type string size {{ haproxy.config.ddos.size|default("1m") }} expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}}) {{ "peers paulbsd" if haproxy.config.peers.hosts }}
# Default HTTP frontend # Default HTTP frontend
frontend http from {{ haproxy.config.namespace }} frontend http from {{ haproxy.config.namespace }}
@ -148,6 +148,7 @@ frontend https from {{ haproxy.config.namespace }}
## ACLs ## ACLs
acl internal src -f {{ haproxy.config.dir }}/maps/access acl internal src -f {{ haproxy.config.dir }}/maps/access
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
acl security_txt path /.well-known/security.txt
acl robots_txt path /robots.txt acl robots_txt path /robots.txt
acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }} acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }}
acl self_host req.hdr(Host) {{ fqdn }} acl self_host req.hdr(Host) {{ fqdn }}
@ -174,7 +175,8 @@ frontend https from {{ haproxy.config.namespace }}
http-request deny deny_status 429 if max_req_rate !internal http-request deny deny_status 429 if max_req_rate !internal
## Returns ## Returns
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt http-request return status 200 content-type text/plain string "User-agent: *\r\nAllow: /" if robots_txt
http-request return status 200 content-type text/plain string "Contact: mailto:paul@paulbsd.com" if security_txt
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
@ -211,7 +213,6 @@ backend {{ name }} from {{ haproxy.config.namespace }}
{%- for step in values.check_steps|default([]) %} {%- for step in values.check_steps|default([]) %}
http-check {{ step }} http-check {{ step }}
{%- endfor %} {%- endfor %}
{{ statusresponses() }}
{%- endif %} {%- endif %}
{%- if values.overrides|default([]) %} {%- if values.overrides|default([]) %}
{%- for override in values.overrides %} {%- for override in values.overrides %}
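Review bot: The new security.txt response in the `## Returns` hunk serves only `Contact: mailto:paul@paulbsd.com` and omits the `Expires:` field, which RFC 9116 makes mandatory alongside `Contact:`, so validators and scanners will report the file as invalid; the string should carry both, following the `\r\n` convention already used on the robots.txt line, e.g. `string "Contact: mailto:paul@paulbsd.com\r\nExpires: <ISO-8601 date, placeholder>\r\n"`. A comment next to `acl security_txt` noting that it matches `path` only, and therefore answers for every Host on this frontend, would also document the intent. Separately, in the `per_ip_rates` hunk the inline conditional `{{ "peers paulbsd" if haproxy.config.peers.hosts }}` has no `else`; it renders empty under Salt's default Jinja environment but raises if the environment is configured with a strict undefined, so `{{ "peers paulbsd" if haproxy.config.peers.hosts else "" }}` is the safer form. The enclosing `frontend https` block starts and ends outside the hunk.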