From 95a3b0e55dc27662e292e7085f5781303abe5ec8 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Sat, 3 Dec 2022 00:07:39 +0100
Subject: [PATCH] updated haproxy state
---
 states/apt/init.sls | 2 +-
 states/apt/{ => templates}/apt.py.j2 | 0
 states/haproxy/defaults.yaml | 10 ++++--
 states/haproxy/templates/haproxy.cfg.j2 | 47 ++++++++++++++++++-------
 4 files changed, 44 insertions(+), 15 deletions(-)
 rename states/apt/{ => templates}/apt.py.j2 (100%)
diff --git a/states/apt/init.sls b/states/apt/init.sls
index cbd9709..c0e68bd 100644
--- a/states/apt/init.sls
+++ b/states/apt/init.sls
@@ -9,7 +9,7 @@ apt-deps:
 apt-proxy-detect:
 file.managed:
 - name: /usr/local/bin/apt-proxy-detect.py
- - source: salt://apt/apt.py.j2
+ - source: salt://apt/templates/apt.py.j2
 - template: jinja
 - mode: "0755"
diff --git a/states/apt/apt.py.j2 b/states/apt/templates/apt.py.j2
similarity index 100%
rename from states/apt/apt.py.j2
rename to states/apt/templates/apt.py.j2
diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml
index 5fa0835..a8d65fa 100644
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@@ -29,14 +29,17 @@ haproxy:
 timeout server: 30m
 timeout check: 5s
 balance: roundrobin
- check: True
+ check: true
 dir: /etc/haproxy
 configfile: haproxy.cfg
 user: haproxy
 group: haproxy
 http_port: 80
 https_port: 443
- admin: false
+ capture_length: 200
+ admin:
+ enable: false
+ port: 7000
 api:
 enable: true
 filesocket: /var/run/hap-lb.sock
@@ -73,5 +76,8 @@ haproxy:
 - .js
 - .png
 - .jpg
+ ddos:
+ timeperiod: 10s
+ maxrequests: 200
 vhosts: {}
 services: {}
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index d8f90e5..ec92b70 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
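Review bot: In the defaults.yaml hunk at line 29, `admin` changes shape from a bare boolean to a mapping (`enable`, `port`), which breaks any pillar or override that still sets `admin: false`; the template now reads `haproxy.config.admin.enable` and `haproxy.config.admin.port`, so a leftover boolean would, depending on how the renderer treats undefined attributes, either fail at render time or silently disable the stats listener. A comment above the key would save the next person a surprise, e.g. `# admin: was a boolean, now a mapping (enable/port) — update pillar overrides`. The new `capture_length: 200` default is also not consumed by any template line in this patch — the `http-request capture ... len 200` lines in the https frontend hunk stay hard-coded — unless it is referenced somewhere outside these hunks.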
@@ -10,6 +10,10 @@
 http-request return status 200 if { method -i HEAD }
 {%- endmacro -%}
+{%- macro statusresponses() -%}
+ http-response return content-type text/html string "404 not found" if { status 404 }
+{%- endmacro -%}
+
 {%- macro serverheader() -%}
 http-response set-header server "{{ haproxy.config.servername }}"
 {%- endmacro -%}
@@ -19,7 +23,7 @@
 {%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
 {%- for server in servers %}
- server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules() if check }}{{ " " + httpsslrules() if ssl }}
+ server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
 {%- endfor %}
 {%- endmacro -%}
@@ -43,10 +47,15 @@
 # Stats
 listen stats
 mode http
- bind *:7000,:::7000 v4v6
+ bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
 stats enable
- stats refresh 5s
+ #stats hide-version
+ stats admin if TRUE
+ #stats refresh 5s
+ stats show-modules
+ stats show-legends
 stats uri /
+ monitor-uri /dead_or_alive
 {%- endmacro -%}
 {%- macro api() -%}
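Review bot: `stats admin if TRUE` in the stats hunk turns on the stats page's administrative actions (changing server state) for every client that reaches the listener, and that listener is bound on all v4/v6 addresses at `haproxy.config.admin.port` with no `stats auth` and no source ACL anywhere in the hunk. Unless the port is filtered outside this state, the admin surface should be gated the same way the https frontend gates internal traffic, e.g. `acl internal src -f {{ haproxy.config.dir }}/maps/access` followed by `stats admin if internal`, or at minimum a `stats auth` line. Leaving `#stats hide-version` commented out also keeps the HAProxy version on the page; enabling `stats hide-version` costs nothing. The opening line of the enclosing macro is outside the hunk.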
@@ -80,33 +89,41 @@ defaults
 {{ key }} {{ value }}
 {%- endfor %}
-{%- if haproxy.config.admin %}
+{% if haproxy.config.admin.enable %}
 {{ admin() }}
 {%- endif %}
 # Cache
 cache static
- total-max-size 256
+ total-max-size 64
 max-object-size 50000
 max-age 120
 # Per IP rates stick table
 backend per_ip_rates
- stick-table type string size 1m expire 10s store http_req_rate(10s)
+ stick-table type string size 1m expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}})
 # Default HTTP frontend
 frontend http
- bind *:80,:::80 v4v6
+ bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
 mode http
 acl http ssl_fc,not
+ acl path_host path /host
+ acl path_date path /date
+ http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+ http-request return status 200 content-type text/html lf-string "%T\n" if path_date
 http-request redirect scheme https if http
 # Default HTTPS frontend
 frontend https
- bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
+ bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
+ #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
 mode http
 option httplog
 acl internal src -f {{ haproxy.config.dir }}/maps/access
+ acl robots_txt path /robots.txt
+ acl path_host path /host
+ acl path_date path /date
 http-request set-var(req.src) src
 http-request set-var(req.host) req.hdr(host)
 http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
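Review bot: The new `/host` and `/date` returns in the http frontend answer any client, and they sit before the https redirect, so an unauthenticated plain-HTTP request gets `%H`, which in HAProxy's log-format is the hostname of the proxy itself, and the proxy's clock; the same pair is added to the https frontend in the next hunk. If these are meant for an internal checker, gate them on the source list the https frontend already uses, e.g. add `acl internal src -f {{ haproxy.config.dir }}/maps/access` to the http frontend and append `internal` to the condition of each of the four return lines (`... if path_host internal`); otherwise the `monitor-uri` added in the stats macro already provides a liveness endpoint without the disclosure. The bodies are plain text but declared `content-type text/html`; `text/plain` would be the accurate type.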
@@ -115,16 +132,20 @@ frontend https
 http-request capture req.hdr(Content-Type) len 200
 http-request capture req.hdr(Referer) len 200
 http-request capture sc_http_req_rate(0) len 4
- http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal
+ http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
+ http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+ http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
+ http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+ http-request return status 200 content-type text/html lf-string "%T\n" if path_date
 http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
 http-request set-header X-Proto https if { ssl_fc }
 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
- http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found }
+ http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
 use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
 default_backend nginx
 # HTTP Backends
-{% for name, values in haproxy.config.vhosts.items() %}
+{%- for name, values in haproxy.config.vhosts.items() %}
 {%- if not values.redirect|default(False) %}
 backend {{ name }}
 balance {{ values.balance|default(haproxy.config.balance) }}
@@ -136,6 +157,7 @@ backend {{ name }}
 http-check {{ step }}
 {%- endfor %}
 {%- endif %}
+ {{ statusresponses() }}
 {%- if values.head|default(False) %}
 {{ head() }}
 {%- endif %}
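Review bot: The line `http-request return status 200 content-type text/html lf-string "%H\n" if path_host` is added twice in the https frontend, once before the `robots_txt` rule and once after it; `http-request return` is a final action, so the second copy can never match and one of them should be dropped. The robots.txt response is served as `content-type text/html`, but the robots exclusion format is plain text and crawlers are not guaranteed to honour an HTML-typed body, so that line should read `http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt`. The hostname-disclosure concern raised on the http frontend applies to the `/host` and `/date` returns here as well: they run after the 429 rate-limit deny but are not conditioned on the `internal` ACL that the frontend already defines. The enclosing `frontend https` block starts outside the hunk.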
@@ -160,13 +182,14 @@ backend {{ name }}
 {% endfor %}
 # TCP services
-{% for name, values in haproxy.config.services.items() %}
+{%- for name, values in haproxy.config.services.items() %}
 listen {{ name }}
 bind *:{{ values.port }},:::{{ values.port }} v4v6
 mode tcp
 option tcplog
 {%- if values.type == "postgres" %}
 option pgsql-check user postgres
+ option tcpka
 {%- endif %}
 default-server inter 3s fall 3
 {{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}