paulbsd/paulbsd-salt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated haproxy state

Browse Source
This commit is contained in:
Paul 2022-12-03 00:07:39 +01:00
parent a350266b2c
commit 95a3b0e55d
4 changed files with 44 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
states/apt/init.sls
View File

@ -9,7 +9,7 @@ apt-deps:
apt-proxy-detect: apt-proxy-detect:
file.managed: file.managed:
- name: /usr/local/bin/apt-proxy-detect.py - name: /usr/local/bin/apt-proxy-detect.py
- source: salt://apt/apt.py.j2 - source: salt://apt/templates/apt.py.j2
- template: jinja - template: jinja
- mode: "0755" - mode: "0755"

0
states/apt/apt.py.j2 → states/apt/templates/apt.py.j2
View File

10
states/haproxy/defaults.yaml
View File

@ -29,14 +29,17 @@ haproxy:
timeout server: 30m timeout server: 30m
timeout check: 5s timeout check: 5s
balance: roundrobin balance: roundrobin
check: True check: true
dir: /etc/haproxy dir: /etc/haproxy
configfile: haproxy.cfg configfile: haproxy.cfg
user: haproxy user: haproxy
group: haproxy group: haproxy
http_port: 80 http_port: 80
https_port: 443 https_port: 443
admin: false capture_length: 200
admin:
enable: false
port: 7000
api: api:
enable: true enable: true
filesocket: /var/run/hap-lb.sock filesocket: /var/run/hap-lb.sock
@ -73,5 +76,8 @@ haproxy:
- .js - .js
- .png - .png
- .jpg - .jpg
ddos:
timeperiod: 10s
maxrequests: 200
vhosts: {} vhosts: {}
services: {} services: {}

47
states/haproxy/templates/haproxy.cfg.j2
View File

@ -10,6 +10,10 @@
http-request return status 200 if { method -i HEAD } http-request return status 200 if { method -i HEAD }
{%- endmacro -%} {%- endmacro -%}
{%- macro statusresponses() -%}
http-response return content-type text/html string "404 not found" if { status 404 }
{%- endmacro -%}
{%- macro serverheader() -%} {%- macro serverheader() -%}
http-response set-header server "{{ haproxy.config.servername }}" http-response set-header server "{{ haproxy.config.servername }}"
{%- endmacro -%} {%- endmacro -%}
@ -19,7 +23,7 @@
{%- macro httpendpoints(servers=[], check=True, ssl=False) -%} {%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
{%- for server in servers %} {%- for server in servers %}
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules() if check }}{{ " " + httpsslrules() if ssl }} server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
{%- endfor %} {%- endfor %}
{%- endmacro -%} {%- endmacro -%}
@ -43,10 +47,15 @@
# Stats # Stats
listen stats listen stats
mode http mode http
bind *:7000,:::7000 v4v6 bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
stats enable stats enable
stats refresh 5s #stats hide-version
stats admin if TRUE
#stats refresh 5s
stats show-modules
stats show-legends
stats uri / stats uri /
monitor-uri /dead_or_alive
{%- endmacro -%} {%- endmacro -%}
{%- macro api() -%} {%- macro api() -%}
@ -80,33 +89,41 @@ defaults
{{ key }} {{ value }} {{ key }} {{ value }}
{%- endfor %} {%- endfor %}
{%- if haproxy.config.admin %} {% if haproxy.config.admin.enable %}
{{ admin() }} {{ admin() }}
{%- endif %} {%- endif %}
# Cache # Cache
cache static cache static
total-max-size 256 total-max-size 64
max-object-size 50000 max-object-size 50000
max-age 120 max-age 120
# Per IP rates stick table # Per IP rates stick table
backend per_ip_rates backend per_ip_rates
stick-table type string size 1m expire 10s store http_req_rate(10s) stick-table type string size 1m expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}})
# Default HTTP frontend # Default HTTP frontend
frontend http frontend http
bind *:80,:::80 v4v6 bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
mode http mode http
acl http ssl_fc,not acl http ssl_fc,not
acl path_host path /host
acl path_date path /date
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
http-request redirect scheme https if http http-request redirect scheme https if http
# Default HTTPS frontend # Default HTTPS frontend
frontend https frontend https
bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
mode http mode http
option httplog option httplog
acl internal src -f {{ haproxy.config.dir }}/maps/access acl internal src -f {{ haproxy.config.dir }}/maps/access
acl robots_txt path /robots.txt
acl path_host path /host
acl path_date path /date
http-request set-var(req.src) src http-request set-var(req.src) src
http-request set-var(req.host) req.hdr(host) http-request set-var(req.host) req.hdr(host)
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,) http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
@ -115,16 +132,20 @@ frontend https
http-request capture req.hdr(Content-Type) len 200 http-request capture req.hdr(Content-Type) len 200
http-request capture req.hdr(Referer) len 200 http-request capture req.hdr(Referer) len 200
http-request capture sc_http_req_rate(0) len 4 http-request capture sc_http_req_rate(0) len 4
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}" http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
http-request set-header X-Proto https if { ssl_fc } http-request set-header X-Proto https if { ssl_fc }
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found } http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)] use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
default_backend nginx default_backend nginx
# HTTP Backends # HTTP Backends
{% for name, values in haproxy.config.vhosts.items() %} {%- for name, values in haproxy.config.vhosts.items() %}
{%- if not values.redirect|default(False) %} {%- if not values.redirect|default(False) %}
backend {{ name }} backend {{ name }}
balance {{ values.balance|default(haproxy.config.balance) }} balance {{ values.balance|default(haproxy.config.balance) }}
@ -136,6 +157,7 @@ backend {{ name }}
http-check {{ step }} http-check {{ step }}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{{ statusresponses() }}
{%- if values.head|default(False) %} {%- if values.head|default(False) %}
{{ head() }} {{ head() }}
{%- endif %} {%- endif %}
@ -160,13 +182,14 @@ backend {{ name }}
{% endfor %} {% endfor %}
# TCP services # TCP services
{% for name, values in haproxy.config.services.items() %} {%- for name, values in haproxy.config.services.items() %}
listen {{ name }} listen {{ name }}
bind *:{{ values.port }},:::{{ values.port }} v4v6 bind *:{{ values.port }},:::{{ values.port }} v4v6
mode tcp mode tcp
option tcplog option tcplog
{%- if values.type == "postgres" %} {%- if values.type == "postgres" %}
option pgsql-check user postgres option pgsql-check user postgres
option tcpka
{%- endif %} {%- endif %}
default-server inter 3s fall 3 default-server inter 3s fall 3
{{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }} {{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}