updated haproxy state
This commit is contained in:
parent
a350266b2c
commit
95a3b0e55d
@ -9,7 +9,7 @@ apt-deps:
|
|||||||
apt-proxy-detect:
|
apt-proxy-detect:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /usr/local/bin/apt-proxy-detect.py
|
- name: /usr/local/bin/apt-proxy-detect.py
|
||||||
- source: salt://apt/apt.py.j2
|
- source: salt://apt/templates/apt.py.j2
|
||||||
- template: jinja
|
- template: jinja
|
||||||
- mode: "0755"
|
- mode: "0755"
|
||||||
|
|
||||||
|
|||||||
@ -29,14 +29,17 @@ haproxy:
|
|||||||
timeout server: 30m
|
timeout server: 30m
|
||||||
timeout check: 5s
|
timeout check: 5s
|
||||||
balance: roundrobin
|
balance: roundrobin
|
||||||
check: True
|
check: true
|
||||||
dir: /etc/haproxy
|
dir: /etc/haproxy
|
||||||
configfile: haproxy.cfg
|
configfile: haproxy.cfg
|
||||||
user: haproxy
|
user: haproxy
|
||||||
group: haproxy
|
group: haproxy
|
||||||
http_port: 80
|
http_port: 80
|
||||||
https_port: 443
|
https_port: 443
|
||||||
admin: false
|
capture_length: 200
|
||||||
|
admin:
|
||||||
|
enable: false
|
||||||
|
port: 7000
|
||||||
api:
|
api:
|
||||||
enable: true
|
enable: true
|
||||||
filesocket: /var/run/hap-lb.sock
|
filesocket: /var/run/hap-lb.sock
|
||||||
@ -73,5 +76,8 @@ haproxy:
|
|||||||
- .js
|
- .js
|
||||||
- .png
|
- .png
|
||||||
- .jpg
|
- .jpg
|
||||||
|
ddos:
|
||||||
|
timeperiod: 10s
|
||||||
|
maxrequests: 200
|
||||||
vhosts: {}
|
vhosts: {}
|
||||||
services: {}
|
services: {}
|
||||||
|
|||||||
@ -10,6 +10,10 @@
|
|||||||
http-request return status 200 if { method -i HEAD }
|
http-request return status 200 if { method -i HEAD }
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
|
{%- macro statusresponses() -%}
|
||||||
|
http-response return content-type text/html string "404 not found" if { status 404 }
|
||||||
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro serverheader() -%}
|
{%- macro serverheader() -%}
|
||||||
http-response set-header server "{{ haproxy.config.servername }}"
|
http-response set-header server "{{ haproxy.config.servername }}"
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
@ -19,7 +23,7 @@
|
|||||||
|
|
||||||
{%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
|
{%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
|
||||||
{%- for server in servers %}
|
{%- for server in servers %}
|
||||||
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules() if check }}{{ " " + httpsslrules() if ssl }}
|
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
@ -43,10 +47,15 @@
|
|||||||
# Stats
|
# Stats
|
||||||
listen stats
|
listen stats
|
||||||
mode http
|
mode http
|
||||||
bind *:7000,:::7000 v4v6
|
bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
|
||||||
stats enable
|
stats enable
|
||||||
stats refresh 5s
|
#stats hide-version
|
||||||
|
stats admin if TRUE
|
||||||
|
#stats refresh 5s
|
||||||
|
stats show-modules
|
||||||
|
stats show-legends
|
||||||
stats uri /
|
stats uri /
|
||||||
|
monitor-uri /dead_or_alive
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro api() -%}
|
{%- macro api() -%}
|
||||||
@ -80,33 +89,41 @@ defaults
|
|||||||
{{ key }} {{ value }}
|
{{ key }} {{ value }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
{%- if haproxy.config.admin %}
|
{% if haproxy.config.admin.enable %}
|
||||||
{{ admin() }}
|
{{ admin() }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
# Cache
|
# Cache
|
||||||
cache static
|
cache static
|
||||||
total-max-size 256
|
total-max-size 64
|
||||||
max-object-size 50000
|
max-object-size 50000
|
||||||
max-age 120
|
max-age 120
|
||||||
|
|
||||||
# Per IP rates stick table
|
# Per IP rates stick table
|
||||||
backend per_ip_rates
|
backend per_ip_rates
|
||||||
stick-table type string size 1m expire 10s store http_req_rate(10s)
|
stick-table type string size 1m expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}})
|
||||||
|
|
||||||
# Default HTTP frontend
|
# Default HTTP frontend
|
||||||
frontend http
|
frontend http
|
||||||
bind *:80,:::80 v4v6
|
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
|
||||||
mode http
|
mode http
|
||||||
acl http ssl_fc,not
|
acl http ssl_fc,not
|
||||||
|
acl path_host path /host
|
||||||
|
acl path_date path /date
|
||||||
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
|
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||||
http-request redirect scheme https if http
|
http-request redirect scheme https if http
|
||||||
|
|
||||||
# Default HTTPS frontend
|
# Default HTTPS frontend
|
||||||
frontend https
|
frontend https
|
||||||
bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
||||||
|
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
||||||
mode http
|
mode http
|
||||||
option httplog
|
option httplog
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
|
acl robots_txt path /robots.txt
|
||||||
|
acl path_host path /host
|
||||||
|
acl path_date path /date
|
||||||
http-request set-var(req.src) src
|
http-request set-var(req.src) src
|
||||||
http-request set-var(req.host) req.hdr(host)
|
http-request set-var(req.host) req.hdr(host)
|
||||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||||
@ -115,16 +132,20 @@ frontend https
|
|||||||
http-request capture req.hdr(Content-Type) len 200
|
http-request capture req.hdr(Content-Type) len 200
|
||||||
http-request capture req.hdr(Referer) len 200
|
http-request capture req.hdr(Referer) len 200
|
||||||
http-request capture sc_http_req_rate(0) len 4
|
http-request capture sc_http_req_rate(0) len 4
|
||||||
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal
|
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
|
||||||
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
|
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
|
||||||
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
|
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||||
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
||||||
http-request set-header X-Proto https if { ssl_fc }
|
http-request set-header X-Proto https if { ssl_fc }
|
||||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||||
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found }
|
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
||||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
||||||
default_backend nginx
|
default_backend nginx
|
||||||
|
|
||||||
# HTTP Backends
|
# HTTP Backends
|
||||||
{% for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
{%- if not values.redirect|default(False) %}
|
{%- if not values.redirect|default(False) %}
|
||||||
backend {{ name }}
|
backend {{ name }}
|
||||||
balance {{ values.balance|default(haproxy.config.balance) }}
|
balance {{ values.balance|default(haproxy.config.balance) }}
|
||||||
@ -136,6 +157,7 @@ backend {{ name }}
|
|||||||
http-check {{ step }}
|
http-check {{ step }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
{{ statusresponses() }}
|
||||||
{%- if values.head|default(False) %}
|
{%- if values.head|default(False) %}
|
||||||
{{ head() }}
|
{{ head() }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
@ -160,13 +182,14 @@ backend {{ name }}
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
# TCP services
|
# TCP services
|
||||||
{% for name, values in haproxy.config.services.items() %}
|
{%- for name, values in haproxy.config.services.items() %}
|
||||||
listen {{ name }}
|
listen {{ name }}
|
||||||
bind *:{{ values.port }},:::{{ values.port }} v4v6
|
bind *:{{ values.port }},:::{{ values.port }} v4v6
|
||||||
mode tcp
|
mode tcp
|
||||||
option tcplog
|
option tcplog
|
||||||
{%- if values.type == "postgres" %}
|
{%- if values.type == "postgres" %}
|
||||||
option pgsql-check user postgres
|
option pgsql-check user postgres
|
||||||
|
option tcpka
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
default-server inter 3s fall 3
|
default-server inter 3s fall 3
|
||||||
{{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
|
{{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user