From b044e3adbf4366de9de0a1d37df53c383102d47e Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Mon, 26 Dec 2022 18:13:39 +0100
Subject: [PATCH] updated haproxy state
---
 states/haproxy/defaults.yaml | 1 +
 states/haproxy/templates/haproxy.cfg.j2 | 26 ++++++++++---------------
 2 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml
index 478649e..c9d1a05 100644
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@@ -20,6 +20,7 @@ haproxy:
 config:
 dir: /etc/haproxy
 configfile: haproxy.cfg
+ namespace: paulbsd
 servername: "High-performance Web Server"
 http2: true
 defaults:
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index 21ad632..6e7b692 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@@ -14,10 +14,6 @@
 http-response return content-type text/html string "404 not found" if { status 404 }
 {%- endmacro -%}
-{%- macro serverheader() -%}
- http-response set-header server "{{ haproxy.config.servername }}"
-{%- endmacro -%}
-
 {%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
 {%- macro httpsslrules() -%}ssl verify none{%- endmacro -%}
@@ -46,7 +42,7 @@
 {%- macro admin() -%}
 # Stats Backend
-backend admin
+backend admin from {{ haproxy.config.namespace }}
 mode http
 stats enable
 stats admin if TRUE
@@ -82,7 +78,7 @@ global
 ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem
 # Defaults values
-defaults
+defaults {{ haproxy.config.namespace }}
 {%- for key, value in haproxy.config.defaults.items() %}
 {{ key }} {{ value }}
 {%- endfor %}
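Review bot: `namespace: paulbsd` is added without any comment, yet every frontend, backend and listen section in haproxy.cfg.j2 now references `haproxy.config.namespace` through `from` with no `|default`, so the key has become mandatory and, depending on how pillar data is merged over these defaults, a `config` mapping that omits it would render an invalid `backend x from ` line. A one-line comment above it would make that contract visible: `# name of the shared defaults section; every proxy in haproxy.cfg.j2 inherits from it via "from" (named defaults sections need HAProxy >= 2.4)`. Since the value is only ever used as a HAProxy section name, it should stay a single bare token and never contain spaces.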
@@ -94,11 +90,11 @@ cache static
 max-age 120
 # Per IP rates stick table
-backend per_ip_rates
+backend per_ip_rates from {{ haproxy.config.namespace }}
 stick-table type string size 1m expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}})
 # Default HTTP frontend
-frontend http
+frontend http from {{ haproxy.config.namespace }}
 bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
 mode http
 acl http ssl_fc,not
@@ -109,7 +105,7 @@ frontend http
 http-request redirect scheme https if http
 # Default HTTPS frontend
-frontend https
+frontend https from {{ haproxy.config.namespace }}
 bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
 #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
 mode http
@@ -143,6 +139,8 @@ frontend https
 http-request set-header X-Proto https if { ssl_fc }
 http-response set-header Date "%[date,http_date()]"
+ http-response set-header Server "{{ haproxy.config.servername }}"
+ http-response set-header X-Random "%[rand,mul(5)]"
 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
 http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
@@ -157,7 +155,7 @@ frontend https
 # HTTP Backends
 {%- for name, values in haproxy.config.vhosts.items() %}
 {%- if not values.redirect|default(False) %}
-backend {{ name }}
+backend {{ name }} from {{ haproxy.config.namespace }}
 balance {{ values.balance|default(haproxy.config.balance) }}
 mode http
 option forwardfor
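Review bot: The `Server` header is now set unconditionally in the `https` frontend, which silently drops the per-vhost opt-out the removed `serverheader` macro honoured (`values.serverheader|default(True)`, deleted in the hunk at `@@ -180,10 +178,6 @@`): a vhost that still carries `serverheader: false` in its data is ignored, and since HAProxy evaluates a frontend's `http-response` rules after the backend's, any `Server` value a backend sets is overwritten as well. Responses the `http` frontend generates itself (the scheme redirect) get no equivalent rule, so the two frontends now answer with different header sets. `X-Random "%[rand,mul(5)]"` has no explanation at all; if it is meant to vary response length or defeat caching, the intent should be stated, e.g. `# Server/X-Random are stamped on every response here and override anything a backend set; the per-vhost serverheader toggle no longer exists`. The rest of the frontend https section lies outside the hunk.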
@@ -180,10 +178,6 @@ backend {{ name }}
 {{ cache() }}
 {%- endif %}
-{%- if values.serverheader|default(True) %}
- {{ serverheader() }}
-{%- endif %}
-
 {%- if values.internal|default(False) %}
 {{ internal() }}
 {%- endif %}
@@ -193,7 +187,7 @@ backend {{ name }}
 # TCP services
 {%- for name, values in haproxy.config.services.items() %}
-listen {{ name }}
+listen {{ name }} from {{ haproxy.config.namespace }}
 bind *:{{ values.port }},:::{{ values.port }} v4v6
 mode tcp
 option tcplog
@@ -207,7 +201,7 @@ listen {{ name }}
 # SPOE Agents
 {%- for name, values in haproxy.config.spoe.items() %}
-listen {{ name }}
+listen {{ name }} from {{ haproxy.config.namespace }}
 bind *:{{ values.port }},:::{{ values.port }} v4v6
 {% endfor %}