updated haproxy state

This commit is contained in:
Paul 2022-11-08 11:04:39 +01:00
parent 3d06ceecbc
commit c8806bd5be
7 changed files with 84 additions and 27 deletions


@ -14,8 +14,10 @@ haproxy:
lib: false lib: false
maps: maps:
- access - access
- redirects
- vhosts
config: config:
servername: "PaulBSD WebServer 1.0" servername: "High-performance Web Server"
http2: true http2: true
defaults: defaults:
#log: global #log: global
@ -58,5 +60,16 @@ haproxy:
ssl_options: ssl_options:
- no-sslv3 - no-sslv3
- no-tls-tickets - no-tls-tickets
gzip_mime_types:
- text/html
- text/plain
- text/css
- text/javascript
- application/javascript
cache_file_types:
- .css
- .js
- .png
- .jpg
vhosts: {} vhosts: {}
services: {} services: {}
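Review bot: The `ssl_options` list that the new `gzip_mime_types` and `cache_file_types` entries are appended under still carries only `no-sslv3` and `no-tls-tickets`, so TLS 1.0 and 1.1 remain negotiable unless the `ssl_ciphers` list (not shown in this hunk) happens to exclude every suite those versions support. Since this list is rendered straight into `ssl-default-bind-options`, adding `- no-tlsv10` and `- no-tlsv11` here (or the single `- ssl-min-ver TLSv1.2`) is the cheapest place to enforce a modern floor. A smaller point on the new lists: `cache_file_types` is passed verbatim into a `path_end` ACL, so the leading dot on each entry is load-bearing; a one-line note above it such as `# extensions passed verbatim to a path_end ACL; keep the leading dot` would stop someone from "cleaning" them up later.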


@ -1,17 +1,24 @@
--- ---
{%- from "haproxy/map.jinja" import haproxy with context %} {%- from "haproxy/map.jinja" import haproxy with context %}
haproxy-pkg: haproxy-pkg:
pkg.installed: pkg.latest:
- pkgs: {{ haproxy.packages }} - pkgs: {{ haproxy.packages }}
haproxy-maps-dir: haproxy-config-dir:
file.directory:
- name: {{ haproxy.config.dir }}
- user: {{ haproxy.config.user }}
- group: {{ haproxy.config.group }}
- mode: "0700"
haproxy-config-maps-dir:
file.directory: file.directory:
- name: {{ haproxy.config.dir }}/maps - name: {{ haproxy.config.dir }}/maps
- user: {{ haproxy.config.user }} - user: {{ haproxy.config.user }}
- group: {{ haproxy.config.group }} - group: {{ haproxy.config.group }}
- mode: "0700" - mode: "0700"
haproxy-script-dir: haproxy-config-script-dir:
file.directory: file.directory:
- name: {{ haproxy.config.dir }}/scripts - name: {{ haproxy.config.dir }}/scripts
- user: {{ haproxy.config.user }} - user: {{ haproxy.config.user }}
@ -34,7 +41,7 @@ haproxy-script-{{ file.name }}:
haproxy-maps-{{ filename }}: haproxy-maps-{{ filename }}:
file.managed: file.managed:
- name: {{ haproxy.config.dir }}/maps/{{ filename }} - name: {{ haproxy.config.dir }}/maps/{{ filename }}
- source: salt://haproxy/templates/{{ filename }}.j2 - source: salt://haproxy/maps/{{ filename }}.j2
- user: {{ haproxy.config.user }} - user: {{ haproxy.config.user }}
- group: {{ haproxy.config.group }} - group: {{ haproxy.config.group }}
- mode: "0600" - mode: "0600"
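Review bot: Switching `haproxy-pkg` from `pkg.installed` to `pkg.latest` means every highstate run can upgrade HAProxy in place, and nothing in this hunk ties that upgrade to a service reload, so a host can keep running the old process on top of a newly installed binary until something else restarts it. If unattended patching is the intent, point the pkg state at the service state (defined outside this hunk) with a `- listen_in:`/`- watch_in:` so the upgrade triggers a reload; otherwise `pkg.installed` with an explicit version pin is the more predictable option. The new `haproxy-config-dir` state also has no `require` relationship with `haproxy-config-maps-dir` and `haproxy-config-script-dir`; Salt's declaration ordering usually makes this work, but `- require: - file: haproxy-config-dir` on the two subdirectory states makes the dependency explicit and survives reordering.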


@ -0,0 +1,7 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy with context %}
{%- for name, values in haproxy.config.vhosts.items() %}
{%- if values.redirect|default(false) %}
{{ values.host }} {{ values.redirect }}
{%- endif %}
{%- endfor %}
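Review bot: The map key is written as `{{ values.host }}` verbatim, but the `Host` header it is compared against is client-controlled and case-insensitive, so a pillar entry such as `Example.com` never matches a request for `example.com`; emitting `{{ values.host|lower }} {{ values.redirect }}` (and lowercasing on the lookup side) keeps the two in agreement. The template also gives no hint of what the value column means: given that haproxy.cfg consumes it via `redirect location ... code 301`, a header comment like `## key: Host header (lower-case); value: absolute URL used verbatim as the 301 Location, request path is not preserved` would save the next editor a trip to the config.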


@ -0,0 +1,7 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy with context %}
{%- for name, values in haproxy.config.vhosts.items() %}
{%- if not values.redirect|default(false) %}
{{ values.host }} {{ name }}
{%- endif %}
{%- endfor %}
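Review bot: The matching lookup in haproxy.cfg is `req.hdr(Host),lower,map(...)`, but this template emits `{{ values.host }}` unchanged, so any vhost whose pillar `host` contains an upper-case character silently falls through to the `nginx` default backend instead of its own. Emit `{{ values.host|lower }} {{ name }}` so both sides agree. Since `map` is an exact-string match, it is also worth deciding whether a `Host` carrying an explicit port (`example.com:443`) should resolve to the same backend, and stripping the port before the lookup if so.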


@ -14,17 +14,19 @@ local function getmax(t)
end end
local function arrange_backends() local function arrange_backends()
local results = {}
while true do while true do
for _, backend in pairs(core.backends) do for _, backend in pairs(core.backends) do
results = {} local results = {}
for n,server in pairs(backend.servers) do for n,server in pairs(backend.servers) do
if server:get_stats()["check_status"] == "L4OK" then if server:get_stats()["check_status"] ~= nil then
if string.find(server:get_stats()["check_status"],"OK") ~= nil then
local svname = server:get_stats()["svname"] local svname = server:get_stats()["svname"]
local latency = server:get_stats()["check_duration"] local latency = server:get_stats()["check_duration"]
results[svname] = latency results[svname] = latency
end end
end end
end
local b,c = getmax(results) local b,c = getmax(results)
if b ~= nil then if b ~= nil then
for n,server in pairs(backend.servers) do for n,server in pairs(backend.servers) do
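Review bot: The widened test `string.find(check_status, "OK")` also accepts `L7OKC`, the "conditionally OK" status HAProxy reports for a server that is being drained (e.g. a `disable-on-404` response), so a server that should receive no new traffic can still be chosen by `getmax` as the best-latency target; comparing against the explicit passing states is safer. The same loop body calls `server:get_stats()` four times per server, and each call builds a fresh table — read it once into a local. `arrange_backends` both begins before and continues after this hunk, so the `while true` loop's sleep/exit condition and `getmax` itself could not be reviewed here.
```lua
for n, server in pairs(backend.servers) do
    local stats = server:get_stats()
    local status = stats["check_status"]
    -- only states that mean the server is actively passing its check;
    -- L7OKC (conditionally OK / draining) is deliberately excluded
    if status == "L4OK" or status == "L6OK" or status == "L7OK" then
        results[stats["svname"]] = stats["check_duration"]
    end
end
-- … unchanged: getmax(results) and the server adjustment loop …
```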


@ -16,35 +16,37 @@
{%- macro endpoints(servers, check, ssl) -%} {%- macro endpoints(servers, check, ssl) -%}
{%- for server in servers %} {%- for server in servers %}
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 1s fall 5 rise 5 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }} server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 2s fall 5 rise 5 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }}
{%- endfor %} {%- endfor %}
{%- endmacro -%} {%- endmacro -%}
{%- macro cache() -%} {%- macro cache() -%}
http-request cache-use static if { path_end .css .js .png .jpg } http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} }
http-response cache-store static http-response cache-store static
{%- endmacro -%} {%- endmacro -%}
{%- macro compression() -%} {%- macro compression() -%}
compression algo gzip compression algo gzip
compression type text/html text/plain text/css text/javascript application/javascript compression type {{ haproxy.config.gzip_mime_types|join(' ') }}
{%- endmacro -%} {%- endmacro -%}
{%- macro admin() -%} {%- macro admin() -%}
# Stats
listen stats listen stats
mode http mode http
bind *:7000 v4v6 bind *:7000,:::7000 v4v6
stats enable stats enable
stats refresh 5s stats refresh 5s
stats uri / stats uri /
{%- endmacro -%} {%- endmacro -%}
{%- macro api() -%} {%- macro api() -%}
stats socket ipv4@127.0.0.1:9990 level admin # Runtime API
stats socket /var/run/hap-lb.sock mode 666 level admin stats socket {{ haproxy.config.api.tcpsocket }} level admin
stats timeout 2m stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin
{%- endmacro %} {%- endmacro %}
# Global config
global global
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
{%- for file in haproxy.scripts %} {%- for file in haproxy.scripts %}
@ -52,10 +54,10 @@ global
lua-load {{ haproxy.config.dir }}/{{ file.name }} lua-load {{ haproxy.config.dir }}/{{ file.name }}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
maxconn 1000
{%- if haproxy.config.api.enable %} {%- if haproxy.config.api.enable %}
{{ api() }} {{ api() }}
{%- endif %} {%- endif %}
maxconn 1000
ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }} ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }} ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }}
ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }} ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
@ -63,6 +65,7 @@ global
crt-base {{ haproxy.config.acme_fullchains_dir }} crt-base {{ haproxy.config.acme_fullchains_dir }}
ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem
# Defaults values
defaults defaults
{%- for key, value in haproxy.config.defaults.items() %} {%- for key, value in haproxy.config.defaults.items() %}
{{ key }} {{ value }} {{ key }} {{ value }}
@ -72,42 +75,58 @@ defaults
{{ admin() }} {{ admin() }}
{%- endif %} {%- endif %}
# Cache
cache static cache static
total-max-size 256 total-max-size 256
max-object-size 50000 max-object-size 50000
max-age 120 max-age 120
# Per IP rates stick table
backend per_ip_rates backend per_ip_rates
stick-table type string size 1m expire 10s store http_req_rate(10s) stick-table type string size 1m expire 10s store http_req_rate(10s)
# Default HTTP frontend
frontend http frontend http
bind *:80,:::80 v4v6 bind *:80,:::80 v4v6
mode http mode http
acl http ssl_fc,not acl http ssl_fc,not
http-request redirect scheme https if http http-request redirect scheme https if http
# Default HTTPS frontend
frontend https frontend https
bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %} bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
mode http mode http
option httplog option httplog
{%- for name, values in haproxy.config.vhosts.items() %} acl internal src -f {{ haproxy.config.dir }}/maps/access
use_backend {{ name }} if { hdr(Host) -i {{ values.host }} } http-request set-var(req.src) src
{%- endfor %} http-request set-var(req.host) req.hdr(host)
http-request track-sc0 src table per_ip_rates http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
http-request track-sc0 var(req.accesshash) table per_ip_rates
http-request capture req.hdr(User-Agent) len 200 http-request capture req.hdr(User-Agent) len 200
http-request capture req.hdr(Content-Type) len 200 http-request capture req.hdr(Content-Type) len 200
http-request capture req.hdr(Referer) len 200 http-request capture req.hdr(Referer) len 200
http-request capture sc_http_req_rate(0) len 4 http-request capture sc_http_req_rate(0) len 4
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal
http-request set-header x-proxy-id "{{ salt["grains.get"]("host") }}" http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
http-request set-header X-Proto https if { ssl_fc }
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found }
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
default_backend nginx default_backend nginx
# HTTP Backends
{% for name, values in haproxy.config.vhosts.items() %} {% for name, values in haproxy.config.vhosts.items() %}
{%- if not values.redirect|default(false) %}
backend {{ name }} backend {{ name }}
balance {{ values.balance|default("roundrobin") }} balance {{ values.balance|default("roundrobin") }}
mode http mode http
option forwardfor option forwardfor
{%- if values.check|default(false) %}
option httpchk
{%- for step in values.check_steps|default([]) %}
http-check {{ step }}
{%- endfor %}
{%- endif %}
{%- if values.head|default(false) %} {%- if values.head|default(false) %}
{{ head() }} {{ head() }}
{%- endif %} {%- endif %}
@ -128,11 +147,13 @@ backend {{ name }}
{{ internal() }} {{ internal() }}
{%- endif %} {%- endif %}
{{- endpoints(values.servers, values.check, values.ssl) }} {{- endpoints(values.servers, values.check, values.ssl) }}
{% endfor -%} {%- endif %}
{% endfor %}
# TCP services
{% for name, values in haproxy.config.services.items() %} {% for name, values in haproxy.config.services.items() %}
listen {{ name }} listen {{ name }}
bind :::{{ values.port }} v4v6 bind *:{{ values.port }},:::{{ values.port }} v4v6
mode tcp mode tcp
option tcplog option tcplog
{%- if values.type == "postgres" %} {%- if values.type == "postgres" %}
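Review bot: Tracking `per_ip_rates` on `req.accesshash` (source address joined with the request `Host`) turns the per-IP limit into a per-IP-per-Host limit, so a client can evade the `deny_status 429` rule simply by rotating the Host header — every new value starts a fresh counter, and each one also occupies a slot in the 1m-entry table. If per-IP limiting is still the intent, keep `http-request track-sc0 src table per_ip_rates` and use the host only for logging; if keying on host is deliberate, note that `stick-table type string` defaults to a 32-byte key, so an IPv6 source plus hostname is silently truncated — give the table an explicit length, `stick-table type string len 128 size 1m expire 10s store http_req_rate(10s)`. Separately, the redirect ACL hard-codes `/etc/haproxy/maps/redirects` while the action uses `{{ haproxy.config.dir }}/maps/redirects`; both should use the templated path, and `map_dom` matches any dot-delimited portion of the host, so a `example.com` entry also redirects `www.example.com` unless that is listed explicitly. Finally, the re-templated `stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin` remains a world-writable admin socket, which lets any local account drive the Runtime API (disable servers, rewrite maps); `mode 660` with a dedicated group is the usual floor.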