updated haproxy state
This commit is contained in:
parent
3d06ceecbc
commit
c8806bd5be
@ -14,8 +14,10 @@ haproxy:
|
||||
lib: false
|
||||
maps:
|
||||
- access
|
||||
- redirects
|
||||
- vhosts
|
||||
config:
|
||||
servername: "PaulBSD WebServer 1.0"
|
||||
servername: "High-performance Web Server"
|
||||
http2: true
|
||||
defaults:
|
||||
#log: global
|
||||
@ -58,5 +60,16 @@ haproxy:
|
||||
ssl_options:
|
||||
- no-sslv3
|
||||
- no-tls-tickets
|
||||
gzip_mime_types:
|
||||
- text/html
|
||||
- text/plain
|
||||
- text/css
|
||||
- text/javascript
|
||||
- application/javascript
|
||||
cache_file_types:
|
||||
- .css
|
||||
- .js
|
||||
- .png
|
||||
- .jpg
|
||||
vhosts: {}
|
||||
services: {}
|
||||
|
@ -1,17 +1,24 @@
|
||||
---
|
||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||
haproxy-pkg:
|
||||
pkg.installed:
|
||||
pkg.latest:
|
||||
- pkgs: {{ haproxy.packages }}
|
||||
|
||||
haproxy-maps-dir:
|
||||
haproxy-config-dir:
|
||||
file.directory:
|
||||
- name: {{ haproxy.config.dir }}
|
||||
- user: {{ haproxy.config.user }}
|
||||
- group: {{ haproxy.config.group }}
|
||||
- mode: "0700"
|
||||
|
||||
haproxy-config-maps-dir:
|
||||
file.directory:
|
||||
- name: {{ haproxy.config.dir }}/maps
|
||||
- user: {{ haproxy.config.user }}
|
||||
- group: {{ haproxy.config.group }}
|
||||
- mode: "0700"
|
||||
|
||||
haproxy-script-dir:
|
||||
haproxy-config-script-dir:
|
||||
file.directory:
|
||||
- name: {{ haproxy.config.dir }}/scripts
|
||||
- user: {{ haproxy.config.user }}
|
||||
@ -34,7 +41,7 @@ haproxy-script-{{ file.name }}:
|
||||
haproxy-maps-{{ filename }}:
|
||||
file.managed:
|
||||
- name: {{ haproxy.config.dir }}/maps/{{ filename }}
|
||||
- source: salt://haproxy/templates/{{ filename }}.j2
|
||||
- source: salt://haproxy/maps/{{ filename }}.j2
|
||||
- user: {{ haproxy.config.user }}
|
||||
- group: {{ haproxy.config.group }}
|
||||
- mode: "0600"
|
||||
|
7
states/haproxy/maps/redirects.j2
Normal file
7
states/haproxy/maps/redirects.j2
Normal file
@ -0,0 +1,7 @@
|
||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||
{%- if values.redirect|default(false) %}
|
||||
{{ values.host }} {{ values.redirect }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
7
states/haproxy/maps/vhosts.j2
Normal file
7
states/haproxy/maps/vhosts.j2
Normal file
@ -0,0 +1,7 @@
|
||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||
{%- if not values.redirect|default(false) %}
|
||||
{{ values.host }} {{ name }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
@ -14,17 +14,19 @@ local function getmax(t)
|
||||
end
|
||||
|
||||
local function arrange_backends()
|
||||
local results = {}
|
||||
while true do
|
||||
for _, backend in pairs(core.backends) do
|
||||
results = {}
|
||||
local results = {}
|
||||
for n,server in pairs(backend.servers) do
|
||||
if server:get_stats()["check_status"] == "L4OK" then
|
||||
local svname = server:get_stats()["svname"]
|
||||
local latency = server:get_stats()["check_duration"]
|
||||
results[svname] = latency
|
||||
if server:get_stats()["check_status"] ~= nil then
|
||||
if string.find(server:get_stats()["check_status"],"OK") ~= nil then
|
||||
local svname = server:get_stats()["svname"]
|
||||
local latency = server:get_stats()["check_duration"]
|
||||
results[svname] = latency
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
local b,c = getmax(results)
|
||||
if b ~= nil then
|
||||
for n,server in pairs(backend.servers) do
|
||||
|
@ -16,35 +16,37 @@
|
||||
|
||||
{%- macro endpoints(servers, check, ssl) -%}
|
||||
{%- for server in servers %}
|
||||
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 1s fall 5 rise 5 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }}
|
||||
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 2s fall 5 rise 5 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }}
|
||||
{%- endfor %}
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro cache() -%}
|
||||
http-request cache-use static if { path_end .css .js .png .jpg }
|
||||
http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} }
|
||||
http-response cache-store static
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro compression() -%}
|
||||
compression algo gzip
|
||||
compression type text/html text/plain text/css text/javascript application/javascript
|
||||
compression type {{ haproxy.config.gzip_mime_types|join(' ') }}
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro admin() -%}
|
||||
# Stats
|
||||
listen stats
|
||||
mode http
|
||||
bind *:7000 v4v6
|
||||
bind *:7000,:::7000 v4v6
|
||||
stats enable
|
||||
stats refresh 5s
|
||||
stats uri /
|
||||
{%- endmacro -%}
|
||||
|
||||
{%- macro api() -%}
|
||||
stats socket ipv4@127.0.0.1:9990 level admin
|
||||
stats socket /var/run/hap-lb.sock mode 666 level admin
|
||||
stats timeout 2m
|
||||
# Runtime API
|
||||
stats socket {{ haproxy.config.api.tcpsocket }} level admin
|
||||
stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin
|
||||
{%- endmacro %}
|
||||
|
||||
# Global config
|
||||
global
|
||||
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
||||
{%- for file in haproxy.scripts %}
|
||||
@ -52,10 +54,10 @@ global
|
||||
lua-load {{ haproxy.config.dir }}/{{ file.name }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
maxconn 1000
|
||||
{%- if haproxy.config.api.enable %}
|
||||
{{ api() }}
|
||||
{%- endif %}
|
||||
maxconn 1000
|
||||
ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
|
||||
ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }}
|
||||
ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
|
||||
@ -63,6 +65,7 @@ global
|
||||
crt-base {{ haproxy.config.acme_fullchains_dir }}
|
||||
ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem
|
||||
|
||||
# Defaults values
|
||||
defaults
|
||||
{%- for key, value in haproxy.config.defaults.items() %}
|
||||
{{ key }} {{ value }}
|
||||
@ -72,42 +75,58 @@ defaults
|
||||
{{ admin() }}
|
||||
{%- endif %}
|
||||
|
||||
# Cache
|
||||
cache static
|
||||
total-max-size 256
|
||||
max-object-size 50000
|
||||
max-age 120
|
||||
|
||||
# Per IP rates stick table
|
||||
backend per_ip_rates
|
||||
stick-table type string size 1m expire 10s store http_req_rate(10s)
|
||||
|
||||
# Default HTTP frontend
|
||||
frontend http
|
||||
bind *:80,:::80 v4v6
|
||||
mode http
|
||||
acl http ssl_fc,not
|
||||
http-request redirect scheme https if http
|
||||
|
||||
# Default HTTPS frontend
|
||||
frontend https
|
||||
bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
||||
mode http
|
||||
option httplog
|
||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||
use_backend {{ name }} if { hdr(Host) -i {{ values.host }} }
|
||||
{%- endfor %}
|
||||
http-request track-sc0 src table per_ip_rates
|
||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||
http-request set-var(req.src) src
|
||||
http-request set-var(req.host) req.hdr(host)
|
||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||
http-request track-sc0 var(req.accesshash) table per_ip_rates
|
||||
http-request capture req.hdr(User-Agent) len 200
|
||||
http-request capture req.hdr(Content-Type) len 200
|
||||
http-request capture req.hdr(Referer) len 200
|
||||
http-request capture sc_http_req_rate(0) len 4
|
||||
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
|
||||
http-request set-header x-proxy-id "{{ salt["grains.get"]("host") }}"
|
||||
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal
|
||||
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
||||
http-request set-header X-Proto https if { ssl_fc }
|
||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found }
|
||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
||||
default_backend nginx
|
||||
|
||||
# HTTP Backends
|
||||
{% for name, values in haproxy.config.vhosts.items() %}
|
||||
{%- if not values.redirect|default(false) %}
|
||||
backend {{ name }}
|
||||
balance {{ values.balance|default("roundrobin") }}
|
||||
mode http
|
||||
option forwardfor
|
||||
{%- if values.check|default(false) %}
|
||||
option httpchk
|
||||
{%- for step in values.check_steps|default([]) %}
|
||||
http-check {{ step }}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{%- if values.head|default(false) %}
|
||||
{{ head() }}
|
||||
{%- endif %}
|
||||
@ -128,11 +147,13 @@ backend {{ name }}
|
||||
{{ internal() }}
|
||||
{%- endif %}
|
||||
{{- endpoints(values.servers, values.check, values.ssl) }}
|
||||
{% endfor -%}
|
||||
{%- endif %}
|
||||
{% endfor %}
|
||||
|
||||
# TCP services
|
||||
{% for name, values in haproxy.config.services.items() %}
|
||||
listen {{ name }}
|
||||
bind :::{{ values.port }} v4v6
|
||||
bind *:{{ values.port }},:::{{ values.port }} v4v6
|
||||
mode tcp
|
||||
option tcplog
|
||||
{%- if values.type == "postgres" %}
|
||||
|
Loading…
Reference in New Issue
Block a user