From dd0756186faac8af72d9bc99a1f6b2caa5f6b71b Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Fri, 9 Dec 2022 23:47:23 +0100
Subject: [PATCH] updated haproxy state

---
 states/haproxy/service.sls | 4 ++-
 states/haproxy/templates/haproxy.cfg.j2 | 35 +++++++++++++++++--------
 2 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/states/haproxy/service.sls b/states/haproxy/service.sls
index f64cd47..8755188 100644
--- a/states/haproxy/service.sls
+++ b/states/haproxy/service.sls
@@ -4,4 +4,6 @@ haproxy-service:
 service.running:
 - name: haproxy
 - enable: true
- - reload: true
\ No newline at end of file
+ - reload: true
+ - check_cmd:
+ - haproxy -f {{ haproxy.config.dir }}/{{ haproxy.config.configfile }} -c
\ No newline at end of file
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index 06b7b0b..bd63c30 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@@ -19,11 +19,12 @@
 {%- endmacro -%}
 {%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
+
 {%- macro httpsslrules() -%}ssl verify none{%- endmacro -%}
-{%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
+{%- macro httpendpoints(servers=[], check=True, ssl=False, disabled=False) -%}
 {%- for server in servers %}
- server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
+ server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}{{ " disabled" if server.disabled|default(False) }}
 {%- endfor %}
 {%- endmacro -%}
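Review bot: The added `check_cmd` under `service.running` does not gate the reload: as far as I know Salt's global `check_cmd` is executed after the state function for any state module without its own `mod_run_check_cmd`, so here `haproxy -c` runs once the reload has already been attempted and can only flip the result to failed. A pre-commit validation belongs on the `file.managed` state that renders `haproxy.cfg.j2` (not in this patch), where `check_cmd` is run against the temporary file before it replaces the live config, with this service state keeping `reload: true` and its watch on that file. If the post-reload check is all that is intended, a comment above the new lines would stop the next reader from treating it as a guard, e.g. `# runs after the reload: only marks the state failed if the live config does not validate`. The `haproxy-service` state id sits in the hunk header, so its full declaration starts before the hunk.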
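Review bot: The new `disabled=False` parameter on `httpendpoints` is never read inside the macro — the emitted `disabled` keyword is driven solely by `server.disabled|default(False)` — so the signature advertises a macro-wide switch that has no effect and a caller passing `disabled=True` gets nothing. Either drop it from the signature or make it the fallback for the per-server flag: `{{ " disabled" if server.disabled|default(disabled) }}`. A one-line comment above the macro listing the keys it reads from each `servers` item (`name`, `port`, `inter`, `fall`, `rise`, `disabled`) would also help, since those keys are the only documentation of the expected dict shape.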
@@ -44,10 +45,9 @@
 {%- endmacro -%}
 {%- macro admin() -%}
-# Stats
-listen stats
+# Stats Backend
+backend admin
 mode http
- bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
 stats enable
 #stats hide-version
 stats admin if TRUE
@@ -55,7 +55,6 @@ listen stats
 stats show-modules
 stats show-legends
 stats uri /
- monitor-uri /dead_or_alive
 {%- endmacro -%}
 {%- macro api() -%}
@@ -89,10 +88,6 @@ defaults
 {{ key }} {{ value }}
 {%- endfor %}
-{% if haproxy.config.admin.enable %}
-{{ admin() }}
-{%- endif %}
-
 # Cache
 cache static
 total-max-size 64
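Review bot: `backend admin` keeps `stats admin if TRUE` and the still-commented `stats hide-version` but loses its own `bind`, so the macro now carries no access control of its own and depends entirely on the frontend's `use_backend admin if admin internal` gate added later in this patch; that coupling is invisible from the macro and deserves a comment under `backend admin`, e.g. `# no bind: reachable only via frontend https (use_backend admin if admin internal); stats admin is unconditional here`. Removing the `bind` also leaves `haproxy.config.admin.port` unreferenced in this macro, so if nothing else in the template reads it the pillar key is now dead and should be called out in the role's documentation. The `admin()` macro continues past the end of this hunk.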
@@ -121,29 +116,43 @@ frontend https
 mode http
 option httplog
 acl internal src -f {{ haproxy.config.dir }}/maps/access
- acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found
+ acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(Host) -m str %H
 acl robots_txt path /robots.txt
 acl path_host path /host
 acl path_date path /date
+{%- if haproxy.config.admin.enable %}
+ acl admin path /server-status
+{%- endif %}
 http-request set-var(req.src) src
 http-request set-var(req.host) req.hdr(host)
 http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
 http-request track-sc0 var(req.accesshash) table per_ip_rates
+
 http-request capture req.hdr(User-Agent) len 200
 http-request capture req.hdr(Content-Type) len 200
 http-request capture req.hdr(Referer) len 200
 http-request capture sc_http_req_rate(0) len 4
+
+ ## DDoS
 http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
+
+ ## Returns
 http-request return status 200 content-type text/html lf-string "%H\n" if path_host
 http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
 http-request return status 200 content-type text/html lf-string "%H\n" if path_host
 http-request return status 200 content-type text/html lf-string "%T\n" if path_date
+
+ ## Headers
 http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
 http-request set-header X-Proto https if { ssl_fc }
 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
 http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
 http-request deny deny_status 404 unless domains
+{%- if haproxy.config.admin.enable %}
+ use_backend admin if admin internal
+{%- endif %}
 use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
+ monitor-uri /dead_or_alive
 default_backend nginx
 # HTTP Backends
@@ -196,3 +205,7 @@ listen {{ name }}
 default-server inter 3s fall 3
 {{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
 {% endfor -%}
+
+{% if haproxy.config.admin.enable %}
+{{ admin() }}
+{%- endif %}
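Review bot: The rewritten `acl domains` line appends a second criterion, `req.hdr(Host) -m str %H`, after `-m found` on the same ACL; HAProxy takes one sample fetch per `acl` line and, as far as I know, does not expand log-format tags such as `%H` inside ACL patterns, so this either fails `haproxy -c` or leaves the `http-request deny deny_status 404 unless domains` gate never matching the proxy's own hostname. An OR is written by repeating the ACL name, and the hostname is already rendered from a grain elsewhere in this hunk: `acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found` followed by `acl domains req.hdr(Host) -i {{ salt["grains.get"]("host") }}`. Separately, `acl admin path /server-status` is an exact-path match while the admin backend keeps `stats uri /` (earlier hunk), so the links and admin form that the stats page generates are rooted at `/` and, if I read the stats page correctly, their follow-up requests would fall through to the vhosts map instead of returning to `backend admin`; `stats uri /server-status` in the backend plus `acl admin path_beg /server-status` here keeps them together. The moved `monitor-uri /dead_or_alive` is evaluated before the `http-request` rules, so it now answers 200 to every client of the https frontend regardless of `domains` or the 429 limit, which is acceptable for a liveness probe but worth a comment on that line. The `frontend https` section starts before this hunk.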