updated haproxy state
parent
25ca5bbeac
commit
dd0756186f
@ -4,4 +4,6 @@ haproxy-service:
|
|||||||
service.running:
|
service.running:
|
||||||
- name: haproxy
|
- name: haproxy
|
||||||
- enable: true
|
- enable: true
|
||||||
- reload: true
|
- reload: true
|
||||||
|
- check_cmd:
|
||||||
|
- haproxy -f {{ haproxy.config.dir }}/{{ haproxy.config.configfile }} -c
|
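Review bot: The added `check_cmd` on `service.running` does not stop a broken configuration from being loaded, because Salt evaluates `check_cmd` after the state has run, so `haproxy -f … -c` only marks the state as failed once the reload has already been attempted. If the goal is to validate before reload, the check belongs on the state that writes the config file (not visible in this hunk); `file.managed` accepts `check_cmd: haproxy -c -f`, which runs against the temporary file and leaves the old config in place on failure. It would also help to quote the rendered path, since `haproxy.config.dir` and `haproxy.config.configfile` are interpolated into a shell command. The `haproxy-service` state begins above the hunk.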
@ -19,11 +19,12 @@
|
|||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro httpsslrules() -%}ssl verify none{%- endmacro -%}
|
{%- macro httpsslrules() -%}ssl verify none{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
|
{%- macro httpendpoints(servers=[], check=True, ssl=False, disabled=False) -%}
|
||||||
{%- for server in servers %}
|
{%- for server in servers %}
|
||||||
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
|
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}{{ " disabled" if server.disabled|default(False) }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
@ -44,10 +45,9 @@
|
|||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro admin() -%}
|
{%- macro admin() -%}
|
||||||
# Stats
|
# Stats Backend
|
||||||
listen stats
|
backend admin
|
||||||
mode http
|
mode http
|
||||||
bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
|
|
||||||
stats enable
|
stats enable
|
||||||
#stats hide-version
|
#stats hide-version
|
||||||
stats admin if TRUE
|
stats admin if TRUE
|
||||||
@ -55,7 +55,6 @@ listen stats
|
|||||||
stats show-modules
|
stats show-modules
|
||||||
stats show-legends
|
stats show-legends
|
||||||
stats uri /
|
stats uri /
|
||||||
monitor-uri /dead_or_alive
|
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro api() -%}
|
{%- macro api() -%}
|
||||||
@ -89,10 +88,6 @@ defaults
|
|||||||
{{ key }} {{ value }}
|
{{ key }} {{ value }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
{% if haproxy.config.admin.enable %}
|
|
||||||
{{ admin() }}
|
|
||||||
{%- endif %}
|
|
||||||
|
|
||||||
# Cache
|
# Cache
|
||||||
cache static
|
cache static
|
||||||
total-max-size 64
|
total-max-size 64
|
||||||
@ -121,29 +116,43 @@ frontend https
|
|||||||
mode http
|
mode http
|
||||||
option httplog
|
option httplog
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found
|
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(Host) -m str %H
|
||||||
acl robots_txt path /robots.txt
|
acl robots_txt path /robots.txt
|
||||||
acl path_host path /host
|
acl path_host path /host
|
||||||
acl path_date path /date
|
acl path_date path /date
|
||||||
|
{%- if haproxy.config.admin.enable %}
|
||||||
|
acl admin path /server-status
|
||||||
|
{%- endif %}
|
||||||
http-request set-var(req.src) src
|
http-request set-var(req.src) src
|
||||||
http-request set-var(req.host) req.hdr(host)
|
http-request set-var(req.host) req.hdr(host)
|
||||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||||
http-request track-sc0 var(req.accesshash) table per_ip_rates
|
http-request track-sc0 var(req.accesshash) table per_ip_rates
|
||||||
|
|
||||||
http-request capture req.hdr(User-Agent) len 200
|
http-request capture req.hdr(User-Agent) len 200
|
||||||
http-request capture req.hdr(Content-Type) len 200
|
http-request capture req.hdr(Content-Type) len 200
|
||||||
http-request capture req.hdr(Referer) len 200
|
http-request capture req.hdr(Referer) len 200
|
||||||
http-request capture sc_http_req_rate(0) len 4
|
http-request capture sc_http_req_rate(0) len 4
|
||||||
|
|
||||||
|
## DDoS
|
||||||
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
|
http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
|
||||||
|
|
||||||
|
## Returns
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
|
http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||||
|
|
||||||
|
## Headers
|
||||||
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
||||||
http-request set-header X-Proto https if { ssl_fc }
|
http-request set-header X-Proto https if { ssl_fc }
|
||||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||||
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
||||||
http-request deny deny_status 404 unless domains
|
http-request deny deny_status 404 unless domains
|
||||||
|
{%- if haproxy.config.admin.enable %}
|
||||||
|
use_backend admin if admin internal
|
||||||
|
{%- endif %}
|
||||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
||||||
|
monitor-uri /dead_or_alive
|
||||||
default_backend nginx
|
default_backend nginx
|
||||||
|
|
||||||
# HTTP Backends
|
# HTTP Backends
|
||||||
@ -196,3 +205,7 @@ listen {{ name }}
|
|||||||
default-server inter 3s fall 3
|
default-server inter 3s fall 3
|
||||||
{{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
|
{{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
|
||||||
{% endfor -%}
|
{% endfor -%}
|
||||||
|
|
||||||
|
{% if haproxy.config.admin.enable %}
|
||||||
|
{{ admin() }}
|
||||||
|
{%- endif %}
|
||||||
|
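Review bot: The stats page is now reachable through the public `https` frontend at `/server-status`, while `backend admin` keeps `stats admin if TRUE` and has no `stats auth`, so the only gate on changing server state is the source-address ACL in `use_backend admin if admin internal`. If this proxy sits behind another load balancer or NAT, or `maps/access` is broad, `src` no longer identifies an operator; I would add `stats auth <user>:<password>` (placeholders, values from pillar) to the backend and enable the commented-out `stats hide-version`. Separately, in the changed `acl domains` line the appended `req.hdr(Host) -m str %H` comes after `-m found`, where it is most likely parsed as ignored patterns rather than a second test, and `%H` is a log-format variable that is not expanded in ACL patterns. Because this ACL drives `http-request deny deny_status 404 unless domains`, a second line such as `acl domains req.hdr(Host) -m str {{ salt["grains.get"]("host") }}` would express the presumed intent explicitly.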