updated haproxy state

2022-12-09 23:47:23 +01:00 · 2022-12-09 23:47:23 +01:00 · dd0756186f
commit dd0756186f
parent 25ca5bbeac
2 changed files with 27 additions and 12 deletions
--- a/states/haproxy/service.sls
+++ b/states/haproxy/service.sls
@ -5,3 +5,5 @@ haproxy-service:
    - name: haproxy
    - enable: true
    - reload: true
+    - check_cmd:
+      - haproxy -f {{ haproxy.config.dir }}/{{ haproxy.config.configfile }} -c
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@ -19,11 +19,12 @@
 {%- endmacro -%}

 {%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
+
 {%- macro httpsslrules() -%}ssl verify none{%- endmacro -%}

-{%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
+{%- macro httpendpoints(servers=[], check=True, ssl=False, disabled=False) -%}
  {%- for server in servers %}
-  server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
+  server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}{{ " disabled" if server.disabled|default(False) }}
  {%- endfor %}
 {%- endmacro -%}

@ -44,10 +45,9 @@
 {%- endmacro -%}

 {%- macro admin() -%}
-# Stats
-listen stats
+# Stats Backend
+backend admin
  mode http
-  bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
  stats enable
  #stats hide-version
  stats admin if TRUE
@ -55,7 +55,6 @@ listen stats
  stats show-modules
  stats show-legends
  stats uri /
-  monitor-uri /dead_or_alive
 {%- endmacro -%}

 {%- macro api() -%}
@ -89,10 +88,6 @@ defaults
  {{ key }} {{ value }}
 {%- endfor %}

-{% if haproxy.config.admin.enable %}
-{{ admin() }}
-{%- endif %}
-
 # Cache
 cache static
  total-max-size 64
@ -121,29 +116,43 @@ frontend https
  mode http
  option httplog
  acl internal src -f {{ haproxy.config.dir }}/maps/access
-  acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found
+  acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(Host) -m str %H
  acl robots_txt path /robots.txt
  acl path_host path /host
  acl path_date path /date
+{%- if haproxy.config.admin.enable %}
+  acl admin path /server-status
+{%- endif %}
  http-request set-var(req.src) src
  http-request set-var(req.host) req.hdr(host)
  http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
  http-request track-sc0 var(req.accesshash) table per_ip_rates
+
  http-request capture req.hdr(User-Agent) len 200
  http-request capture req.hdr(Content-Type) len 200
  http-request capture req.hdr(Referer) len 200
  http-request capture sc_http_req_rate(0) len 4
+
+  ## DDoS
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
+
+  ## Returns
  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
  http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
  http-request return status 200 content-type text/html lf-string "%T\n" if path_date
+
+  ## Headers
  http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
  http-request set-header X-Proto https if { ssl_fc }
  log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
  http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
  http-request deny deny_status 404 unless domains
+{%- if haproxy.config.admin.enable %}
+  use_backend admin if admin internal
+{%- endif %}
  use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
+  monitor-uri /dead_or_alive
  default_backend nginx

 # HTTP Backends
@ -196,3 +205,7 @@ listen {{ name }}
  default-server inter 3s fall 3
  {{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}
 {% endfor -%}
+
+{% if haproxy.config.admin.enable %}
+{{ admin() }}
+{%- endif %}