parent
8ca47b2f12
commit
ebf74d4df6
@ -45,7 +45,7 @@ haproxy:
|
|||||||
port: 7000
|
port: 7000
|
||||||
api:
|
api:
|
||||||
enable: true
|
enable: true
|
||||||
filesocket: /var/run/haproxy-admin.sock
|
filesocket: /var/run/haproxy.sock
|
||||||
tcpsocket: ipv4@127.0.0.1:9990
|
tcpsocket: ipv4@127.0.0.1:9990
|
||||||
acme_dir: /etc/acme
|
acme_dir: /etc/acme
|
||||||
acme_fullchains_dir: /etc/acme/fullchains
|
acme_fullchains_dir: /etc/acme/fullchains
|
||||||
|
@ -25,13 +25,6 @@ haproxy-config-script-dir:
|
|||||||
- group: {{ haproxy.config.group }}
|
- group: {{ haproxy.config.group }}
|
||||||
- mode: "0700"
|
- mode: "0700"
|
||||||
|
|
||||||
haproxy-config-mods-dir:
|
|
||||||
file.directory:
|
|
||||||
- name: {{ haproxy.config.dir }}/mods
|
|
||||||
- user: {{ haproxy.config.user }}
|
|
||||||
- group: {{ haproxy.config.group }}
|
|
||||||
- mode: "0700"
|
|
||||||
|
|
||||||
{% for file in haproxy.scripts %}
|
{% for file in haproxy.scripts %}
|
||||||
haproxy-script-{{ file.name }}:
|
haproxy-script-{{ file.name }}:
|
||||||
file.managed:
|
file.managed:
|
||||||
|
@ -2,6 +2,6 @@
|
|||||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
{%- if values.redirect|default(false) %}
|
{%- if values.redirect|default(false) %}
|
||||||
{{ name }} {{ values.redirect }}
|
{{ values.host }} {{ values.redirect }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
@ -2,6 +2,6 @@
|
|||||||
{%- from "haproxy/map.jinja" import haproxy with context %}
|
{%- from "haproxy/map.jinja" import haproxy with context %}
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
{%- if not values.redirect|default(false) %}
|
{%- if not values.redirect|default(false) %}
|
||||||
{{ name }} {{ name }}
|
{{ values.host }} {{ name }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
@ -1,14 +1,9 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
|
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
|
||||||
|
|
||||||
{%- set fqdn = salt["grains.get"]("fqdn") %}
|
|
||||||
{%- set default_backend = "test" %}
|
|
||||||
{% set ns = namespace(default_backend='notdefined') %}
|
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %}
|
|
||||||
|
|
||||||
{%- macro internal() -%}
|
{%- macro internal() -%}
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
http-response return status 403 content-type text/html string "403 forbidden" if ! internal
|
http-response return status 403 default-errorfiles if ! internal
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro head() -%}
|
{%- macro head() -%}
|
||||||
@ -16,7 +11,7 @@
|
|||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro statusresponses() -%}
|
{%- macro statusresponses() -%}
|
||||||
http-response return status 404 content-type text/html string "404 not found" if { status 404 }
|
http-response return content-type text/html string "404 not found" if { status 404 }
|
||||||
{%- endmacro -%}
|
{%- endmacro -%}
|
||||||
|
|
||||||
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
{%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
|
||||||
@ -65,7 +60,6 @@ backend admin from {{ haproxy.config.namespace }}
|
|||||||
|
|
||||||
# Global config
|
# Global config
|
||||||
global
|
global
|
||||||
lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath
|
|
||||||
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
||||||
{%- for file in haproxy.scripts %}
|
{%- for file in haproxy.scripts %}
|
||||||
{%- if not file.lib %}
|
{%- if not file.lib %}
|
||||||
@ -103,21 +97,11 @@ backend per_ip_rates from {{ haproxy.config.namespace }}
|
|||||||
frontend http from {{ haproxy.config.namespace }}
|
frontend http from {{ haproxy.config.namespace }}
|
||||||
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
|
bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
|
||||||
mode http
|
mode http
|
||||||
|
|
||||||
## ACLs
|
|
||||||
acl http ssl_fc,not
|
acl http ssl_fc,not
|
||||||
acl self_host req.hdr(Host) {{ fqdn }}
|
acl path_host path /host
|
||||||
acl path_root path -m dir /
|
acl path_date path /date
|
||||||
acl path_host path -m dir /host
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
acl path_date path -m dir /date
|
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||||
acl path_srchash path -m dir /srchash
|
|
||||||
|
|
||||||
## Basic rules
|
|
||||||
http-request set-var(txn.srchash) src,crc32,mod(100)
|
|
||||||
http-request set-var(txn.httpdate) date,http_date()
|
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
|
|
||||||
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
|
|
||||||
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
|
|
||||||
http-request redirect scheme https if http
|
http-request redirect scheme https if http
|
||||||
|
|
||||||
# Default HTTPS frontend
|
# Default HTTPS frontend
|
||||||
@ -126,21 +110,12 @@ frontend https from {{ haproxy.config.namespace }}
|
|||||||
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
#bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
||||||
mode http
|
mode http
|
||||||
option httplog
|
option httplog
|
||||||
|
|
||||||
## ACLs
|
|
||||||
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
||||||
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
|
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
|
||||||
acl robots_txt path /robots.txt
|
acl robots_txt path /robots.txt
|
||||||
acl self_host req.hdr(Host) {{ fqdn }}
|
|
||||||
acl path_root path /
|
|
||||||
acl path_host path /host
|
acl path_host path /host
|
||||||
acl path_date path /date
|
acl path_date path /date
|
||||||
acl path_srchash path /srchash
|
acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
|
||||||
|
|
||||||
## Basic rules
|
|
||||||
http-request set-var(txn.random) rand,mul(5)
|
|
||||||
http-request set-var(txn.httpdate) date,http_date()
|
|
||||||
http-request set-var(txn.srchash) src,crc32,mod(100)
|
|
||||||
http-request set-var(req.src) src
|
http-request set-var(req.src) src
|
||||||
http-request set-var(req.host) req.hdr(Host)
|
http-request set-var(req.host) req.hdr(Host)
|
||||||
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
||||||
@ -156,27 +131,26 @@ frontend https from {{ haproxy.config.namespace }}
|
|||||||
|
|
||||||
## Returns
|
## Returns
|
||||||
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
|
http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
|
||||||
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
|
http-request return status 200 content-type text/html lf-string "%H\n" if path_host
|
||||||
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
|
http-request return status 200 content-type text/html lf-string "%T\n" if path_date
|
||||||
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
|
|
||||||
|
|
||||||
## Headers
|
## Headers
|
||||||
http-request set-header X-Proxy-Id "%H"
|
http-request set-header X-Proxy-Id "%H"
|
||||||
http-request set-header X-Proto https if { ssl_fc }
|
http-request set-header X-Proto https if { ssl_fc }
|
||||||
|
|
||||||
http-response set-header Date "%[var(txn.httpdate)]"
|
http-response set-header Date "%[date,http_date()]"
|
||||||
http-response set-header Server "{{ haproxy.config.servername }}"
|
http-response set-header Server "{{ haproxy.config.servername }}"
|
||||||
http-response set-header X-Random "%[var(txn.random)]"
|
http-response set-header X-Random "%[rand,mul(5)]"
|
||||||
|
|
||||||
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
||||||
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
|
||||||
http-request deny deny_status 404 unless domains
|
http-request deny deny_status 404 unless domains
|
||||||
{%- if haproxy.config.admin.enable %}
|
{%- if haproxy.config.admin.enable %}
|
||||||
use_backend admin if self_host internal path_root
|
use_backend admin if admin internal
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)]
|
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
||||||
monitor-uri /dead_or_alive
|
monitor-uri /dead_or_alive
|
||||||
default_backend {{ ns.default_backend }}
|
default_backend nginx
|
||||||
|
|
||||||
# HTTP Backends
|
# HTTP Backends
|
||||||
{%- for name, values in haproxy.config.vhosts.items() %}
|
{%- for name, values in haproxy.config.vhosts.items() %}
|
||||||
|
@ -6,4 +6,4 @@
|
|||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{%- for hostname in salt['pillar.get']('mail:hostnames') %}
|
{%- for hostname in salt['pillar.get']('mail:hostnames') %}
|
||||||
{{ hostname }}
|
{{ hostname }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
@ -10,7 +10,7 @@ opendkim-config-dir:
|
|||||||
opendkim-configuration-key:
|
opendkim-configuration-key:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ opendkim.config.dir }}/{{ opendkim.config.key.name }}
|
- name: {{ opendkim.config.dir }}/{{ opendkim.config.key.name }}
|
||||||
- source: salt://opendkim/templates/key.j2
|
- source: salt://opendkim/key.j2
|
||||||
- user: {{ opendkim.config.user }}
|
- user: {{ opendkim.config.user }}
|
||||||
- group: {{ opendkim.config.group }}
|
- group: {{ opendkim.config.group }}
|
||||||
- mode: 600
|
- mode: 600
|
||||||
@ -21,7 +21,7 @@ opendkim-configuration-key:
|
|||||||
opendkim-trusted-hosts:
|
opendkim-trusted-hosts:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ opendkim.config.dir }}/TrustedHosts
|
- name: {{ opendkim.config.dir }}/TrustedHosts
|
||||||
- source: salt://opendkim/templates/TrustedHosts.j2
|
- source: salt://opendkim/TrustedHosts.j2
|
||||||
- user: {{ opendkim.config.user }}
|
- user: {{ opendkim.config.user }}
|
||||||
- group: {{ opendkim.config.group }}
|
- group: {{ opendkim.config.group }}
|
||||||
- mode: 644
|
- mode: 644
|
||||||
@ -32,7 +32,7 @@ opendkim-trusted-hosts:
|
|||||||
opendkim-service-defaults:
|
opendkim-service-defaults:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ opendkim.config.default_file }}
|
- name: {{ opendkim.config.default_file }}
|
||||||
- source: salt://opendkim/templates/service_defaults.j2
|
- source: salt://opendkim/service_defaults.j2
|
||||||
- user: {{ opendkim.config.user }}
|
- user: {{ opendkim.config.user }}
|
||||||
- group: {{ opendkim.config.group }}
|
- group: {{ opendkim.config.group }}
|
||||||
- mode: 644
|
- mode: 644
|
||||||
@ -43,7 +43,7 @@ opendkim-service-defaults:
|
|||||||
opendkim-config-file:
|
opendkim-config-file:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ opendkim.config.file }}
|
- name: {{ opendkim.config.file }}
|
||||||
- source: salt://opendkim/templates/opendkim.conf.j2
|
- source: salt://opendkim/opendkim.conf.j2
|
||||||
- user: {{ opendkim.config.user }}
|
- user: {{ opendkim.config.user }}
|
||||||
- group: {{ opendkim.config.group }}
|
- group: {{ opendkim.config.group }}
|
||||||
- mode: 644
|
- mode: 644
|
||||||
|
@ -1,9 +1,6 @@
|
|||||||
---
|
---
|
||||||
opendkim:
|
opendkim:
|
||||||
enabled: true
|
enabled: true
|
||||||
pkgs:
|
|
||||||
- opendkim
|
|
||||||
- opendkim-tools
|
|
||||||
config:
|
config:
|
||||||
dir: '/etc/opendkim'
|
dir: '/etc/opendkim'
|
||||||
file: '/etc/opendkim.conf'
|
file: '/etc/opendkim.conf'
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
{%- from "opendkim/map.jinja" import opendkim with context %}
|
||||||
include:
|
include:
|
||||||
- .install
|
- .install
|
||||||
- .config
|
- .config
|
||||||
|
@ -2,4 +2,6 @@
|
|||||||
{%- from "opendkim/map.jinja" import opendkim with context %}
|
{%- from "opendkim/map.jinja" import opendkim with context %}
|
||||||
opendkim-pkg:
|
opendkim-pkg:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
- pkgs: {{ opendkim.pkgs }}
|
- pkgs:
|
||||||
|
- opendkim
|
||||||
|
- opendkim-tools
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
{%- from "opendkim/map.jinja" import opendkim with context -%}
|
{%- from "opendkim/map.jinja" import opendkim with context -%}
|
||||||
{{ opendkim.config.key.content }}
|
{{ opendkim.config.key.content }}
|
@ -20,4 +20,4 @@ PidFile {{ opendkim.config.pid_file }}
|
|||||||
Socket inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}
|
Socket inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}
|
||||||
|
|
||||||
ReportAddress {{ opendkim.config.notify_addr }}
|
ReportAddress {{ opendkim.config.notify_addr }}
|
||||||
SendReports {{ opendkim.config.notify_report }}
|
SendReports {{ opendkim.config.notify_report }}
|
@ -1,2 +1,2 @@
|
|||||||
{%- from "opendkim/map.jinja" import opendkim with context %}
|
{%- from "opendkim/map.jinja" import opendkim with context %}
|
||||||
SOCKET="inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}"
|
SOCKET="inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}"
|
Loading…
Reference in New Issue
Block a user