167 lines
5.2 KiB
Django/Jinja
167 lines
5.2 KiB
Django/Jinja
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
|
{%- from "haproxy/map.jinja" import haproxy,certs with context %}
|
|
|
|
{%- macro internal() -%}
|
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
|
http-response return status 403 default-errorfiles if ! internal
|
|
{%- endmacro -%}
|
|
|
|
{%- macro head() -%}
|
|
http-request return status 200 if { method -i HEAD }
|
|
{%- endmacro -%}
|
|
|
|
{%- macro serverheader() -%}
|
|
http-response set-header server "{{ haproxy.config.servername }}"
|
|
{%- endmacro -%}
|
|
|
|
{%- macro endpoints(servers, check, ssl) -%}
|
|
{%- for server in servers %}
|
|
server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " check observe layer7 inter 2s fall 5 rise 5 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }}
|
|
{%- endfor %}
|
|
{%- endmacro -%}
|
|
|
|
{%- macro cache() -%}
|
|
http-request cache-use static if { path_end {{ haproxy.config.cache_file_types|join(" ") }} }
|
|
http-response cache-store static
|
|
{%- endmacro -%}
|
|
|
|
{%- macro compression() -%}
|
|
compression algo gzip
|
|
compression type {{ haproxy.config.gzip_mime_types|join(' ') }}
|
|
{%- endmacro -%}
|
|
|
|
{%- macro admin() -%}
|
|
# Stats
|
|
listen stats
|
|
mode http
|
|
bind *:7000,:::7000 v4v6
|
|
stats enable
|
|
stats refresh 5s
|
|
stats uri /
|
|
{%- endmacro -%}
|
|
|
|
{%- macro api() -%}
|
|
# Runtime API
|
|
stats socket {{ haproxy.config.api.tcpsocket }} level admin
|
|
stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin
|
|
{%- endmacro %}
|
|
|
|
# Global config
|
|
global
|
|
lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
|
|
{%- for file in haproxy.scripts %}
|
|
{%- if not file.lib %}
|
|
lua-load {{ haproxy.config.dir }}/{{ file.name }}
|
|
{%- endif %}
|
|
{%- endfor %}
|
|
{%- if haproxy.config.api.enable %}
|
|
{{ api() }}
|
|
{%- endif %}
|
|
maxconn 1000
|
|
ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
|
|
ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }}
|
|
ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
|
|
ssl-default-server-options {{ haproxy.config.ssl_options|join(" ") }}
|
|
crt-base {{ haproxy.config.acme_fullchains_dir }}
|
|
ssl-dh-param-file {{ haproxy.config.acme_dh_dir }}/dh.pem
|
|
|
|
# Defaults values
|
|
defaults
|
|
{%- for key, value in haproxy.config.defaults.items() %}
|
|
{{ key }} {{ value }}
|
|
{%- endfor %}
|
|
|
|
{%- if haproxy.config.admin %}
|
|
{{ admin() }}
|
|
{%- endif %}
|
|
|
|
# Cache
|
|
cache static
|
|
total-max-size 256
|
|
max-object-size 50000
|
|
max-age 120
|
|
|
|
# Per IP rates stick table
|
|
backend per_ip_rates
|
|
stick-table type string size 1m expire 10s store http_req_rate(10s)
|
|
|
|
# Default HTTP frontend
|
|
frontend http
|
|
bind *:80,:::80 v4v6
|
|
mode http
|
|
acl http ssl_fc,not
|
|
http-request redirect scheme https if http
|
|
|
|
# Default HTTPS frontend
|
|
frontend https
|
|
bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
|
|
mode http
|
|
option httplog
|
|
acl internal src -f {{ haproxy.config.dir }}/maps/access
|
|
http-request set-var(req.src) src
|
|
http-request set-var(req.host) req.hdr(host)
|
|
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
|
|
http-request track-sc0 var(req.accesshash) table per_ip_rates
|
|
http-request capture req.hdr(User-Agent) len 200
|
|
http-request capture req.hdr(Content-Type) len 200
|
|
http-request capture req.hdr(Referer) len 200
|
|
http-request capture sc_http_req_rate(0) len 4
|
|
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal
|
|
http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
|
|
http-request set-header X-Proto https if { ssl_fc }
|
|
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
|
|
http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found }
|
|
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
|
|
default_backend nginx
|
|
|
|
# HTTP Backends
|
|
{% for name, values in haproxy.config.vhosts.items() %}
|
|
{%- if not values.redirect|default(false) %}
|
|
backend {{ name }}
|
|
balance {{ values.balance|default("roundrobin") }}
|
|
mode http
|
|
option forwardfor
|
|
{%- if values.check|default(false) %}
|
|
option httpchk
|
|
{%- for step in values.check_steps|default([]) %}
|
|
http-check {{ step }}
|
|
{%- endfor %}
|
|
{%- endif %}
|
|
{%- if values.head|default(false) %}
|
|
{{ head() }}
|
|
{%- endif %}
|
|
|
|
{%- if values.compression|default(true) %}
|
|
{{ compression() }}
|
|
{%- endif %}
|
|
|
|
{%- if values.usecache|default(true) %}
|
|
{{ cache() }}
|
|
{%- endif %}
|
|
|
|
{%- if values.serverheader|default(true) %}
|
|
{{ serverheader() }}
|
|
{%- endif %}
|
|
|
|
{%- if values.internal|default(false) %}
|
|
{{ internal() }}
|
|
{%- endif %}
|
|
{{- endpoints(values.servers, values.check, values.ssl) }}
|
|
{%- endif %}
|
|
{% endfor %}
|
|
|
|
# TCP services
|
|
{% for name, values in haproxy.config.services.items() %}
|
|
listen {{ name }}
|
|
bind *:{{ values.port }},:::{{ values.port }} v4v6
|
|
mode tcp
|
|
option tcplog
|
|
{%- if values.type == "postgres" %}
|
|
option pgsql-check user postgres
|
|
{%- endif %}
|
|
default-server inter 3s fall 3
|
|
{%- for server in values.servers %}
|
|
server {{ server.name }} {{ server.name }}:{{ server.port }} check {{ "backup" if server.backup|default(false) }} port {{ server.port }}
|
|
{%- endfor %}
|
|
{% endfor -%}
|