parent
a434363727
commit
16e9dce12b
@ -0,0 +1 @@ |
||||
../roles/core/files/root-dotfiles |
@ -0,0 +1,13 @@ |
||||
--- |
||||
- hosts: load-balancers |
||||
become: yes |
||||
become_method: sudo |
||||
roles: |
||||
# - common |
||||
#- core |
||||
#- static-ipv6 |
||||
#- generate-hosts |
||||
#- auth |
||||
#- csc-packages |
||||
- load-balancer |
||||
- cleanup |
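Review bot: The commented-out `common`/`core`/`auth`/`csc-packages` roles on lines 20-30 mean hosts in `load-balancers` receive none of the baseline configuration the other roles presumably apply (host setup and authentication, judging by the names), and nothing in the playbook says whether this is temporary or deliberate. A one-line comment above the list would stop the omission from becoming permanent by accident, e.g. `# TODO: core/auth/static-ipv6/csc-packages are disabled until verified on the LB hosts; re-enable before these take production traffic`. `become_method: sudo` is also Ansible's default and can be dropped unless the repo sets a different default elsewhere.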
@ -0,0 +1,75 @@ |
||||
global |
||||
log /dev/log local0 |
||||
log /dev/log local1 notice |
||||
chroot /var/lib/haproxy |
||||
stats socket /run/haproxy/admin.sock mode 660 level admin |
||||
stats timeout 30s |
||||
user haproxy |
||||
group haproxy |
||||
daemon |
||||
|
||||
# Default SSL material locations |
||||
ca-base /etc/ssl/certs |
||||
crt-base /etc/ssl/private |
||||
|
||||
# Default ciphers to use on SSL-enabled listening sockets. |
||||
# For more information, see ciphers(1SSL). This list is from: |
||||
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
||||
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS |
||||
#ssl-default-bind-options no-sslv3 |
||||
|
||||
tune.ssl.default-dh-param 2048 |
||||
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS |
||||
ssl-default-bind-options no-sslv3 no-tls-tickets |
||||
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS |
||||
ssl-default-server-options no-sslv3 no-tls-tickets |
||||
|
||||
|
||||
defaults |
||||
log global |
||||
mode http |
||||
option httplog |
||||
option dontlognull |
||||
timeout connect 5000 |
||||
timeout client 50000 |
||||
timeout server 50000 |
||||
errorfile 400 /etc/haproxy/errors/400.http |
||||
errorfile 403 /etc/haproxy/errors/403.http |
||||
errorfile 408 /etc/haproxy/errors/408.http |
||||
errorfile 500 /etc/haproxy/errors/500.http |
||||
errorfile 502 /etc/haproxy/errors/502.http |
||||
errorfile 503 /etc/haproxy/errors/503.http |
||||
errorfile 504 /etc/haproxy/errors/504.http |
||||
|
||||
frontend ssh |
||||
bind :2222 |
||||
mode tcp |
||||
default_backend ssh-backend |
||||
|
||||
frontend http |
||||
bind :::80 v4v6 |
||||
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem |
||||
mode http |
||||
default_backend http-backend |
||||
|
||||
stats enable |
||||
stats uri /status |
||||
|
||||
backend ssh-backend |
||||
balance roundrobin |
||||
mode tcp |
||||
|
||||
server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22 |
||||
server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22 |
||||
server sucrose sucrose.csclub.uwaterloo.ca check port 22 |
||||
|
||||
backend http-backend |
||||
balance leastconn |
||||
mode http |
||||
option forwardfor |
||||
|
||||
cookie SERVERID insert indirect nocache |
||||
|
||||
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00 |
||||
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01 |
||||
|
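Review bot: `stats enable` / `stats uri /status` are placed on the public `http` frontend with no `stats auth` and no ACL, so any client on port 80 or 443 can read backend names, server hostnames, health state and session counts. At minimum add `stats auth <user>:<secret>` under those two lines, or better move them to a dedicated `listen stats` section bound to a non-public address instead of the Internet-facing frontend. The bind and server cipher lists also keep `DES-CBC3-SHA`/`EDH-RSA-DES-CBC3-SHA` (3DES) and the non-forward-secret `AES*-SHA*` suites while only SSLv3 is disabled; if legacy clients are not a requirement, dropping the 3DES suites and using `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets` is the usual hardening. If the site is meant to be HTTPS-only, the plaintext `:::80` bind currently serves the same backend rather than issuing `http-request redirect scheme https`.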
@ -0,0 +1,49 @@ |
||||
--- |
||||
|
||||
# HAPROXY |
||||
- name: Install haproxy |
||||
package: |
||||
name: haproxy |
||||
state: latest |
||||
|
||||
- name: Copy haproxy configuration |
||||
copy: |
||||
src: haproxy.cfg |
||||
dest: /etc/haproxy/haproxy.cfg |
||||
backup: no |
||||
register: haproxy_configuration |
||||
|
||||
- name: Restart haproxy |
||||
service: |
||||
name: haproxy |
||||
state: restarted |
||||
when: haproxy_configuration.changed |
||||
|
||||
- name: Ensure that haproxy is running |
||||
service: |
||||
name: haproxy |
||||
state: running |
||||
|
||||
# KEEPALIVED |
||||
- name: Install keepalived |
||||
package: |
||||
name: keepalived |
||||
state: latest |
||||
|
||||
- name: Copy keepalived config |
||||
template: |
||||
src: keepalived.conf |
||||
dest: /etc/keepalived/keepalived.conf |
||||
backup: no |
||||
register: keepalived_configuration |
||||
|
||||
- name: Restart keepalived |
||||
service: |
||||
name: keepalived |
||||
state: restarted |
||||
when: keepalived_configuration.changed |
||||
|
||||
- name: Ensure keepalived is running |
||||
service: |
||||
name: keepalived |
||||
state: running |
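Review bot: The `Copy haproxy configuration` task writes `/etc/haproxy/haproxy.cfg` with no `validate`, and the following task does a hard `state: restarted`, so a syntax error in the config takes the load balancer down on the first run with the old process already gone. Add `validate: haproxy -c -f %s` to that `copy:` task so a broken file is rejected before it lands, and use `state: reloaded` for haproxy so in-flight connections survive a config change. `state: latest` on both package tasks also upgrades haproxy and keepalived on every unrelated run (Debian-style packaging usually restarts the service on upgrade); `state: present` keeps runs idempotent, with upgrades done deliberately.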
@ -0,0 +1,23 @@ |
||||
global_defs { |
||||
notification_email { |
||||
ztseguin+notifications@csclub.uwaterloo.ca |
||||
} |
||||
notification_email_from load-balancer@csclub.uwaterloo.ca |
||||
} |
||||
|
||||
! load-balancer.csclub.uwaterloo.ca |
||||
vrrp_instance VI_10 { |
||||
state MASTER |
||||
interface eth0 |
||||
virtual_router_id 10 |
||||
priority {{ lb_priority }} |
||||
advert_int 1 |
||||
authentication { |
||||
auth_type PASS |
||||
auth_pass CSC_VRRP |
||||
} |
||||
virtual_ipaddress { |
||||
129.97.134.10 |
||||
2620:101:f000:4901:c5c::10ad |
||||
} |
||||
} |
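Review bot: `auth_pass CSC_VRRP` is a guessable, cleartext VRRP password committed to the repo; `auth_type PASS` is sent unencrypted on the wire and does not stop another host on the same segment from advertising a higher priority for `virtual_router_id 10` and taking over 129.97.134.10 and the v6 VIP. Since this file is rendered by `template:`, at least move the secret into a vaulted variable, `auth_pass {{ vrrp_auth_pass }}`, alongside `lb_priority`. What actually limits who can join the VRRP group is `unicast_peer { <other LB address> }` so adverts are not multicast, plus filtering IP protocol 112 on the LB hosts or switch to the two peers. It is also worth confirming that the deployed keepalived version accepts an IPv4 and an IPv6 VIP in the same `vrrp_instance`, as older releases require separate instances per address family.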