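## Static HAProxy settings; nothing in this part depends on template data.
## Lines starting with "##" are Mako comments and are not written to the
## rendered configuration; lines starting with a single "#" are.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    ## Admin-level runtime socket. Mode 660 limits it to the socket's owner and
    ## group, so membership of that group is equivalent to control of the
    ## running proxy.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    tune.ssl.default-dh-param 2048
    ## NOTE(review): both cipher lists below end at the same length
    ## ("...:ECDH" and "...:EC"), which looks like truncation - confirm the
    ## complete lists before this template is used.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
    ## NOTE(review): only SSLv3 is switched off here, so TLS 1.0/1.1 stay
    ## negotiable unless the TLS library already refuses them. If no legacy
    ## clients need them, consider adding no-tlsv10 no-tlsv11 - confirm first.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
    ssl-default-server-options no-sslv3 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    ## Timeout values without a unit are milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    ## Bound the time a client may take to send a complete request header.
    ## Without this, only "timeout client" applies between chunks, so a client
    ## that trickles header bytes can hold a connection open indefinitely.
    ## 10s is a starting value; tune it for the slowest legitimate clients.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
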
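## Render one "frontend" section per entry of config['frontends'].
## Values taken from `config` are written into the output verbatim, so a value
## containing spaces or newlines would add keywords or whole directives.
## Presumably `config` only ever comes from an operator-controlled source -
## confirm against the caller.
% for frontend in config.get('frontends', []):
frontend ${frontend['name']}
    ## One bind line per listener; with 'ssl' set, every entry of 'certs'
    ## becomes a "crt" argument (relative names resolve against crt-base).
    % for bind in frontend['bind']:
    bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''}
    % endfor

    mode ${frontend.get('mode', 'http')}

    % if frontend.get('mode', 'http') == 'http':
    ## forwardfor appends the client address as a new X-Forwarded-For header;
    ## anything the client sent itself is left in place, so backends should
    ## trust only the last value.
    option forwardfor
    option http-server-close
    ## set-header replaces any X-Forwarded-Proto supplied by the client.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    % endif

    % if frontend.get('stats') and frontend['stats'].get('enable', False):
    ## NOTE(review): no "stats auth" is rendered, so the statistics page at
    ## this URI (default "/") is readable by any client this frontend accepts -
    ## confirm that is intended.
    stats enable
    stats uri ${frontend['stats'].get('uri', '/')}
    % endif

    ## Every entry adds one more source pattern to the same ACL name; HAProxy
    ## ORs ACLs that share a name.
    % for restriction in frontend.get('restrict', []):
    acl network_allowed src ${restriction}
    % endfor

    % if frontend.get('restrict', None):
        % if frontend.get('mode', 'http') == 'http':
    http-request deny if !network_allowed
        % else:
    ## HAProxy does not apply http-request rules on a frontend that is not in
    ## HTTP mode, so the allow-list is enforced at connection level here.
    tcp-request connection reject if !network_allowed
        % endif
    % endif

    % if not frontend.get('multiple', False):
    # SSL
        % if frontend.get('force_ssl', False):
    redirect scheme https if !{ ssl_fc }
        % endif

    # Backend
        % if frontend.get('backends'):
    use_backend ${frontend['name']}
        % endif
    % else:
    ## Virtual-host mode: one ACL per proxied host, named after the host and
    ## matching the Host header case-insensitively.
    ## NOTE(review): hdr(host) and redirect need HTTP mode; presumably
    ## 'multiple' is only combined with mode http - confirm.
    # Determine which virtual host is being requested
        % for project in frontend['projects']:
    # ${project}
            % for proxy in frontend['projects'][project]['proxies']:
    acl ${proxy['host']} hdr(host) -i ${proxy['host']}
            % endfor

        % endfor

    ## The redirect rules are rendered once; repeating the same rule for a host
    ## adds nothing.
    # Redirect SSL
        % for project in frontend['projects']:
    # ${project}
            % for proxy in frontend['projects'][project]['proxies']:
                % if proxy.get('force_ssl', False):
    redirect scheme https if !{ ssl_fc } ${proxy['host']}
                % endif
            % endfor

        % endfor

    ## Backend names follow "<frontend>_<project>_<host>", the same pattern the
    ## backend sections are rendered with.
    # Select backend
        % for project in frontend['projects']:
    # ${project}
            % for proxy in frontend['projects'][project]['proxies']:
    use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']}
            % endfor

        % endfor
    % endif

% endfor
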
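#
# BACKENDS
#
## backend(name, definition): render one "backend" section.
##   name       - written after the "backend" keyword
##   definition - mapping read for 'balance' (default "leastconn"), 'cookie'
##                (truthy enables cookie persistence) and 'backends' (sequence
##                of mappings with 'host' and 'port')
<%def name="backend(name, definition)">
backend ${name}
    balance ${definition.get('balance', 'leastconn')}
    mode http
    % if definition.get('cookie', False):

    ## Cookie persistence: the cookie value is the server's position in
    ## 'backends', so reordering that list re-maps existing clients.
    ## NOTE(review): the cookie is inserted without "httponly" or "secure";
    ## consider adding them where every client connection is HTTPS.
    cookie serverid insert indirect nocache
    % endif

    ## A definition without 'backends' renders a section with no servers
    ## instead of failing on enumerate(None).
    % for index, server in enumerate(definition.get('backends') or []):
    ## The server's name and its address are both "<host>:<port>".
    server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''}
    % endfor
</%def>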
## Render the backend sections the frontends refer to: one section per proxy
## of every project for a 'multiple' frontend, otherwise a single section
## named after the frontend when it lists 'backends'.
% for frontend in config.get('frontends', []):
    % if frontend.get('multiple', False):
        % for project, spec in frontend['projects'].items():
# ${project}
            % for proxy in spec['proxies']:
${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}

            % endfor
        % endfor
    % elif frontend.get('backends'):
${backend(frontend['name'], frontend)}
    % endif
% endfor