ansible-playbooks/roles/load-balancer/files/haproxy/haproxy.cfg.mako


global
# Syslog via /dev/log: everything to local0, notice-and-above also to local1.
log /dev/log local0
log /dev/log local1 notice
# Runtime hardening: chroot and drop to the haproxy user/group after startup.
chroot /var/lib/haproxy
# Admin-level runtime API socket; mode 660 restricts it to the socket's owner and group.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.ssl.default-dh-param 2048
# NOTE(review): both cipher lists below look cut off in this rendering ('...ECDH',
# '...EC'); the real file must carry a complete, colon-separated list.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
# Only SSLv3 is disabled here, so TLS 1.0/1.1 stay negotiable unless the HAProxy
# build's defaults say otherwise; 'ssl-min-ver TLSv1.2' would pin the floor explicitly.
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option httplog
# Do not log connections that carried no data (e.g. bare TCP health probes).
option dontlognull
# Timeouts without a unit are milliseconds: 5 s to connect, 50 s client/server idle.
timeout connect 5000
timeout client 50000
timeout server 50000
# NOTE(review): no 'timeout http-request' is set, so a client can trickle request
# headers for the whole client timeout before HAProxy gives up on it.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
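## One HAProxy frontend per entry in config['frontends'] (absent key renders
## no frontends instead of failing on None, matching the backend loop below).
## Each frontend gets its bind lines, mode, optional stats page, optional
## source-IP allow list, then either a single backend or per-host selection.
% for frontend in config.get('frontends', []):
frontend ${frontend['name']}
## bind: host:port, optional 'v4v6', optional 'ssl crt <cert> [crt <cert> ...]'.
% for bind in frontend['bind']:
bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''}
% endfor
mode ${frontend.get('mode', 'http')}
% if frontend.get('mode', 'http') == 'http':
## forwardfor appends the peer address to X-Forwarded-For; upstreams should only
## trust the last entry, since earlier ones can be supplied by the client.
option forwardfor
option http-server-close
## X-Forwarded-Proto reflects whether this frontend terminated TLS (ssl_fc).
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
% endif
% if frontend.get('stats') and frontend['stats'].get('enable', False):
## NOTE(review): stats is enabled without 'stats auth'; only the optional
## 'restrict' list below limits who can reach it — confirm that is intended.
stats enable
stats uri ${frontend['stats'].get('uri', '/')}
% endif
## Source-IP allow list: one ACL entry per configured network, deny the rest.
## 'src' is the TCP peer address, so behind another proxy this sees that proxy.
% for restriction in frontend.get('restrict', []):
acl network_allowed src ${restriction}
% endfor
% if frontend.get('restrict', None):
http-request deny if !network_allowed
% endif
% if not frontend.get('multiple', False):
# SSL
## A force_ssl frontend needs an ssl bind as well, otherwise every request is
## redirected back to itself.
% if frontend.get('force_ssl', False):
redirect scheme https if !{ ssl_fc }
% endif
# Backend
% if frontend.get('backends'):
use_backend ${frontend['name']}
% endif
% else:
# Determine which virtual host is being requested
## ACL name and match value are both the configured host; the Host header must
## equal it (case-insensitive), so a Host value carrying a port will not match.
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
acl ${proxy['host']} hdr(host) -i ${proxy['host']}
% endfor
% endfor
# Redirect SSL
## Two ACLs on one 'if' are ANDed: plain-HTTP request for this host -> redirect.
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
% if proxy.get('force_ssl', False):
redirect scheme https if !{ ssl_fc } ${proxy['host']}
% endif
% endfor
% endfor
# Select backend
## Backend names here must match those rendered by the backend() def below.
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']}
% endfor
% endfor
% endif
% endfor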
#
# BACKENDS
#
## Render one HAProxy backend.
##   name       - backend name; must match the use_backend line in the frontend.
##   definition - dict with 'backends' (list of {host, port}) and optional
##                'balance' (default leastconn) and 'cookie' (sticky sessions).
## definition['backends'] must be present: .get() without a default hands None
## to enumerate() and the template fails at render time.
<%def name="backend(name, definition)">
backend ${name}
balance ${definition.get('balance', 'leastconn')}
mode http
% if definition.get('cookie', False):
## Inserts a 'serverid' stickiness cookie. NOTE(review): no 'secure'/'httponly'
## attributes are set on it — consider adding them for TLS-only frontends.
cookie serverid insert indirect nocache
% endif
## Server name is host:port (must be unique within the backend); every server is
## health-checked and, when stickiness is on, its list index becomes the cookie value.
% for index, server in enumerate(definition.get('backends')):
server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''}
% endfor
</%def>
## Emit the backends the frontends refer to:
##  - a frontend without 'multiple' and with 'backends': one backend named after
##    the frontend, matching its use_backend line;
##  - a 'multiple' frontend: one backend per proxy, named <frontend>_<project>_<host>,
##    matching the per-virtual-host use_backend lines.
% for frontend in config.get('frontends', []):
% if not frontend.get('multiple', False) and frontend.get('backends'):
${backend(frontend['name'], frontend)}
% elif frontend.get('multiple', False):
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
## Each proxy entry supplies its own 'backends' list to backend().
${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}
% endfor
% endfor
% endif
% endfor