| {%- from "haproxy/map.jinja" import proxy with context -%} |
| |
| global |
| {%- if proxy.nbproc is defined %} |
| nbproc {{ proxy.nbproc }} |
| {%- endif %} |
| {%- for process, cpu in proxy.get('cpu_map', {}).iteritems() %} |
| cpu-map {{ process }} {{ cpu }} |
| {%- endfor %} |
| log /dev/log local0 |
| log /dev/log local1 notice |
| chroot /var/lib/haproxy |
| stats socket {{ proxy.stats_socket }} mode 660 level admin |
| stats timeout 30s |
| {%- if proxy.stats_bind_process is defined %} |
| stats bind-process {{ proxy.stats_bind_process }} |
| {%- endif %} |
| user haproxy |
| group haproxy |
| daemon |
| pidfile /var/run/haproxy.pid |
| spread-checks 4 |
| tune.maxrewrite 1024 |
| tune.bufsize 32768 |
| maxconn 16000 |
| {%- if salt['pkg.version']('haproxy')[:3] >= '1.6' %} |
| # SSL options |
| ca-base /etc/haproxy/ssl |
| crt-base /etc/haproxy/ssl |
| tune.ssl.default-dh-param 2048 |
| ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS |
| ssl-default-bind-options no-sslv3 no-tls-tickets |
| ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS |
| ssl-default-server-options no-sslv3 no-tls-tickets |
| {%- endif %} |
| |
| defaults |
| log global |
| mode http |
| |
| maxconn {{ proxy.maxconn|default(8000) }} |
| {%- if proxy.get('forwardfor', {}).enabled|default(False) %} |
| option forwardfor{% if proxy.forwardfor.get('except', False) %} except {{proxy.forwardfor.except}}{% endif %}{% if proxy.forwardfor.get('header', False) %} header {{proxy.forwardfor.header}}{% endif %}{% if proxy.forwardfor.get('if-none') %} if-none{% endif %} |
| {%- endif %} |
| option redispatch |
| retries {{ proxy.retries|default(3) }} |
| stats enable |
| |
| timeout http-request {{ proxy.get('timeout', {}).get('http-request','10s') }} |
| timeout queue {{ proxy.get('timeout', {}).get('queue', '1m') }} |
| timeout connect {{ proxy.get('timeout', {}).get('connect', '10s') }} |
| timeout client {{ proxy.get('timeout', {}).get('client', '1m') }} |
| timeout server {{ proxy.get('timeout', {}).get('server', '1m') }} |
| timeout check {{ proxy.get('timeout', {}).get('check', '10s') }} |
| |
| {%- if proxy.get('listen') is mapping and proxy.listen.admin_page is defined and proxy.listen.admin_page.user is defined %} |
| |
| userlist STATSUSERS |
| group admin users admin |
| user {{ proxy.listen.admin_page.user }} insecure-password {{ proxy.listen.admin_page.password }} |
| user stats insecure-password {{ proxy.listen.admin_page.password }} |
| {# |
| {%- for listen_name, listen in proxy.get('listen', {}).iteritems() %} |
| {%- if listen.user is defined %} |
| user {{ listen.user }} insecure-password {{ listen.password }} |
| {%- endif %} |
| {%- endfor %} |
| #} |
| |
| {%- endif %} |
| |
| {%- for listen_name, listen in proxy.get('listen', {}).iteritems() %} |
| {%- if listen.get('enabled', True) %} |
| {%- if listen.get('format', 'listen') == 'listen' %} |
| |
| listen {{ listen_name }} |
| {%- for bind in listen.binds %} |
| bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}{% if bind.ssl.pem_file is defined %}ssl crt {{ bind.ssl.pem_file }}{% else %}ssl crt /etc/haproxy/ssl/{{ listen_name }}{% endif %}{% endif %} |
| {%- endfor %} |
| {%- if listen.bind_process is defined %} |
| bind-process {{ listen.bind_process }} |
| {%- endif %} |
| {%- if listen.get('type', None) == 'http' %} |
| mode http |
| balance {{ listen.get('balance', 'roundrobin') }} |
| option httplog |
| {%- elif listen.get('type', None) == 'rabbitmq' %} |
| balance {{ listen.get('balance', 'roundrobin') }} |
| mode tcp |
| option tcpka |
| timeout client 300s |
| timeout server 300s |
| {%- elif listen.get('type', None) == 'mysql' %} |
| balance {{ listen.get('balance', 'leastconn') }} |
| mode tcp |
| option httpchk |
| option tcplog |
| option clitcpka |
| option srvtcpka |
| timeout client 300s |
| timeout server 300s |
| {%- if listen.get('health-check', {}).get('mysql', {}).get('enabled', True) %} |
| # option conflict's with port check of clustercheck script, if enabled haproxy reports invalid reponse |
| option mysql-check user haproxy |
| {%- endif %} |
| {%- elif listen.get('type', None) == 'pgsql' %} |
| balance {{ listen.get('balance', 'leastconn') }} |
| mode tcp |
| option httpchk |
| option tcplog |
| option clitcpka |
| option srvtcpka |
| timeout client 28801s |
| timeout server 28801s |
| {%- if listen.get('health-check', {}).get('pgsql', {}).get('enabled', True) %} |
| option pgsql-check user postgres |
| {%- endif %} |
| {%- elif listen.get('type', None) == 'horizon' %} |
| balance {{ listen.get('balance', 'source') }} |
| capture cookie vgnvisitor= len 32 |
| cookie SERVERID insert indirect nocache |
| mode http |
| option forwardfor |
| option httpchk |
| option httpclose |
| option httplog |
| rspidel ^Set-cookie:\ IP= |
| {%- elif listen.get('type', None) == 'general-service' %} |
| mode http |
| balance {{ listen.get('balance', 'roundrobin') }} |
| option httplog |
| {%- elif listen.get('type', None) == 'openstack-service' %} |
| option httpchk |
| option httplog |
| option httpclose |
| {%- elif listen.get('type', None) == 'heat' %} |
| balance source |
| option tcpka |
| option httpchk |
| option tcplog |
| {%- elif listen.get('type', None) == 'contrail-config' %} |
| mode http |
| stats enable |
| stats uri / |
| stats auth {{ listen.user }}:{{ listen.password }} |
| {%- elif listen.get('type', None) == 'contrail-api' %} |
| option nolinger |
| balance {{ listen.get('balance', 'roundrobin') }} |
| {%- elif listen.get('type', None) == 'contrail-analytics' %} |
| option nolinger |
| balance {{ listen.get('balance', 'roundrobin') }} |
| option tcp-check |
| tcp-check connect port 6379 |
| default-server error-limit 1 on-error mark-down |
| {%- elif listen.get('type', None) == 'stats' %} |
| mode http |
| stats enable |
| stats uri / |
| {%- if listen.user is defined %} |
| stats auth {{ listen.user }}:{{ listen.password }} |
| {%- endif %} |
| {%- elif listen.get('type', None) == 'admin' %} |
| mode http |
| acl AuthOkay_ReadOnly http_auth(STATSUSERS) |
| acl AuthOkay_Admin http_auth_group(STATSUSERS) {{ listen.user }} |
| stats enable |
| stats refresh 60s |
| stats uri / |
| stats http-request auth realm admin_page unless AuthOkay_ReadOnly |
| stats admin if AuthOkay_Admin |
| {%- else %} |
| {# no type specified #} |
| mode {{ listen.mode|default('tcp') }} |
| balance {{ listen.balance|default('roundrobin') }} |
| {%- for ttype, timeout in listen.get('timeout', {}).iteritems() %} |
| timeout {{ ttype }} {{ timeout }} |
| {%- endfor %} |
| {%- for aclname, acl in listen.get('acl', {}).iteritems() %} |
| acl {{ aclname }} {{ acl }} |
| {%- endfor %} |
| {%- for http_request in listen.get('http_request', []) %} |
| http-request {{ http_request.action }}{% if http_request.condition is defined %} {{ http_request.condition }}{% endif %} |
| {%- endfor %} |
| {%- for http_response in listen.get('http_response', []) %} |
| http-response {{ http_response.action }}{% if http_response.condition is defined %} {{ http_response.condition }}{% endif %} |
| {%- endfor %} |
| {%- for option in listen.get('options', []) %} |
| option {{ option }} |
| {%- endfor %} |
| {%- for type, checks in listen.get('health-check', {}).iteritems() %} |
| {%- if checks.get('enabled', True) %} |
| {%- if type == 'http' and 'httpchk' not in listen.get('options', [])|join('|') %} |
| option httpchk |
| {%- endif %} |
| {%- if type == 'tcp' and 'tcp-check' not in listen.get('options', [])|join('|') %} |
| option tcp-check |
| {%- endif %} |
| {%- for option in checks.get('options', []) %} |
| {{ type }}-check {{ option }} |
| {%- endfor %} |
| {%- endif %} |
| {%- endfor %} |
| {%- for stick in listen.get('sticks', []) %} |
| {{ stick }} |
| {%- endfor %} |
| {%- for reqadd in listen.get('reqadd', []) %} |
| reqadd {{ reqadd }} |
| {%- endfor %} |
| {%- for reqirep in listen.get('reqirep', []) %} |
| reqirep {{ reqirep }} |
| {%- endfor %} |
| {%- endif %} |
| {%- for server in listen.get('servers', []) %} |
| server {{ server.name }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }} |
| {%- endfor %} |
| {%- endif %} |
| {%- endif %} |
| {%- endfor %} |
| |
| {%- for listen_name, listen in proxy.get('listen', {}).iteritems() %} |
| {%- if listen.get('format', 'listen') == 'end' %} |
| |
| frontend {{ listen_name }} |
| {%- for bind in listen.binds %} |
| bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %} {% if bind.ssl.pem_file is defined %}ssl crt {{ bind.ssl.pem_file }}{% else %}ssl crt /etc/haproxy/ssl/{{ listen_name }}{% endif %} {% endif %} |
| {% endfor %} |
| {% if listen.get('force_ssl') == true %} |
| redirect scheme https code 301 if !{ ssl_fc } |
| {% endif %} |
| {%- for redirect in listen.get('redirects', []) %} |
| {%- for condition in redirect.get('conditions', []) %} |
| redirect {% if redirect.code is defined %} code {{ redirect.code }} {% endif %} location {{ redirect.location }} if { {{ condition.type }} {{ condition.condition }} } |
| {%- endfor %} |
| {%- endfor %} |
| {%- for acl in listen.get('acls', []) %} |
| {%- for condition in acl.get('conditions', []) %} |
| acl {{ acl.name }} {{ condition.type }} {{ condition.condition }} |
| {%- endfor %} |
| {%- if listen_name == 'service_proxy' %} |
| use_backend {{ acl.backend|default(acl.name, true) }} if {{ acl.name }} |
| {% else %} |
| use_backend {{ acl.name }}-backend if {{ acl.name }} |
| {% endif %} |
| {%- endfor %} |
| default_backend {{ listen_name }}-backend |
| |
| backend {{ listen_name }}-backend |
| {%- if listen.get('type', None) == 'http' %} |
| balance {{ listen.get('balance', 'roundrobin') }} |
| {%- endif %} |
| {%- for option in listen.get('options', []) %} |
| option {{ option }} |
| {%- endfor %} |
| {%- for server in listen.get('servers', []) %} |
| server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }} |
| {%- endfor %} |
| {%- if listen_name != 'service_proxy' %} |
| {%- for acl in listen.get('acls', []) %} |
| |
| backend {{ acl.name }}-backend |
| balance {{ acl.get('balance', 'roundrobin') }} |
| {%- for option in acl.get('options', []) %} |
| option {{ option }} |
| {%- endfor %} |
| {%- for server in acl.get('servers', []) %} |
| server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }} |
| {%- endfor %} |
| {%- endfor %} |
| {%- endif %} |
| {%- endif %} |
| {%- endfor %} |