=====
Usage
=====

The Reliable, High Performance TCP/HTTP Load Balancer.

Sample pillars
==============

Simple admin listener

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        listen:
          admin_page:
            type: admin
            binds:
            - address: 0.0.0.0
              port: 8801
            user: fsdfdsfds
            password: dsfdsf

Simple stats listener

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        listen:
          admin_page:
            type: stats
            binds:
            - address: 0.0.0.0
              port: 8801



Sample pillar with admin

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        maxconn: 1024
        timeout:
          connect: 5000ms
          client: 50000ms
          server: 50000ms
        listen:
          https-in:
            binds:
            - address: 0.0.0.0
              port: 443
            servers:
            - name: server1
              host: 10.0.0.1
              port: 8443
            - name: server2
              host: 10.0.0.2
              port: 8443
              params: 'maxconn 256'

.. note::

    Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.


Sample pillar with custom logging

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        maxconn: 1024
        timeout:
          connect: 5000ms
          client: 50000ms
          server: 50000ms
        listen:
          https-in:
            binds:
              address: 0.0.0.0
              port: 443
            servers:
            - name: server1
              host: 10.0.0.1
              port: 8443
            - name: server2
              host: 10.0.0.2
              port: 8443
              params: 'maxconn 256'


.. note::

    Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.

.. code-block:: yaml

      haproxy:
        proxy:
          enabled: true
          listen:
            mysql:
              type: mysql
              binds:
              - address: 10.0.88.70
                port: 3306
              servers:
              - name: node1
                host: 10.0.88.13
                port: 3306
                params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
              - name: node2
                host: 10.0.88.14
                port: 3306
                params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
              - name: node3
                host: 10.0.88.15
                port: 3306
                params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
            rabbitmq:
              type: rabbitmq
              binds:
              - address: 10.0.88.70
                port: 5672
              servers:
              - name: node1
                host: 10.0.88.13
                port: 5673
                params: check inter 5000 rise 2 fall 3
              - name: node2
                host: 10.0.88.14
                port: 5673
                params: check inter 5000 rise 2 fall 3 backup
              - name: node3
                host: 10.0.88.15
                port: 5673
                params: check inter 5000 rise 2 fall 3 backup
            keystone-1:
              type: general-service
              binds:
              - address: 10.0.106.170
                port: 5000
              servers:
              - name: node1
                host: 10.0.88.13
                port: 5000
                params: check

.. code-block:: yaml

      haproxy:
        proxy:
          enabled: true
          listen:
            mysql:
              type: mysql
              binds:
              - address: 10.0.88.70
                port: 3306
              servers:
              - name: node1
                host: 10.0.88.13
                port: 3306
                params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
              - name: node2
                host: 10.0.88.14
                port: 3306
                params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
              - name: node3
                host: 10.0.88.15
                port: 3306
                params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
            rabbitmq:
              type: rabbitmq
              binds:
              - address: 10.0.88.70
                port: 5672
              servers:
              - name: node1
                host: 10.0.88.13
                port: 5673
                params: check inter 5000 rise 2 fall 3
              - name: node2
                host: 10.0.88.14
                port: 5673
                params: check inter 5000 rise 2 fall 3 backup
              - name: node3
                host: 10.0.88.15
                port: 5673
                params: check inter 5000 rise 2 fall 3 backup
            keystone-1:
              type: general-service
              binds:
              - address: 10.0.106.170
                port: 5000
              servers:
              - name: node1
                host: 10.0.88.13
                port: 5000
                params: check

Sample pillar with port range and port offset

This is usefull in listen blocks for definition of multiple servers
that differs only by port number in port range block. This situation
can be result of multiple single-thread servers deployed in multi-core
environment to better utilize the available cores.

For example, five contrail-api workers occupy ports ``9100-9104``.
This can be achieved by using ``port_range_length`` in the pillar,
``port_range_length: 5`` in this case.
For skipping first worker (``worker_id 0``), because it has other
responsibilities and to avoid overloading it by http requests
use the ``port_range_start_offset`` in the pillar,
``port_range_start_offset: 1`` in this case, it will only use ports
9101-9104 (skipping 9100).

- ``port_range_length`` parameter is used to calculate port range end
- ``port_range_start_offset`` will skip first n ports in port range

For backward compatibility, the name of the first server in port range
has no ``pN`` suffix.

The following sample will result in

.. code-block:: text

    listen contrail_api
      bind 172.16.10.252:8082
      balance leastconn
      server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3
      server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3
      server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3
      server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3
      server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3
      server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3
      server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3
      server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3
      server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3
      server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3
      server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3
      server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3
      server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3
      server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          contrail_api:
            type: contrail-api
            service_name: contrail
            balance: leastconn
            binds:
            - address: 10.10.10.10
              port: 8082
            servers:
            - name: ntw01
              host: 10.10.10.11
              port: 9100
              port_range_length: 5
              port_range_start_offset: 1
              params: check inter 2000 rise 2 fall 3
            - name: ntw02
              host: 10.10.10.12
              port: 9100
              port_range_length: 5
              port_range_start_offset: 0
              params: check inter 2000 rise 2 fall 3
            - name: ntw03
              host: 10.10.10.13
              port: 9100
              port_range_length: 5
              params: check inter 2000 rise 2 fall 3


Custom more complex listener (for Artifactory and subdomains for docker
registries)

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          artifactory:
            mode: http
            options:
              - forwardfor
              - forwardfor header X-Real-IP
              - httpchk
              - httpclose
              - httplog
            sticks:
              - stick on src
              - stick-table type ip size 200k expire 2m
            acl:
              is_docker: "path_reg ^/v[12][/.]*"
            http_request:
              - action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]"
                condition: "if is_docker"
            balance: source
            binds:
              - address: ${_param:cluster_vip_address}
                port: 8082
                ssl:
                  enabled: true
                  # This PEM file needs to contain key, cert, CA and possibly
                  # intermediate certificates
                  pem_file: /etc/haproxy/ssl/server.pem
            servers:
              - name: ${_param:cluster_node01_name}
                host: ${_param:cluster_node01_address}
                port: 8082
                params: check
              - name: ${_param:cluster_node02_name}
                host: ${_param:cluster_node02_address}
                port: 8082
                params: backup check

It's also possible to use multiple certificates for one listener (eg. when
it's bind on multiple interfaces):

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          dummy_site:
            mode: http
            binds:
              - address: 127.0.0.1
                port: 8080
                ssl:
                  enabled: true
                  key: |
                    my super secret key follows
                  cert: |
                    certificate
                  chain: |
                    CA chain (if any)
              - address: 127.0.1.1
                port: 8081
                ssl:
                  enabled: true
                  key: |
                    my super secret key follows
                  cert: |
                    certificate
                  chain: |
                    CA chain (if any)

Definition above will result in creation of ``/etc/haproxy/ssl/dummy_site``
directory with files ``1-all.pem`` and ``2-all.pem`` (per binds).

Custom listener with http-check options specified

.. code-block:: yaml

  haproxy:
    proxy:
      enabled: true
      forwardfor:
        enabled: true
        except: 127.0.0.1
        header: X-Forwarded-For
        if-none: false
      listen:
        glance_api:
          binds:
          - address: 192.168.2.11
            port: 9292
            ssl:
              enabled: true
              pem_file: /etc/haproxy/ssl/all.pem
          http_request:
          - action: set-header X-Forwarded-Proto https
          mode: http
          options:
          - httpchk GET /
          - httplog
          - httpclose
          servers:
          - host: 127.0.0.1
            name: ctl01
            params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
            port: 9292

Custom listener with tcp-check options specified (for Redis cluster with Sentinel)

.. code-block:: yaml

  haproxy:
    proxy:
      listen:
        redis_cluster:
          service_name: redis
          health-check:
            tcp:
              enabled: True
              options:
                - send PING\r\n
                - expect string +PONG
                - send info\ replication\r\n
                - expect string role:master
                - send QUIT\r\n
                - expect string +OK
          binds:
            - address: ${_param:cluster_address}
              port: 6379
          servers:
            - name: ${_param:cluster_node01_name}
              host: ${_param:cluster_node01_address}
              port: 6379
              params: check inter 1s
            - name: ${_param:cluster_node02_name}
              host: ${_param:cluster_node02_address}
              port: 6379
              params: check inter 1s
            - name: ${_param:cluster_node03_name}
              host: ${_param:cluster_node03_address}
              port: 6379
              params: check inter 1s

Frontend for routing between exists listeners via URL with SSL an redirects.
You can use one backend for several URLs.

.. code-block:: yaml

  haproxy:
    proxy:
      listen:
        service_proxy:
          mode: http
          balance: source
          format: end
          binds:
           - address: ${_param:haproxy_bind_address}
             port: 80
             ssl: ${_param:haproxy_frontend_ssl}
             ssl_port: 443
          redirects:
           - code: 301
             location: domain.com/images
             conditions:
               - type: hdr_dom(host)
                 condition: images.domain.com
          acls:
           - name: gerrit
             conditions:
               - type: hdr_dom(host)
                 condition: gerrit.domain.com
           - name: jenkins
             conditions:
               - type: hdr_dom(host)
                 condition: jenkins.domain.com
           - name: docker
             backend: artifactroy
             conditions:
               - type: hdr_dom(host)
                 condition: docker.domain.com

Enable customisable ``forwardfor`` option in ``defaults`` section.

.. code-block:: yaml

  haproxy:
    proxy:
      enabled: true
      forwardfor:
        enabled: true
        except:
        header:
        if-none: false

.. code-block:: yaml

  haproxy:
    proxy:
      enabled: true
      forwardfor:
        enabled: true
        except: 127.0.0.1
        header: X-Real-IP
        if-none: false

Sample pillar with multiprocess multicore configuration

.. code-block:: yaml

  haproxy:
    proxy:
      enabled: True
      nbproc: 4
      cpu_map:
        1: 0
        2: 1
        3: 2
        4: 3
      stats_bind_process: "1 2"
      maxconn: 1024
      timeout:
        connect: 5000ms
        client: 50000ms
        server: 50000ms
      listen:
        https-in:
          bind_process: "1 2 3 4"
          binds:
          - address: 0.0.0.0
            port: 443
          servers:
          - name: server1
            host: 10.0.0.1
            port: 8443
          - name: server2
            host: 10.0.0.2
            port: 8443
            params: 'maxconn 256'

.. note::

    Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.

Implement rate limiting, to prevent excessive requests
This feature only works if using 'format: end'

.. code-block:: yaml

  haproxy:
    proxy:
      ...
      listen:
        nova_metadata_api:
          ...
          format: end
          options:
          - httpchk
          - httpclose
          - httplog
          rate_limit:
            duration: 900s
            enabled: true
            requests: 125
            track: content
          servers:
            ...
          type: http

Implement haproxy configuration without specifying certain type or with type='None'.
This approach allows to set all major haproxy parameters manually.
Sample pillar:

.. code-block:: yaml

  haproxy:
    proxy:
      listen:
        manila_api:
          type: None
          mode: tcp
          balance: roundrobin
          timeout:
            check: 10s
            client: 20s
          http_request:
            - action: "add-header X-Forwarded-Proto https"
              condition: "if { ssl_fc }"
          options: ${_param:haproxy_https_check_options}
          capture:
          - cookie ASPSESSION len 32
          - request header Host len 15
          compression:
          - algo gzip
          - type text/html text/plain
          declare_capture: request len 50
          email_alert:
          - myhostname myserver
          - from server@localhost
          - level warning
          errorfile:
            file_500:
              code: 500
              file: /tmp/error_500.log
            file_404:
              code: 400
              file: /tmp/error_400.log
          max_keep_alive_queue: 100
          maxconn: 10000
          reqadd:
          - X-Proto:\ SSL  if is-ssl
          reqirep:
          - ^Host:\ www.mydomain.com   Host:\ www
          modify_headers:
          - reqallow ^Host:\ www\.
          - reqdel ^Host:\ .*\.local
          - reqdeny ^Host:\ .*\.local
          - reqiallow ^Host:\ www\.
          - reqidel ^Host:\ .*\.local
          - reqideny ^Host:\ .*\.local
          - reqipass ^Host:\ .*\.local
          - reqpass ^Host:\ .*\.local
          - reqitarpit ^Host:\ .*\.local
          - reqtarpit ^Host:\ .*\.local
          retries: 10
          stats:
          - enable
          - auth admin1:AdMiN123
          rate_limit_sessions: 1000

.. note::

    Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.

Implement rate limiting, to prevent excessive requests
using 'format: listen'

.. code-block:: yaml

  haproxy:
    proxy:
      ...
      listen:
        nova_metadata_api:
          ...
          rate_limit:
            duration: 3s
            enabled: true
            requests: 60
            track: connection
          servers:
            ...
Implement rate limiting, to prevent excessive requests
using 'format: listen' and acls/request/backend stick list

.. code-block:: yaml

  haproxy:
    proxy:
      listen:
        nova_metadata_api:
          options:
          - httplog
          rate_limit:
            enabled: true
            type: string
            len: 36
            size: 10m
            duration: 60s
            acls:
              101:
                enabled: true
                value: acl too_many_requests_3 sc0_gpc0_rate() gt 3
              102:
                enabled: true
                value: acl mark_seen sc0_inc_gpc0 gt 0
              110:
                enabled: true
                value: acl x_instance_id hdr(x-instance-id) -i 4777e8e0-16e8-46ce-a3fe-0a1ad9b3ebdc
              111:
                enabled: true
                value: acl x_instance_id hdr(x-instance-id) -i ca2395dd-f73f-4d43-8fe7-f7078a0920af
              201:
                enabled: true
                value: acl too_many_requests_6 sc0_gpc0_rate() gt 6
              202:
                enabled: true
                value: acl mark_seen sc0_inc_gpc0 gt 0
              210:
                enabled: true
                value: acl x_tenant_id hdr(x-tenant-id) -i 2b76cc56a437404bb8cb6cb20dbb0ea4
            tcp_request:
              001:
                enabled: true
                value: tcp-request inspect-delay 5s
              101:
                enabled: true
                value: tcp-request content track-sc0 hdr(x-instance-id) if ! too_many_requests_3
              201:
                enabled: true
                value: tcp-request content track-sc0 hdr(x-tenant-id) if ! too_many_requests_6
            use_backend:
              101:
                enabled: true
                value: use_backend nova_metadata_api-rate_limit if mark_seen too_many_requests_3 x_instance_id
              201:
                enabled: true
                value: use_backend nova_metadata_api-rate_limit if mark_seen too_many_requests_6 x_tenant_id

Pillar demostrating all global variables which are parametrized

  All values may be defined as a single element or a list of elements with the same keyword
  Keyword is added automatically and should not be included in the value

.. code-block:: yaml

  haproxy:
    proxy:
      global:
        chroot: /var/lib/haproxy
        daemon: true
        gid: ''
        group: haproxy
        cpu-map:
        - '0 1'
        - '1 2'
        log:
        - '/dev/log local0'
        - '/dev/log local1 notice'
        log-send-hostname: ''
        nbproc: 5
        pidfile: '/var/run/haproxy.pid'
        uid: ''
        ulimit-n: ''
        user: 'haproxy'
        stats:
        - 'socket /var/run/new.sock mode 660 level admin'
        - 'timeout 30s'
        - 'bind-process 1 2'
        node: ''
        description: ''
        maxconn: 25000
        maxpipes: ''
        noepoll: ''
        nokqueue: ''
        nopoll: ''
        nosepoll: ''
        nosplice: ''
        spread-checks: 4
        tune_bufsize: 32768
        tune_chksize: ''
        tune_maxaccept: ''
        tune_maxpollevents: ''
        tune_maxrewrite: 1024
        tune_rcvbuf_client: ''
        tune_rcvbuf_server: ''
        tune_sndbuf_client: ''
        tune_sndbuf_server: ''

Read more
=========

* https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy
* http://www.nineproductions.com/saltstack-ossec-state-using-reactor/
* https://gist.github.com/tomeduarte/6340205 - example on how to use peer
  from within a config file (using jinja)
* http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview
  of peer vs mine
* https://github.com/russki/cluster-agents
