blob: 513db532290b4869694dbbde61523075865bb169 [file] [log] [blame]
{%- from "haproxy/map.jinja" import proxy with context -%}
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket {{ proxy.stats_socket }} mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
pidfile /var/run/haproxy.pid
spread-checks 4
tune.maxrewrite 1024
tune.bufsize 32768
maxconn 16000
{%- if salt['pkg.version']('haproxy')[:3] >= '1.6' %}
# SSL options
ca-base /etc/haproxy/ssl
crt-base /etc/haproxy/ssl
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
{%- endif %}
defaults
log global
mode http
maxconn {{ proxy.maxconn|default(8000) }}
{%- if proxy.get('forwardfor', {}).enabled|default(False) %}
option forwardfor{% if proxy.forwardfor.get('except', False) %} except {{proxy.forwardfor.except}}{% endif %}{% if proxy.forwardfor.get('header', False) %} header {{proxy.forwardfor.header}}{% endif %}{% if proxy.forwardfor.get('if-none') %} if-none{% endif %}
{%- endif %}
option redispatch
retries {{ proxy.retries|default(3) }}
stats enable
timeout http-request {{ proxy.get('timeout', {}).get('http-request','10s') }}
timeout queue {{ proxy.get('timeout', {}).get('queue', '1m') }}
timeout connect {{ proxy.get('timeout', {}).get('connect', '10s') }}
timeout client {{ proxy.get('timeout', {}).get('client', '1m') }}
timeout server {{ proxy.get('timeout', {}).get('server', '1m') }}
timeout check {{ proxy.get('timeout', {}).get('check', '10s') }}
{%- if proxy.listen.admin_page is defined and proxy.listen.admin_page.user is defined %}
userlist STATSUSERS
group admin users admin
user {{ proxy.listen.admin_page.user }} insecure-password {{ proxy.listen.admin_page.password }}
user stats insecure-password {{ proxy.listen.admin_page.password }}
{#
{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
{%- if listen.user is defined %}
user {{ listen.user }} insecure-password {{ listen.password }}
{%- endif %}
{%- endfor %}
#}
{%- endif %}
{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
{%- if listen.get('enabled', True) %}
{%- if listen.get('format', 'listen') == 'listen' %}
listen {{ listen_name }}
{%- for bind in listen.binds %}
bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}{% if bind.ssl.pem_file is defined %}ssl crt {{ bind.ssl.pem_file }}{% else %}ssl crt /etc/haproxy/ssl/{{ listen_name }}{% endif %}{% endif %}
{%- endfor %}
{%- if listen.get('type', None) == 'http' %}
mode http
balance {{ listen.get('balance', 'roundrobin') }}
option httplog
{%- elif listen.get('type', None) == 'rabbitmq' %}
balance {{ listen.get('balance', 'roundrobin') }}
mode tcp
option tcpka
timeout client 300s
timeout server 300s
{%- elif listen.get('type', None) == 'mysql' %}
balance {{ listen.get('balance', 'leastconn') }}
mode tcp
option httpchk
option tcplog
option clitcpka
option srvtcpka
timeout client 300s
timeout server 300s
{%- if listen.get('health-check', {}).get('mysql', {}).get('enabled', True) %}
# option conflict's with port check of clustercheck script, if enabled haproxy reports invalid reponse
option mysql-check user haproxy
{%- endif %}
{%- elif listen.get('type', None) == 'pgsql' %}
balance {{ listen.get('balance', 'leastconn') }}
mode tcp
option httpchk
option tcplog
option clitcpka
option srvtcpka
timeout client 28801s
timeout server 28801s
{%- if listen.get('health-check', {}).get('pgsql', {}).get('enabled', True) %}
option pgsql-check user postgres
{%- endif %}
{%- elif listen.get('type', None) == 'horizon' %}
balance {{ listen.get('balance', 'source') }}
capture cookie vgnvisitor= len 32
cookie SERVERID insert indirect nocache
mode http
option forwardfor
option httpchk
option httpclose
option httplog
rspidel ^Set-cookie:\ IP=
{%- elif listen.get('type', None) == 'general-service' %}
mode http
balance {{ listen.get('balance', 'roundrobin') }}
option httplog
{%- elif listen.get('type', None) == 'openstack-service' %}
option httpchk
option httplog
option httpclose
{%- elif listen.get('type', None) == 'heat' %}
balance source
option tcpka
option httpchk
option tcplog
{%- elif listen.get('type', None) == 'contrail-config' %}
mode http
stats enable
stats uri /
stats auth {{ listen.user }}:{{ listen.password }}
{%- elif listen.get('type', None) == 'contrail-api' %}
option nolinger
balance {{ listen.get('balance', 'roundrobin') }}
{%- elif listen.get('type', None) == 'contrail-analytics' %}
option nolinger
balance {{ listen.get('balance', 'roundrobin') }}
option tcp-check
tcp-check connect port 6379
default-server error-limit 1 on-error mark-down
{%- elif listen.get('type', None) == 'stats' %}
mode http
stats enable
stats uri /
{%- if listen.user is defined %}
stats auth {{ listen.user }}:{{ listen.password }}
{%- endif %}
{%- elif listen.get('type', None) == 'admin' %}
mode http
acl AuthOkay_ReadOnly http_auth(STATSUSERS)
acl AuthOkay_Admin http_auth_group(STATSUSERS) {{ listen.user }}
stats enable
stats refresh 60s
stats uri /
stats http-request auth realm admin_page unless AuthOkay_ReadOnly
stats admin if AuthOkay_Admin
{%- else %}
{# no type specified #}
mode {{ listen.mode|default('tcp') }}
balance {{ listen.balance|default('roundrobin') }}
{%- for ttype, timeout in listen.get('timeout', {}).iteritems() %}
timeout {{ ttype }} {{ timeout }}
{%- endfor %}
{%- for aclname, acl in listen.get('acl', {}).iteritems() %}
acl {{ aclname }} {{ acl }}
{%- endfor %}
{%- for http_request in listen.get('http_request', []) %}
http-request {{ http_request.action }}{% if http_request.condition is defined %} {{ http_request.condition }}{% endif %}
{%- endfor %}
{%- for http_response in listen.get('http_response', []) %}
http-response {{ http_response.action }}{% if http_response.condition is defined %} {{ http_response.condition }}{% endif %}
{%- endfor %}
{%- for option in listen.get('options', []) %}
option {{ option }}
{%- endfor %}
{%- for type, checks in listen.get('health-check', {}).iteritems() %}
{%- if checks.get('enabled', True) %}
{%- if type == 'http' and 'httpchk' not in listen.get('options', [])|join('|') %}
option httpchk
{%- endif %}
{%- if type == 'tcp' and 'tcp-check' not in listen.get('options', [])|join('|') %}
option tcp-check
{%- endif %}
{%- for option in checks.get('options', []) %}
{{ type }}-check {{ option }}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- for stick in listen.get('sticks', []) %}
{{ stick }}
{%- endfor %}
{%- for reqadd in listen.get('reqadd', []) %}
reqadd {{ reqadd }}
{%- endfor %}
{%- for reqirep in listen.get('reqirep', []) %}
reqirep {{ reqirep }}
{%- endfor %}
{%- endif %}
{%- for server in listen.get('servers', []) %}
server {{ server.name }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
{%- if listen.get('format', 'listen') == 'end' %}
frontend {{ listen_name }}
{%- for bind in listen.binds %}
bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %} {% if bind.ssl.pem_file is defined %}ssl crt {{ bind.ssl.pem_file }}{% else %}ssl crt /etc/haproxy/ssl/{{ listen_name }}{% endif %} {% endif %}
{% endfor %}
{% if listen.get('force_ssl') == true %}
redirect scheme https code 301 if !{ ssl_fc }
{% endif %}
{%- for redirect in listen.get('redirects', []) %}
{%- for condition in redirect.get('conditions', []) %}
redirect {% if redirect.code is defined %} code {{ redirect.code }} {% endif %} location {{ redirect.location }} if { {{ condition.type }} {{ condition.condition }} }
{%- endfor %}
{%- endfor %}
{%- for acl in listen.get('acls', []) %}
{%- for condition in acl.get('conditions', []) %}
acl {{ acl.name }} {{ condition.type }} {{ condition.condition }}
{%- endfor %}
{%- if listen_name == 'service_proxy' %}
use_backend {{ acl.backend|default(acl.name, true) }} if {{ acl.name }}
{% else %}
use_backend {{ acl.name }}-backend if {{ acl.name }}
{% endif %}
{%- endfor %}
default_backend {{ listen_name }}-backend
backend {{ listen_name }}-backend
{%- if listen.get('type', None) == 'http' %}
balance {{ listen.get('balance', 'roundrobin') }}
{%- endif %}
{%- for option in listen.get('options', []) %}
option {{ option }}
{%- endfor %}
{%- for server in listen.get('servers', []) %}
server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
{%- endfor %}
{%- if listen_name != 'service_proxy' %}
{%- for acl in listen.get('acls', []) %}
backend {{ acl.name }}-backend
balance {{ acl.get('balance', 'roundrobin') }}
{%- for option in acl.get('options', []) %}
option {{ option }}
{%- endfor %}
{%- for server in acl.get('servers', []) %}
server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endfor %}