Fix logging, chroot by default
diff --git a/haproxy/files/haproxy.cfg b/haproxy/files/haproxy.cfg
index 3ef3ce8..990f01c 100644
--- a/haproxy/files/haproxy.cfg
+++ b/haproxy/files/haproxy.cfg
@@ -1,27 +1,27 @@
-{%- set proxy = pillar.haproxy.proxy %}
-{%- set haproxy_logging = pillar.haproxy.proxy.get('logging', "") %}
+{%- from "haproxy/map.jinja" import proxy with context -%}
global
-{%- if grains.os_family == "RedHat" %}
- chroot /var/lib/haproxy
- stats socket /var/lib/haproxy/stats
-{%- endif %}
- daemon
- maxconn 16000
- pidfile /var/run/haproxy.pid
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket {{ proxy.stats_socket }} mode 660 level admin
+ stats timeout 30s
user haproxy
- group haproxy
+ group haproxy
+ daemon
+ pidfile /var/run/haproxy.pid
spread-checks 4
tune.maxrewrite 1024
tune.bufsize 32768
-
+ maxconn 16000
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
defaults
log global
mode http
- {%- if haproxy_logging == 'syslog' %}
- log 127.0.0.1 local0
- {%- endif %}
maxconn 8000
{#
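Review bot: With `chroot /var/lib/haproxy` now unconditional, the two `log /dev/log ...` lines are probably resolved inside the chroot once HAProxy starts emitting messages, so logs arrive only if the syslog daemon also listens on `/var/lib/haproxy/dev/log`. Nothing visible in this diff sets that listener up, and the removed `log 127.0.0.1 local0` branch was the only target that did not depend on it, so on hosts without that listener access and error logs can disappear silently. Either have the formula manage the extra syslog socket or keep a pillar-selectable UDP log target. Separately, `ssl-default-bind-ciphers` still offers `ECDH+3DES:DH+3DES:RSA+3DES` and `ssl-default-bind-options no-sslv3` leaves TLS 1.0 and 1.1 enabled. Consider dropping the 3DES entries and using `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` where the client base allows.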
@@ -128,7 +128,7 @@
option tcp-check
tcp-check connect port 6379
default-server error-limit 1 on-error mark-down
- {%- endif %}
+ {%- endif %}
{%- if listen.type == 'stats' %}
mode http
stats enable
diff --git a/haproxy/map.jinja b/haproxy/map.jinja
index 2c4ec04..8649956 100644
--- a/haproxy/map.jinja
+++ b/haproxy/map.jinja
@@ -2,9 +2,11 @@
'Debian': {
'pkgs': ['haproxy'],
'service': 'haproxy',
+ 'stats_socket': '/run/haproxy/admin.sock',
},
'RedHat': {
'pkgs': ['haproxy'],
'service': 'haproxy',
+ 'stats_socket': '/run/haproxy/admin.sock',
},
}, merge=salt['pillar.get']('haproxy:proxy')) %}
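Review bot: The new `'stats_socket': '/run/haproxy/admin.sock'` default is rendered into a `stats socket ... level admin` line, but nothing in this diff ensures the parent directory `/run/haproxy` exists. If the state files outside this diff do not create it, HAProxy may fail to bind the socket on start, and `/run` is usually recreated at boot. A `file.directory` state for the socket's parent, required by the service, owned by root with the haproxy group and no world access, would cover both start-up and access to the admin socket. Because the map is merged with the `haproxy:proxy` pillar, a pillar override of `stats_socket` moves the admin socket to any path. A comment beside the key such as `{# admin-level runtime socket; keep the directory non-world-accessible #}` would make that constraint visible. The value is identical for both OS families, so it could live in one shared default rather than being repeated.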