Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / haproxy / 0a99f8af68ff801f2e08ca1b613e48d98258fcfd / . / README.rst
blob: 264cd21a61aca2c1468e158711036723ee2ece68 [file] [log] [blame]
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]1=====
2Usage
3=====
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]4
Ildar Svetlov77636142017-09-28 16:42:16 +0400[diff] [blame]5The Reliable, High Performance TCP/HTTP Load Balancer.
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]6
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]7Sample pillars
8==============
9
10Simple admin listener
11
12.. code-block:: yaml
13
14 haproxy:
15 proxy:
16 enabled: True
17 listen:
18 admin_page:
19 type: admin
20 binds:
21 - address: 0.0.0.0
22 port: 8801
23 user: fsdfdsfds
24 password: dsfdsf
25
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]26Simple stats listener
27
28.. code-block:: yaml
29
30 haproxy:
31 proxy:
32 enabled: True
33 listen:
34 admin_page:
35 type: stats
36 binds:
37 - address: 0.0.0.0
38 port: 8801
39
40
41
42Sample pillar with admin
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]43
44.. code-block:: yaml
45
46 haproxy:
47 proxy:
48 enabled: True
49 mode: http/tcp
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]50 logging: syslog
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]51 maxconn: 1024
52 timeout:
53 connect: 5000
54 client: 50000
55 server: 50000
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]56 listen:
57 https-in:
58 binds:
59 - address: 0.0.0.0
60 port: 443
61 servers:
62 - name: server1
63 host: 10.0.0.1
64 port: 8443
65 - name: server2
66 host: 10.0.0.2
67 port: 8443
68 params: 'maxconn 256'
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]69
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]70
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]71Sample pillar with custom logging
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]72
73.. code-block:: yaml
74
75 haproxy:
76 proxy:
77 enabled: True
78 mode: http/tcp
79 logging: syslog
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]80 maxconn: 1024
81 timeout:
82 connect: 5000
83 client: 50000
84 server: 50000
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]85 listen:
86 https-in:
87 binds:
88 address: 0.0.0.0
89 port: 443
90 servers:
91 - name: server1
92 host: 10.0.0.1
93 port: 8443
94 - name: server2
95 host: 10.0.0.2
96 port: 8443
97 params: 'maxconn 256'
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]98
99.. code-block:: yaml
100
101 haproxy:
102 proxy:
103 enabled: true
104 mode: tcp
105 logging: syslog
106 max_connections: 1024
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]107 listen:
108 mysql:
109 type: mysql
110 binds:
111 - address: 10.0.88.70
112 port: 3306
113 servers:
114 - name: node1
115 host: 10.0.88.13
116 port: 3306
117 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
118 - name: node2
119 host: 10.0.88.14
120 port: 3306
121 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
122 - name: node3
123 host: 10.0.88.15
124 port: 3306
125 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
126 rabbitmq:
127 type: rabbitmq
128 binds:
129 - address: 10.0.88.70
130 port: 5672
131 servers:
132 - name: node1
133 host: 10.0.88.13
134 port: 5673
135 params: check inter 5000 rise 2 fall 3
136 - name: node2
137 host: 10.0.88.14
138 port: 5673
139 params: check inter 5000 rise 2 fall 3 backup
140 - name: node3
141 host: 10.0.88.15
142 port: 5673
143 params: check inter 5000 rise 2 fall 3 backup
144 keystone-1:
145 type: general-service
146 binds:
147 - address: 10.0.106.170
148 port: 5000
149 servers:
150 - name: node1
151 host: 10.0.88.13
152 port: 5000
153 params: check
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]154
155.. code-block:: yaml
156
157 haproxy:
158 proxy:
159 enabled: true
160 mode: tcp
161 logging: syslog
162 max_connections: 1024
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]163 listen:
164 mysql:
165 type: mysql
166 binds:
167 - address: 10.0.88.70
168 port: 3306
169 servers:
170 - name: node1
171 host: 10.0.88.13
172 port: 3306
173 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
174 - name: node2
175 host: 10.0.88.14
176 port: 3306
177 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
178 - name: node3
179 host: 10.0.88.15
180 port: 3306
181 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
182 rabbitmq:
183 type: rabbitmq
184 binds:
185 - address: 10.0.88.70
186 port: 5672
187 servers:
188 - name: node1
189 host: 10.0.88.13
190 port: 5673
191 params: check inter 5000 rise 2 fall 3
192 - name: node2
193 host: 10.0.88.14
194 port: 5673
195 params: check inter 5000 rise 2 fall 3 backup
196 - name: node3
197 host: 10.0.88.15
198 port: 5673
199 params: check inter 5000 rise 2 fall 3 backup
200 keystone-1:
201 type: general-service
202 binds:
203 - address: 10.0.106.170
204 port: 5000
205 servers:
206 - name: node1
207 host: 10.0.88.13
208 port: 5000
209 params: check
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]210
Petr Jedinýc1461642018-04-17 17:21:28 +0200[diff] [blame]211Sample pillar with port range and port offset
212
213This is usefull in listen blocks for definition of multiple servers
214that differs only by port number in port range block. This situation
215can be result of multiple single-thread servers deployed in multi-core
216environment to better utilize the available cores.
217
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]218For example, five contrail-api workers occupy ports ``9100-9104``.
Petr Jedinýc1461642018-04-17 17:21:28 +0200[diff] [blame]219This can be achieved by using ``port_range_length`` in the pillar,
220``port_range_length: 5`` in this case.
221For skipping first worker (``worker_id 0``), because it has other
222responsibilities and to avoid overloading it by http requests
223use the ``port_range_start_offset`` in the pillar,
224``port_range_start_offset: 1`` in this case, it will only use ports
2259101-9104 (skipping 9100).
226
227- ``port_range_length`` parameter is used to calculate port range end
228- ``port_range_start_offset`` will skip first n ports in port range
229
230For backward compatibility, the name of the first server in port range
231has no ``pN`` suffix.
232
233The following sample will result in
234
235.. code-block:: text
236
237 listen contrail_api
238 bind 172.16.10.252:8082
239 option nolinger
240 balance leastconn
241 server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3
242 server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3
243 server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3
244 server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3
245 server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3
246 server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3
247 server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3
248 server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3
249 server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3
250 server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3
251 server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3
252 server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3
253 server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3
254 server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3
255
256.. code-block:: yaml
257
258 haproxy:
259 proxy:
260 listen:
261 contrail_api:
262 type: contrail-api
263 service_name: contrail
264 balance: leastconn
265 binds:
266 - address: 10.10.10.10
267 port: 8082
268 servers:
269 - name: ntw01
270 host: 10.10.10.11
271 port: 9100
272 port_range_length: 5
273 port_range_start_offset: 1
274 params: check inter 2000 rise 2 fall 3
275 - name: ntw02
276 host: 10.10.10.12
277 port: 9100
278 port_range_length: 5
279 port_range_start_offset: 0
280 params: check inter 2000 rise 2 fall 3
281 - name: ntw03
282 host: 10.10.10.13
283 port: 9100
284 port_range_length: 5
285 params: check inter 2000 rise 2 fall 3
286
287
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]288Custom more complex listener (for Artifactory and subdomains for docker
289registries)
290
291.. code-block:: yaml
292
293 haproxy:
294 proxy:
295 listen:
296 artifactory:
297 mode: http
298 options:
299 - forwardfor
300 - forwardfor header X-Real-IP
301 - httpchk
302 - httpclose
303 - httplog
Jakub Pavlikc9f84c42016-12-10 16:16:08 +0100[diff] [blame]304 sticks:
305 - stick on src
306 - stick-table type ip size 200k expire 2m
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]307 acl:
308 is_docker: "path_reg ^/v[12][/.]*"
309 http_request:
310 - action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]"
311 condition: "if is_docker"
312 balance: source
313 binds:
314 - address: ${_param:cluster_vip_address}
315 port: 8082
Filip Pytloun4201b382016-09-09 12:21:18 +0200[diff] [blame]316 ssl:
317 enabled: true
318 # This PEM file needs to contain key, cert, CA and possibly
319 # intermediate certificates
320 pem_file: /etc/haproxy/ssl/server.pem
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]321 servers:
322 - name: ${_param:cluster_node01_name}
323 host: ${_param:cluster_node01_address}
324 port: 8082
325 params: check
326 - name: ${_param:cluster_node02_name}
327 host: ${_param:cluster_node02_address}
328 port: 8082
329 params: backup check
330
Filip Pytlound95069e2017-03-10 16:12:03 +0100[diff] [blame]331It's also possible to use multiple certificates for one listener (eg. when
332it's bind on multiple interfaces):
333
334.. code-block:: yaml
335
336 haproxy:
337 proxy:
338 listen:
339 dummy_site:
340 mode: http
341 binds:
342 - address: 127.0.0.1
343 port: 8080
344 ssl:
345 enabled: true
346 key: |
347 my super secret key follows
348 cert: |
349 certificate
350 chain: |
351 CA chain (if any)
352 - address: 127.0.1.1
353 port: 8081
354 ssl:
355 enabled: true
356 key: |
357 my super secret key follows
358 cert: |
359 certificate
360 chain: |
361 CA chain (if any)
362
363Definition above will result in creation of ``/etc/haproxy/ssl/dummy_site``
364directory with files ``1-all.pem`` and ``2-all.pem`` (per binds).
365
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]366Custom listener with tcp-check options specified (for Redis cluster with Sentinel)
367
368.. code-block:: yaml
369
370 haproxy:
371 proxy:
372 listen:
373 redis_cluster:
374 service_name: redis
Guillaume Thouvenin3adff8c2017-02-21 14:29:07 +0100[diff] [blame]375 health-check:
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]376 tcp:
377 enabled: True
378 options:
379 - send PING\r\n
380 - expect string +PONG
381 - send info\ replication\r\n
382 - expect string role:master
383 - send QUIT\r\n
384 - expect string +OK
385 binds:
386 - address: ${_param:cluster_address}
387 port: 6379
388 servers:
389 - name: ${_param:cluster_node01_name}
390 host: ${_param:cluster_node01_address}
391 port: 6379
392 params: check inter 1s
393 - name: ${_param:cluster_node02_name}
394 host: ${_param:cluster_node02_address}
395 port: 6379
396 params: check inter 1s
397 - name: ${_param:cluster_node03_name}
398 host: ${_param:cluster_node03_address}
399 port: 6379
400 params: check inter 1s
401
Sergey Otpuschennikov3e831332017-08-01 13:31:03 +0400[diff] [blame]402Frontend for routing between exists listeners via URL with SSL an redirects.
403You can use one backend for several URLs.
404
405.. code-block:: yaml
406
407 haproxy:
408 proxy:
409 listen:
410 service_proxy:
411 mode: http
412 balance: source
413 format: end
414 binds:
415 - address: ${_param:haproxy_bind_address}
416 port: 80
417 ssl: ${_param:haproxy_frontend_ssl}
418 ssl_port: 443
419 redirects:
420 - code: 301
421 location: domain.com/images
422 conditions:
423 - type: hdr_dom(host)
424 condition: images.domain.com
425 acls:
426 - name: gerrit
427 conditions:
428 - type: hdr_dom(host)
429 condition: gerrit.domain.com
430 - name: jenkins
431 conditions:
432 - type: hdr_dom(host)
433 condition: jenkins.domain.com
434 - name: docker
435 backend: artifactroy
436 conditions:
437 - type: hdr_dom(host)
438 condition: docker.domain.com
439
Ildar Svetlov77636142017-09-28 16:42:16 +0400[diff] [blame]440Enable customisable ``forwardfor`` option in ``defaults`` section.
441
442.. code-block:: yaml
443
444 haproxy:
445 proxy:
446 enabled: true
447 mode: tcp
448 logging: syslog
449 max_connections: 1024
450 forwardfor:
451 enabled: true
452 except:
453 header:
454 if-none: false
455
456.. code-block:: yaml
457
458 haproxy:
459 proxy:
460 enabled: true
461 mode: tcp
462 logging: syslog
463 max_connections: 1024
464 forwardfor:
465 enabled: true
466 except: 127.0.0.1
467 header: X-Real-IP
468 if-none: false
469
stelucz01752fe2018-01-26 12:39:23 +0100[diff] [blame]470Sample pillar with multiprocess multicore configuration
471
472.. code-block:: yaml
473
474 haproxy:
475 proxy:
476 enabled: True
477 nbproc: 4
478 cpu_map:
479 1: 0
480 2: 1
481 3: 2
482 4: 3
483 stats_bind_process: "1 2"
484 mode: http/tcp
485 logging: syslog
486 maxconn: 1024
487 timeout:
488 connect: 5000
489 client: 50000
490 server: 50000
491 listen:
492 https-in:
493 bind_process: "1 2 3 4"
494 binds:
495 - address: 0.0.0.0
496 port: 443
497 servers:
498 - name: server1
499 host: 10.0.0.1
500 port: 8443
501 - name: server2
502 host: 10.0.0.2
503 port: 8443
504 params: 'maxconn 256'
505
Michel Nederlof14da7092018-03-12 22:46:36 +0100[diff] [blame]506Implement rate limiting, to prevent excessive requests
507This feature only works if using 'format: end'
508
509.. code-block:: yaml
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]510
Michel Nederlof14da7092018-03-12 22:46:36 +0100[diff] [blame]511 haproxy:
512 proxy:
513 ...
514 listen:
515 nova_metadata_api:
516 ...
517 format: end
518 options:
519 - httpchk
520 - httpclose
521 - httplog
522 rate_limit:
523 duration: 900s
524 enabled: true
525 requests: 125
526 track: content
527 servers:
528 ...
529 type: http
530
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]531Read more
532=========
533
534* https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]535* http://www.nineproductions.com/saltstack-ossec-state-using-reactor/
536* https://gist.github.com/tomeduarte/6340205 - example on how to use peer
537 from within a config file (using jinja)
538* http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview
539 of peer vs mine
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]540* https://github.com/russki/cluster-agents
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]541
542Documentation and Bugs
543======================
544
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]545* http://salt-formulas.readthedocs.io/
546 Learn how to install and update salt-formulas
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]547
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]548* https://github.com/salt-formulas/salt-formula-haproxy/issues
549 In the unfortunate event that bugs are discovered, report the issue to the
550 appropriate issue tracker. Use the Github issue tracker for a specific salt
551 formula
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]552
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]553* https://launchpad.net/salt-formulas
554 For feature requests, bug reports, or blueprints affecting the entire
555 ecosystem, use the Launchpad salt-formulas project
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]556
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]557* https://launchpad.net/~salt-formulas-users
558 Join the salt-formulas-users team and subscribe to mailing list if required
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]559
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]560* https://github.com/salt-formulas/salt-formula-haproxy
561 Develop the salt-formulas projects in the master branch and then submit pull
562 requests against a specific formula
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]563
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame^]564* #salt-formulas @ irc.freenode.net
565 Use this IRC channel in case of any questions or feedback which is always
566 welcome
Filip Pytloun5cde0482017-02-02 13:02:03 +0100[diff] [blame]567