Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / haproxy / 5f022655233e9da861a4a31199892941e66e7663 / . / haproxy / files / haproxy.cfg
blob: 0cdfcbdf623c032997c7af3401e001d3185ddea6 [file] [log] [blame]
Filip Pytloun78944bc2016-04-13 13:03:54 +0200[diff] [blame]1{%- from "haproxy/map.jinja" import proxy with context -%}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]2
3global
Filip Pytloun78944bc2016-04-13 13:03:54 +0200[diff] [blame]4 log /dev/log local0
5 log /dev/log local1 notice
6 chroot /var/lib/haproxy
7 stats socket {{ proxy.stats_socket }} mode 660 level admin
8 stats timeout 30s
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]9 user haproxy
Filip Pytloun78944bc2016-04-13 13:03:54 +0200[diff] [blame]10 group haproxy
11 daemon
12 pidfile /var/run/haproxy.pid
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]13 spread-checks 4
14 tune.maxrewrite 1024
15 tune.bufsize 32768
Filip Pytloun78944bc2016-04-13 13:03:54 +0200[diff] [blame]16 maxconn 16000
Ales Komarekc07297c2016-10-14 16:43:09 +0200[diff] [blame]17 {%- if salt['pkg.version']('haproxy')[:3] >= '1.6' %}
Filip Pytloun4201b382016-09-09 12:21:18 +0200[diff] [blame]18 # SSL options
19 ca-base /etc/haproxy/ssl
20 crt-base /etc/haproxy/ssl
21 tune.ssl.default-dh-param 2048
22 ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
23 ssl-default-bind-options no-sslv3 no-tls-tickets
24 ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
25 ssl-default-server-options no-sslv3 no-tls-tickets
Ales Komarekc07297c2016-10-14 16:43:09 +0200[diff] [blame]26 {%- endif %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]27
28defaults
29 log global
30 mode http
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]31
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]32 maxconn {{ proxy.maxconn|default(8000) }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]33 option redispatch
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]34 retries {{ proxy.retries|default(3) }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]35 stats enable
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]36
37 timeout http-request {{ proxy.get('timeout', {}).get('http-request','10s') }}
38 timeout queue {{ proxy.get('timeout', {}).get('queue', '1m') }}
39 timeout connect {{ proxy.get('timeout', {}).get('connect', '10s') }}
40 timeout client {{ proxy.get('timeout', {}).get('client', '1m') }}
41 timeout server {{ proxy.get('timeout', {}).get('server', '1m') }}
42 timeout check {{ proxy.get('timeout', {}).get('check', '10s') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]43
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]44{%- if proxy.listen.admin_page is defined and proxy.listen.admin_page.user is defined %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]45
46userlist STATSUSERS
47 group admin users admin
48 user {{ proxy.listen.admin_page.user }} insecure-password {{ proxy.listen.admin_page.password }}
49 user stats insecure-password {{ proxy.listen.admin_page.password }}
50{#
51{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
52{%- if listen.user is defined %}
53 user {{ listen.user }} insecure-password {{ listen.password }}
54{%- endif %}
55{%- endfor %}
56#}
57
58{%- endif %}
59
60{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
Filip Pytloun7dd858c2016-12-05 15:01:48 +0100[diff] [blame]61{%- if listen.get('enabled', True) %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]62{%- if listen.get('format', 'listen') == 'listen' %}
63
64listen {{ listen_name }}
65 {%- for bind in listen.binds %}
Filip Pytloun217805d2017-03-13 12:28:04 +0100[diff] [blame]66 bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}{% if bind.ssl.pem_file is defined %}ssl crt {{ bind.ssl.pem_file }}{% else %}crt /etc/haproxy/ssl/{{ listen_name }}{% endif %}{% endif %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]67 {%- endfor %}
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]68 {%- if listen.get('type', None) == 'http' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]69 mode http
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]70 balance {{ listen.get('balance', 'roundrobin') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]71 option httplog
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]72 {%- elif listen.get('type', None) == 'rabbitmq' %}
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]73 balance {{ listen.get('balance', 'roundrobin') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]74 mode tcp
75 option tcpka
Damian Szeluga8efcf2e2016-12-22 16:03:48 +0100[diff] [blame]76 timeout client 300s
77 timeout server 300s
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]78 {%- elif listen.get('type', None) == 'mysql' %}
Filip Pytloun34cfd562017-06-05 17:50:41 +0200[diff] [blame]79 balance {{ listen.get('balance', 'leastconn') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]80 mode tcp
81 option httpchk
82 option tcplog
83 option clitcpka
84 option srvtcpka
Damian Szeluga8efcf2e2016-12-22 16:03:48 +0100[diff] [blame]85 timeout client 300s
86 timeout server 300s
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]87 option mysql-check user haproxy
roote03c4bf2017-01-19 18:20:46 +0000[diff] [blame]88 {%- elif listen.get('type', None) == 'pgsql' %}
Filip Pytloun34cfd562017-06-05 17:50:41 +0200[diff] [blame]89 balance {{ listen.get('balance', 'leastconn') }}
roote03c4bf2017-01-19 18:20:46 +0000[diff] [blame]90 mode tcp
91 option httpchk
92 option tcplog
93 option clitcpka
94 option srvtcpka
95 timeout client 28801s
96 timeout server 28801s
97 option pgsql-check user postgres
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]98 {%- elif listen.get('type', None) == 'horizon' %}
Filip Pytloun34cfd562017-06-05 17:50:41 +0200[diff] [blame]99 balance {{ listen.get('balance', 'source') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]100 capture cookie vgnvisitor= len 32
101 cookie SERVERID insert indirect nocache
102 mode http
103 option forwardfor
104 option httpchk
105 option httpclose
106 option httplog
107 rspidel ^Set-cookie:\ IP=
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]108 {%- elif listen.get('type', None) == 'general-service' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]109 mode http
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]110 balance {{ listen.get('balance', 'roundrobin') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]111 option httplog
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]112 {%- elif listen.get('type', None) == 'openstack-service' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]113 option httpchk
114 option httplog
115 option httpclose
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]116 {%- elif listen.get('type', None) == 'heat' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]117 balance source
118 option tcpka
119 option httpchk
120 option tcplog
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]121 {%- elif listen.get('type', None) == 'contrail-config' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]122 mode http
123 stats enable
124 stats uri /
125 stats auth {{ listen.user }}:{{ listen.password }}
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]126 {%- elif listen.get('type', None) == 'contrail-api' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]127 option nolinger
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]128 balance {{ listen.get('balance', 'roundrobin') }}
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]129 {%- elif listen.get('type', None) == 'contrail-analytics' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]130 option nolinger
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]131 balance {{ listen.get('balance', 'roundrobin') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]132 option tcp-check
133 tcp-check connect port 6379
134 default-server error-limit 1 on-error mark-down
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]135 {%- elif listen.get('type', None) == 'stats' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]136 mode http
137 stats enable
138 stats uri /
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]139 {%- if listen.user is defined %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]140 stats auth {{ listen.user }}:{{ listen.password }}
141 {%- endif %}
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]142 {%- elif listen.get('type', None) == 'admin' %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]143 mode http
144 acl AuthOkay_ReadOnly http_auth(STATSUSERS)
145 acl AuthOkay_Admin http_auth_group(STATSUSERS) {{ listen.user }}
146 stats enable
147 stats refresh 60s
148 stats uri /
149 stats http-request auth realm admin_page unless AuthOkay_ReadOnly
150 stats admin if AuthOkay_Admin
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]151 {%- else %}
152 {# no type specified #}
153 mode {{ listen.mode|default('tcp') }}
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]154 balance {{ listen.balance|default('roundrobin') }}
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]155 {%- for ttype, timeout in listen.get('timeout', {}).iteritems() %}
156 timeout {{ ttype }} {{ timeout }}
157 {%- endfor %}
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]158 {%- for aclname, acl in listen.get('acl', {}).iteritems() %}
159 acl {{ aclname }} {{ acl }}
160 {%- endfor %}
161 {%- for http_request in listen.get('http_request', []) %}
162 http-request {{ http_request.action }}{% if http_request.condition is defined %} {{ http_request.condition }}{% endif %}
163 {%- endfor %}
Filip Pytlounf93ef1c2016-08-31 17:46:16 +0200[diff] [blame]164 {%- for http_response in listen.get('http_response', []) %}
165 http-response {{ http_response.action }}{% if http_response.condition is defined %} {{ http_response.condition }}{% endif %}
166 {%- endfor %}
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]167 {%- for option in listen.get('options', []) %}
168 option {{ option }}
169 {%- endfor %}
Guillaume Thouvenin3adff8c2017-02-21 14:29:07 +0100[diff] [blame]170 {%- for type, checks in listen.get('health-check', {}).iteritems() %}
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]171 {%- if checks.get('enabled', True) %}
Volodymyr Stoiko5f022652017-06-21 18:53:26 +0300[diff] [blame^]172 {%- if type == 'http' and 'httpchk' not in listen.get('options', [])|join('|') %}
Filip Pytloune63bc4e2017-04-12 12:03:26 +0200[diff] [blame]173 option httpchk
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]174 {%- endif %}
Volodymyr Stoiko5f022652017-06-21 18:53:26 +0300[diff] [blame^]175 {%- if type == 'tcp' and 'tcp-check' not in listen.get('options', [])|join('|') %}
Simon Pasquier3632e2b2017-06-16 12:00:10 +0200[diff] [blame]176 option tcp-check
177 {%- endif %}
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]178 {%- for option in checks.get('options', []) %}
179 {{ type }}-check {{ option }}
180 {%- endfor %}
181 {%- endif %}
182 {%- endfor %}
Jakub Pavlikc9f84c42016-12-10 16:16:08 +0100[diff] [blame]183 {%- for stick in listen.get('sticks', []) %}
184 {{ stick }}
185 {%- endfor %}
Filip Pytloun161572b2016-08-26 10:28:29 +0200[diff] [blame]186 {%- for reqadd in listen.get('reqadd', []) %}
Filip Pytloune9e246f2016-08-26 09:44:51 +0200[diff] [blame]187 reqadd {{ reqadd }}
188 {%- endfor %}
Filip Pytloun161572b2016-08-26 10:28:29 +0200[diff] [blame]189 {%- for reqirep in listen.get('reqirep', []) %}
Filip Pytloune9e246f2016-08-26 09:44:51 +0200[diff] [blame]190 reqirep {{ reqirep }}
191 {%- endfor %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]192 {%- endif %}
193 {%- for server in listen.get('servers', []) %}
194 server {{ server.name }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
195 {%- endfor %}
196{%- endif %}
Filip Pytloun7dd858c2016-12-05 15:01:48 +0100[diff] [blame]197{%- endif %}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]198{%- endfor %}
199
200{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
201{%- if listen.get('format', 'listen') == 'end' %}
202
203frontend {{ listen_name }} {{ listen.binds[0].address }}:{{ listen.binds[0].port }}
204 {%- for acl in listen.get('acls', []) %}
205 {%- for condition in acl.get('conditions', []) %}
206 acl {{ acl.name }} {{ condition.type }} {{ condition.condition }}
207 {%- endfor %}
208 use_backend {{ acl.name }}-backend if {{ acl.name }}
209 {%- endfor %}
210 default_backend {{ listen_name }}-backend
211
212backend {{ listen_name }}-backend
Filip Pytloun70473662016-08-25 17:08:20 +0200[diff] [blame]213 {%- if listen.get('type', None) == 'http' %}
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]214 balance {{ listen.get('balance', 'roundrobin') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]215 {%- endif %}
216 {%- for server in listen.get('servers', []) %}
217 server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
218 {%- endfor %}
219{%- for acl in listen.get('acls', []) %}
220
221backend {{ acl.name }}-backend
Petr Michalec7ed1fb92017-05-02 15:04:41 +0200[diff] [blame]222 balance {{ acl.get('balance', 'roundrobin') }}
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]223 {%- for server in acl.get('servers', []) %}
224 server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
225 {%- endfor %}
226{%- endfor %}
227{%- endif %}
228{%- endfor %}