haproxy/files/haproxy.cfg

{%- from "haproxy/map.jinja" import proxy with context -%}

global
  log /dev/log  local0
  log /dev/log  local1 notice
  chroot /var/lib/haproxy
  stats  socket {{ proxy.stats_socket }} mode 660 level admin
  stats timeout 30s
  user  haproxy
  group haproxy
  daemon
  pidfile  /var/run/haproxy.pid
  spread-checks 4
  tune.maxrewrite 1024
  tune.bufsize 32768
  maxconn  16000
  {%- if salt['pkg.version']('haproxy')[:3] >= '1.6' %}
  # SSL options
  ca-base /etc/haproxy/ssl
  crt-base /etc/haproxy/ssl
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-default-bind-options no-sslv3 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-default-server-options no-sslv3 no-tls-tickets
  {%- endif %}

defaults
  log  global
  mode http

  maxconn {{ proxy.maxconn|default(8000) }}
  option  redispatch
  retries  {{ proxy.retries|default(3) }}
  stats  enable

  timeout http-request {{ proxy.get('timeout', {}).get('http-request','10s') }}
  timeout queue {{ proxy.get('timeout', {}).get('queue', '1m') }}
  timeout connect {{ proxy.get('timeout', {}).get('connect', '10s') }}
  timeout client {{ proxy.get('timeout', {}).get('client', '1m') }}
  timeout server {{ proxy.get('timeout', {}).get('server', '1m') }}
  timeout check {{ proxy.get('timeout', {}).get('check', '10s') }}

{%- if proxy.listen.admin_page is defined and proxy.listen.admin_page.user is defined %}

userlist STATSUSERS
  group admin users admin
  user {{ proxy.listen.admin_page.user }} insecure-password {{ proxy.listen.admin_page.password }}
  user stats insecure-password {{ proxy.listen.admin_page.password }}
{#
{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
{%- if listen.user is defined %}
  user {{ listen.user }} insecure-password {{ listen.password }}
{%- endif %}
{%- endfor %}
#}

{%- endif %}

{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
{%- if listen.get('format', 'listen') == 'listen' %}

listen {{ listen_name }}
  {%- for bind in listen.binds %}
  bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}ssl crt {{ bind.ssl.pem_file }}{% endif %}
  {%- endfor %}
  {%- if listen.get('type', None) == 'http' %}
  mode http
  balance  roundrobin
  option  httplog
  {%- elif listen.get('type', None) == 'rabbitmq' %}
  balance roundrobin
  mode tcp
  option tcpka
  timeout client 48h
  timeout server 48h
  {%- elif listen.get('type', None) == 'mysql' %}
  balance leastconn
  mode tcp
  option httpchk
  option tcplog
  option clitcpka
  option srvtcpka
  timeout client  28801s
  timeout server  28801s
  option mysql-check user haproxy
  {%- elif listen.get('type', None) == 'horizon' %}
  balance  source
  capture  cookie vgnvisitor= len 32
  cookie  SERVERID insert indirect nocache
  mode http
  option forwardfor
  option httpchk
  option httpclose
  option httplog
  rspidel ^Set-cookie:\ IP=
  {%- elif listen.get('type', None) == 'general-service' %}
  mode http
  balance  roundrobin
  option  httplog
  {%- elif listen.get('type', None) == 'openstack-service' %}
  option  httpchk
  option  httplog
  option  httpclose
  {%- elif listen.get('type', None) == 'heat' %}
  balance  source
  option tcpka
  option httpchk
  option tcplog
  {%- elif listen.get('type', None) == 'contrail-config' %}
  mode http
  stats enable
  stats uri /
  stats auth {{ listen.user }}:{{ listen.password }}
  {%- elif listen.get('type', None) == 'contrail-api' %}
  option nolinger
  balance roundrobin
  {%- elif listen.get('type', None) == 'contrail-analytics' %}
  option nolinger
  balance roundrobin
  option tcp-check
  tcp-check connect port 6379
  default-server error-limit 1 on-error mark-down
  {%- elif listen.get('type', None) == 'stats' %}
  mode http
  stats enable
  stats uri /
  {%- if listen.user is defined %}
  stats auth {{ listen.user }}:{{ listen.password }}
  {%- endif %}
  {%- elif listen.get('type', None) == 'admin' %}
  mode  http
  acl  AuthOkay_ReadOnly http_auth(STATSUSERS)
  acl  AuthOkay_Admin http_auth_group(STATSUSERS) {{ listen.user }}
  stats  enable
  stats  refresh 60s
  stats  uri /
  stats  http-request auth realm admin_page unless AuthOkay_ReadOnly
  stats  admin if AuthOkay_Admin
  {%- else %}
  {# no type specified #}
  mode {{ listen.mode|default('tcp') }}
  balance {{ listen.balance|default('roundrobin') }}
  {%- for ttype, timeout in listen.get('timeout', {}).iteritems() %}
  timeout {{ ttype }} {{ timeout }}
  {%- endfor %}
  {%- for aclname, acl in listen.get('acl', {}).iteritems() %}
  acl {{ aclname }} {{ acl }}
  {%- endfor %}
  {%- for http_request in listen.get('http_request', []) %}
  http-request {{ http_request.action }}{% if http_request.condition is defined %} {{ http_request.condition }}{% endif %}
  {%- endfor %}
  {%- for http_response in listen.get('http_response', []) %}
  http-response {{ http_response.action }}{% if http_response.condition is defined %} {{ http_response.condition }}{% endif %}
  {%- endfor %}
  {%- for option in listen.get('options', []) %}
  option {{ option }}
  {%- endfor %}
  {%- for reqadd in listen.get('reqadd', []) %}
  reqadd {{ reqadd }}
  {%- endfor %}
  {%- for reqirep in listen.get('reqirep', []) %}
  reqirep {{ reqirep }}
  {%- endfor %}
  {%- endif %}
  {%- for server in listen.get('servers', []) %}
  server {{ server.name }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
  {%- endfor %}
{%- endif %}
{%- endfor %}

{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
{%- if listen.get('format', 'listen') == 'end' %}

frontend  {{ listen_name }} {{ listen.binds[0].address }}:{{ listen.binds[0].port }}
  {%- for acl in listen.get('acls', []) %}
  {%- for condition in acl.get('conditions', []) %}
  acl {{ acl.name }} {{ condition.type }} {{ condition.condition }}
  {%- endfor %}
  use_backend {{ acl.name }}-backend   if {{ acl.name }}
  {%- endfor %}
  default_backend {{ listen_name }}-backend

backend {{ listen_name }}-backend
  {%- if listen.get('type', None) == 'http' %}
  balance roundrobin
  {%- endif %}
  {%- for server in listen.get('servers', []) %}
  server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
  {%- endfor %}
{%- for acl in listen.get('acls', []) %}

backend {{ acl.name }}-backend
  balance     roundrobin
  {%- for server in acl.get('servers', []) %}
  server {{ server.get('name', server.host) }} {{ server.host }}:{{ server.port }} {{ server.get('params', '') }}
  {%- endfor %}
{%- endfor %}
{%- endif %}
{%- endfor %}