=======
HAproxy
=======

The Reliable, High Performance TCP/HTTP Load Balancer.


Sample pillars
==============

Simple admin listener

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        listen:
          admin_page:
            type: admin
            binds:
            - address: 0.0.0.0
              port: 8801
            user: fsdfdsfds
            password: dsfdsf

Simple stats listener

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        listen:
          admin_page:
            type: stats
            binds:
            - address: 0.0.0.0
              port: 8801

Sample pillar with admin

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        mode: http/tcp
        logging: syslog
        maxconn: 1024
        timeout:
          connect: 5000
          client: 50000
          server: 50000
        listen:
          https-in:
            binds:
            - address: 0.0.0.0
              port: 443
            servers:
            - name: server1
              host: 10.0.0.1
              port: 8443
            - name: server2
              host: 10.0.0.2
              port: 8443
              params: 'maxconn 256'

Sample pillar with custom logging

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        mode: http/tcp
        logging: syslog
        maxconn: 1024
        timeout:
          connect: 5000
          client: 50000
          server: 50000
        listen:
          https-in:
            binds:
            - address: 0.0.0.0
              port: 443
            servers:
            - name: server1
              host: 10.0.0.1
              port: 8443
            - name: server2
              host: 10.0.0.2
              port: 8443
              params: 'maxconn 256'

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: true
        mode: tcp
        logging: syslog
        max_connections: 1024
        listen:
          mysql:
            type: mysql
            binds:
            - address: 10.0.88.70
              port: 3306
            servers:
            - name: node1
              host: 10.0.88.13
              port: 3306
              params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
            - name: node2
              host: 10.0.88.14
              port: 3306
              params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
            - name: node3
              host: 10.0.88.15
              port: 3306
              params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
          rabbitmq:
            type: rabbitmq
            binds:
            - address: 10.0.88.70
              port: 5672
            servers:
            - name: node1
              host: 10.0.88.13
              port: 5673
              params: check inter 5000 rise 2 fall 3
            - name: node2
              host: 10.0.88.14
              port: 5673
              params: check inter 5000 rise 2 fall 3 backup
            - name: node3
              host: 10.0.88.15
              port: 5673
              params: check inter 5000 rise 2 fall 3 backup
          keystone-1:
            type: general-service
            binds:
            - address: 10.0.106.170
              port: 5000
            servers:
            - name: node1
              host: 10.0.88.13
              port: 5000
              params: check

Sample pillar with port range and port offset

This is useful in listen blocks that define multiple servers which
differ only by port number within a port range. This situation
can result from multiple single-threaded servers deployed in a multi-core
environment to better utilize the available cores.

For example, five contrail-api workers occupy ports ``9100-9104``.
This can be achieved by using ``port_range_length`` in the pillar,
``port_range_length: 5`` in this case.
To skip the first worker (``worker_id 0``), because it has other
responsibilities and should not be overloaded by HTTP requests,
use ``port_range_start_offset`` in the pillar,
``port_range_start_offset: 1`` in this case; only ports
``9101-9104`` will be used (skipping ``9100``).

- ``port_range_length`` parameter is used to calculate the port range end
- ``port_range_start_offset`` will skip the first n ports in the port range

For backward compatibility, the name of the first server in the port range
has no ``pN`` suffix.

The sample pillar below will result in:

.. code-block:: text

    listen contrail_api
      bind 172.16.10.252:8082
      option nolinger
      balance leastconn
      server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3
      server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3
      server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3
      server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3
      server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3
      server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3
      server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3
      server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3
      server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3
      server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3
      server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3
      server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3
      server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3
      server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          contrail_api:
            type: contrail-api
            service_name: contrail
            balance: leastconn
            binds:
            - address: 10.10.10.10
              port: 8082
            servers:
            - name: ntw01
              host: 10.10.10.11
              port: 9100
              port_range_length: 5
              port_range_start_offset: 1
              params: check inter 2000 rise 2 fall 3
            - name: ntw02
              host: 10.10.10.12
              port: 9100
              port_range_length: 5
              port_range_start_offset: 0
              params: check inter 2000 rise 2 fall 3
            - name: ntw03
              host: 10.10.10.13
              port: 9100
              port_range_length: 5
              params: check inter 2000 rise 2 fall 3

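The port range expansion described in this section, as an added Python example that is not part of the formula. The function name ``expand_servers``, the sanity checks and the constructed sample input are assumptions of this example; the naming rule is inferred from the rendered output shown above.

```python
def expand_servers(servers):
    """Expand pillar server entries into haproxy ``server`` lines.

    Rule inferred from the rendered output above (an assumption, not the
    formula's template): base port P, length L and offset O give ports
    P+O .. P+L-1; the entry on P keeps the plain name, others get ``pN``.
    """
    lines = []
    for srv in servers:
        name, base = srv["name"], int(srv["port"])
        length = int(srv.get("port_range_length", 1))
        offset = int(srv.get("port_range_start_offset", 0))
        # Sanity checks added for this example: an offset outside the range
        # would silently leave the host with no server lines at all.
        if length < 1 or not 0 <= offset < length:
            raise ValueError(f"{name}: offset {offset} not within length {length}")
        if not 1 <= base <= 65535 - (length - 1):
            raise ValueError(f"{name}: port range exceeds 65535")
        for n in range(offset, length):
            # Backward compatibility: no suffix for the first port in the range.
            server_name = name if n == 0 else f"{name}p{n}"
            line = f"server {server_name} {srv['host']}:{base + n}"
            if srv.get("params"):
                line += f" {srv['params']}"
            lines.append(line)
    return lines


# Constructed input mirroring the ``servers`` list of the sample pillar.
PARAMS = "check inter 2000 rise 2 fall 3"
SAMPLE_SERVERS = [
    {"name": "ntw01", "host": "10.10.10.11", "port": 9100,
     "port_range_length": 5, "port_range_start_offset": 1, "params": PARAMS},
    {"name": "ntw02", "host": "10.10.10.12", "port": 9100,
     "port_range_length": 5, "port_range_start_offset": 0, "params": PARAMS},
    {"name": "ntw03", "host": "10.10.10.13", "port": 9100,
     "port_range_length": 5, "params": PARAMS},
]

if __name__ == "__main__":
    for rendered in expand_servers(SAMPLE_SERVERS):
        print(rendered)
```
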
Custom more complex listener (for Artifactory and subdomains for docker
registries)

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          artifactory:
            mode: http
            options:
            - forwardfor
            - forwardfor header X-Real-IP
            - httpchk
            - httpclose
            - httplog
            sticks:
            - stick on src
            - stick-table type ip size 200k expire 2m
            acl:
              is_docker: "path_reg ^/v[12][/.]*"
            http_request:
            - action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]"
              condition: "if is_docker"
            balance: source
            binds:
            - address: ${_param:cluster_vip_address}
              port: 8082
              ssl:
                enabled: true
                # This PEM file needs to contain key, cert, CA and possibly
                # intermediate certificates
                pem_file: /etc/haproxy/ssl/server.pem
            servers:
            - name: ${_param:cluster_node01_name}
              host: ${_param:cluster_node01_address}
              port: 8082
              params: check
            - name: ${_param:cluster_node02_name}
              host: ${_param:cluster_node02_address}
              port: 8082
              params: backup check

It's also possible to use multiple certificates for one listener (e.g. when
it is bound to multiple interfaces):

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          dummy_site:
            mode: http
            binds:
            - address: 127.0.0.1
              port: 8080
              ssl:
                enabled: true
                key: |
                  my super secret key follows
                cert: |
                  certificate
                chain: |
                  CA chain (if any)
            - address: 127.0.1.1
              port: 8081
              ssl:
                enabled: true
                key: |
                  my super secret key follows
                cert: |
                  certificate
                chain: |
                  CA chain (if any)

The definition above will result in the creation of the
``/etc/haproxy/ssl/dummy_site`` directory with files ``1-all.pem`` and
``2-all.pem`` (one per bind).

Custom listener with tcp-check options specified (for Redis cluster with Sentinel)

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          redis_cluster:
            service_name: redis
            health-check:
              tcp:
                enabled: True
                options:
                - send PING\r\n
                - expect string +PONG
                - send info\ replication\r\n
                - expect string role:master
                - send QUIT\r\n
                - expect string +OK
            binds:
            - address: ${_param:cluster_address}
              port: 6379
            servers:
            - name: ${_param:cluster_node01_name}
              host: ${_param:cluster_node01_address}
              port: 6379
              params: check inter 1s
            - name: ${_param:cluster_node02_name}
              host: ${_param:cluster_node02_address}
              port: 6379
              params: check inter 1s
            - name: ${_param:cluster_node03_name}
              host: ${_param:cluster_node03_address}
              port: 6379
              params: check inter 1s

Frontend for routing between existing listeners via URL, with SSL and redirects.
You can use one backend for several URLs.

.. code-block:: yaml

    haproxy:
      proxy:
        listen:
          service_proxy:
            mode: http
            balance: source
            format: end
            binds:
            - address: ${_param:haproxy_bind_address}
              port: 80
              ssl: ${_param:haproxy_frontend_ssl}
              ssl_port: 443
            redirects:
            - code: 301
              location: domain.com/images
              conditions:
              - type: hdr_dom(host)
                condition: images.domain.com
            acls:
            - name: gerrit
              conditions:
              - type: hdr_dom(host)
                condition: gerrit.domain.com
            - name: jenkins
              conditions:
              - type: hdr_dom(host)
                condition: jenkins.domain.com
            - name: docker
              backend: artifactory
              conditions:
              - type: hdr_dom(host)
                condition: docker.domain.com

Enable customisable ``forwardfor`` option in ``defaults`` section.

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: true
        mode: tcp
        logging: syslog
        max_connections: 1024
        forwardfor:
          enabled: true
          except:
          header:
          if-none: false

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: true
        mode: tcp
        logging: syslog
        max_connections: 1024
        forwardfor:
          enabled: true
          except: 127.0.0.1
          header: X-Real-IP
          if-none: false

Sample pillar with multiprocess multicore configuration

.. code-block:: yaml

    haproxy:
      proxy:
        enabled: True
        nbproc: 4
        cpu_map:
          1: 0
          2: 1
          3: 2
          4: 3
        stats_bind_process: "1 2"
        mode: http/tcp
        logging: syslog
        maxconn: 1024
        timeout:
          connect: 5000
          client: 50000
          server: 50000
        listen:
          https-in:
            bind_process: "1 2 3 4"
            binds:
            - address: 0.0.0.0
              port: 443
            servers:
            - name: server1
              host: 10.0.0.1
              port: 8443
            - name: server2
              host: 10.0.0.2
              port: 8443
              params: 'maxconn 256'

Implement rate limiting to prevent excessive requests.
This feature only works when using ``format: end``.

.. code-block:: yaml

    haproxy:
      proxy:
        ...
        listen:
          nova_metadata_api:
            ...
            format: end
            options:
            - httpchk
            - httpclose
            - httplog
            rate_limit:
              duration: 900s
              enabled: true
              requests: 125
              track: content
            servers:
              ...
            type: http

Read more
=========

* https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy
* http://www.nineproductions.com/saltstack-ossec-state-using-reactor/ - example reactor usage.
* https://gist.github.com/tomeduarte/6340205 - example on how to use peer from within a config file (using jinja)
* http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview of peer vs mine
* https://github.com/russki/cluster-agents

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-haproxy/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific
formula.

    https://github.com/salt-formulas/salt-formula-haproxy

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net