Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / haproxy / ff29026efdb429b007823aa2dd149356f87a827d / . / README.rst
blob: 6fd2aa239928eba9d3db3db494fd1d530f64af14 [file] [log] [blame]
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame]1=====
2Usage
3=====
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]4
Ildar Svetlov77636142017-09-28 16:42:16 +0400[diff] [blame]5The Reliable, High Performance TCP/HTTP Load Balancer.
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]6
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]7Sample pillars
8==============
9
10Simple admin listener
11
12.. code-block:: yaml
13
14 haproxy:
15 proxy:
16 enabled: True
17 listen:
18 admin_page:
19 type: admin
20 binds:
21 - address: 0.0.0.0
22 port: 8801
23 user: fsdfdsfds
24 password: dsfdsf
25
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]26Simple stats listener
27
28.. code-block:: yaml
29
30 haproxy:
31 proxy:
32 enabled: True
33 listen:
34 admin_page:
35 type: stats
36 binds:
37 - address: 0.0.0.0
38 port: 8801
39
40
41
42Sample pillar with admin
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]43
44.. code-block:: yaml
45
46 haproxy:
47 proxy:
48 enabled: True
49 mode: http/tcp
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]50 logging: syslog
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]51 maxconn: 1024
52 timeout:
53 connect: 5000
54 client: 50000
55 server: 50000
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]56 listen:
57 https-in:
58 binds:
59 - address: 0.0.0.0
60 port: 443
61 servers:
62 - name: server1
63 host: 10.0.0.1
64 port: 8443
65 - name: server2
66 host: 10.0.0.2
67 port: 8443
68 params: 'maxconn 256'
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]69
Jiri Konecny371c6de2016-03-02 11:32:46 +0100[diff] [blame]70
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]71Sample pillar with custom logging
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]72
73.. code-block:: yaml
74
75 haproxy:
76 proxy:
77 enabled: True
78 mode: http/tcp
79 logging: syslog
Filip Pytloun98f7a4f2016-09-19 14:07:24 +0200[diff] [blame]80 maxconn: 1024
81 timeout:
82 connect: 5000
83 client: 50000
84 server: 50000
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]85 listen:
86 https-in:
87 binds:
88 address: 0.0.0.0
89 port: 443
90 servers:
91 - name: server1
92 host: 10.0.0.1
93 port: 8443
94 - name: server2
95 host: 10.0.0.2
96 port: 8443
97 params: 'maxconn 256'
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]98
99.. code-block:: yaml
100
101 haproxy:
102 proxy:
103 enabled: true
104 mode: tcp
105 logging: syslog
106 max_connections: 1024
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]107 listen:
108 mysql:
109 type: mysql
110 binds:
111 - address: 10.0.88.70
112 port: 3306
113 servers:
114 - name: node1
115 host: 10.0.88.13
116 port: 3306
117 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
118 - name: node2
119 host: 10.0.88.14
120 port: 3306
121 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
122 - name: node3
123 host: 10.0.88.15
124 port: 3306
125 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
126 rabbitmq:
127 type: rabbitmq
128 binds:
129 - address: 10.0.88.70
130 port: 5672
131 servers:
132 - name: node1
133 host: 10.0.88.13
134 port: 5673
135 params: check inter 5000 rise 2 fall 3
136 - name: node2
137 host: 10.0.88.14
138 port: 5673
139 params: check inter 5000 rise 2 fall 3 backup
140 - name: node3
141 host: 10.0.88.15
142 port: 5673
143 params: check inter 5000 rise 2 fall 3 backup
144 keystone-1:
145 type: general-service
146 binds:
147 - address: 10.0.106.170
148 port: 5000
149 servers:
150 - name: node1
151 host: 10.0.88.13
152 port: 5000
153 params: check
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]154
155.. code-block:: yaml
156
157 haproxy:
158 proxy:
159 enabled: true
160 mode: tcp
161 logging: syslog
162 max_connections: 1024
Brian McQueen306a5ca2017-12-09 17:30:32 -0800[diff] [blame]163 listen:
164 mysql:
165 type: mysql
166 binds:
167 - address: 10.0.88.70
168 port: 3306
169 servers:
170 - name: node1
171 host: 10.0.88.13
172 port: 3306
173 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
174 - name: node2
175 host: 10.0.88.14
176 port: 3306
177 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
178 - name: node3
179 host: 10.0.88.15
180 port: 3306
181 params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
182 rabbitmq:
183 type: rabbitmq
184 binds:
185 - address: 10.0.88.70
186 port: 5672
187 servers:
188 - name: node1
189 host: 10.0.88.13
190 port: 5673
191 params: check inter 5000 rise 2 fall 3
192 - name: node2
193 host: 10.0.88.14
194 port: 5673
195 params: check inter 5000 rise 2 fall 3 backup
196 - name: node3
197 host: 10.0.88.15
198 port: 5673
199 params: check inter 5000 rise 2 fall 3 backup
200 keystone-1:
201 type: general-service
202 binds:
203 - address: 10.0.106.170
204 port: 5000
205 servers:
206 - name: node1
207 host: 10.0.88.13
208 port: 5000
209 params: check
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]210
Petr Jedinýc1461642018-04-17 17:21:28 +0200[diff] [blame]211Sample pillar with port range and port offset
212
213This is usefull in listen blocks for definition of multiple servers
214that differs only by port number in port range block. This situation
215can be result of multiple single-thread servers deployed in multi-core
216environment to better utilize the available cores.
217
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame]218For example, five contrail-api workers occupy ports ``9100-9104``.
Petr Jedinýc1461642018-04-17 17:21:28 +0200[diff] [blame]219This can be achieved by using ``port_range_length`` in the pillar,
220``port_range_length: 5`` in this case.
221For skipping first worker (``worker_id 0``), because it has other
222responsibilities and to avoid overloading it by http requests
223use the ``port_range_start_offset`` in the pillar,
224``port_range_start_offset: 1`` in this case, it will only use ports
2259101-9104 (skipping 9100).
226
227- ``port_range_length`` parameter is used to calculate port range end
228- ``port_range_start_offset`` will skip first n ports in port range
229
230For backward compatibility, the name of the first server in port range
231has no ``pN`` suffix.
232
233The following sample will result in
234
235.. code-block:: text
236
237 listen contrail_api
238 bind 172.16.10.252:8082
Petr Jedinýc1461642018-04-17 17:21:28 +0200[diff] [blame]239 balance leastconn
240 server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3
241 server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3
242 server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3
243 server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3
244 server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3
245 server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3
246 server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3
247 server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3
248 server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3
249 server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3
250 server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3
251 server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3
252 server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3
253 server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3
254
255.. code-block:: yaml
256
257 haproxy:
258 proxy:
259 listen:
260 contrail_api:
261 type: contrail-api
262 service_name: contrail
263 balance: leastconn
264 binds:
265 - address: 10.10.10.10
266 port: 8082
267 servers:
268 - name: ntw01
269 host: 10.10.10.11
270 port: 9100
271 port_range_length: 5
272 port_range_start_offset: 1
273 params: check inter 2000 rise 2 fall 3
274 - name: ntw02
275 host: 10.10.10.12
276 port: 9100
277 port_range_length: 5
278 port_range_start_offset: 0
279 params: check inter 2000 rise 2 fall 3
280 - name: ntw03
281 host: 10.10.10.13
282 port: 9100
283 port_range_length: 5
284 params: check inter 2000 rise 2 fall 3
285
286
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]287Custom more complex listener (for Artifactory and subdomains for docker
288registries)
289
290.. code-block:: yaml
291
292 haproxy:
293 proxy:
294 listen:
295 artifactory:
296 mode: http
297 options:
298 - forwardfor
299 - forwardfor header X-Real-IP
300 - httpchk
301 - httpclose
302 - httplog
Jakub Pavlikc9f84c42016-12-10 16:16:08 +0100[diff] [blame]303 sticks:
304 - stick on src
305 - stick-table type ip size 200k expire 2m
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]306 acl:
307 is_docker: "path_reg ^/v[12][/.]*"
308 http_request:
309 - action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]"
310 condition: "if is_docker"
311 balance: source
312 binds:
313 - address: ${_param:cluster_vip_address}
314 port: 8082
Filip Pytloun4201b382016-09-09 12:21:18 +0200[diff] [blame]315 ssl:
316 enabled: true
317 # This PEM file needs to contain key, cert, CA and possibly
318 # intermediate certificates
319 pem_file: /etc/haproxy/ssl/server.pem
Filip Pytloune1a6f062016-08-26 15:13:38 +0200[diff] [blame]320 servers:
321 - name: ${_param:cluster_node01_name}
322 host: ${_param:cluster_node01_address}
323 port: 8082
324 params: check
325 - name: ${_param:cluster_node02_name}
326 host: ${_param:cluster_node02_address}
327 port: 8082
328 params: backup check
329
Filip Pytlound95069e2017-03-10 16:12:03 +0100[diff] [blame]330It's also possible to use multiple certificates for one listener (eg. when
331it's bind on multiple interfaces):
332
333.. code-block:: yaml
334
335 haproxy:
336 proxy:
337 listen:
338 dummy_site:
339 mode: http
340 binds:
341 - address: 127.0.0.1
342 port: 8080
343 ssl:
344 enabled: true
345 key: |
346 my super secret key follows
347 cert: |
348 certificate
349 chain: |
350 CA chain (if any)
351 - address: 127.0.1.1
352 port: 8081
353 ssl:
354 enabled: true
355 key: |
356 my super secret key follows
357 cert: |
358 certificate
359 chain: |
360 CA chain (if any)
361
362Definition above will result in creation of ``/etc/haproxy/ssl/dummy_site``
363directory with files ``1-all.pem`` and ``2-all.pem`` (per binds).
364
Dzmitry Stremkouski9510dcf2018-10-25 17:48:20 +0200[diff] [blame]365Custom listener with http-check options specified
366
367.. code-block:: yaml
368
369 haproxy:
370 proxy:
371 enabled: true
372 forwardfor:
373 enabled: true
374 except: 127.0.0.1
375 header: X-Forwarded-For
376 if-none: false
377 listen:
378 glance_api:
379 binds:
380 - address: 192.168.2.11
381 port: 9292
382 ssl:
383 enabled: true
384 pem_file: /etc/haproxy/ssl/all.pem
385 http_request:
386 - action: set-header X-Forwarded-Proto https
387 mode: http
388 options:
389 - httpchk GET /
390 - httplog
391 - httpclose
392 servers:
393 - host: 127.0.0.1
394 name: ctl01
395 params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
396 port: 9292
397
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]398Custom listener with tcp-check options specified (for Redis cluster with Sentinel)
399
400.. code-block:: yaml
401
402 haproxy:
403 proxy:
404 listen:
405 redis_cluster:
406 service_name: redis
Guillaume Thouvenin3adff8c2017-02-21 14:29:07 +0100[diff] [blame]407 health-check:
Adam Tengler4cf961b2017-01-26 16:05:21 +0000[diff] [blame]408 tcp:
409 enabled: True
410 options:
411 - send PING\r\n
412 - expect string +PONG
413 - send info\ replication\r\n
414 - expect string role:master
415 - send QUIT\r\n
416 - expect string +OK
417 binds:
418 - address: ${_param:cluster_address}
419 port: 6379
420 servers:
421 - name: ${_param:cluster_node01_name}
422 host: ${_param:cluster_node01_address}
423 port: 6379
424 params: check inter 1s
425 - name: ${_param:cluster_node02_name}
426 host: ${_param:cluster_node02_address}
427 port: 6379
428 params: check inter 1s
429 - name: ${_param:cluster_node03_name}
430 host: ${_param:cluster_node03_address}
431 port: 6379
432 params: check inter 1s
433
Sergey Otpuschennikov3e831332017-08-01 13:31:03 +0400[diff] [blame]434Frontend for routing between exists listeners via URL with SSL an redirects.
435You can use one backend for several URLs.
436
437.. code-block:: yaml
438
439 haproxy:
440 proxy:
441 listen:
442 service_proxy:
443 mode: http
444 balance: source
445 format: end
446 binds:
447 - address: ${_param:haproxy_bind_address}
448 port: 80
449 ssl: ${_param:haproxy_frontend_ssl}
450 ssl_port: 443
451 redirects:
452 - code: 301
453 location: domain.com/images
454 conditions:
455 - type: hdr_dom(host)
456 condition: images.domain.com
457 acls:
458 - name: gerrit
459 conditions:
460 - type: hdr_dom(host)
461 condition: gerrit.domain.com
462 - name: jenkins
463 conditions:
464 - type: hdr_dom(host)
465 condition: jenkins.domain.com
466 - name: docker
467 backend: artifactroy
468 conditions:
469 - type: hdr_dom(host)
470 condition: docker.domain.com
471
Ildar Svetlov77636142017-09-28 16:42:16 +0400[diff] [blame]472Enable customisable ``forwardfor`` option in ``defaults`` section.
473
474.. code-block:: yaml
475
476 haproxy:
477 proxy:
478 enabled: true
479 mode: tcp
480 logging: syslog
481 max_connections: 1024
482 forwardfor:
483 enabled: true
484 except:
485 header:
486 if-none: false
487
488.. code-block:: yaml
489
490 haproxy:
491 proxy:
492 enabled: true
493 mode: tcp
494 logging: syslog
495 max_connections: 1024
496 forwardfor:
497 enabled: true
498 except: 127.0.0.1
499 header: X-Real-IP
500 if-none: false
501
stelucz01752fe2018-01-26 12:39:23 +0100[diff] [blame]502Sample pillar with multiprocess multicore configuration
503
504.. code-block:: yaml
505
506 haproxy:
507 proxy:
508 enabled: True
509 nbproc: 4
510 cpu_map:
511 1: 0
512 2: 1
513 3: 2
514 4: 3
515 stats_bind_process: "1 2"
516 mode: http/tcp
517 logging: syslog
518 maxconn: 1024
519 timeout:
520 connect: 5000
521 client: 50000
522 server: 50000
523 listen:
524 https-in:
525 bind_process: "1 2 3 4"
526 binds:
527 - address: 0.0.0.0
528 port: 443
529 servers:
530 - name: server1
531 host: 10.0.0.1
532 port: 8443
533 - name: server2
534 host: 10.0.0.2
535 port: 8443
536 params: 'maxconn 256'
537
Michel Nederlof14da7092018-03-12 22:46:36 +0100[diff] [blame]538Implement rate limiting, to prevent excessive requests
539This feature only works if using 'format: end'
540
541.. code-block:: yaml
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame]542
Michel Nederlof14da7092018-03-12 22:46:36 +0100[diff] [blame]543 haproxy:
544 proxy:
545 ...
546 listen:
547 nova_metadata_api:
548 ...
549 format: end
550 options:
551 - httpchk
552 - httpclose
553 - httplog
554 rate_limit:
555 duration: 900s
556 enabled: true
557 requests: 125
558 track: content
559 servers:
560 ...
561 type: http
562
Oleksii Grudevb53828d2018-11-07 12:14:40 +0200[diff] [blame]563Implement haproxy configuration without specifying certain type or with type='None'.
564This approach allows to set all major haproxy parameters manually.
565Sample pillar:
566
567.. code-block:: yaml
568
569 haproxy:
570 proxy:
571 listen:
572 manila_api:
573 type: None
574 mode: tcp
575 balance: roundrobin
576 timeout:
577 check: 10
578 client: 20
579 http_request:
580 - action: "add-header X-Forwarded-Proto https"
581 condition: "if { ssl_fc }"
582 options: ${_param:haproxy_https_check_options}
583 capture:
584 - cookie ASPSESSION len 32
585 - request header Host len 15
586 compression:
587 - algo gzip
588 - type text/html text/plain
589 declare_capture: request len 50
590 email_alert:
591 - myhostname myserver
592 - from server@localhost
593 - level warning
594 errorfile:
595 file_500:
596 code: 500
597 file: /tmp/error_500.log
598 file_404:
599 code: 400
600 file: /tmp/error_400.log
601 max_keep_alive_queue: 100
602 maxconn: 10000
603 reqadd:
604 - X-Proto:\ SSL if is-ssl
605 reqirep:
606 - ^Host:\ www.mydomain.com Host:\ www
607 modify_headers:
608 - reqallow ^Host:\ www\.
609 - reqdel ^Host:\ .*\.local
610 - reqdeny ^Host:\ .*\.local
611 - reqiallow ^Host:\ www\.
612 - reqidel ^Host:\ .*\.local
613 - reqideny ^Host:\ .*\.local
614 - reqipass ^Host:\ .*\.local
615 - reqpass ^Host:\ .*\.local
616 - reqitarpit ^Host:\ .*\.local
617 - reqtarpit ^Host:\ .*\.local
618 retries: 10
619 stats:
620 - enable
621 - auth admin1:AdMiN123
622 rate_limit_sessions: 1000
623
Oleksandr Bryndzii57aa7b42018-12-11 11:48:23 +0000[diff] [blame]624Implement rate limiting, to prevent excessive requests
625using 'format: listen'
626
627.. code-block:: yaml
628
629 haproxy:
630 proxy:
631 ...
632 listen:
633 nova_metadata_api:
634 ...
635 rate_limit:
636 duration: 3s
637 enabled: true
638 requests: 60
639 track: connection
640 servers:
641 ...
Oleksandr Bryndziiff290262019-01-18 13:06:35 +0000[diff] [blame^]642Implement rate limiting, to prevent excessive requests
643using 'format: listen' and acls/request/backend stick list
644
645.. code-block:: yaml
646
647 haproxy:
648 proxy:
649 listen:
650 nova_metadata_api:
651 options:
652 - httplog
653 rate_limit:
654 enabled: true
655 type: string
656 len: 36
657 size: 10m
658 duration: 60s
659 acls:
660 101:
661 enabled: true
662 value: acl too_many_requests_3 sc0_gpc0_rate() gt 3
663 102:
664 enabled: true
665 value: acl mark_seen sc0_inc_gpc0 gt 0
666 110:
667 enabled: true
668 value: acl x_instance_id hdr(x-instance-id) -i 4777e8e0-16e8-46ce-a3fe-0a1ad9b3ebdc
669 111:
670 enabled: true
671 value: acl x_instance_id hdr(x-instance-id) -i ca2395dd-f73f-4d43-8fe7-f7078a0920af
672 201:
673 enabled: true
674 value: acl too_many_requests_6 sc0_gpc0_rate() gt 6
675 202:
676 enabled: true
677 value: acl mark_seen sc0_inc_gpc0 gt 0
678 210:
679 enabled: true
680 value: acl x_tenant_id hdr(x-tenant-id) -i 2b76cc56a437404bb8cb6cb20dbb0ea4
681 tcp_request:
682 001:
683 enabled: true
684 value: tcp-request inspect-delay 5s
685 101:
686 enabled: true
687 value: tcp-request content track-sc0 hdr(x-instance-id) if ! too_many_requests_3
688 201:
689 enabled: true
690 value: tcp-request content track-sc0 hdr(x-tenant-id) if ! too_many_requests_6
691 use_backend:
692 101:
693 enabled: true
694 value: use_backend nova_metadata_api-rate_limit if mark_seen too_many_requests_3 x_instance_id
695 201:
696 enabled: true
697 value: use_backend nova_metadata_api-rate_limit if mark_seen too_many_requests_6 x_tenant_id
Oleksandr Bryndzii57aa7b42018-12-11 11:48:23 +0000[diff] [blame]698
699
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]700Read more
701=========
702
703* https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300[diff] [blame]704* http://www.nineproductions.com/saltstack-ossec-state-using-reactor/
705* https://gist.github.com/tomeduarte/6340205 - example on how to use peer
706 from within a config file (using jinja)
707* http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview
708 of peer vs mine
Filip Pytloun48d38302015-10-06 16:28:31 +0200[diff] [blame]709* https://github.com/russki/cluster-agents