From 294ed8fee5e670ce176b657fe8fb57f18ec1afbc Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 20 May 2015 14:26:47 +0200 Subject: [PATCH 01/28] Initial skeleton --- .gitignore | 29 +++++++++++++++++++++++++ .travis.yml | 40 ++++++++++++++++++++++++++++++++++ README.md | 38 ++++++++++++++++++++++++++++++++ Vagrantfile | 55 +++++++++++++++++++++++++++++++++++++++++++++++ defaults/main.yml | 3 +++ files/empty | 0 handlers/main.yml | 2 ++ meta/main.yml | 18 ++++++++++++++++ tasks/main.yml | 23 ++++++++++++++++++++ templates/empty | 0 tests/inventory | 1 + tests/test.yml | 6 ++++++ tests/vagrant.yml | 7 ++++++ vars/main.yml | 4 ++++ 14 files changed, 226 insertions(+) create mode 100644 .gitignore create mode 100644 .travis.yml create mode 100644 README.md create mode 100644 Vagrantfile create mode 100644 defaults/main.yml create mode 100644 files/empty create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/empty create mode 100644 tests/inventory create mode 100644 tests/test.yml create mode 100644 tests/vagrant.yml create mode 100644 vars/main.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..95cb42bf --- /dev/null +++ b/.gitignore @@ -0,0 +1,29 @@ +# OS generated files # +###################### +.DS_Store +.DS_Store? +._* +.Spotlight-V100 +.Trashes +Icon? +ehthumbs.db +Thumbs.db + +# IDE files # +################# +/.settings +/.buildpath +/.project +/nbproject +*.komodoproject +*.kpf +/.idea + +# Vagrant files # +.vagrant/ +vagrant_ansible_inventory_* +ansible.cfg + +# Other files # +############### +!empty diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 00000000..43d65e28 --- /dev/null +++ b/.travis.yml 
@@ -0,0 +1,40 @@ +--- +language: python +python: "2.7" + +env: + - ANSIBLE_VERSION=1.4 + - ANSIBLE_VERSION=1.5 + - ANSIBLE_VERSION=1.6 + - ANSIBLE_VERSION=1.7 + - ANSIBLE_VERSION=1.8 + +before_install: + - sudo apt-get update -qq + + # Remove haproxy + - sudo apt-get remove --purge haproxy + +install: + # Install Ansible. + - pip install ansible==$ANSIBLE_VERSION + + # Add ansible.cfg to pick up roles path. + - printf "[defaults]\nroles_path = ../" > ansible.cfg + +script: + # Check the role/playbook's syntax. + - ansible-playbook -i tests/inventory tests/test.yml --syntax-check + + # Run the role/playbook with ansible-playbook. + - ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -vvvv + + # Run the role/playbook again, checking to make sure it's idempotent. + - > + ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + +notifications: + email: false diff --git a/README.md b/README.md new file mode 100644 index 00000000..be36ea3f --- /dev/null +++ b/README.md @@ -0,0 +1,38 @@ +## haproxy + +[![Build Status](https://travis-ci.org/Oefenweb/ansible-haproxy.svg?branch=master)](https://travis-ci.org/Oefenweb/ansible-haproxy) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-haproxy-blue.svg)](https://galaxy.ansible.com/list#/roles/3856) + +Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu systems. + +#### Requirements + +* `python-apt` + +#### Variables + +* `haproxy_install`: [default: `[]`]: Additional packages to install + +## Dependencies + +None + +#### Example + +```yaml +--- +- hosts: all + roles: + - haproxy +``` + +#### License + +MIT + +#### Author Information + +Mischa ter Smitten + +#### Feedback, bug-reports, requests, ... + +Are [welcome](https://github.com/Oefenweb/ansible-haproxy/issues)! 
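Review bot: `sudo apt-get remove --purge haproxy` under `before_install` carries no `-y`, so if apt ever has to remove additional packages it will prompt and the non-interactive build aborts; `sudo apt-get remove --purge -y haproxy` keeps the step deterministic. The idempotence step greps the recap for `changed=0.*failed=0`, but the role's install tasks in this same patch use `state: latest`, so a PPA build published between the two back-to-back runs would fail the build for reasons unrelated to the role; a comment on that line (`# state=latest tasks can report changed=1 here if the PPA publishes an upgrade mid-build`) records the known flake.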
diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 00000000..ac62ad4d --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,55 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby ts=2 sw=2 tw=0 et : + +role = File.basename(File.expand_path(File.dirname(__FILE__))) + +File.open(File.dirname(__FILE__) + '/ansible.cfg', 'w') { |f| f.write("[defaults]\nroles_path = ../") } + +boxes = [ + { + :name => "ubuntu-1004", + :box => "opscode-ubuntu-10.04", + :url => "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-10.04_chef-provisionerless.box", + :ip => '10.0.0.10', + :cpu => "50", + :ram => "256" + }, + { + :name => "ubuntu-1204", + :box => "opscode-ubuntu-12.04", + :url => "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box", + :ip => '10.0.0.11', + :cpu => "50", + :ram => "256" + }, + { + :name => "ubuntu-1404", + :box => "opscode-ubuntu-14.04", + :url => "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box", + :ip => '10.0.0.12', + :cpu => "50", + :ram => "256" + }, +] + +Vagrant.configure("2") do |config| + boxes.each do |box| + config.vm.define box[:name] do |vms| + vms.vm.box = box[:box] + vms.vm.box_url = box[:url] + vms.vm.hostname = "ansible-#{role}-#{box[:name]}" + + vms.vm.provider "virtualbox" do |v| + v.customize ["modifyvm", :id, "--cpuexecutioncap", box[:cpu]] + v.customize ["modifyvm", :id, "--memory", box[:ram]] + end + + vms.vm.network :private_network, ip: box[:ip] + + vms.vm.provision :ansible do |ansible| + ansible.playbook = "tests/vagrant.yml" + ansible.verbose = "vv" + end + end + end +end diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 00000000..d7561b2a --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,3 @@ +# defaults file for haproxy +--- +haproxy_install: [] diff --git a/files/empty b/files/empty new file mode 100644 index 00000000..e69de29b 
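Review bot: The three `boxes` entries fetch images over plain `http://` URLs with no integrity check, so a tampered or truncated box is imported silently; give each entry a `:checksum => "<sha256 published by the box provider>"` and set `vms.vm.box_download_checksum = box[:checksum]` and `vms.vm.box_download_checksum_type = "sha256"` inside the `config.vm.define` block. Separately, `File.open(File.dirname(__FILE__) + '/ansible.cfg', 'w') { ... }` overwrites any existing `ansible.cfg` on every Vagrant invocation, including `vagrant status`; guard it with `unless File.exist?(path)` or write it from the provisioner step only, and build the path as `File.join(__dir__, 'ansible.cfg')`. `role` can likewise be `File.basename(__dir__)`.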
diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 00000000..5b9fd285 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,2 @@ +# handlers file for haproxy +--- diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 00000000..0f19df71 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,18 @@ +# meta file for haproxy +--- +galaxy_info: + author: Mischa ter Smitten + company: Oefenweb.nl B.V. + description: Set up the latest version of HAProxy in Ubuntu systems + license: MIT + min_ansible_version: 1.4 + platforms: + - name: Ubuntu + versions: + - lucid + - precise + - trusty + categories: + - system + - web +dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 00000000..6c9d5e73 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,23 @@ +# tasks file for haproxy +--- +- name: add repository from PPA and install its signing key + apt_repository: + repo: 'ppa:haproxy-team/ppa' + update_cache: yes + tags: [configuration, haproxy, haproxy-add-repository] + +- name: install dependencies + apt: + name: "{{ item }}" + state: latest + with_items: haproxy_dependencies + when: haproxy_dependencies + tags: [configuration, haproxy, haproxy-dependencies] + +- name: install + apt: + name: "{{ item }}" + state: latest + with_items: haproxy_install + when: haproxy_install + tags: [configuration, haproxy, haproxy-install] diff --git a/templates/empty b/templates/empty new file mode 100644 index 00000000..e69de29b diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 00000000..2fbb50c4 --- /dev/null +++ b/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 00000000..ab403573 --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,6 @@ +# test file for haproxy +--- +- hosts: localhost + remote_user: root + roles: + - ansible-haproxy diff --git a/tests/vagrant.yml b/tests/vagrant.yml new file mode 100644 index 00000000..294ba9bf --- /dev/null 
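Review bot: Both `apt` tasks in tasks/main.yml use `state: latest`, so each run of the role may upgrade `haproxy` on a converged host instead of keeping a known version; `state: present` (optionally with a pinned version variable) is the more predictable default, or the intent needs a comment such as `# state=latest: this role intentionally tracks the PPA's newest build on every run`. The `apt_repository` task adds a third-party `ppa:` source, so package trust rests on that PPA's signing key; a short comment naming the PPA's maintainer above the task helps whoever audits the generated sources list. `when: haproxy_dependencies` relies on an empty list being falsy, which works but reads clearer as `when: haproxy_dependencies | length > 0`.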
+++ b/tests/vagrant.yml @@ -0,0 +1,7 @@ +# test file for haproxy +--- +- hosts: all + remote_user: vagrant + sudo: true + roles: + - haproxy diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 00000000..387ba03d --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,4 @@ +# vars file for haproxy +--- +haproxy_dependencies: + - haproxy From ad77522e98ab1b69fd228ea88345af3fe1a7da93 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 20 May 2015 14:28:06 +0200 Subject: [PATCH 02/28] Added hipchat notifications --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index 43d65e28..d89d9f10 100644 --- a/.travis.yml +++ b/.travis.yml @@ -38,3 +38,6 @@ script: notifications: email: false + hipchat: + rooms: + secure: 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 From 53651d6fe957ed4da09720683978e1dddbc82968 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 20 May 2015 14:34:29 +0200 Subject: [PATCH 03/28] Bugfix for ppa url --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6c9d5e73..2a8bfe96 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,7 +2,7 @@ --- - name: add repository from PPA and install its signing key apt_repository: - repo: 'ppa:haproxy-team/ppa' + repo: 'ppa:vbernat/haproxy-1.5' update_cache: yes tags: [configuration, haproxy, haproxy-add-repository] From 6b40e0b59334709f2c97e54c4d1be8a4a9fd9371 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 20 May 2015 15:14:24 +0200 Subject: [PATCH 04/28] Added original configuration file --- handlers/main.yml | 4 ++++ tasks/main.yml | 21 +++++++++++++++-- templates/empty | 0 templates/etc/haproxy/haproxy.cfg.j2 | 35 ++++++++++++++++++++++++++++ vars/main.yml | 1 + 5 files changed, 59 insertions(+), 2 deletions(-) delete mode 100644 templates/empty create mode 100644 templates/etc/haproxy/haproxy.cfg.j2 
diff --git a/handlers/main.yml b/handlers/main.yml index 5b9fd285..888e352d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,6 @@ # handlers file for haproxy --- +- name: restart haproxy + service: + name: haproxy + state: restarted diff --git a/tasks/main.yml b/tasks/main.yml index 2a8bfe96..07557534 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,8 +1,8 @@ -# tasks file for haproxy --- +# tasks file for haproxy - name: add repository from PPA and install its signing key apt_repository: - repo: 'ppa:vbernat/haproxy-1.5' + repo: "{{ haproxy_ppa }}" update_cache: yes tags: [configuration, haproxy, haproxy-add-repository] @@ -21,3 +21,20 @@ with_items: haproxy_install when: haproxy_install tags: [configuration, haproxy, haproxy-install] + +- name: update configuration file + template: + src: etc/haproxy/haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + owner: root + group: root + mode: 0640 + notify: restart haproxy + tags: [configuration, haproxy, haproxy-configuration] + +- name: start and enable service + service: + name: haproxy + state: started + enabled: yes + tags: [configuration, haproxy, haproxy-start-enable-service] diff --git a/templates/empty b/templates/empty deleted file mode 100644 index e69de29b..00000000 diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 new file mode 100644 index 00000000..f04b599f --- /dev/null +++ b/templates/etc/haproxy/haproxy.cfg.j2 
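Review bot: The new `update configuration file` task notifies `restart haproxy`, whose handler (handlers/main.yml in this same commit) uses `state: restarted`; a restart drops every in-flight connection, whereas the Debian/Ubuntu init script provides a `reload` action, so a `reload haproxy` handler with `state: reloaded` is the better default for configuration-only changes, keeping `restarted` for cases that need it. Note also that `start and enable service` runs right after the template task while the handler only fires at the end of the play, so on a first run the service starts on the freshly written file and the later restart appears redundant — harmless, but worth a one-line comment on the handler.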
@@ -0,0 +1,35 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http diff --git a/vars/main.yml b/vars/main.yml index 387ba03d..8ea8ba79 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,5 @@ # vars file for haproxy --- +haproxy_ppa: 'ppa:vbernat/haproxy-1.5' haproxy_dependencies: - haproxy From 6f6fa507633aeaadc5f78852ba56eb71cc538346 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 20 May 2015 15:26:01 +0200 Subject: [PATCH 05/28] Fix for non-existing socket on Ubuntu 10.04 [ALERT] 139/131218 (1482) : Starting frontend GLOBAL: cannot bind UNIX socket [/run/haproxy/admin.sock] --- templates/etc/haproxy/haproxy.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 index f04b599f..68c2eb64 100644 --- a/templates/etc/haproxy/haproxy.cfg.j2 +++ b/templates/etc/haproxy/haproxy.cfg.j2 
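Review bot: `ssl-default-bind-options no-sslv3` is the only protocol restriction, and the `ssl-default-bind-ciphers` string still admits the `ECDH+3DES`, `DH+3DES`, `RSA+3DES` groups and the `RSA+AESGCM`/`RSA+AES` suites, which offer no forward secrecy; if the role's deployments do not need such legacy clients, drop those groups and add `no-tlsv10`, and mirror the choice with `ssl-default-server-options` so backend TLS is covered as well. The `stats socket ... level admin` line grants full runtime control (disabling servers, changing weights) to anything that can write the socket, and the socket is created before HAProxy drops privileges, so its ownership is presumably the starting user's rather than `haproxy`'s — a comment stating that this Ubuntu default is kept on purpose (`# level admin: full runtime control; access limited by mode 660 on a root-owned socket`) saves the next reader guessing.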
@@ -2,7 +2,7 @@ global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy - stats socket /run/haproxy/admin.sock mode 660 level admin + stats socket {{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }} mode 660 level admin stats timeout 30s user haproxy group haproxy From 07209d59198ee761b960da291b1693dcaee1b2a0 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 21 May 2015 09:14:37 +0200 Subject: [PATCH 06/28] Updated minimal ansible version Fixes failing build --- .travis.yml | 2 -- meta/main.yml | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index d89d9f10..7f3756fa 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,8 +3,6 @@ language: python python: "2.7" env: - - ANSIBLE_VERSION=1.4 - - ANSIBLE_VERSION=1.5 - ANSIBLE_VERSION=1.6 - ANSIBLE_VERSION=1.7 - ANSIBLE_VERSION=1.8 diff --git a/meta/main.yml b/meta/main.yml index 0f19df71..f085ad11 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,7 +5,7 @@ galaxy_info: company: Oefenweb.nl B.V. description: Set up the latest version of HAProxy in Ubuntu systems license: MIT - min_ansible_version: 1.4 + min_ansible_version: 1.6 platforms: - name: Ubuntu versions: From a44ac7cb256be9284998ab79f37d9b2729580c22 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 21 May 2015 14:30:15 +0200 Subject: [PATCH 07/28] Added validate to template task --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 07557534..fec6124b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,6 +29,7 @@ owner: root group: root mode: 0640 + validate: 'haproxy -f %s -c' notify: restart haproxy tags: [configuration, haproxy, haproxy-configuration] From b90c6bd44473e1049a7c9b36ea527a2eb9c544e4 Mon Sep 17 00:00:00 2001 
From: Mischa ter Smitten Date: Thu, 21 May 2015 21:28:14 +0200 Subject: [PATCH 08/28] Added socat package as a dependency --- vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/main.yml b/vars/main.yml index 8ea8ba79..0b41dd5d 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,3 +3,4 @@ haproxy_ppa: 'ppa:vbernat/haproxy-1.5' haproxy_dependencies: - haproxy + - socat From 37d077e1f6e0a2e79409205d83a78514d08dff9c Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 21 May 2015 21:28:57 +0200 Subject: [PATCH 09/28] Made template configurable --- README.md | 2 +- defaults/main.yml | 38 ++++++++++++ templates/etc/haproxy/haproxy.cfg.j2 | 88 ++++++++++++++++++++-------- 3 files changed, 102 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index be36ea3f..10283194 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ MIT #### Author Information -Mischa ter Smitten +Mischa ter Smitten (based on work of [FloeDesignTechnologies](https://github.com/FloeDesignTechnologies)) #### Feedback, bug-reports, requests, ... diff --git a/defaults/main.yml b/defaults/main.yml index d7561b2a..10ab2b35 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,3 +1,41 @@ # defaults file for haproxy --- haproxy_install: [] + +haproxy_global: + log: + - address: /dev/log + facility: local0 + - address: /dev/log + facility: local1 + level: notice + chroot: /var/lib/haproxy + stats: + socket: "{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}" + timeout: 30s + user: haproxy + group: haproxy + daemon: true + ca_base: /etc/ssl/certs + crt_base: /etc/ssl/private + ssl_default_bind_ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' + ssl_default_bind_options: 'no-sslv3' + +haproxy_defaults: + log: global + mode: http + option: + - httplog + - dontlognull + timeout: + connect: 5000 + client: 50000 + server: 50000 + errorfile: + 400: /etc/haproxy/errors/400.http + 403: /etc/haproxy/errors/403.http + 408: /etc/haproxy/errors/408.http + 500: /etc/haproxy/errors/500.http + 502: /etc/haproxy/errors/502.http + 503: /etc/haproxy/errors/503.http + 504: /etc/haproxy/errors/504.http diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 index 68c2eb64..676334fe 100644 --- a/templates/etc/haproxy/haproxy.cfg.j2 +++ b/templates/etc/haproxy/haproxy.cfg.j2 
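Review bot: `haproxy_global.stats.socket` now holds only the path, while the template in this same commit renders `stats socket {{ haproxy_global.stats.socket }}` with nothing appended, so the `mode 660 level admin` that the previous inline template line carried is silently dropped and the socket is created with HAProxy's default permissions and privilege level; either keep the parameters in the value (append ` mode 660 level admin` inside the quoted string) or add a separate key for them and render it in the template. The `version_compare` expression also depends on `ansible_distribution_version`, so this default fails when facts are not gathered — a comment above the `stats:` mapping noting that dependency would help.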
@@ -1,35 +1,73 @@ +# {{ ansible_managed }} + global - log /dev/log local0 - log /dev/log local1 notice - chroot /var/lib/haproxy - stats socket {{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }} mode 660 level admin - stats timeout 30s - user haproxy - group haproxy +{% if haproxy_global.log is defined %} +{% for log in haproxy_global.log %} + log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} + +{% if log.format is defined %} + log-format {{ log.format }} +{% endif %} +{% endfor %} +{% endif %} +{% if haproxy_global.chroot is defined and haproxy_global.chroot != false %} + chroot {{ haproxy_global.chroot }} +{% endif %} +{% if haproxy_global.stats is defined %} +{% if haproxy_global.stats.socket is defined %} + stats socket {{ haproxy_global.stats.socket }} +{% endif -%} +{% if haproxy_global.stats.timeout is defined %} + stats timeout {{ haproxy_global.stats.timeout }} +{% endif -%} +{% endif %} +{% if haproxy_global.user is defined %} + user {{ haproxy_global.user }} +{% endif %} +{% if haproxy_global.group is defined %} + group {{ haproxy_global.group }} +{% endif %} +{% if haproxy_global.daemon is defined and haproxy_global.daemon == true %} daemon +{% endif %} # Default SSL material locations - ca-base /etc/ssl/certs - crt-base /etc/ssl/private +{% if haproxy_global.ca_base is defined %} + ca-base {{ haproxy_global.ca_base }} +{% endif %} +{% if haproxy_global.crt_base is defined %} + crt-base {{ haproxy_global.crt_base }} +{% endif %} # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). 
This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS - ssl-default-bind-options no-sslv3 +{% if haproxy_global.ssl_default_bind_ciphers is defined %} + ssl-default-bind-ciphers {{ haproxy_global.ssl_default_bind_ciphers }} +{% endif %} +{% if haproxy_global.ssl_default_bind_options is defined %} + ssl-default-bind-options {{ haproxy_global.ssl_default_bind_options }} +{% endif %} defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 - errorfile 400 /etc/haproxy/errors/400.http - errorfile 403 /etc/haproxy/errors/403.http - errorfile 408 /etc/haproxy/errors/408.http - errorfile 500 /etc/haproxy/errors/500.http - errorfile 502 /etc/haproxy/errors/502.http - errorfile 503 /etc/haproxy/errors/503.http - errorfile 504 /etc/haproxy/errors/504.http +{% if haproxy_defaults.log is defined %} + log {{ haproxy_defaults.log }} +{% endif %} +{% if haproxy_defaults.mode is defined %} + mode {{ haproxy_defaults.mode }} +{% endif %} +{% if haproxy_defaults.option is defined %} +{% for option in haproxy_defaults.option %} + option {{ option }} +{% endfor %} +{% endif %} +{% if haproxy_defaults.timeout is defined %} +{% for key, value in haproxy_defaults.timeout.iteritems() %} + timeout {{ key }} {{ value }} +{% endfor %} +{% endif %} +{% if haproxy_defaults.errorfile is defined %} +{% for key, value in haproxy_defaults.errorfile.iteritems() %} + errorfile {{ key }} {{ value }} +{% endfor %} +{% endif %} From e0715df4ee05b659a804f6a871783b5b5f9c2e73 Mon Sep 17 00:00:00 2001 
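Review bot: `haproxy_defaults.timeout.iteritems()` and `haproxy_defaults.errorfile.iteritems()` are Python 2 dict methods, so the template fails under a Python 3 interpreter, and dict iteration order is not guaranteed, so the `timeout` and `errorfile` lines may render in a different order from the YAML; `.items()` works on both interpreters, and a list of mappings preserves order (the next patch in this series switches to lists). As a point of style, `{% if haproxy_global.daemon is defined and haproxy_global.daemon == true %}` and the `!= false` guard on `chroot` are two spellings of the same test; `{% if haproxy_global.daemon | default(false) %}` covers both cases in one form. The same two guards survive unchanged in the later rewrite of this template and in the `_global.cfg.j2` partial.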
From: Mischa ter Smitten Date: Tue, 9 Jun 2015 09:55:54 +0200 Subject: [PATCH 10/28] Made template configurable --- defaults/main.yml | 82 ++++++++++++++++------------ templates/etc/haproxy/haproxy.cfg.j2 | 68 +++++++++++------------ 2 files changed, 80 insertions(+), 70 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 10ab2b35..59d3cc84 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,40 +2,50 @@ --- haproxy_install: [] -haproxy_global: - log: - - address: /dev/log - facility: local0 - - address: /dev/log - facility: local1 - level: notice - chroot: /var/lib/haproxy - stats: - socket: "{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}" - timeout: 30s - user: haproxy - group: haproxy - daemon: true - ca_base: /etc/ssl/certs - crt_base: /etc/ssl/private - ssl_default_bind_ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' - ssl_default_bind_options: 'no-sslv3' +# global section +haproxy_global_log: + - address: /dev/log + facility: local0 + - address: /dev/log + facility: local1 + level: notice +haproxy_global_chroot: /var/lib/haproxy +haproxy_global_stats: + socket: "{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}" + timeout: 30s +haproxy_global_user: haproxy +haproxy_global_group: haproxy +haproxy_global_daemon: true +haproxy_global_ca_base: /etc/ssl/certs +haproxy_global_crt_base: /etc/ssl/private +haproxy_global_ssl_default_bind_ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' +haproxy_global_ssl_default_bind_options: 'no-sslv3' -haproxy_defaults: - log: global - mode: http - option: - - httplog - - dontlognull - timeout: - connect: 5000 - client: 50000 - server: 50000 - errorfile: - 400: /etc/haproxy/errors/400.http - 403: /etc/haproxy/errors/403.http - 408: /etc/haproxy/errors/408.http - 500: /etc/haproxy/errors/500.http - 502: /etc/haproxy/errors/502.http - 503: /etc/haproxy/errors/503.http - 504: /etc/haproxy/errors/504.http +# defaults section +haproxy_defaults_log: global +haproxy_defaults_mode: http +haproxy_defaults_option: + - httplog + - dontlognull +haproxy_defaults_timeout: + - type: connect 
+ timeout: 5000 + - type: client + timeout: 50000 + - type: server + timeout: 50000 +haproxy_defaults_errorfile: + - code: 400 + file: /etc/haproxy/errors/400.http + - code: 403 + file: /etc/haproxy/errors/403.http + - code: 408 + file: /etc/haproxy/errors/408.http + - code: 500 + file: /etc/haproxy/errors/500.http + - code: 502 + file: /etc/haproxy/errors/502.http + - code: 503 + file: /etc/haproxy/errors/503.http + - code: 504 + file: /etc/haproxy/errors/504.http diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 index 676334fe..4b78ebf9 100644 --- a/templates/etc/haproxy/haproxy.cfg.j2 +++ b/templates/etc/haproxy/haproxy.cfg.j2 @@ -1,8 +1,8 @@ # {{ ansible_managed }} global -{% if haproxy_global.log is defined %} -{% for log in haproxy_global.log %} +{% if haproxy_global_log is defined %} +{% for log in haproxy_global_log %} log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} {% if log.format is defined %} 
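Review bot: The new `haproxy_defaults_timeout` entries give bare numbers (`5000`, `50000`) with no unit; HAProxy reads unsuffixed timeouts as milliseconds, which the YAML does not say, so a reader may take `50000` for seconds. A comment above the list, `# timeouts are milliseconds unless a unit suffix (us, ms, s, m, h, d) is given`, documents it; using explicit suffixes (`5s`, `50s`) as `haproxy_global_stats.timeout: 30s` already does would remove the ambiguity entirely.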
@@ -10,64 +10,64 @@ global {% endif %} {% endfor %} {% endif %} -{% if haproxy_global.chroot is defined and haproxy_global.chroot != false %} - chroot {{ haproxy_global.chroot }} +{% if haproxy_global_chroot is defined and haproxy_global_chroot != false %} + chroot {{ haproxy_global_chroot }} {% endif %} -{% if haproxy_global.stats is defined %} -{% if haproxy_global.stats.socket is defined %} - stats socket {{ haproxy_global.stats.socket }} +{% if haproxy_global_stats is defined %} +{% if haproxy_global_stats.socket is defined %} + stats socket {{ haproxy_global_stats.socket }} {% endif -%} -{% if haproxy_global.stats.timeout is defined %} - stats timeout {{ haproxy_global.stats.timeout }} +{% if haproxy_global_stats.timeout is defined %} + stats timeout {{ haproxy_global_stats.timeout }} {% endif -%} {% endif %} -{% if haproxy_global.user is defined %} - user {{ haproxy_global.user }} +{% if haproxy_global_user is defined %} + user {{ haproxy_global_user }} {% endif %} -{% if haproxy_global.group is defined %} - group {{ haproxy_global.group }} +{% if haproxy_global_group is defined %} + group {{ haproxy_global_group }} {% endif %} -{% if haproxy_global.daemon is defined and haproxy_global.daemon == true %} +{% if haproxy_global_daemon is defined and haproxy_global_daemon == true %} daemon {% endif %} # Default SSL material locations -{% if haproxy_global.ca_base is defined %} - ca-base {{ haproxy_global.ca_base }} +{% if haproxy_global_ca_base is defined %} + ca-base {{ haproxy_global_ca_base }} {% endif %} -{% if haproxy_global.crt_base is defined %} - crt-base {{ haproxy_global.crt_base }} +{% if haproxy_global_crt_base is defined %} + crt-base {{ haproxy_global_crt_base }} {% endif %} # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). 
This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ -{% if haproxy_global.ssl_default_bind_ciphers is defined %} - ssl-default-bind-ciphers {{ haproxy_global.ssl_default_bind_ciphers }} +{% if haproxy_global_ssl_default_bind_ciphers is defined %} + ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} {% endif %} -{% if haproxy_global.ssl_default_bind_options is defined %} - ssl-default-bind-options {{ haproxy_global.ssl_default_bind_options }} +{% if haproxy_global_ssl_default_bind_options is defined %} + ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} {% endif %} defaults -{% if haproxy_defaults.log is defined %} - log {{ haproxy_defaults.log }} +{% if haproxy_defaults_log is defined %} + log {{ haproxy_defaults_log }} {% endif %} -{% if haproxy_defaults.mode is defined %} - mode {{ haproxy_defaults.mode }} +{% if haproxy_defaults_mode is defined %} + mode {{ haproxy_defaults_mode }} {% endif %} -{% if haproxy_defaults.option is defined %} -{% for option in haproxy_defaults.option %} +{% if haproxy_defaults_option is defined %} +{% for option in haproxy_defaults_option %} option {{ option }} {% endfor %} {% endif %} -{% if haproxy_defaults.timeout is defined %} -{% for key, value in haproxy_defaults.timeout.iteritems() %} - timeout {{ key }} {{ value }} +{% if haproxy_defaults_timeout is defined %} +{% for timeout in haproxy_defaults_timeout %} + timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} {% endif %} -{% if haproxy_defaults.errorfile is defined %} -{% for key, value in haproxy_defaults.errorfile.iteritems() %} - errorfile {{ key }} {{ value }} +{% if haproxy_defaults_errorfile is defined %} +{% for errorfile in haproxy_defaults_errorfile %} + errorfile {{ errorfile.code }} {{ errorfile.file }} {% endfor %} {% endif %} From 2433ffcdd28dbb2ad7923b8fa2e839ec6266af7f Mon Sep 17 00:00:00 2001 
From: Mischa ter Smitten Date: Tue, 9 Jun 2015 10:58:18 +0200 Subject: [PATCH 11/28] Splitted template --- templates/etc/haproxy/_defaults.cfg.j2 | 21 ++++++++ templates/etc/haproxy/_global.cfg.j2 | 47 +++++++++++++++++ templates/etc/haproxy/haproxy.cfg.j2 | 70 +------------------------- 3 files changed, 70 insertions(+), 68 deletions(-) create mode 100644 templates/etc/haproxy/_defaults.cfg.j2 create mode 100644 templates/etc/haproxy/_global.cfg.j2 diff --git a/templates/etc/haproxy/_defaults.cfg.j2 b/templates/etc/haproxy/_defaults.cfg.j2 new file mode 100644 index 00000000..d904756f --- /dev/null +++ b/templates/etc/haproxy/_defaults.cfg.j2 @@ -0,0 +1,21 @@ +{% if haproxy_defaults_log is defined %} + log {{ haproxy_defaults_log }} +{% endif %} +{% if haproxy_defaults_mode is defined %} + mode {{ haproxy_defaults_mode }} +{% endif %} +{% if haproxy_defaults_option is defined %} +{% for option in haproxy_defaults_option %} + option {{ option }} +{% endfor %} +{% endif %} +{% if haproxy_defaults_timeout is defined %} +{% for timeout in haproxy_defaults_timeout %} + timeout {{ timeout.type }} {{ timeout.timeout }} +{% endfor %} +{% endif %} +{% if haproxy_defaults_errorfile is defined %} +{% for errorfile in haproxy_defaults_errorfile %} + errorfile {{ errorfile.code }} {{ errorfile.file }} +{% endfor %} +{% endif %} diff --git a/templates/etc/haproxy/_global.cfg.j2 b/templates/etc/haproxy/_global.cfg.j2 new file mode 100644 index 00000000..3b69ffa2 --- /dev/null +++ b/templates/etc/haproxy/_global.cfg.j2 
@@ -0,0 +1,47 @@ +{% if haproxy_global_log is defined %} +{% for log in haproxy_global_log %} + log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} + +{% if log.format is defined %} + log-format {{ log.format }} +{% endif %} +{% endfor %} +{% endif %} +{% if haproxy_global_chroot is defined and haproxy_global_chroot != false %} + chroot {{ haproxy_global_chroot }} +{% endif %} +{% if haproxy_global_stats is defined %} +{% if haproxy_global_stats.socket is defined %} + stats socket {{ haproxy_global_stats.socket }} +{% endif -%} +{% if haproxy_global_stats.timeout is defined %} + stats timeout {{ haproxy_global_stats.timeout }} +{% endif -%} +{% endif %} +{% if haproxy_global_user is defined %} + user {{ haproxy_global_user }} +{% endif %} +{% if haproxy_global_group is defined %} + group {{ haproxy_global_group }} +{% endif %} +{% if haproxy_global_daemon is defined and haproxy_global_daemon == true %} + daemon +{% endif %} + + # Default SSL material locations +{% if haproxy_global_ca_base is defined %} + ca-base {{ haproxy_global_ca_base }} +{% endif %} +{% if haproxy_global_crt_base is defined %} + crt-base {{ haproxy_global_crt_base }} +{% endif %} + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ +{% if haproxy_global_ssl_default_bind_ciphers is defined %} + ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} +{% endif %} +{% if haproxy_global_ssl_default_bind_options is defined %} + ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} +{% endif %} diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 index 4b78ebf9..226e510a 100644 --- a/templates/etc/haproxy/haproxy.cfg.j2 +++ b/templates/etc/haproxy/haproxy.cfg.j2 
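Review bot: `_global.cfg.j2` is a partial rendered inside the `global` section of haproxy.cfg.j2 (the include lands in this same commit) and produces nothing when no `haproxy_global_*` variable is set, but the file itself does not say so; a header comment such as `{# Partial: body of the 'global' section, included by haproxy.cfg.j2. Every haproxy_global_* variable is optional; an unset one omits its directive. #}` explains why each line is wrapped in an `is defined` test. The `{{log.level }}` on the `log` line also lacks the inner space the rest of the file uses (`{{ log.level }}`).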
@@ -1,73 +1,7 @@ # {{ ansible_managed }} global -{% if haproxy_global_log is defined %} -{% for log in haproxy_global_log %} - log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} - -{% if log.format is defined %} - log-format {{ log.format }} -{% endif %} -{% endfor %} -{% endif %} -{% if haproxy_global_chroot is defined and haproxy_global_chroot != false %} - chroot {{ haproxy_global_chroot }} -{% endif %} -{% if haproxy_global_stats is defined %} -{% if haproxy_global_stats.socket is defined %} - stats socket {{ haproxy_global_stats.socket }} -{% endif -%} -{% if haproxy_global_stats.timeout is defined %} - stats timeout {{ haproxy_global_stats.timeout }} -{% endif -%} -{% endif %} -{% if haproxy_global_user is defined %} - user {{ haproxy_global_user }} -{% endif %} -{% if haproxy_global_group is defined %} - group {{ haproxy_global_group }} -{% endif %} -{% if haproxy_global_daemon is defined and haproxy_global_daemon == true %} - daemon -{% endif %} - - # Default SSL material locations -{% if haproxy_global_ca_base is defined %} - ca-base {{ haproxy_global_ca_base }} -{% endif %} -{% if haproxy_global_crt_base is defined %} - crt-base {{ haproxy_global_crt_base }} -{% endif %} - - # Default ciphers to use on SSL-enabled listening sockets. - # For more information, see ciphers(1SSL). 
This list is from: - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ -{% if haproxy_global_ssl_default_bind_ciphers is defined %} - ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} -{% endif %} -{% if haproxy_global_ssl_default_bind_options is defined %} - ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} -{% endif %} +{% include '_global.cfg.j2' %} defaults -{% if haproxy_defaults_log is defined %} - log {{ haproxy_defaults_log }} -{% endif %} -{% if haproxy_defaults_mode is defined %} - mode {{ haproxy_defaults_mode }} -{% endif %} -{% if haproxy_defaults_option is defined %} -{% for option in haproxy_defaults_option %} - option {{ option }} -{% endfor %} -{% endif %} -{% if haproxy_defaults_timeout is defined %} -{% for timeout in haproxy_defaults_timeout %} - timeout {{ timeout.type }} {{ timeout.timeout }} -{% endfor %} -{% endif %} -{% if haproxy_defaults_errorfile is defined %} -{% for errorfile in haproxy_defaults_errorfile %} - errorfile {{ errorfile.code }} {{ errorfile.file }} -{% endfor %} -{% endif %} +{% include '_defaults.cfg.j2' %} From afcba70cbc6db93f8f8fd9ded9df017f79fbe29d Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 10 Jun 2015 17:10:04 +0200 Subject: [PATCH 12/28] Improved templates --- templates/etc/haproxy/_backend.cfg.j2 | 22 ++++++++++++++++++++++ templates/etc/haproxy/_defaults.cfg.j2 | 4 ++++ templates/etc/haproxy/_frontend.cfg.j2 | 15 +++++++++++++++ templates/etc/haproxy/_global.cfg.j2 | 7 +++++++ templates/etc/haproxy/_listen.cfg.j2 | 3 +++ templates/etc/haproxy/haproxy.cfg.j2 | 6 ++++++ 6 files changed, 57 insertions(+) create mode 100644 templates/etc/haproxy/_backend.cfg.j2 create mode 100644 templates/etc/haproxy/_frontend.cfg.j2 create mode 100644 templates/etc/haproxy/_listen.cfg.j2 diff --git a/templates/etc/haproxy/_backend.cfg.j2 b/templates/etc/haproxy/_backend.cfg.j2 new file mode 100644 index 00000000..8ebdeaae --- /dev/null 
+++ b/templates/etc/haproxy/_backend.cfg.j2 @@ -0,0 +1,22 @@ +{% for backend in haproxy_backend %} +backend {{ backend.name }} + mode {{ backend.mode }} + + balance {{ backend.balance }} + +{% for option in backend.option %} + option {{ option }} +{% endfor %} + +{% for http_request in backend.http_request %} + http-request {{ http_request }} +{% endfor %} + +{% if backend.server is defined %} +{% for server in backend.server %} + server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.params is defined %}{% for param in server.params %}{{ param }} {% endfor %}{% endif %} + +{% endfor %} +{% endif %} + +{% endfor %} diff --git a/templates/etc/haproxy/_defaults.cfg.j2 b/templates/etc/haproxy/_defaults.cfg.j2 index d904756f..84b28bf7 100644 --- a/templates/etc/haproxy/_defaults.cfg.j2 +++ b/templates/etc/haproxy/_defaults.cfg.j2 @@ -1,19 +1,23 @@ {% if haproxy_defaults_log is defined %} log {{ haproxy_defaults_log }} {% endif %} + {% if haproxy_defaults_mode is defined %} mode {{ haproxy_defaults_mode }} {% endif %} + {% if haproxy_defaults_option is defined %} {% for option in haproxy_defaults_option %} option {{ option }} {% endfor %} {% endif %} + {% if haproxy_defaults_timeout is defined %} {% for timeout in haproxy_defaults_timeout %} timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} {% endif %} + {% if haproxy_defaults_errorfile is defined %} {% for errorfile in haproxy_defaults_errorfile %} errorfile {{ errorfile.code }} {{ errorfile.file }} diff --git a/templates/etc/haproxy/_frontend.cfg.j2 b/templates/etc/haproxy/_frontend.cfg.j2 new file mode 100644 index 00000000..75972157 --- /dev/null +++ b/templates/etc/haproxy/_frontend.cfg.j2 
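Review bot: `{% for option in backend.option %}` runs unconditionally, so a backend entry that has no `option` key aborts the whole template render with an undefined-attribute error, while `backend.server` a few lines below is guarded with `is defined`; wrap the loop the same way, `{% if backend.option is defined %}` … `{% endif %}`. The `backend.http_request` loop in this hunk has the same shape (a later patch in the series guards it, but `option` stays unguarded throughout). The `_defaults.cfg.j2` hunk on this line only adds blank lines.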
@@ -0,0 +1,15 @@ +{% for frontend in haproxy_frontend %} +frontend {{ frontend.name }} + bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %} + + mode {{ frontend.mode }} + + default_backend {{ frontend.default_backend }} + +{% if frontend.rspadd is defined %} +{% for rspadd in frontend.rspadd %} + rspadd {{ rspadd }} +{% endfor %} +{% endif %} + +{% endfor %} diff --git a/templates/etc/haproxy/_global.cfg.j2 b/templates/etc/haproxy/_global.cfg.j2 index 3b69ffa2..032a6d3b 100644 --- a/templates/etc/haproxy/_global.cfg.j2 +++ b/templates/etc/haproxy/_global.cfg.j2 @@ -7,9 +7,11 @@ {% endif %} {% endfor %} {% endif %} + {% if haproxy_global_chroot is defined and haproxy_global_chroot != false %} chroot {{ haproxy_global_chroot }} {% endif %} + {% if haproxy_global_stats is defined %} {% if haproxy_global_stats.socket is defined %} stats socket {{ haproxy_global_stats.socket }} @@ -18,12 +20,15 @@ stats timeout {{ haproxy_global_stats.timeout }} {% endif -%} {% endif %} + {% if haproxy_global_user is defined %} user {{ haproxy_global_user }} {% endif %} + {% if haproxy_global_group is defined %} group {{ haproxy_global_group }} {% endif %} + {% if haproxy_global_daemon is defined and haproxy_global_daemon == true %} daemon {% endif %} @@ -32,6 +37,7 @@ {% if haproxy_global_ca_base is defined %} ca-base {{ haproxy_global_ca_base }} {% endif %} + {% if haproxy_global_crt_base is defined %} crt-base {{ haproxy_global_crt_base }} {% endif %} @@ -42,6 +48,7 @@ {% if haproxy_global_ssl_default_bind_ciphers is defined %} ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} {% endif %} + {% if haproxy_global_ssl_default_bind_options is defined %} ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} {% endif %} 
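Review bot: On the `bind` line, ` ssl` is emitted as soon as `frontend.ssl` is defined, but `crt` only for entries that carry `ssl.crt`, so a list whose entries lack `crt` produces `bind … ssl` with no certificate, which HAProxy refuses at startup rather than at render time. Since an `ssl` entry without a certificate has no meaning in this template, I would drop the inner guard so Ansible fails early and loudly: `{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %} crt {{ ssl.crt }}{% endfor %}{% endif %}`, and document that each `ssl` entry requires `crt`. The `listen.cfg.j2` template added later in this series (patch 14) repeats the same construct. The `_global.cfg.j2` hunks on this line only add blank lines.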
diff --git a/templates/etc/haproxy/_listen.cfg.j2 b/templates/etc/haproxy/_listen.cfg.j2 new file mode 100644 index 00000000..b3afa96e --- /dev/null +++ b/templates/etc/haproxy/_listen.cfg.j2 @@ -0,0 +1,3 @@ +{% for listen in haproxy_listen %} + +{% endfor %} diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 index 226e510a..52634659 100644 --- a/templates/etc/haproxy/haproxy.cfg.j2 +++ b/templates/etc/haproxy/haproxy.cfg.j2 @@ -5,3 +5,9 @@ global defaults {% include '_defaults.cfg.j2' %} + +{% include '_listen.cfg.j2' -%} + +{% include '_frontend.cfg.j2' -%} + +{% include '_backend.cfg.j2' -%} From f16e5b84194da1bf71235df65173d9988e1f3a12 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 11 Jun 2015 09:34:42 +0200 Subject: [PATCH 13/28] Tabs to spaces --- templates/etc/haproxy/_backend.cfg.j2 | 10 ++++----- templates/etc/haproxy/_defaults.cfg.j2 | 10 ++++----- templates/etc/haproxy/_frontend.cfg.j2 | 8 +++---- templates/etc/haproxy/_global.cfg.j2 | 30 +++++++++++++------------- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/templates/etc/haproxy/_backend.cfg.j2 b/templates/etc/haproxy/_backend.cfg.j2 index 8ebdeaae..30967f8e 100644 --- a/templates/etc/haproxy/_backend.cfg.j2 +++ b/templates/etc/haproxy/_backend.cfg.j2 
@@ -1,20 +1,20 @@ {% for backend in haproxy_backend %} backend {{ backend.name }} - mode {{ backend.mode }} + mode {{ backend.mode }} - balance {{ backend.balance }} + balance {{ backend.balance }} {% for option in backend.option %} - option {{ option }} + option {{ option }} {% endfor %} {% for http_request in backend.http_request %} - http-request {{ http_request }} + http-request {{ http_request }} {% endfor %} {% if backend.server is defined %} {% for server in backend.server %} - server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.params is defined %}{% for param in server.params %}{{ param }} {% endfor %}{% endif %} + server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.params is defined %}{% for param in server.params %}{{ param }} {% endfor %}{% endif %} {% endfor %} {% endif %} diff --git a/templates/etc/haproxy/_defaults.cfg.j2 b/templates/etc/haproxy/_defaults.cfg.j2 index 84b28bf7..d1a3e9b1 100644 --- a/templates/etc/haproxy/_defaults.cfg.j2 +++ b/templates/etc/haproxy/_defaults.cfg.j2 
@@ -1,25 +1,25 @@ {% if haproxy_defaults_log is defined %} - log {{ haproxy_defaults_log }} + log {{ haproxy_defaults_log }} {% endif %} {% if haproxy_defaults_mode is defined %} - mode {{ haproxy_defaults_mode }} + mode {{ haproxy_defaults_mode }} {% endif %} {% if haproxy_defaults_option is defined %} {% for option in haproxy_defaults_option %} - option {{ option }} + option {{ option }} {% endfor %} {% endif %} {% if haproxy_defaults_timeout is defined %} {% for timeout in haproxy_defaults_timeout %} - timeout {{ timeout.type }} {{ timeout.timeout }} + timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} {% endif %} {% if haproxy_defaults_errorfile is defined %} {% for errorfile in haproxy_defaults_errorfile %} - errorfile {{ errorfile.code }} {{ errorfile.file }} + errorfile {{ errorfile.code }} {{ errorfile.file }} {% endfor %} {% endif %} diff --git a/templates/etc/haproxy/_frontend.cfg.j2 b/templates/etc/haproxy/_frontend.cfg.j2 index 75972157..c3108f88 100644 --- a/templates/etc/haproxy/_frontend.cfg.j2 +++ b/templates/etc/haproxy/_frontend.cfg.j2 @@ -1,14 +1,14 @@ {% for frontend in haproxy_frontend %} frontend {{ frontend.name }} - bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %} + bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %} - mode {{ frontend.mode }} + mode {{ frontend.mode }} - default_backend {{ frontend.default_backend }} + default_backend {{ frontend.default_backend }} {% if frontend.rspadd is defined %} {% for rspadd in frontend.rspadd %} - rspadd {{ rspadd }} + rspadd {{ rspadd }} {% endfor %} {% endif %} diff --git a/templates/etc/haproxy/_global.cfg.j2 b/templates/etc/haproxy/_global.cfg.j2 index 032a6d3b..6437d73e 100644 --- a/templates/etc/haproxy/_global.cfg.j2 
+++ b/templates/etc/haproxy/_global.cfg.j2 @@ -1,6 +1,6 @@ {% if haproxy_global_log is defined %} {% for log in haproxy_global_log %} - log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} + log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} {% if log.format is defined %} log-format {{ log.format }} 
@@ -9,46 +9,46 @@ {% endif %} {% if haproxy_global_chroot is defined and haproxy_global_chroot != false %} - chroot {{ haproxy_global_chroot }} + chroot {{ haproxy_global_chroot }} {% endif %} {% if haproxy_global_stats is defined %} {% if haproxy_global_stats.socket is defined %} - stats socket {{ haproxy_global_stats.socket }} + stats socket {{ haproxy_global_stats.socket }} {% endif -%} {% if haproxy_global_stats.timeout is defined %} - stats timeout {{ haproxy_global_stats.timeout }} + stats timeout {{ haproxy_global_stats.timeout }} {% endif -%} {% endif %} {% if haproxy_global_user is defined %} - user {{ haproxy_global_user }} + user {{ haproxy_global_user }} {% endif %} {% if haproxy_global_group is defined %} - group {{ haproxy_global_group }} + group {{ haproxy_global_group }} {% endif %} {% if haproxy_global_daemon is defined and haproxy_global_daemon == true %} - daemon + daemon {% endif %} - # Default SSL material locations + # Default SSL material locations {% if haproxy_global_ca_base is defined %} - ca-base {{ haproxy_global_ca_base }} + ca-base {{ haproxy_global_ca_base }} {% endif %} {% if haproxy_global_crt_base is defined %} - crt-base {{ haproxy_global_crt_base }} + crt-base {{ haproxy_global_crt_base }} {% endif %} - # Default ciphers to use on SSL-enabled listening sockets. - # For more information, see ciphers(1SSL). This list is from: - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). 
This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ {% if haproxy_global_ssl_default_bind_ciphers is defined %} - ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} + ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} {% endif %} {% if haproxy_global_ssl_default_bind_options is defined %} - ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} + ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} {% endif %} From 293a2a4f847c4c3ee2f2fc299f543a8d2f0b835b Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 11 Jun 2015 13:17:27 +0200 Subject: [PATCH 14/28] Updated templates --- defaults/main.yml | 11 ++- templates/etc/haproxy/_listen.cfg.j2 | 3 - .../{_backend.cfg.j2 => backend.cfg.j2} | 9 ++- .../{_defaults.cfg.j2 => defaults.cfg.j2} | 0 .../{_frontend.cfg.j2 => frontend.cfg.j2} | 7 +- .../haproxy/{_global.cfg.j2 => global.cfg.j2} | 4 +- templates/etc/haproxy/haproxy.cfg.j2 | 10 +-- templates/etc/haproxy/listen.cfg.j2 | 30 +++++++ tests/vagrant.yml | 78 +++++++++++++++++++ 9 files changed, 139 insertions(+), 13 deletions(-) delete mode 100644 templates/etc/haproxy/_listen.cfg.j2 rename templates/etc/haproxy/{_backend.cfg.j2 => backend.cfg.j2} (65%) rename templates/etc/haproxy/{_defaults.cfg.j2 => defaults.cfg.j2} (100%) rename templates/etc/haproxy/{_frontend.cfg.j2 => frontend.cfg.j2} (69%) rename templates/etc/haproxy/{_global.cfg.j2 => global.cfg.j2} (97%) create mode 100644 templates/etc/haproxy/listen.cfg.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 59d3cc84..e3a6f3cd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -18,7 +18,7 @@ haproxy_global_group: haproxy haproxy_global_daemon: true haproxy_global_ca_base: /etc/ssl/certs haproxy_global_crt_base: /etc/ssl/private -haproxy_global_ssl_default_bind_ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' +haproxy_global_ssl_default_bind_ciphers: 'kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL' haproxy_global_ssl_default_bind_options: 'no-sslv3' # defaults section @@ -49,3 +49,12 @@ haproxy_defaults_errorfile: file: /etc/haproxy/errors/503.http - code: 504 file: /etc/haproxy/errors/504.http + +# listen section +haproxy_listen: [] + +# front-end section +haproxy_frontend: [] + +# back-end section +haproxy_backend: [] diff --git a/templates/etc/haproxy/_listen.cfg.j2 b/templates/etc/haproxy/_listen.cfg.j2 deleted file mode 100644 index b3afa96e..00000000 --- a/templates/etc/haproxy/_listen.cfg.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{% for listen in haproxy_listen %} - -{% endfor %} diff --git a/templates/etc/haproxy/_backend.cfg.j2 b/templates/etc/haproxy/backend.cfg.j2 similarity index 65% rename from templates/etc/haproxy/_backend.cfg.j2 rename to templates/etc/haproxy/backend.cfg.j2 index 30967f8e..6a783e7e 100644 --- a/templates/etc/haproxy/_backend.cfg.j2 +++ b/templates/etc/haproxy/backend.cfg.j2 @@ -1,5 +1,9 @@ {% for backend in haproxy_backend %} backend {{ backend.name }} +{% if backend.description is defined %} + description {{ backend.description }} +{% endif %} + mode {{ backend.mode }} balance {{ backend.balance }} 
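Review bot: The new `haproxy_global_ssl_default_bind_ciphers` default adds `RC4-SHA` and places `kRSA+AES` (no forward secrecy) in the preferred set; RC4 was prohibited for TLS by RFC 7465 earlier in 2015, so shipping it as the role default weakens every SSL-enabled bind that does not override the variable. The string looks like the stock haproxy.cfg from the Debian package, whereas the comment in the global template still attributes the list to the hynek.me hardening article that the removed value actually came from, so the two no longer agree. I would keep the previous value, or at least drop RC4 (`…:!kEDH:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL`) and fix the comment to match whatever list is chosen.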
@@ -8,9 +12,12 @@ backend {{ backend.name }} option {{ option }} {% endfor %} +{% if backend.http_request is defined %} {% for http_request in backend.http_request %} - http-request {{ http_request }} + http-request {{ http_request.action }}{% if http_request.param is defined %} {{ http_request.param }}{% endif %}{% if http_request.cond is defined %} {{ http_request.cond }}{% endif %} + {% endfor %} +{% endif %} {% if backend.server is defined %} {% for server in backend.server %} diff --git a/templates/etc/haproxy/_defaults.cfg.j2 b/templates/etc/haproxy/defaults.cfg.j2 similarity index 100% rename from templates/etc/haproxy/_defaults.cfg.j2 rename to templates/etc/haproxy/defaults.cfg.j2 diff --git a/templates/etc/haproxy/_frontend.cfg.j2 b/templates/etc/haproxy/frontend.cfg.j2 similarity index 69% rename from templates/etc/haproxy/_frontend.cfg.j2 rename to templates/etc/haproxy/frontend.cfg.j2 index c3108f88..c4a5a735 100644 --- a/templates/etc/haproxy/_frontend.cfg.j2 +++ b/templates/etc/haproxy/frontend.cfg.j2 @@ -1,5 +1,9 @@ {% for frontend in haproxy_frontend %} frontend {{ frontend.name }} +{% if frontend.description is defined %} + description {{ frontend.description }} +{% endif %} + bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %} mode {{ frontend.mode }} @@ -8,7 +12,8 @@ frontend {{ frontend.name }} {% if frontend.rspadd is defined %} {% for rspadd in frontend.rspadd %} - rspadd {{ rspadd }} + rspadd {{ rspadd.string }}{% if rspadd.cond is defined %} {{ rspadd.cond }}{% endif %} + {% endfor %} {% endif %} diff --git a/templates/etc/haproxy/_global.cfg.j2 b/templates/etc/haproxy/global.cfg.j2 similarity index 97% rename from templates/etc/haproxy/_global.cfg.j2 rename to templates/etc/haproxy/global.cfg.j2 index 6437d73e..fb085fa7 100644 --- a/templates/etc/haproxy/_global.cfg.j2 +++ b/templates/etc/haproxy/global.cfg.j2 
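Review bot: The new `http-request {{ http_request.action }}…{{ http_request.cond }}` line expects `cond` to carry its own `if`/`unless` keyword (the test playbook in this patch passes `cond: 'if { ssl_fc }'`) and pastes `param` verbatim, but neither convention is written down anywhere in the series. A short Jinja comment above the loop would do, e.g. `{# http_request entries: action (required), param (pasted verbatim), cond (must include the if/unless keyword) #}`, or describe the keys in the role README. The `rspadd.cond` handling in the `frontend.cfg.j2` hunk on this line follows the same unwritten rule.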
@@ -8,7 +8,7 @@ {% endfor %} {% endif %} -{% if haproxy_global_chroot is defined and haproxy_global_chroot != false %} +{% if haproxy_global_chroot is defined and haproxy_global_chroot | bool != false %} chroot {{ haproxy_global_chroot }} {% endif %} @@ -29,7 +29,7 @@ group {{ haproxy_global_group }} {% endif %} -{% if haproxy_global_daemon is defined and haproxy_global_daemon == true %} +{% if haproxy_global_daemon is defined and haproxy_global_daemon | bool == true %} daemon {% endif %} diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2 index 52634659..eca0a8c4 100644 --- a/templates/etc/haproxy/haproxy.cfg.j2 +++ b/templates/etc/haproxy/haproxy.cfg.j2 @@ -1,13 +1,13 @@ # {{ ansible_managed }} global -{% include '_global.cfg.j2' %} +{% include 'global.cfg.j2' %} defaults -{% include '_defaults.cfg.j2' %} +{% include 'defaults.cfg.j2' %} -{% include '_listen.cfg.j2' -%} +{% include 'listen.cfg.j2' %} -{% include '_frontend.cfg.j2' -%} +{% include 'frontend.cfg.j2' %} -{% include '_backend.cfg.j2' -%} +{% include 'backend.cfg.j2' %} diff --git a/templates/etc/haproxy/listen.cfg.j2 b/templates/etc/haproxy/listen.cfg.j2 new file mode 100644 index 00000000..7892418a --- /dev/null +++ b/templates/etc/haproxy/listen.cfg.j2 
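Review bot: `haproxy_global_chroot | bool != false` turns the chroot guard into a no-op for real values: Ansible's `bool` filter yields true only for yes/on/1/true (case-insensitively) and false for any other string, so a directory path makes the condition false and the `chroot` line is silently dropped from the rendered config — the privilege-containment setting stops working while the variable looks set. `| bool` is appropriate for `haproxy_global_daemon` (a boolean) but not for a path; restore `{% if haproxy_global_chroot is defined and haproxy_global_chroot != false %}` (or simply `{% if haproxy_global_chroot %}`). Patch 15's `global.cfg.j2` hunk keeps the same `| bool != false` test, so the fix is needed there as well.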
@@ -0,0 +1,30 @@
+{% for listen in haproxy_listen %}
+listen {{ listen.name }}
+{% if listen.description is defined %}
+ description {{ listen.description }}
+{% endif %}
+
+ bind {{ listen.bind }}{% if listen.ssl is defined %} ssl{% for ssl in listen.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %}
+
+ mode {{ listen.mode }}
+
+{% if listen.stats is defined %}
+{% if listen.stats.enable is defined and listen.stats.enable | bool == true %}
+ stats enable
+ stats uri /
+{% if listen.stats.hide_version is defined and listen.stats.hide_version | bool == true %}
+ stats hide-version
+{% endif %}
+{% if listen.stats.refresh is defined %}
+ stats refresh {{ listen.stats.refresh }}
+{% endif %}
+{% if listen.stats.auth is defined %}
+{% for auth in listen.stats.auth %}
+ stats auth {{ auth.user }}:{{ auth.passwd }}
+
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+{% endfor %}
diff --git a/tests/vagrant.yml b/tests/vagrant.yml
index 294ba9bf..ef1a76e5 100644
--- a/tests/vagrant.yml
+++ b/tests/vagrant.yml
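Review bot: `stats uri /` is hard-coded although the data model carries a `listen.stats.uri` key (the test playbook in this same patch sets `uri: /`), so the value is silently ignored; render it as `stats uri {{ listen.stats.uri | default('/') }}`. Worth noting on `stats auth {{ auth.user }}:{{ auth.passwd }}`: the credential ends up in clear text in haproxy.cfg, so the task that writes that file should keep it unreadable to other local users — the template task's mode is not visible in this patch. `stats hide-version` is only emitted on explicit request; for a stats page that is reachable over the network, defaulting it to on would be the safer choice.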
@@ -5,3 +5,81 @@ sudo: true roles: - haproxy + vars: + # listen section + haproxy_listen: + - name: stats + description: Global statistics + bind: '*:1936' + mode: http + stats: + enable: true + uri: / + hide_version: true + refresh: 5s + auth: + - user: admin + passwd: '*rAp*uWRUt!a' + ssl: + - crt: star-taalzee-nl.pem + + # front-end section + haproxy_frontend: + - name: http + description: Front-end for all HTTP traffic + bind: '*:80' + mode: http + default_backend: webservers + - name: https + description: Front-end for all HTTPS traffic + bind: '*:443' + ssl: + - crt: star-rekentuin-nl.pem + - crt: star-taalzee-nl.pem + - crt: star-wordsandbirds-nl.pem + mode: http + default_backend: webservers + rspadd: + - string: 'Strict-Transport-Security:\ max-age=15768000' + # cond: + + # back-end section + haproxy_backend: + - name: webservers + description: Back-end with all (Apache) webservers + mode: http + balance: roundrobin + option: + - forwardfor + - 'httpchk HEAD / HTTP/1.1\r\nHost:localhost' + http_request: + - action: 'set-header' + param: 'X-Forwarded-Port %[dst_port]' + - action: 'add-header' + param: 'X-Forwarded-Proto https' + cond: 'if { ssl_fc }' + server: + - name: web01 + ip: 127.0.0.1 + port: 8001 + # maxconn: 400 + params: + - check + - name: web02 + ip: 127.0.0.1 + port: 8002 + # maxconn: 600 + params: + - check + - name: web03 + ip: 127.0.0.1 + port: 8003 + # maxconn: 600 + params: + - check + - name: web04 + ip: 127.0.0.1 + port: 8004 + # maxconn: 600 + params: + - check From 380b28be5f49de73672e21077f752e55449b3823 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 11 Jun 2015 14:49:42 +0200 Subject: [PATCH 15/28] Made it possible to omit certain options --- templates/etc/haproxy/defaults.cfg.j2 | 10 +++++----- templates/etc/haproxy/global.cfg.j2 | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) 
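Review bot: The stats block commits a concrete-looking credential (`passwd: '*rAp*uWRUt!a'`) next to real-looking certificate names; a later patch in this series deletes the block again, but the value remains in the repository history, so it should be treated as disclosed and changed wherever it was actually in use. Test fixtures are better served by an obvious dummy, e.g. `passwd: changeme`, together with placeholder certificate names.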
diff --git a/templates/etc/haproxy/defaults.cfg.j2 b/templates/etc/haproxy/defaults.cfg.j2 index d1a3e9b1..919d53b6 100644 --- a/templates/etc/haproxy/defaults.cfg.j2 +++ b/templates/etc/haproxy/defaults.cfg.j2 @@ -1,24 +1,24 @@ -{% if haproxy_defaults_log is defined %} +{% if haproxy_defaults_log != false %} log {{ haproxy_defaults_log }} {% endif %} -{% if haproxy_defaults_mode is defined %} +{% if haproxy_defaults_mode != false %} mode {{ haproxy_defaults_mode }} {% endif %} -{% if haproxy_defaults_option is defined %} +{% if haproxy_defaults_option != false %} {% for option in haproxy_defaults_option %} option {{ option }} {% endfor %} {% endif %} -{% if haproxy_defaults_timeout is defined %} +{% if haproxy_defaults_timeout != false %} {% for timeout in haproxy_defaults_timeout %} timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} {% endif %} -{% if haproxy_defaults_errorfile is defined %} +{% if haproxy_defaults_errorfile != false %} {% for errorfile in haproxy_defaults_errorfile %} errorfile {{ errorfile.code }} {{ errorfile.file }} {% endfor %} diff --git a/templates/etc/haproxy/global.cfg.j2 b/templates/etc/haproxy/global.cfg.j2 index fb085fa7..3a1a8361 100644 --- a/templates/etc/haproxy/global.cfg.j2 +++ b/templates/etc/haproxy/global.cfg.j2 @@ -1,4 +1,4 @@ -{% if haproxy_global_log is defined %} +{% if haproxy_global_log != false %} {% for log in haproxy_global_log %} log {{ log.address }} {{ log.facility }}{% if log.level is defined %} {{log.level }}{% endif %}{% if log.minlevel is defined %} {{ log.minlevel }}{% endif %} @@ -8,11 +8,11 @@ {% endfor %} {% endif %} -{% if haproxy_global_chroot is defined and haproxy_global_chroot | bool != false %} +{% if haproxy_global_chroot | bool != false %} chroot {{ haproxy_global_chroot }} {% endif %} -{% if haproxy_global_stats is defined %} +{% if haproxy_global_stats != false %} {% if haproxy_global_stats.socket is defined %} stats socket {{ haproxy_global_stats.socket }} {% endif -%} 
@@ -21,34 +21,34 @@ {% endif -%} {% endif %} -{% if haproxy_global_user is defined %} +{% if haproxy_global_user != false %} user {{ haproxy_global_user }} {% endif %} -{% if haproxy_global_group is defined %} +{% if haproxy_global_group != false %} group {{ haproxy_global_group }} {% endif %} -{% if haproxy_global_daemon is defined and haproxy_global_daemon | bool == true %} +{% if haproxy_global_daemon | bool == true %} daemon {% endif %} +{% if haproxy_global_ca_base != false %} # Default SSL material locations -{% if haproxy_global_ca_base is defined %} ca-base {{ haproxy_global_ca_base }} {% endif %} -{% if haproxy_global_crt_base is defined %} +{% if haproxy_global_crt_base != false %} crt-base {{ haproxy_global_crt_base }} {% endif %} +{% if haproxy_global_ssl_default_bind_ciphers != false %} # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ -{% if haproxy_global_ssl_default_bind_ciphers is defined %} ssl-default-bind-ciphers {{ haproxy_global_ssl_default_bind_ciphers }} {% endif %} -{% if haproxy_global_ssl_default_bind_options is defined %} +{% if haproxy_global_ssl_default_bind_options != false %} ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }} {% endif %} From ef9ad9c5b30468ce529261c7a8605fa12da83be0 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 11 Jun 2015 16:27:47 +0200 Subject: [PATCH 16/28] Updated SSL configuration --- defaults/main.yml | 3 +++ tasks/main.yml | 21 +++++++++++++++++++++ tests/vagrant.yml | 23 ++++++++++++++++------- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e3a6f3cd..03c1bf3a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -50,6 +50,9 @@ haproxy_defaults_errorfile: - code: 504 file: /etc/haproxy/errors/504.http +# ssl (file) map +haproxy_ssl_map: [] + # listen section haproxy_listen: [] 
diff --git a/tasks/main.yml b/tasks/main.yml index fec6124b..13e10b68 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,6 +22,27 @@ when: haproxy_install tags: [configuration, haproxy, haproxy-install] +- name: create certificate files directories + file: + path: "{{ item.dest | dirname }}" + state: directory + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: 0750 + with_items: haproxy_ssl_map + tags: [configuration, haproxy, haproxy-configuration, haproxy-configuration-ssl] + +- name: copy certificate files + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0640') }}" + with_items: haproxy_ssl_map + notify: restart haproxy + tags: [configuration, haproxy, haproxy-configuration, haproxy-configuration-ssl] + - name: update configuration file template: src: etc/haproxy/haproxy.cfg.j2 diff --git a/tests/vagrant.yml b/tests/vagrant.yml index ef1a76e5..937fa9a7 100644 --- a/tests/vagrant.yml +++ b/tests/vagrant.yml @@ -6,11 +6,20 @@ roles: - haproxy vars: + # ssl (file) map + haproxy_ssl_map: + - src: ../../../files/haproxy/etc/haproxy/ssl/star-taalzee-nl.pem + dest: /etc/ssl/private/star-rekentuin-nl.pem + - src: ../../../files/haproxy/etc/haproxy/ssl/star-taalzee-nl.pem + dest: /etc/ssl/private/star-taalzee-nl.pem + - src: ../../../files/haproxy/etc/haproxy/ssl/star-wordsandbirds-nl.pem + dest: /etc/ssl/private/star-wordsandbirds-nl.pem + # listen section haproxy_listen: - name: stats description: Global statistics - bind: '*:1936' + bind: '127.0.0.1:1936' mode: http stats: enable: true 
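Review bot: The `create certificate files directories` task applies a fixed `mode: 0750` and root:root ownership to `{{ item.dest | dirname }}` even when the directory already exists, so pointing `dest` at a system directory (the test data in this patch uses `/etc/ssl/private/…`, which Debian/Ubuntu ship as root:ssl-cert with its own restrictive mode, if I remember correctly) rewrites that directory's ownership and mode and can break other services relying on the ssl-cert group. Make the directory attributes per-item, e.g. `mode: "{{ item.dir_mode | default('0750') }}"` with matching `dir_owner`/`dir_group` keys, or only create the directory when it is missing. Two smaller points: entries removed from `haproxy_ssl_map` leave their key files on disk with no cleanup path, and `notify: restart haproxy` on a certificate change is a full restart, where a reload handler would avoid dropping live connections — the handlers file is not visible here, so this may already exist.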
@@ -27,12 +36,12 @@ haproxy_frontend: - name: http description: Front-end for all HTTP traffic - bind: '*:80' + bind: '0.0.0.0:80' mode: http default_backend: webservers - name: https description: Front-end for all HTTPS traffic - bind: '*:443' + bind: '0.0.0.0:443' ssl: - crt: star-rekentuin-nl.pem - crt: star-taalzee-nl.pem @@ -62,24 +71,24 @@ - name: web01 ip: 127.0.0.1 port: 8001 - # maxconn: 400 + # maxconn: 501 params: - check - name: web02 ip: 127.0.0.1 port: 8002 - # maxconn: 600 + # maxconn: 502 params: - check - name: web03 ip: 127.0.0.1 port: 8003 - # maxconn: 600 + # maxconn: 503 params: - check - name: web04 ip: 127.0.0.1 port: 8004 - # maxconn: 600 + # maxconn: 504 params: - check From d8a4bc324d642ca43544c50d802e7769b7abe23f Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 11 Jun 2015 16:30:32 +0200 Subject: [PATCH 17/28] Removal of vagrant test data --- tests/vagrant.yml | 87 ----------------------------------------------- 1 file changed, 87 deletions(-) diff --git a/tests/vagrant.yml b/tests/vagrant.yml index 937fa9a7..294ba9bf 100644 --- a/tests/vagrant.yml +++ b/tests/vagrant.yml 
@@ -5,90 +5,3 @@ sudo: true roles: - haproxy - vars: - # ssl (file) map - haproxy_ssl_map: - - src: ../../../files/haproxy/etc/haproxy/ssl/star-taalzee-nl.pem - dest: /etc/ssl/private/star-rekentuin-nl.pem - - src: ../../../files/haproxy/etc/haproxy/ssl/star-taalzee-nl.pem - dest: /etc/ssl/private/star-taalzee-nl.pem - - src: ../../../files/haproxy/etc/haproxy/ssl/star-wordsandbirds-nl.pem - dest: /etc/ssl/private/star-wordsandbirds-nl.pem - - # listen section - haproxy_listen: - - name: stats - description: Global statistics - bind: '127.0.0.1:1936' - mode: http - stats: - enable: true - uri: / - hide_version: true - refresh: 5s - auth: - - user: admin - passwd: '*rAp*uWRUt!a' - ssl: - - crt: star-taalzee-nl.pem - - # front-end section - haproxy_frontend: - - name: http - description: Front-end for all HTTP traffic - bind: '0.0.0.0:80' - mode: http - default_backend: webservers - - name: https - description: Front-end for all HTTPS traffic - bind: '0.0.0.0:443' - ssl: - - crt: star-rekentuin-nl.pem - - crt: star-taalzee-nl.pem - - crt: star-wordsandbirds-nl.pem - mode: http - default_backend: webservers - rspadd: - - string: 'Strict-Transport-Security:\ max-age=15768000' - # cond: - - # back-end section - haproxy_backend: - - name: webservers - description: Back-end with all (Apache) webservers - mode: http - balance: roundrobin - option: - - forwardfor - - 'httpchk HEAD / HTTP/1.1\r\nHost:localhost' - http_request: - - action: 'set-header' - param: 'X-Forwarded-Port %[dst_port]' - - action: 'add-header' - param: 'X-Forwarded-Proto https' - cond: 'if { ssl_fc }' - server: - - name: web01 - ip: 127.0.0.1 - port: 8001 - # maxconn: 501 - params: - - check - - name: web02 - ip: 127.0.0.1 - port: 8002 - # maxconn: 502 - params: - - check - - name: web03 - ip: 127.0.0.1 - port: 8003 - # maxconn: 503 - params: - - check - - name: web04 - ip: 127.0.0.1 - port: 8004 - # maxconn: 504 - params: - - check From b2e8ee0a18f3ee3c12495e87b6e9f6cd0e5796e6 Mon Sep 17 00:00:00 2001 
From: Mischa ter Smitten Date: Thu, 11 Jun 2015 17:12:02 +0200 Subject: [PATCH 18/28] Improved tests --- .travis.yml | 7 +++++++ tests/test.yml | 23 +++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/.travis.yml b/.travis.yml index 7f3756fa..884f8832 100644 --- a/.travis.yml +++ b/.travis.yml @@ -34,6 +34,13 @@ script: && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1) + # Test front-end + - > + wget http://localhost -O /dev/null -S --quiet 2>&1 + | grep -q '503 Service Unavailable' + && (echo 'Availability test: pass' && exit 0) + || (echo 'Availability test: fail' && exit 1) + notifications: email: false hipchat: diff --git a/tests/test.yml b/tests/test.yml index ab403573..e61e20cc 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -4,3 +4,26 @@ remote_user: root roles: - ansible-haproxy + vars: + # front-end section + haproxy_frontend: + - name: http + bind: '0.0.0.0:80' + mode: http + default_backend: webservers + + # back-end section + haproxy_backend: + - name: webservers + mode: http + balance: roundrobin + option: + - forwardfor + - 'httpchk HEAD / HTTP/1.1\r\nHost:localhost' + http_request: + - action: 'set-header' + param: 'X-Forwarded-Port %[dst_port]' + - action: 'add-header' + param: 'X-Forwarded-Proto https' + cond: 'if { ssl_fc }' + server: [] From c9c168145dfc1edd153d1fc55789e441e590518a Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 11 Jun 2015 17:15:51 +0200 Subject: [PATCH 19/28] Simplification of test (config) --- tests/test.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/test.yml b/tests/test.yml index e61e20cc..38f4cce8 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -20,10 +20,4 @@ option: - forwardfor - 'httpchk HEAD / HTTP/1.1\r\nHost:localhost' - http_request: - - action: 'set-header' - param: 'X-Forwarded-Port %[dst_port]' - - action: 'add-header' - param: 'X-Forwarded-Proto https' - cond: 'if { ssl_fc }' server: [] 
From 860c1afb604be1298654928bdf6df7ff973aae86 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 12 Jun 2015 09:10:47 +0200 Subject: [PATCH 20/28] Simplification of test --- tests/test.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/test.yml b/tests/test.yml index e61e20cc..38f4cce8 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -20,10 +20,4 @@ option: - forwardfor - 'httpchk HEAD / HTTP/1.1\r\nHost:localhost' - http_request: - - action: 'set-header' - param: 'X-Forwarded-Port %[dst_port]' - - action: 'add-header' - param: 'X-Forwarded-Proto https' - cond: 'if { ssl_fc }' server: [] From 44d5b5c2c4c3e090241871203d4c601a60838b28 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 12 Jun 2015 21:44:21 +0200 Subject: [PATCH 21/28] Improved documentation --- README.md | 43 ++++++++++++++++++++++++++++++++++++++++++- vars/main.yml | 1 - 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 10283194..34a70f22 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,48 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system #### Variables -* `haproxy_install`: [default: `[]`]: Additional packages to install +* `haproxy_install`: [default: `[]`]: Additional packages to install (e.g. `socat`) + +* `haproxy_global_log`: [default: See `defaults/main.yml`]: Log declarations +* `haproxy_global_log.{n}.address`: [required]: Indicates where to send the logs (e.g. `/dev/log`) +* `haproxy_global_log.{n}.facility`: [required]: Must be one of the 24 standard syslog facilities (e.g. `local0`, `local1`) +* `haproxy_global_log.{n}.level`: [optional]: Can be specified to filter outgoing messages (e.g. `notice`) +* `haproxy_global_log.{n}.minlevel`: [optional]: Can be specified to filter outgoing messages (e.g. `notice`) +* `haproxy_global_log.{n}.format`: [optional]: Specifies the log format string to use for traffic logs (e.g. `%{+Q}o\ %t\ %s\ %{-Q}r`) +* `haproxy_global_chroot`: [default: `/var/lib/haproxy`]: Changes current directory to `` and performs a `chroot()` there before dropping privileges +* `haproxy_global_stats`: [default: See `defaults/main.yml`]: Stats declarations +* `haproxy_global_stats.socket`: [default: `"{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}"`]: Binds a UNIX socket to `` or a TCPv4/v6 address to ``. Connections to this socket will return various statistics outputs and even allow some commands to be issued to change some runtime settings +* `haproxy_global_stats.timeout`: [default: `30s`]: The default timeout on the stats socket +* `haproxy_global_user`: [default: `haproxy`]: Similar to `"uid"` but uses the UID of user name `` from `/etc/passwd` +* `haproxy_global_group`: [default: `haproxy`]: Similar to `"gid"` but uses the GID of group name `` from `/etc/group`. +* `haproxy_global_daemon`: [default: `true`]: Makes the process fork into background. 
This is the recommended mode of operation +* `haproxy_global_ca_base`: [default: `/etc/ssl/certs`]: Assigns a default directory to fetch SSL CA certificates and CRLs from when a relative path is used with `"ca-file"` or `"crl-file"` directives +* `haproxy_global_crt_base`: [default: `/etc/ssl/private`]: Assigns a default directory to fetch SSL certificates from when a relative path is used with `"crtfile"` directives +* `haproxy_global_ssl_default_bind_ciphers`: [default: `kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL`]: This setting is only available when support for OpenSSL was built in. It sets the default string describing the list of cipher algorithms (`"cipher suite"`) that are negotiated during the SSL/TLS handshake for all `"bind"` lines which do not explicitly define theirs +* `haproxy_global_ssl_default_bind_options`: [default: `no-sslv3`]: This setting is only available when support for OpenSSL was built in. It sets default ssl-options to force on all `"bind"` lines + +* `haproxy_defaults_log`: [default: `global`]: Enable per-instance logging of events and traffic. `global` should be used when the instance's logging parameters are the same as the global ones. This is the most common usage +* `haproxy_defaults_mode`: [default: `http`]: Set the running mode or protocol of the instance +* `haproxy_defaults_option: [default: `[httplog, dontlognull]`]: +* `haproxy_defaults_timeout`: [default: See `defaults/main.yml`]: Timeout declarations +* `haproxy_defaults_timeout.type`: [required]: The type (e.g. `connect`, `client`, `server`) +* `haproxy_defaults_timeout.timeout`: [required]: The timeout (in in milliseconds by default, but can be in any other unit if the number is suffixed by the unit) (e.g. `5000`, `50000`) +* `haproxy_defaults_errorfile`: [default: See `defaults/main.yml`]: Errorfile declarations +* `haproxy_defaults_errorfile.code`: [required]: The HTTP status code. 
Currently, HAProxy is capable of generating codes 200, 400, 403, 408, 500, 502, 503, and 504 (e.g. `400`) +* `haproxy_defaults_errorfile.file`: [required]: A file containing the full HTTP response (e.g `/etc/haproxy/errors/400.http`) + +* `haproxy_ssl_map`: [default: `[]`]: SSL declarations +* `haproxy_ssl_map.{n}.src`: The local path of the file to copy, can be absolute or relative (e.g. `../../../files/haproxy/etc/haproxy/ssl/star-example-com.pem`) +* `haproxy_ssl_map.{n}.dest`: The remote path of the file to copy (e.g. `/etc/haproxy/ssl/star-example-com.pem`) +* `haproxy_ssl_map.{n}.owner`: The name of the user that should own the file (optional, default `root`) +* `haproxy_ssl_map.{n}.group`: The name of the group that should own the file (optional, default `root`) +* `haproxy_ssl_map.{n}.mode`: The mode of the file, such as 0644 (optional, default `0640`) + +* `haproxy_listen`: [default: `[]`]: Listen declarations + +* `haproxy_frontend`: [default: `[]`]: Front-end declarations + +* `haproxy_backend`: [default: `[]`]: Back-end declarations ## Dependencies diff --git a/vars/main.yml b/vars/main.yml index 0b41dd5d..8ea8ba79 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,4 +3,3 @@ haproxy_ppa: 'ppa:vbernat/haproxy-1.5' haproxy_dependencies: - haproxy - - socat From eaa2a56d493ad43d5dd1a1c613ab087575604930 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 12 Jun 2015 22:01:06 +0200 Subject: [PATCH 22/28] Removal of unnecessary when --- tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 13e10b68..8f615312 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -11,7 +11,6 @@ name: "{{ item }}" state: latest with_items: haproxy_dependencies - when: haproxy_dependencies tags: [configuration, haproxy, haproxy-dependencies] - name: install 
@@ -19,7 +18,6 @@ name: "{{ item }}" state: latest with_items: haproxy_install - when: haproxy_install tags: [configuration, haproxy, haproxy-install] - name: create certificate files directories From 675615b6d263c9b1c20854deed24dfbafc5e2acd Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 12 Jun 2015 22:02:50 +0200 Subject: [PATCH 23/28] Improved README --- README.md | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 34a70f22..98b06af5 100644 --- a/README.md +++ b/README.md 
@@ -57,13 +57,86 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system None -#### Example +#### SSL Termination (Multiple certificates, global monitoring, multiple web servers) ```yaml --- - hosts: all roles: - haproxy + vars: + haproxy_ssl_map: + - src: ../../../files/haproxy/etc/haproxy/ssl/star-example0-com.pem + dest: /etc/ssl/private/star-example0-com.pem + - src: ../../../files/haproxy/etc/haproxy/ssl/star-example1-com.pem + dest: /etc/ssl/private/star-example1-com.pem + - src: ../../../files/haproxy/etc/haproxy/ssl/star-example2-com.pem + dest: /etc/ssl/private/star-example2-com.pem + + haproxy_listen: + - name: stats + description: Global statistics + bind: '0.0.0.0:1936' + mode: http + stats: + enable: true + uri: / + hide_version: true + refresh: 5s + auth: + - user: admin + passwd: 'NqXgKWQ9f9Et' + ssl: + - crt: star-example0-com.pem + + haproxy_frontend: + - name: http + description: Front-end for all HTTP traffic + bind: '0.0.0.0:80' + mode: http + default_backend: webservers + - name: https + description: Front-end for all HTTPS traffic + bind: '0.0.0.0:443' + ssl: + - crt: star-example1-com.pem + - crt: star-example2-com.pem + mode: http + default_backend: webservers + rspadd: + - string: 'Strict-Transport-Security:\ max-age=15768000' + + haproxy_backend: + - name: webservers + description: Back-end with all (Apache) webservers + mode: http + balance: roundrobin + option: + - forwardfor + - 'httpchk HEAD / HTTP/1.1\r\nHost:localhost' + http_request: + - action: 'set-header' + param: 'X-Forwarded-Port %[dst_port]' + - action: 'add-header' + param: 'X-Forwarded-Proto https' + cond: 'if { ssl_fc }' + server: + - name: web01 + ip: 127.0.0.1 + port: 8001 + maxconn: 501 + params: + - check + - name: web02 + ip: 127.0.0.1 + port: 8002 + maxconn: 502 + params: + - check + - name: web03 + ip: 127.0.0.1 + port: 8003 + maxconn: 503 ``` #### License From 57e941c7617f5b14ebb72d12889083ff13d5b791 Mon Sep 17 00:00:00 2001 
From: Mischa ter Smitten Date: Mon, 15 Jun 2015 21:07:53 +0200 Subject: [PATCH 24/28] Improved documentation --- README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 98b06af5..1f06e4f3 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,20 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_ssl_map.{n}.mode`: The mode of the file, such as 0644 (optional, default `0640`) * `haproxy_listen`: [default: `[]`]: Listen declarations +* `haproxy_listen.{n}.name`: [required]: The name of the section (e.g. `stats`) +* `haproxy_listen.{n}.description`: [optional]: A description of the section (e.g. `Global statistics`) +* `haproxy_listen.{n}.bind`: [required]: Defines a listening address and/or port (e.g. `0.0.0.0:1936`) +* `haproxy_listen.{n}.mode`: [required]: Set the running mode or protocol of the section (e.g. `http`) +* `haproxy_listen.{n}.stats`: [optional]: Stats declarations +* `haproxy_listen.{n}.stats.enable`: [required]: Enables statistics reporting with default settings +* `haproxy_listen.{n}.stats.uri`: [optional, default `/`]: Define the URI prefix to access statistics +* `haproxy_listen.{n}.stats.hide_version`: [optional]: Hide version reporting +* `haproxy_listen.{n}.stats.refresh`: [optional]: Defined the refresh delay, specified in seconds (e.g. `5s`) +* `haproxy_listen.{n}.stats.auth`: [optional]: Auth declarations +* `haproxy_listen.{n}.stats.auth.{n}.user`: [required]: A user name to grant access to +* `haproxy_listen.{n}.stats.auth.{n}.passwd`: [required]: The cleartext password associated to this user +* `haproxy_listen.{n}.ssl`: [optional]: SSL declarations +* `haproxy_listen.{n}.ssl.{n}.crt`: [required]: Designates a PEM file containing both the required certificates and any associated private keys (e.g. `star-example0-com.pem`) * `haproxy_frontend`: [default: `[]`]: Front-end declarations 
@@ -57,7 +71,7 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system None -#### SSL Termination (Multiple certificates, global monitoring, multiple web servers) +#### SSL Termination (Multiple certificates (SNI), global monitoring, multiple web servers) ```yaml --- From c0e4489704edad381033e153db9918d9933309cb Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Mon, 15 Jun 2015 21:08:28 +0200 Subject: [PATCH 25/28] Bugfixes for templates --- templates/etc/haproxy/frontend.cfg.j2 | 2 +- templates/etc/haproxy/listen.cfg.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/etc/haproxy/frontend.cfg.j2 b/templates/etc/haproxy/frontend.cfg.j2 index c4a5a735..bd6cb8d5 100644 --- a/templates/etc/haproxy/frontend.cfg.j2 +++ b/templates/etc/haproxy/frontend.cfg.j2 @@ -4,7 +4,7 @@ frontend {{ frontend.name }} description {{ frontend.description }} {% endif %} - bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %} + bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %} crt {% endfor %}{% endif %} mode {{ frontend.mode }} diff --git a/templates/etc/haproxy/listen.cfg.j2 b/templates/etc/haproxy/listen.cfg.j2 index 7892418a..71548ddf 100644 --- a/templates/etc/haproxy/listen.cfg.j2 +++ b/templates/etc/haproxy/listen.cfg.j2 
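Review bot: The rewritten `bind` line in frontend.cfg.j2 drops the certificate name: the loop body is now ` crt ` with no `{{ ssl.crt }}`, so a front-end with `ssl` renders as `bind 0.0.0.0:443 ssl crt  crt`, which HAProxy cannot load because each `crt` needs a path. The listen.cfg.j2 change in the same commit keeps the value, and the front-end line should match it: `bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %} crt {{ ssl.crt }}{% endfor %}{% endif %}`. Both templates also remove the `ssl.crt is defined` guard, so an entry without `crt` now fails at render time instead of being skipped; that is acceptable given the README marks `crt` as required, but a short comment above the line saying so would save the next reader a check.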
@@ -4,14 +4,14 @@ listen {{ listen.name }} description {{ listen.description }} {% endif %} - bind {{ listen.bind }}{% if listen.ssl is defined %} ssl{% for ssl in listen.ssl %}{% if ssl.crt is defined %} crt {{ ssl.crt }}{% endif %}{% endfor %}{% endif %} + bind {{ listen.bind }}{% if listen.ssl is defined %} ssl{% for ssl in listen.ssl %} crt {{ ssl.crt }}{% endfor %}{% endif %} mode {{ listen.mode }} {% if listen.stats is defined %} {% if listen.stats.enable is defined and listen.stats.enable | bool == true %} stats enable - stats uri / + stats uri {{ listen.stats.uri | default('/') }} {% if listen.stats.hide_version is defined and listen.stats.hide_version | bool == true %} stats hide-version {% endif %} From 4a7d8c11ca7b7f0188cd447b1b78fc4671f2d314 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Mon, 15 Jun 2015 21:31:57 +0200 Subject: [PATCH 26/28] Updated meta information --- meta/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index f085ad11..ca25fe12 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -14,5 +14,7 @@ galaxy_info: - trusty categories: - system + - clustering + - networking - web dependencies: [] From 2bb2a10f320d1f89845dc2c1d810b832e898db67 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Mon, 15 Jun 2015 22:15:53 +0200 Subject: [PATCH 27/28] Improved documentation --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index 1f06e4f3..5e2df739 100644 --- a/README.md +++ b/README.md 
@@ -64,8 +64,31 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_listen.{n}.ssl.{n}.crt`: [required]: Designates a PEM file containing both the required certificates and any associated private keys (e.g. `star-example0-com.pem`) * `haproxy_frontend`: [default: `[]`]: Front-end declarations +* `haproxy_frontend.{n}.name`: [required]: The name of the section (e.g. `https`) +* `haproxy_frontend.{n}.description`: [optional]: A description of the section (e.g. `Front-end for all HTTPS traffic`) +* `haproxy_frontend.{n}.bind`: [required]: Defines a listening address and/or port (e.g. `0.0.0.0:443`) +* `haproxy_frontend.{n}.mode`: [required]: Set the running mode or protocol of the section (e.g. `http`) +* `haproxy_frontend.{n}.default_backend`: [required]: The backend to use when no `"use_backend"` rule has been matched (e.g. `webservers`) +* `haproxy_frontend.{n}.rspadd`: [optional]: Adds headers at the end of the HTTP response +* `haproxy_frontend.{n}.rspadd.{n}.string`: [required]: The complete line to be added. Any space or known delimiter must be escaped using a backslash (`'\'`) +* `haproxy_frontend.{n}.rspadd.{n}.cond`: [optional]: A matching condition built from ACLs * `haproxy_backend`: [default: `[]`]: Back-end declarations +* `haproxy_backend.{n}.name`: [required]: The name of the section (e.g. `webservers`) +* `haproxy_backend.{n}.description`: [optional]: A description of the section (e.g. `Back-end with all (Apache) webservers`) +* `haproxy_backend.{n}.mode`: [required]: Set the running mode or protocol of the section (e.g. `http`) +* `haproxy_backend.{n}.balance`: [required]: The load balancing algorithm to be used (e.g. `roundrobin`) +* `haproxy_backend.{n}.option`: [optional]: Options to set (e.g. `[forwardfor]`) +* `haproxy_backend.{n}.http_request`: [optional]: Access control for Layer 7 requests +* `haproxy_backend.{n}.http_request.{n}.action`: [required]: The rules action (e.g. 
`add-header`) +* `haproxy_backend.{n}.http_request.{n}.param`: [optional]: The complete line to be added (e.g. `X-Forwarded-Proto https`) +* `haproxy_backend.{n}.http_request.{n}.cond`: [optional]: A matching condition built from ACLs (e.g. `if { ssl_fc }`) +* `haproxy_backend.{n}.server`: [optional]: Server declarations +* `haproxy_backend.{n}.server.{n}.name`: [required]: The internal name assigned to this server +* `haproxy_backend.{n}.server.{n}.ip`: [required]: The IPv4 or IPv6 address of the server +* `haproxy_backend.{n}.server.{n}.port`: [optional]: A port specification +* `haproxy_backend.{n}.server.{n}.maxconn`: [optional]: The `"maxconn"` parameter specifies the maximal number of concurrent connections that will be sent to this server +* `haproxy_backend.{n}.server.{n}.param`: [optional]: A list of parameters for this server ## Dependencies From cd782d23833f59b251831df93f80f0a16f15fe4d Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Mon, 15 Jun 2015 22:16:36 +0200 Subject: [PATCH 28/28] Template fixes * Renamed params to param * Made option optional --- README.md | 6 ++++-- templates/etc/haproxy/backend.cfg.j2 | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5e2df739..0694de13 100644 --- a/README.md +++ b/README.md @@ -162,18 +162,20 @@ None ip: 127.0.0.1 port: 8001 maxconn: 501 - params: + param: - check - name: web02 ip: 127.0.0.1 port: 8002 maxconn: 502 - params: + param: - check - name: web03 ip: 127.0.0.1 port: 8003 maxconn: 503 + param: + - check ``` #### License diff --git a/templates/etc/haproxy/backend.cfg.j2 b/templates/etc/haproxy/backend.cfg.j2 index 6a783e7e..0eca928b 100644 --- a/templates/etc/haproxy/backend.cfg.j2 +++ b/templates/etc/haproxy/backend.cfg.j2 
@@ -8,9 +8,11 @@ backend {{ backend.name }} balance {{ backend.balance }} +{% if backend.option is defined %} {% for option in backend.option %} option {{ option }} {% endfor %} +{% endif %} {% if backend.http_request is defined %} {% for http_request in backend.http_request %} @@ -21,7 +23,7 @@ backend {{ backend.name }} {% if backend.server is defined %} {% for server in backend.server %} - server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.params is defined %}{% for param in server.params %}{{ param }} {% endfor %}{% endif %} + server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.param is defined %}{% for param in server.param %}{{ param }} {% endfor %}{% endif %} {% endfor %} {% endif %}
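Review bot: The `server` line in the second hunk switches from `server.params` to `server.param` with no fallback, so an existing inventory that still uses `params` (the README example and the test data earlier in this series did until this commit) silently loses its server parameters — including `check`, which turns health checks off without any error. Accepting both spellings costs one expression: replace `{% if server.param is defined %}{% for param in server.param %}` with `{% for param in server.param | default(server.params | default([])) %}` and drop the matching `{% endif %}`. While touching the line, the spacing in `{{server.port }}` and `{{server.maxconn }}` could be normalized to match `{{ server.ip }}`. The new `{% if backend.option is defined %}` guard in the first hunk is consistent with the other optional sections and looks right.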