-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy-config.template
252 lines (218 loc) · 11.9 KB
/
haproxy-config.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
{{/*
haproxy-config.cfg: contains the main config with helper backends that are used to terminate
encryption before finally sending to a host_be which is the backend that is the final
backend for a route and contains all the endpoints for the service
*/}}
{{ define "/var/lib/haproxy/conf/haproxy.config" }}
{{ $workingDir := .WorkingDir }}
global
# maxconn 4096
daemon
ca-base /etc/ssl
crt-base /etc/ssl
stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
stats timeout 2m
# Prevent vulnerability to POODLE attacks
# TODO: use when 1.5.14 is available
# ssl-default-bind-options no-sslv3
# Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
# tune.ssl.default-dh-param 2048
# ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
# tune.ssl.default-dh-param 1024
# ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
# maxconn 4096
# Add x-forwarded-for header.
{{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
option httplog
log global
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_CONNECT_TIMEOUT" "")) }}
timeout connect {{env "ROUTER_DEFAULT_CONNECT_TIMEOUT" "5s"}}
{{ else }}
timeout connect 5s
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_CLIENT_TIMEOUT" "")) }}
timeout client {{env "ROUTER_DEFAULT_CLIENT_TIMEOUT" "30s"}}
{{ else }}
timeout client 30s
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_SERVER_TIMEOUT" "")) }}
timeout server {{env "ROUTER_DEFAULT_SERVER_TIMEOUT" "30s"}}
{{ else }}
timeout server 30s
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_TIMEOUT" "")) }}
timeout http-request {{env "ROUTER_SLOWLORIS_TIMEOUT" "10s" }}
{{ else }}
timeout http-request 10s
{{ end }}
# Long timeout for WebSocket connections.
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_TUNNEL_TIMEOUT" "")) }}
timeout tunnel {{env "ROUTER_DEFAULT_TUNNEL_TIMEOUT" "1h" }}
{{ else }}
timeout tunnel 1h
{{ end }}
{{ if (gt .StatsPort 0) }}
listen stats :{{.StatsPort}}
{{ else }}
listen stats :1936
{{ end }}
mode http
# Health check monitoring uri.
monitor-uri /healthz
{{ if and (and (ne .StatsUser "") (ne .StatsPassword "")) (gt .StatsPort 0) }}
# Add your custom health check monitoring failure condition here.
# monitor fail if <condition>
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth {{.StatsUser}}:{{.StatsPassword}}
{{ end }}
frontend public
bind :{{env "ROUTER_SERVICE_HTTP_PORT" "80"}}
mode http
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
# Remove port from Host header
http-request replace-header Host (.*):.* \1
use_backend be_edge_http_%[path,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
default_backend openshift_default
# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
frontend public_ssl
bind :{{env "ROUTER_SERVICE_HTTPS_PORT" "443"}}
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend be_edge_http_%[path,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
default_backend openshift_default
backend openshift_default
mode http
option forwardfor
#option http-keep-alive
option http-pretend-keepalive
# To configure custom default errors, you can either uncomment the
# line below (server ... 127.0.0.1:8080) and point it to your custom
# backend service or alternatively, you can send a custom 503 error.
#server openshift_backend 127.0.0.1:8080
errorfile 503 /var/lib/haproxy/conf/error-page-503.http
{{ range $cfgIdx, $cfg := .State }}
{{ if or (eq $cfg.TLSTermination "") (eq $cfg.TLSTermination "edge") }}
# Plain http backend but request is TLS, terminated at edge
backend be_edge_http_{{$cfgIdx}}
mode http
option redispatch
option forwardfor
balance leastconn
timeout check 5000ms
http-request set-header X-Forwarded-Host %[req.hdr(host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
{{ if and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "None") }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
{{ else }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
{{ end }}
http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
{{ with $value := index $cfg.Annotations "subdomain"}}
reqirep ^([^\ :]*)\ /{{$value}}/(.*) \1\ /\2
reqirep ^([^\ :]*)\ /{{$value}}(.*) \1\ /\2
reqadd X-Script-Name:\ /{{$value}}
{{ end }}
{{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
{{ if ne $weight 0 }}
{{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
{{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
{{ if $endpoint.NoHealthCheck }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} cookie {{$endpoint.IdHash}} weight {{$weight}}
{{ else }}
{{ with $healthIntv := index $cfg.Annotations "router.openshift.io/haproxy.health.check.interval" }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $healthIntv) }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{$healthIntv}} cookie {{$endpoint.IdHash}} weight {{$weight}}
{{ else }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}} weight {{$weight}}
{{ end }}
{{ else }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_BACKEND_CHECK_INTERVAL" "")) }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{env "ROUTER_BACKEND_CHECK_INTERVAL" "5000ms"}} cookie {{$endpoint.IdHash}} weight {{$weight}}
{{ else }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}} weight {{$weight}}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{ end }}{{/* end if weight != 0 */}}
{{ end }}{{/* end iterate over services */}}
{{ end }}{{/* end if tls==edge/none */}}
# Secure backend, pass through
{{ if eq $cfg.TLSTermination "passthrough" }}
backend be_tcp_{{$cfgIdx}}
{{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
option tcplog
{{ end }}
{{ with $balanceAlgo := index $cfg.Annotations "haproxy.router.openshift.io/balance" }}
{{ with $matchValue := (matchValues $balanceAlgo "roundrobin" "leastconn" "source" ) }}
balance {{ $balanceAlgo }}
{{ end }}
{{ else }}
balance {{ env "ROUTER_TCP_BALANCE_SCHEME" "source" }}
{{ end }}
{{ with $value := index $cfg.Annotations "haproxy.router.openshift.io/timeout"}}
{{if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $value) }}
timeout tunnel {{$value}}
{{ end }}
{{ end }}
hash-type consistent
timeout check 5000ms
{{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
{{ if ne $weight 0 }}
{{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
{{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
reqirep ^([^\ :]*)\ {{$cfgIdx}}/(.*) \1\ /\2
reqirep ^([^\ :]*)\ {{$cfgIdx}}(.*) \1\ /\2
{{ if $endpoint.NoHealthCheck }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} weight {{$weight}}
{{ else }}
{{ with $healthIntv := index $cfg.Annotations "router.openshift.io/haproxy.health.check.interval" }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $healthIntv) }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{$healthIntv}} weight {{$weight}}
{{ else }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms weight {{$weight}}
{{ end }}
{{ else }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_BACKEND_CHECK_INTERVAL" "")) }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{env "ROUTER_BACKEND_CHECK_INTERVAL" "5000ms"}} weight {{$weight}}
{{ else }}
server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms weight {{$weight}}
{{ end }}
{{ end }}
{{ end }}
{{ end }}{{/* end range endpointsForAlias */}}
{{ end }}{{/* end get ServiceUnit from serviceUnitName */}}
{{ end }}{{/* end if weight != 0 */}}
{{ end }}{{/* end iterate over services*/}}
{{ end }}{{/*end tls==passthrough*/}}
{{ end }}{{/* end loop over routes */}}
{{ end }}{{/* end haproxy config template */}}
{{/*--------------------------------- END OF HAPROXY CONFIG, BELOW ARE MAPPING FILES ------------------------*/}}
{{/*
os_edge_http_be.map: same as os_http_be.map but allows us to separate tls from non-tls routes to ensure we don't expose
a tls only route on the unsecure port
*/}}
{{ define "/var/lib/haproxy/conf/os_edge_http_be.map" }}
{{ range $idx, $cfg := .State }}
{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge")}}
{{ with $value := index $cfg.Annotations "subdomain"}}
/{{$value}} {{$idx}}
{{ end }}
{{ end }}
{{ end }}
{{ end }}{{/* end edge http host map template */}}