feat: add haproxy profile
- add haproxy server class
- add haproxy profile to role
- add hiera data for region-specific haproxy
- add selinux configuration
- add certlist management
- add default http and https frontends
- add default stats listener
@@ -21,6 +21,15 @@ lookup_options:
|
||||
profiles::yum::global::managed_repos:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::haproxy::server::defaults:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::haproxy::server::globals:
|
||||
merge:
|
||||
strategy: deep
|
||||
haproxy::backend:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
|
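Review bot: The `strategy: deep` entries added for `profiles::haproxy::server::defaults`, `profiles::haproxy::server::globals` and `haproxy::backend` mean that array-valued keys such as `option:`, `timeout:` and `http-request:` are concatenated across hierarchy levels rather than replaced, so a region-specific file cannot drop an entry (for example a `forwardfor` or a cipher option) that the common data already lists. If override-by-removal is ever needed, Hiera's deep merge accepts a `knockout_prefix`; otherwise a comment such as `# deep merge: list values are appended across levels, not replaced` above `profiles::haproxy::server::defaults:` would save the next editor a surprise. The `lookup_options:` mapping starts before this hunk.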
||||
@@ -0,0 +1,49 @@
|
||||
---
|
||||
haproxy::backend:
|
||||
be_letsencrypt:
|
||||
description: Backend for LetsEncrypt Verifications
|
||||
collect_exported: true
|
||||
options:
|
||||
balance: roundrobin
|
||||
be_default:
|
||||
description: Backend for unmatched HTTP traffic
|
||||
collect_exported: true
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk
|
||||
- forwardfor
|
||||
http-check: send meth GET uri /
|
||||
cookie: SRVNAME insert
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
|
||||
# fe_http
|
||||
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
|
||||
profiles::haproxy::fe_http::bind_port: 80
|
||||
profiles::haproxy::fe_http::bind_opts:
|
||||
- transparent
|
||||
profiles::haproxy::fe_http::acls:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
profiles::haproxy::fe_http::http_request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
|
||||
# fe_https
|
||||
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
|
||||
profiles::haproxy::fe_https::bind_port: 443
|
||||
profiles::haproxy::fe_https::bind_opts:
|
||||
- ssl
|
||||
- crt-list /etc/haproxy/certificate.list
|
||||
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
- force-tlsv12
|
||||
profiles::haproxy::fe_https::acls:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
profiles::haproxy::fe_https::http_request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
@@ -0,0 +1,40 @@
|
||||
---
|
||||
profiles::haproxy::ls_stats::port: 9090
|
||||
profiles::haproxy::ls_stats::user: 'admin'
|
||||
profiles::selinux::setenforce::mode: permissive
|
||||
|
||||
profiles::haproxy::selinux::ports:
|
||||
- 9090
|
||||
profiles::haproxy::selinux::sebooleans:
|
||||
- haproxy_connect_any
|
||||
|
||||
profiles::haproxy::server::globals:
|
||||
stats:
|
||||
- timeout 30s
|
||||
- socket /var/lib/haproxy/stats
|
||||
ca-base: /etc/ssl/certs
|
||||
crt-base: /etc/ssl/private
|
||||
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
ssl-default-bind-options: 'ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3'
|
||||
ssl-default-server-ciphers: kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
||||
ssl-default-server-options: no-sslv3
|
||||
tune.ssl.default-dh-param: 2048
|
||||
|
||||
profiles::haproxy::server::defaults:
|
||||
mode: http
|
||||
option:
|
||||
- httplog
|
||||
- dontlognull
|
||||
- http-server-close
|
||||
- forwardfor except 127.0.0.0/8
|
||||
- redispatch
|
||||
timeout:
|
||||
- http-request 10s
|
||||
- queue 1m
|
||||
- connect 10s
|
||||
- client 5m
|
||||
- server 5m
|
||||
- http-keep-alive 10s
|
||||
- check 10s
|
||||
retries: 3
|
||||
maxconn: 5000
|
||||