feat: sydney haproxy cluster
- add au-syd1 halb cluster - add http-response to frontends - manage haproxy after enc_role is correct
@@ -1,6 +1,11 @@
|
||||
---
|
||||
# mappings
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
ensure: present
|
||||
mappings:
|
||||
- 'puppetboard.main.unkin.net be_puppetboard'
|
||||
- 'puppetdbapi.main.unkin.net be_puppetdbapi'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
|
||||
@@ -0,0 +1,93 @@
|
||||
---
|
||||
# mappings
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
ensure: present
|
||||
mappings:
|
||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve'
|
||||
|
||||
# profiles::haproxy::listeners:
|
||||
# ls_puppetdbapi_direct:
|
||||
# collect_exported: false # handled in custom function
|
||||
# ipaddress: "%{facts.networking.ip}"
|
||||
# ports:
|
||||
# - 8081
|
||||
# mode: tcp
|
||||
# options:
|
||||
# option:
|
||||
# - tcplog
|
||||
# - ssl-hello-chk
|
||||
# balance: roundrobin
|
||||
|
||||
profiles::haproxy::backends:
|
||||
be_ausyd1pve:
|
||||
description: Backend for au-syd1 pve cluster
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
cookie: SRVNAME insert
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_letsencrypt:
|
||||
description: Backend for LetsEncrypt Verifications
|
||||
collect_exported: true
|
||||
options:
|
||||
balance: roundrobin
|
||||
be_default:
|
||||
description: Backend for unmatched HTTP traffic
|
||||
collect_exported: true
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
cookie: SRVNAME insert
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
|
||||
# fe_http
|
||||
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
|
||||
profiles::haproxy::fe_http::bind_port: 80
|
||||
profiles::haproxy::fe_http::bind_opts:
|
||||
- transparent
|
||||
profiles::haproxy::fe_http::acls:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
profiles::haproxy::fe_http::http_request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
|
||||
# fe_https
|
||||
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
|
||||
profiles::haproxy::fe_https::bind_port: 443
|
||||
profiles::haproxy::fe_https::bind_opts:
|
||||
- ssl
|
||||
- crt-list /etc/haproxy/certificate.list
|
||||
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
- force-tlsv12
|
||||
profiles::haproxy::fe_https::acls:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
profiles::haproxy::fe_https::http_request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
|
||||
# additional cnames
|
||||
profiles::haproxy::dns::cnames:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
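Review bot: The `profiles::haproxy::fe_http::http_request` list sets `set-header X-Forwarded-Proto https` although that frontend binds port 80 with no `ssl` option, so a cleartext request is forwarded labelled as HTTPS. `be_ausyd1pve` redirects non-TLS traffic with `scheme https if !{ ssl_fc }`, but `be_default` and `be_letsencrypt` carry no such redirect, so an application behind them that trusts the header for secure-cookie or redirect decisions would be misled. I would change the fe_http entry to `'set-header X-Forwarded-Proto http'`; on the 443 path the backends' `add-header X-Forwarded-Proto https if { dst_port 443 }` presumably duplicates the header the frontend already set, so one of the two can be dropped. Separately, `force-tlsv12` on the fe_https bind pins the listener to TLS 1.2 only; `ssl-min-ver TLSv1.2` keeps the same floor while still allowing TLS 1.3 to be negotiated.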