feat: haproxy refactor

- configure deep merging in hiera
- move fe_http and fe_https to hiera
- configure pve backends for standard and api traffic
This commit is contained in:
2024-04-28 22:19:44 +10:00
parent 220ac182f4
commit 8697492611
9 changed files with 113 additions and 163 deletions
+12
View File
@@ -30,6 +30,18 @@ lookup_options:
profiles::haproxy::server::globals:
merge:
strategy: deep
profiles::haproxy::server::frontends:
merge:
strategy: deep
profiles::haproxy::server::backends:
merge:
strategy: deep
profiles::haproxy::server::mappings:
merge:
strategy: deep
profiles::haproxy::server::listeners:
merge:
strategy: deep
haproxy::backend:
merge:
strategy: deep
@@ -52,48 +52,6 @@ profiles::haproxy::backends:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_letsencrypt:
description: Backend for LetsEncrypt Verifications
collect_exported: true
options:
balance: roundrobin
be_default:
description: Backend for unmatched HTTP traffic
collect_exported: true
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
# fe_http
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
profiles::haproxy::fe_http::bind_port: 80
profiles::haproxy::fe_http::bind_opts:
- transparent
profiles::haproxy::fe_http::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_http::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
# fe_https
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
profiles::haproxy::fe_https::bind_port: 443
profiles::haproxy::fe_https::bind_opts:
- ssl
- crt-list /etc/haproxy/certificate.list
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- force-tlsv12
profiles::haproxy::fe_https::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_https::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
@@ -4,81 +4,65 @@ profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve'
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve'
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
# profiles::haproxy::listeners:
# ls_puppetdbapi_direct:
# collect_exported: false # handled in custom function
# ipaddress: "%{facts.networking.ip}"
# ports:
# - 8081
# mode: tcp
# options:
# option:
# - tcplog
# - ssl-hello-chk
# balance: roundrobin
profiles::haproxy::frontends:
fe_http:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
http-request:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
profiles::haproxy::backends:
be_ausyd1pve:
description: Backend for au-syd1 pve cluster
be_ausyd1pve_web:
description: Backend for au-syd1 pve cluster (Web)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_letsencrypt:
description: Backend for LetsEncrypt Verifications
collect_exported: true
options:
balance: roundrobin
be_default:
description: Backend for unmatched HTTP traffic
collect_exported: true
be_ausyd1pve_api:
description: Backend for au-syd1 pve cluster (API only)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
- http-keep-alive
- prefer-last-server
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
# fe_http
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
profiles::haproxy::fe_http::bind_port: 80
profiles::haproxy::fe_http::bind_opts:
- transparent
profiles::haproxy::fe_http::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_http::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
# fe_https
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
profiles::haproxy::fe_https::bind_port: 443
profiles::haproxy::fe_https::bind_opts:
- ssl
- crt-list /etc/haproxy/certificate.list
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- force-tlsv12
profiles::haproxy::fe_https::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_https::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
@@ -87,7 +71,9 @@ profiles::haproxy::certlist::certificates:
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
+51
View File
@@ -9,6 +9,9 @@ profiles::haproxy::selinux::sebooleans:
- haproxy_connect_any
profiles::haproxy::server::globals:
log:
- /dev/log local0
- /dev/log local1 notice
stats:
- timeout 30s
- socket /var/lib/haproxy/stats
@@ -38,3 +41,51 @@ profiles::haproxy::server::defaults:
- check 10s
retries: 3
maxconn: 5000
profiles::haproxy::frontends:
fe_http:
description: 'Global HTTP Frontend'
bind:
0.0.0.0:80:
- transparent
mode: 'http'
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
fe_https:
description: 'Global HTTPS Frontend'
bind:
0.0.0.0:443:
- ssl
- crt-list /etc/haproxy/certificate.list
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- force-tlsv12
mode: 'http'
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
profiles::haproxy::backends:
be_letsencrypt:
description: Backend for LetsEncrypt Verifications
collect_exported: true
options:
balance: roundrobin
be_default:
description: Backend for unmatched HTTP traffic
collect_exported: true
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }