feat: haproxy refactor

- configure deep merging in hiera
- move fe_http and fe_https to hiera
- configure pve backends for standard and api traffic
This commit is contained in:
2024-04-28 22:19:44 +10:00
parent 220ac182f4
commit 8697492611
9 changed files with 113 additions and 163 deletions
@@ -52,48 +52,6 @@ profiles::haproxy::backends:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_letsencrypt:
description: Backend for LetsEncrypt Verifications
collect_exported: true
options:
balance: roundrobin
be_default:
description: Backend for unmatched HTTP traffic
collect_exported: true
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
# fe_http
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
profiles::haproxy::fe_http::bind_port: 80
profiles::haproxy::fe_http::bind_opts:
- transparent
profiles::haproxy::fe_http::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_http::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
# fe_https
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
profiles::haproxy::fe_https::bind_port: 443
profiles::haproxy::fe_https::bind_opts:
- ssl
- crt-list /etc/haproxy/certificate.list
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- force-tlsv12
profiles::haproxy::fe_https::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_https::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates: