feat: haproxy refactor
- configure deep merging in hiera - move fe_http and fe_https to hiera - configure pve backends for standard and api traffic
@@ -9,6 +9,9 @@ profiles::haproxy::selinux::sebooleans:
|
||||
- haproxy_connect_any
|
||||
|
||||
profiles::haproxy::server::globals:
|
||||
log:
|
||||
- /dev/log local0
|
||||
- /dev/log local1 notice
|
||||
stats:
|
||||
- timeout 30s
|
||||
- socket /var/lib/haproxy/stats
|
||||
@@ -38,3 +41,51 @@ profiles::haproxy::server::defaults:
|
||||
- check 10s
|
||||
retries: 3
|
||||
maxconn: 5000
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
description: 'Global HTTP Frontend'
|
||||
bind:
|
||||
0.0.0.0:80:
|
||||
- transparent
|
||||
mode: 'http'
|
||||
options:
|
||||
acl:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
http-request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
fe_https:
|
||||
description: 'Global HTTPS Frontend'
|
||||
bind:
|
||||
0.0.0.0:443:
|
||||
- ssl
|
||||
- crt-list /etc/haproxy/certificate.list
|
||||
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
- force-tlsv12
|
||||
mode: 'http'
|
||||
options:
|
||||
acl:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
http-request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
|
||||
profiles::haproxy::backends:
|
||||
be_letsencrypt:
|
||||
description: Backend for LetsEncrypt Verifications
|
||||
collect_exported: true
|
||||
options:
|
||||
balance: roundrobin
|
||||
be_default:
|
||||
description: Backend for unmatched HTTP traffic
|
||||
collect_exported: true
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
cookie: SRVNAME insert
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
|
||||
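Review bot: The new fe_http frontend bound on 0.0.0.0:80 sets `X-Forwarded-Proto https` unconditionally, so backends see plaintext port-80 requests as TLS and will mark cookies Secure, skip HTTPS redirects or build https:// URLs for a connection that is not encrypted; on fe_http this line should read `- 'set-header X-Forwarded-Proto http'` (the https value belongs only to fe_https, where it is already set, and be_default's `add-header X-Forwarded-Proto https if { dst_port 443 }` then emits a redundant second copy of a header the frontend already set). The crt-list bind uses `force-tlsv12`, which current HAProxy releases deprecate and which pins the listener to exactly TLS 1.2 so TLS 1.3 is never negotiated; `ssl-min-ver TLSv1.2` expresses the floor without the ceiling, and the cipher string still admits the CBC suites `AES256+EECDH:AES256+EDH` that a modern policy would drop. The sticky cookie `SRVNAME insert` is emitted with no attributes; `cookie SRVNAME insert secure httponly` keeps it off plaintext connections and out of script reach. `option forwardfor` appends to any client-supplied X-Forwarded-For, so a backend that trusts the first entry can be spoofed; since the frontends already overwrite `X-Real-IP %[src]`, consider having them also overwrite the header with `set-header X-Forwarded-For %[src]`. Both frontends declare `acl-letsencrypt` but no use_backend rule routing it to be_letsencrypt is visible in this hunk, which presumably lives in the module template rather than in hiera — worth confirming, since otherwise the ACME path falls through to be_default.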