feat: haproxy updates #95

Merged
unkinben merged 1 commits from neoloc/haproxy_backend_httpchk into develop 2024-07-07 16:56:25 +10:00
2 changed files with 19 additions and 7 deletions
Showing only changes of commit 991c8a3029 - Show all commits


@ -33,6 +33,11 @@ profiles::haproxy::frontends:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -40,6 +45,11 @@ profiles::haproxy::frontends:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
@ -81,7 +91,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@ -97,7 +107,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@ -113,7 +123,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@ -129,7 +139,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@ -145,7 +155,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
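Review bot: The five new ACLs in the first hunk (`acl_sonarr` through `acl_prowlarr`) compare `req.hdr(host)` against a value beginning with `https://`, but a Host header carries only the hostname and optionally a port, so these matches look like they can never be true and the `X-Frame-Options DENY` rules added in the second hunk would not fire for those sites. The pattern should be the bare name, e.g. `'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'`, which is the form the existing `hdr_dom(host)` deny rule uses; the pre-existing `acl_ausyd1pve` line has the same problem. Depending on the HAProxy version, request-header fetches may also be unavailable when `http-response` rules are evaluated, so it is worth running `haproxy -c -f <config>` on the rendered file and checking for a "will never match" warning. If every site behind this frontend should refuse framing, a single unconditional `'set-header X-Frame-Options DENY'` would remove the need for the per-host ACLs.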


@ -50,8 +50,8 @@ profiles::nginx::simpleproxy::locations:
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# health checks by consul
arrstack_web_consul:
# health checks by consul/haproxy
arrstack_web_healthcheck:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
@ -69,6 +69,8 @@ profiles::nginx::simpleproxy::locations:
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
location_deny:
- all
# authorised access from external
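Review bot: The two addresses added to `location_allow` in the second hunk (`198.18.13.25`, `198.18.13.26`) have no comment saying which hosts they are, and nothing ties them to the HAProxy nodes they presumably represent. A comment such as `# haproxy nodes (health checks)` above them, or a hiera lookup of the load balancer addresses, would keep the allow list from drifting. A stale entry would leave this location reachable from whichever host later takes that address. The location definition starts outside the hunk, so the path it protects is not visible here.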