puppet-prod/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
Ben Vincent c9a1d35af9 feat: add cnames to haproxy
- manage A records for haproxy
- manage cnames for services using haproxy
2024-04-06 16:26:50 +11:00


---
# mappings
#
# One entry per "<host> <backend>" pair. Every backend named here must exist
# under profiles::haproxy::backends further down. How the host is matched
# (presumably on the Host header) lives in the profile's custom function, not
# in this file — confirm against the profile before adding entries.
profiles::haproxy::mappings::list:
  - 'puppetboard.main.unkin.net be_puppetboard'
  - 'puppetdbapi.main.unkin.net be_puppetdbapi'
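# backends
#
# Backend names are the second token of profiles::haproxy::mappings::list.
# The puppet profile renders each `options:` hash into the HAProxy backend
# stanza. `collect_exported: false` backends get their members from the
# profile's custom function (per the inline note) instead of from exported
# resources.
#
# Changes vs. the previous revision:
#   * cookie gets `httponly` everywhere and `secure` where the backend forces
#     HTTPS (HAProxy >= 1.7 keywords) — an affinity cookie never needs to be
#     script-readable, and must not travel in clear on port 80.
#   * X-Forwarded-Proto is `set-header` rather than `add-header`: both
#     frontends already set this header, and add-header would hand the server
#     two X-Forwarded-Proto values, which different frameworks resolve
#     differently.
profiles::haproxy::backends:
  be_puppetboard:
    description: Backend for Puppetboard
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        # forwardfor appends the client address to any X-Forwarded-For the
        # client already sent; only the last entry (or X-Real-IP, which the
        # frontends overwrite) is trustworthy.
        - forwardfor
      # secure is safe here: cleartext requests are redirected (below) before
      # a server could ever set the cookie over http.
      cookie: SRVNAME insert httponly secure
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - set-header X-Forwarded-Proto https if { dst_port 443 }
      # Cleartext requests never reach a server; they are bounced to https.
      redirect: 'scheme https if !{ ssl_fc }'
  be_puppetdbapi:
    description: Backend for the PuppetDB API
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
      # As for be_puppetboard: this backend forces https, so `secure` applies.
      cookie: SRVNAME insert httponly secure
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - set-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_letsencrypt:
    description: Backend for LetsEncrypt Verifications
    collect_exported: true
    options:
      # ACME HTTP-01 must stay reachable in cleartext on :80, so this backend
      # deliberately has no https redirect. The acl-letsencrypt ACL is defined
      # on both frontends; the use_backend routing is not visible in this file.
      balance: roundrobin
  be_default:
    description: Backend for unmatched HTTP traffic
    collect_exported: true
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
      # No `secure` here: this backend has no https redirect and so carries
      # plaintext traffic too; browsers would not return a Secure cookie on
      # port 80 and affinity would break. Add it if/when a redirect is added.
      cookie: SRVNAME insert httponly
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - set-header X-Forwarded-Proto https if { dst_port 443 }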
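# fe_http
#
# Plaintext listener on :80. Apart from ACME challenges (acl-letsencrypt), the
# application backends above redirect everything that arrives here to https.
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
profiles::haproxy::fe_http::bind_port: 80
profiles::haproxy::fe_http::bind_opts:
  # TPROXY-style bind; needs the matching kernel/iptables setup on the host.
  # fe_https does not set this — confirm the asymmetry is intended.
  - transparent
profiles::haproxy::fe_http::acls:
  - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_http::http_request:
  # This listener terminates cleartext, so it must advertise `http`. The
  # previous value (`https`) told backends without an https redirect
  # (be_default, be_letsencrypt) that a plaintext request was secure, which
  # is exactly the signal apps use to decide on Secure cookies and HSTS.
  # set-header (not add-header) discards any client-supplied value.
  - 'set-header X-Forwarded-Proto http'
  # Overwrites a client-supplied X-Real-IP with the real peer address.
  - 'set-header X-Real-IP %[src]'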
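# fe_https
#
# TLS listener on :443. Certificates come from the crt-list that the certlist
# profile below manages.
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
profiles::haproxy::fe_https::bind_port: 443
profiles::haproxy::fe_https::bind_opts:
  - ssl
  - crt-list /etc/haproxy/certificate.list
  # NOTE(review): the AES256+EECDH and AES256+EDH groups also match the CBC
  # (HMAC-SHA1/SHA256) suites, not only AEAD ones. Drop those two groups if
  # an AEAD-only policy is wanted. TLS 1.3 suites are governed by
  # `ciphersuites`, not `ciphers`, and use OpenSSL's (all-AEAD) defaults here.
  - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  # `force-tlsv12` pins both the minimum AND the maximum to TLS 1.2, which
  # silently disables TLS 1.3. ssl-min-ver still rejects TLS 1.0/1.1 but lets
  # 1.3 negotiate. Requires HAProxy >= 1.8 — confirm the installed version.
  - ssl-min-ver TLSv1.2
profiles::haproxy::fe_https::acls:
  - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_https::http_request:
  # set-header on both headers discards whatever the client sent.
  - 'set-header X-Forwarded-Proto https'
  - 'set-header X-Real-IP %[src]'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  # Vault-issued leaf (presumably the one fed into /etc/haproxy/certificate.list
  # above — confirm in the certlist profile). Its SANs are driven by
  # profiles::pki::vault::alt_names below.
  - /etc/pki/tls/vault/certificate.pem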
# additional altnames
#
# Extra SANs requested on the Vault-issued certificate listed under
# profiles::haproxy::certlist::certificates. Keep this in step with
# profiles::haproxy::mappings::list, otherwise a newly proxied host fails
# TLS validation.
profiles::pki::vault::alt_names:
  - puppetboard.main.unkin.net
  - puppetdbapi.main.unkin.net
# additional cnames
#
# DNS CNAMEs pointed at this HAProxy (see the commit message: A records for
# haproxy, CNAMEs for services using it). Same host list as
# profiles::haproxy::mappings::list and profiles::pki::vault::alt_names —
# all three must change together.
profiles::haproxy::dns::cnames:
  - puppetboard.main.unkin.net
  - puppetdbapi.main.unkin.net