Ben Vincent
2091f1ada3
- add haproxy server class - add haproxy profile to role - add hiera data for region specific haproxy - add selinux configuration - add certlist management - add default http and https frontends - add default stats listener
50 lines
1.5 KiB
YAML
50 lines
1.5 KiB
YAML
---
|
|
haproxy::backend:
|
|
be_letsencrypt:
|
|
description: Backend for LetsEncrypt Verifications
|
|
collect_exported: true
|
|
options:
|
|
balance: roundrobin
|
|
be_default:
|
|
description: Backend for unmatched HTTP traffic
|
|
collect_exported: true
|
|
options:
|
|
balance: roundrobin
|
|
option:
|
|
- httpchk
|
|
- forwardfor
|
|
http-check: send meth GET uri /
|
|
cookie: SRVNAME insert
|
|
http-request:
|
|
- set-header X-Forwarded-Port %[dst_port]
|
|
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
|
|
# fe_http
|
|
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
|
|
profiles::haproxy::fe_http::bind_port: 80
|
|
profiles::haproxy::fe_http::bind_opts:
|
|
- transparent
|
|
profiles::haproxy::fe_http::acls:
|
|
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
|
profiles::haproxy::fe_http::http_request:
|
|
- 'set-header X-Forwarded-Proto https'
|
|
- 'set-header X-Real-IP %[src]'
|
|
|
|
# fe_https
|
|
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
|
|
profiles::haproxy::fe_https::bind_port: 443
|
|
profiles::haproxy::fe_https::bind_opts:
|
|
- ssl
|
|
- crt-list /etc/haproxy/certificate.list
|
|
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
|
- force-tlsv12
|
|
profiles::haproxy::fe_https::acls:
|
|
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
|
profiles::haproxy::fe_https::http_request:
|
|
- 'set-header X-Forwarded-Proto https'
|
|
- 'set-header X-Real-IP %[src]'
|
|
|
|
profiles::haproxy::certlist::enabled: true
|
|
profiles::haproxy::certlist::certificates:
|
|
- /etc/pki/tls/vault/certificate.pem
|