templates/blacklist.agent

+{% if ansible_local is defined and ansible_local.blacklist is defined %}
+{% for line in ansible_local.blacklist.agent|default([]) %}
+{{line}}
+{% endfor %}
+{% endif %}
+{% for line in proxy_blacklist.agent|default([]) %}
+{{line}}
+{% endfor %}

templates/blacklist.ip

+{% if ansible_local is defined and ansible_local.blacklist is defined %}
+{% for line in ansible_local.blacklist.ip|default([]) %}
+{{line}}
+{% endfor %}
+{% endif %}
+{% for line in proxy_blacklist.ip|default([]) %}
+{{line}}
+{% endfor %}

templates/blacklist.referer

+{% if ansible_local is defined and ansible_local.blacklist is defined %}
+{% for line in ansible_local.blacklist.referer|default([]) %}
+{{line}}
+{% endfor %}
+{% endif %}
+{% for line in proxy_blacklist.referer|default([]) %}
+{{line}}
+{% endfor %}

templates/haproxy_cfg

-global
-  log 127.0.0.1:20514 local1
-  chroot /var/lib/haproxy
-  stats socket /run/haproxy/admin.sock mode 660 level admin
-  stats timeout 30s
-  user haproxy
-  group haproxy
-  daemon
-  ca-base /etc/haproxy/certs
-  crt-base /etc/haproxy/private
-  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  pidfile /run/haproxy.pid
-
-defaults
-  log global
-  log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
-  mode http
-  option dontlognull
-  timeout connect {{ proxy_timeout_connect }}
-  timeout client {{ proxy_timeout_client }}
-  timeout server {{ proxy_timeout_server }}
-  timeout check 1s
-  timeout http-keep-alive 3s
-  timeout http-request 10s  # slowloris protection
-  default-server inter 3s fall 2 rise 2 slowstart 60s
-  errorfile 400 /etc/haproxy/errors/400.http
-  errorfile 403 /etc/haproxy/errors/403.http
-  errorfile 408 /etc/haproxy/errors/408.http
-  errorfile 500 /etc/haproxy/errors/500.http
-  errorfile 502 /etc/haproxy/errors/502.http
-  errorfile 503 /etc/haproxy/errors/503.http
-  errorfile 504 /etc/haproxy/errors/504.http
-  option forwardfor
-  option http-server-close
-  retries 3
-  default_backend {{proxy_default_backend}}
-
-listen stats
-  bind 127.0.0.1:7000
-  mode http
-  stats enable
-  stats admin if TRUE
-  stats uri /haproxy_stats
-  stats realm LoadBalancerStats
-{% if kibana_users is defined %}
-
-userlist kibana
-{% for user in kibana_users %}
-  user {{ user.username }} insecure-password '{{ user.password }}'
-{% endfor %}
-{% endif %}
-
-frontend http_in
-  bind *:80
-  acl blockedip src  -i -f /etc/haproxy/blacklist
-  http-request deny if blockedip
-{% for host in groups['all'] %}
-{% for redirect in hostvars[host].proxy_redirect|default([]) %}
-  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{redirect.from}} }
-{% endfor %}
-{% if proxy_redirect_aliase %}
-{% for drupal in hostvars[host].drupal_settings|default([]) %}
-{% for domain in drupal.domains|default([]) %}
-{% for alias in domain.aliases|default([]) %}
-  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
-{% endfor %}
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% if kibana_users is defined %}
-  acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
-  use_backend backend_redirect_ssl if kibana_present
-{% endif %}
-{% if varnish_host|default(false) %}
-  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
-  use_backend backend_varnish if static_content
-{% endif %}
-{% for host in groups['all'] %}
-  acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
-  use_backend backend_{{host}} if domain_in_{{host}}
-{% if hostvars[host].proxy_crm_domains is defined %}
-  acl crm_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.crm.list
-  use_backend backend_{{host}} if crm_domain_in_{{host}}
-{% endif %}
-  acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
-  use_backend backend_redirect_ssl if redirect_ssl_{{host}}
-{% endfor %}
-{% for cert in proxy_certificates %}
-
-frontend https_in_{{ cert.ip }}
-  bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
-  acl blockedip src  -i -f /etc/haproxy/blacklist
-  http-request deny if blockedip
-{% for host in groups['all'] %}
-{% for redirect in hostvars[host].proxy_redirect|default([]) %}
-  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{redirect.from}} }
-{% endfor %}
-{% if proxy_redirect_aliase %}
-{% for drupal in hostvars[host].drupal_settings|default([]) %}
-{% for domain in drupal.domains|default([]) %}
-{% for alias in domain.aliases|default([]) %}
-  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
-{% endfor %}
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% if kibana_users is defined %}
-  acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
-  use_backend backend_kibana if kibana_present
-{% endif %}
-{% for external in cert.external|default([]) %}
-  acl is_{{ external.key }} {{ external.acl }}
-  use_backend backend_{{ external.key }} if is_{{ external.key }}
-{% endfor %}
-{% if varnish_host|default(false) %}
-  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
-  use_backend backend_varnish if static_content
-{% endif %}
-{% for host in groups['all'] %}
-  acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
-  use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
-  acl redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
-  use_backend backend_redirect if redirect_{{host}}
-{% if hostvars[host].proxy_crm_domains is defined %}
-  acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
-  use_backend backend_redirect if crm_redirect_{{host}}
-{% endif %}
-{% endfor %}
-{% for external in cert.external|default([]) %}
-
-backend backend_{{ external.key }}
-  server server_{{ external.key }} {{ external.server }} maxconn 100
-{% endfor %}
-{% endfor %}
-{% for host in groups['all'] %}
-
-backend backend_{{host}}
-{% if host == inventory_hostname %}
-  http-response deny
-{% else %}
-  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
-{% endif %}
-
-backend backend_{{host}}_https
-{% if host == inventory_hostname %}
-  http-response deny
-{% else %}
-  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
-  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
-{% endif %}
-{% endfor %}
-{% if varnish_host|default(false) %}
-
-backend backend_varnish
-  option httpchk HEAD /varnishcheck
-  http-check expect status 200
-  option forwardfor
-  hash-type consistent
-{% if varnish_host == inventory_hostname %}
-  server varnish 127.0.0.1:6081 maxconn 1000
-{% else %}
-  server varnish {{ varnish_host_ip|default('') }}:6081 maxconn 1000
-{% endif %}
-{% endif %}
-
-backend backend_redirect_ssl
-  redirect scheme https if TRUE
-
-backend backend_redirect
-  redirect scheme http if TRUE
-{% if kibana_users is defined %}
-
-backend backend_kibana
-  server kibana 127.0.0.1:5601 maxconn 32
-  acl kibana_auth http_auth(kibana) if kibana_present
-  http-request auth realm Kibana if !kibana_auth
-{% endif %}

templates/haproxy_cfg.jinja2

+global
+  log 127.0.0.1:20514 local1
+  chroot /var/lib/haproxy
+  stats socket /run/haproxy/admin.sock mode 660 level admin
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+  ca-base /etc/haproxy/certs
+  crt-base /etc/haproxy/private
+  pidfile /run/haproxy.pid
+
+defaults
+  log global
+  log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %[ssl_fc_sni]\ %hr\ %{+Q}r
+  mode http
+  option dontlognull
+  timeout connect {{ proxy_timeout_connect }}
+  timeout client {{ proxy_timeout_client }}
+  timeout server {{ proxy_timeout_server }}
+  timeout check 1s
+  timeout http-keep-alive 3s
+  timeout http-request 10s  # slowloris protection
+  default-server inter 3s fall 2 rise 2 slowstart 60s
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http
+  option forwardfor
+  option http-server-close
+  retries 3
+  default_backend backend_{{proxy_default_backend}}
+
+listen stats
+  bind 127.0.0.1:7000
+  mode http
+  stats enable
+  stats admin if TRUE
+  stats uri /haproxy_stats
+  stats realm LoadBalancerStats
+{% if haproxy_private is defined %}
+
+userlist notprivate
+{% for user in haproxy_private.auth %}
+  user {{ user.username }} insecure-password '{{ user.password }}'
+{% endfor %}
+{% endif %}
+
+frontend http_in
+  bind *:80
+  http-request capture req.hdr(User-Agent) len 100
+  log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %[ssl_fc_sni]\ %hr\ %{+Q}r
+  http-request del-header Proxy
+  acl blockedip src -f /etc/haproxy/blacklist.ip
+  http-request deny if blockedip
+  acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
+  http-request deny if blockedreferer
+  acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
+  http-request deny if blockedagent
+{% for rule in proxy_blacklist.other|default([]) %}
+  http-request deny if { {{ rule }} }
+{% endfor %}
+  http-request set-header x-routing-host undefined
+{% for cert in proxy_certificates %}
+{% if cert.active|default(true) %}
+{% if cert.wildcard|default(false) and cert.wildcard_host is defined %}
+  http-request set-header x-routing-host {{ cert.wildcard_host }} if { hdr(host) -m end -i '.{{ cert.domain }}' }
+  use_backend backend_redirect_ssl if { hdr(host) -m end -i '.{{ cert.domain }}' }
+{% endif %}
+{% endif %}
+{% endfor %}
+  acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
+  http-request set-header x-routing-host maintenance if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n -f /etc/haproxy/maintenance.list }
+  http-request redirect code 301 location %[base,lower,map(/etc/haproxy/redirect.domain-and-path.map)] if !letsencrypt_challenge { base,lower,map(/etc/haproxy/redirect.domain-and-path.map) -m found }
+  http-request redirect code 301 location %[capture.req.uri,lower,map(/etc/haproxy/redirect.path.map)] if !letsencrypt_challenge { capture.req.uri,lower,map(/etc/haproxy/redirect.path.map) -m found }
+  http-request redirect code 301 location %[hdr(host),lower,map(/etc/haproxy/redirect.domain.map)] if !letsencrypt_challenge { hdr(host),lower,map(/etc/haproxy/redirect.domain.map) -m found }
+  http-request redirect code 301 location %[hdr(host),lower,map(/etc/haproxy/redirect.domain-append-path.map)]%[capture.req.uri] if !letsencrypt_challenge { hdr(host),lower,map(/etc/haproxy/redirect.domain-append-path.map) -m found }
+{% if haproxy_private is defined %}
+{% if haproxy_private.domain is defined %}
+  acl privatedomain hdr(host) -i -n -f /etc/haproxy/privatelist.domain
+{% else %}
+  acl privatedomain hdr_cnt(X_Dummy) eq 0
+{% endif %}
+  acl privateip src -f /etc/haproxy/privatelist.ip
+  acl private_auth http_auth(notprivate) if !privateip
+  http-request auth realm notprivate if !letsencrypt_challenge privatedomain !privateip !private_auth
+{% endif %}
+{% for redirect in proxy_redirect_search_replace|default([]) %}
+{% if redirect.extra is defined %}
+  acl {{ redirect.extra.variable }} {{ redirect.extra.condition }}
+{% endif %}
+  http-request redirect code 301 location %[url,regsub(\"{{ redirect.search }}\",\"{{ redirect.replace }}\",i)] if !letsencrypt_challenge {% if redirect.extra is defined %}{% if redirect.extra.negate|default(false) %}!{% endif %}{{ redirect.extra.variable }} {% endif %}{ path_reg {{ redirect.match }} }
+{% endfor %}
+{% for line in proxy_extra_lines|default([]) %}
+  {{ line }}
+{% endfor %}
+{% for host in groups['all']|sort %}
+{% for redirect in hostvars[host].proxy_redirect|default([]) %}
+{% for from in redirect.from %}
+{% for path in redirect.paths|default([]) %}
+{% if path.deny|default(false) %}
+  http-request deny if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %} }
+{% else %}
+{% if path.regex is defined and path.from is defined %}
+  http-request redirect code 301 location {% if path.usedomain|default(false) %}{{ redirect.protocol|default('https') }}://{{redirect.to|default(from)}}{% endif %}{{ path.to|default('') }}%[capture.req.uri,regsub({{path.regex}},)] if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}} }
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+{% for host in groups['all']|sort %}
+{% for redirect in hostvars[host].proxy_redirect|default([]) %}
+{% for from in redirect.from %}
+{% for path in redirect.paths|default([]) %}
+{% if not path.deny|default(false) %}
+{% if path.regex is not defined or path.from is not defined %}
+  http-request redirect code 301 location {{ redirect.protocol|default('https') }}://{{redirect.to|default(from)}}{% if path.to is defined %}/{{path.to}}{% endif %}{% if path.append_path|default(false) %}%[capture.req.uri]{% endif %}{% if path.append_query is defined %}?{{ path.append_query }}{% endif %} if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %}{% if path.condition is defined %} } { {{path.condition}}{% endif %} }
+{% endif %}
+{% endif %}
+{% endfor %}
+{% if (from != redirect.to|default(from) or redirect.protocol|default('https') == 'https') and redirect.paths is not defined %}
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to|default(from)}} code 301 if !letsencrypt_challenge { hdr(host) -i -n {{ from }} }
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% if proxy_redirect_aliase %}
+{% for drupal in hostvars[host].drupal_settings|default([]) %}
+{% for domain in drupal.domains|default([]) %}
+{% if not domain.multidomain|default(false) and domain.aliases_redirect|default(true) %}
+{% for alias in domain.aliases|default([]) %}
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if !letsencrypt_challenge { hdr(host) -i -n {{alias}} }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% if 'webserver' in groups %}
+{% for host in groups['webserver']|sort %}
+{% if hostvars[host].routing is defined %}
+  http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path -m reg -i -n -f /etc/haproxy/{{ host }}.path.list }
+{% endif %}
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+{% if hostvars[host].routing is defined %}
+{% for path in hostvars[host].routing.paths|default([]) %}
+  http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path_beg {{ path }} }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if routing is defined and routing.default is defined %}
+  http-request set-header x-routing-host {{ routing.default }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ routing.domain }} }
+{% endif %}
+  use_backend backend_letsencrypt if letsencrypt_challenge
+  use_backend backend_maintenance if { hdr(x-routing-host) maintenance }
+{% if kibana_domain is defined %}
+  acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_redirect_ssl if kibana_present
+{% endif %}
+{% for prometheus in prometheus_settings|default([]) %}
+  acl prometheus_{{ prometheus.id }}_present hdr(host) -i -n '{{ prometheus.domain|default(inventory_hostname) }}'
+  use_backend backend_redirect_ssl if prometheus_{{ prometheus.id }}_present
+{% endfor %}
+{% if 'webserver' in groups %}
+{% for host in groups['webserver']|sort %}
+  http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n -f /etc/haproxy/{{host}}.list }
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+{% if hostvars[host].routing_special_host is defined %}
+  http-request set-header x-routing-host {{ hostvars[host].routing_special_host }} if !letsencrypt_challenge !{ hdr(x-routing-special-host) -m found } { hdr(x-routing-host) {{ host }} }
+  http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-special-host) -m found } { hdr(x-routing-host) {{ hostvars[host].routing_special_host }} }
+{% endif %}
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+  acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
+  use_backend backend_redirect_ssl if redirect_ssl_{{host}}
+{% endfor %}
+{% endif %}
+  acl domain_uses_bigpipe hdr(host) -i -n -f /etc/haproxy/use_bigpipe.list
+{% if varnish_host|default(false) %}
+  acl request_ignores_varnish hdr(x-varnish-ignore) -m found
+  acl is_purge method PURGE
+  use_backend backend_varnish if is_purge
+  acl is_ban method BAN
+  use_backend backend_varnish if is_ban
+  acl is_uriban method URIBAN
+  use_backend backend_varnish if is_uriban
+  acl is_urimban method URIMBAN
+  use_backend backend_varnish if is_urimban
+  acl domain_ignores_varnish hdr(host) -i -n -f /etc/haproxy/ignore_varnish.list
+  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html .ttf .woff .woff2 .svg .eot .bmp .webp .tiff
+  acl static_content_private path_beg /system/
+  use_backend backend_varnish_bigpipe if static_content !static_content_private domain_uses_bigpipe !domain_ignores_varnish !request_ignores_varnish
+  use_backend backend_varnish if static_content !static_content_private !domain_ignores_varnish !request_ignores_varnish
+{% endif %}
+{% if 'webserver' in groups %}
+{% for host in groups['webserver']|sort %}
+  use_backend backend_{{ host }}_bigpipe if domain_uses_bigpipe { hdr(x-routing-host) {{ host }} }
+  use_backend backend_{{ host }} if { hdr(x-routing-host) {{ host }} }
+{% for rule in hostvars[host].proxy_special_rules|default([]) %}
+  acl proxy_special_rules_{{host}}_{{rule}} {{ hostvars[host].proxy_special_rules[rule] }}
+  use_backend backend_{{host}}_special_{{ rule }} if proxy_special_rules_{{host}}_{{rule}}
+{% endfor %}
+{% if hostvars[host].proxy_crm_domains is defined %}
+  acl crm_domain_in_{{host}} hdr_dom(host) -i -n -f /etc/haproxy/{{host}}.crm.list
+  use_backend backend_redirect_ssl if crm_domain_in_{{host}}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% for cert in proxy_certificates %}
+{% if cert.active|default(true) %}
+
+frontend https_in_{{ cert.ip }}
+  bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
+  http-request capture req.hdr(User-Agent) len 100
+  log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %[ssl_fc_sni]\ %hr\ %{+Q}r
+  http-request del-header Proxy
+  http-request redirect code 301 location %[base,lower,map(/etc/haproxy/redirect.domain-and-path.map)] if { base,lower,map(/etc/haproxy/redirect.domain-and-path.map) -m found }
+  http-request redirect code 301 location %[capture.req.uri,lower,map(/etc/haproxy/redirect.path.map)] if { capture.req.uri,lower,map(/etc/haproxy/redirect.path.map) -m found }
+  http-request redirect code 301 location %[hdr(host),lower,map(/etc/haproxy/redirect.domain.map)] if { hdr(host),lower,map(/etc/haproxy/redirect.domain.map) -m found }
+  http-request redirect code 301 location %[hdr(host),lower,map(/etc/haproxy/redirect.domain-append-path.map)]%[capture.req.uri] if { hdr(host),lower,map(/etc/haproxy/redirect.domain-append-path.map) -m found }
+{% if haproxy_private is defined %}
+{% if haproxy_private.domain is defined %}
+  acl privatedomain hdr(host) -i -n -f /etc/haproxy/privatelist.domain
+{% else %}
+  acl privatedomain hdr_cnt(X_Dummy) eq 0
+{% endif %}
+  acl privateip src -f /etc/haproxy/privatelist.ip
+  acl private_auth http_auth(notprivate) if !privateip
+  http-request auth realm notprivate if privatedomain !privateip !private_auth
+{% endif %}
+{% for redirect in proxy_redirect_search_replace|default([]) %}
+{% if redirect.extra is defined %}
+  acl {{ redirect.extra.variable }} {{ redirect.extra.condition }}
+{% endif %}
+  http-request redirect code 301 location %[url,regsub(\"{{ redirect.search }}\",\"{{ redirect.replace }}\",i)] if {% if redirect.extra is defined %}{% if redirect.extra.negate|default(false) %}!{% endif %}{{ redirect.extra.variable }} {% endif %}{ path_reg {{ redirect.match }} }
+{% endfor %}
+{% for line in proxy_extra_lines|default([]) %}
+  {{ line }}
+{% endfor %}
+  acl blockedip src -f /etc/haproxy/blacklist.ip
+  http-request deny if blockedip
+  acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
+  http-request deny if blockedreferer
+  acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
+  http-request deny if blockedagent
+{% for rule in proxy_blacklist.other|default([]) %}
+  http-request deny if { {{ rule }} }
+{% endfor %}
+  http-request set-header x-routing-host undefined
+{% if cert.wildcard|default(false) and cert.wildcard_host is defined %}
+  http-request set-header x-routing-host {{ cert.wildcard_host }} if { hdr(x-routing-host) undefined } { hdr(host) -m end -i '.{{ cert.domain }}' }
+{% endif %}
+  http-request set-header x-routing-host maintenance if { hdr(x-routing-host) undefined } { hdr(host) -i -n -f /etc/haproxy/maintenance.list }
+{% for host in groups['all']|sort %}
+{% for redirect in hostvars[host].proxy_redirect|default([]) %}
+{% for from in redirect.from %}
+{% for path in redirect.paths|default([]) %}
+{% if path.deny|default(false) %}
+  http-request deny if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %} }
+{% else %}
+{% if path.regex is defined and path.from is defined %}
+  http-request redirect code 301 location {% if path.usedomain|default(false) %}{{ redirect.protocol|default('https') }}://{{redirect.to|default(from)}}{% endif %}{{ path.to|default('') }}%[capture.req.uri,regsub({{path.regex}},)] if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}} }
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+{% for host in groups['all']|sort %}
+{% for redirect in hostvars[host].proxy_redirect|default([]) %}
+{% for from in redirect.from %}
+{% for path in redirect.paths|default([]) %}
+{% if not path.deny|default(false) %}
+{% if path.regex is not defined or path.from is not defined %}
+  http-request redirect code 301 location {{ redirect.protocol|default('https') }}://{{redirect.to|default(from)}}{% if path.to is defined %}/{{path.to}}{% endif %}{% if path.append_path|default(false) %}%[capture.req.uri]{% endif %}{% if path.append_query is defined %}?{{ path.append_query }}{% endif %} if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %}{% if path.condition is defined %} } { {{path.condition}}{% endif %} }
+{% endif %}
+{% endif %}
+{% endfor %}
+{% if (from != redirect.to|default(from) or redirect.protocol|default('https') != 'https') and redirect.paths is not defined %}
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to|default(from)}} code 301 if { hdr(host) -i -n {{ from }} }
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% if proxy_redirect_aliase %}
+{% for drupal in hostvars[host].drupal_settings|default([]) %}
+{% for domain in drupal.domains|default([]) %}
+{% if not domain.multidomain|default(false) and domain.aliases_redirect|default(true) %}
+{% for alias in domain.aliases|default([]) %}
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% if 'webserver' in groups %}
+{% for host in groups['webserver']|sort %}
+{% if hostvars[host].routing is defined %}
+  http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path -m reg -i -n -f /etc/haproxy/{{ host }}.path.list }
+{% endif %}
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+{% if hostvars[host].routing is defined %}
+{% for path in hostvars[host].routing.paths|default([]) %}
+  http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path_beg {{ path }} }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if routing is defined and routing.default is defined %}
+  http-request set-header x-routing-host {{ routing.default }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ routing.domain }} }
+{% endif %}
+  use_backend backend_maintenance if { hdr(x-routing-host) maintenance }
+{% if kibana_domain is defined %}
+  acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_kibana if kibana_present
+{% endif %}
+{% for prometheus in prometheus_settings|default([]) %}
+  acl prometheus_{{ prometheus.id }}_present hdr(host) -i -n '{{ prometheus.domain|default(inventory_hostname) }}'
+  use_backend backend_prometheus_{{ prometheus.id }} if prometheus_{{ prometheus.id }}_present
+{% endfor %}
+{% for external in cert.external|default([]) %}
+  acl is_{{ external.key }} {{ external.acl }}
+  use_backend backend_{{ external.key }} if is_{{ external.key }}
+{% endfor %}
+{% if 'webserver' in groups %}
+{% for host in groups['webserver']|sort %}
+  acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
+  use_backend backend_redirect if crm_redirect_{{host}}
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+  http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list }
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+{% if hostvars[host].routing_special_host is defined %}
+  http-request set-header x-routing-host {{ hostvars[host].routing_special_host }} if !{ hdr(x-routing-special-host) -m found } { hdr(x-routing-host) {{ host }} }
+  http-request set-header x-routing-host {{ host }} if { hdr(x-routing-special-host) -m found } { hdr(x-routing-host) {{ hostvars[host].routing_special_host }} }
+{% endif %}
+{% endfor %}
+{% endif %}
+  acl domain_uses_bigpipe hdr(host) -i -n -f /etc/haproxy/use_bigpipe.list
+{% if varnish_host|default(false) %}
+  acl request_ignores_varnish hdr(x-varnish-ignore) -m found
+  acl domain_ignores_varnish hdr(host) -i -n -f /etc/haproxy/ignore_varnish.list
+  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html .ttf .woff .woff2 .svg .eot .bmp .webp .tiff
+  acl static_content_private path_beg /system/
+  use_backend backend_varnish_bigpipe if static_content !static_content_private domain_uses_bigpipe !domain_ignores_varnish !request_ignores_varnish
+  use_backend backend_varnish if static_content !static_content_private !domain_ignores_varnish !request_ignores_varnish
+{% endif %}
+{% if 'webserver' in groups %}
+{% for host in groups['webserver']|sort %}
+  use_backend backend_{{ host }}_https_bigpipe if domain_uses_bigpipe { hdr(x-routing-host) {{ host }} }
+  use_backend backend_{{ host }}_https if { hdr(x-routing-host) {{ host }} }
+{% endfor %}
+{% for host in groups['webserver']|sort %}
+  acl redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
+  use_backend backend_redirect if redirect_{{host}}
+{% for rule in hostvars[host].proxy_special_rules|default([]) %}
+  acl proxy_special_rules_{{host}}_{{rule}} {{ hostvars[host].proxy_special_rules[rule] }}
+  use_backend backend_{{host}}_special_{{ rule }}_https if proxy_special_rules_{{host}}_{{rule}}
+{% endfor %}
+{% if hostvars[host].proxy_crm_domains is defined %}
+  acl crm_domain_in_{{host}} hdr_dom(host) -i -n -f /etc/haproxy/{{host}}.crm.list
+  use_backend backend_{{host}}_https if crm_domain_in_{{host}}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% for external in cert.external|default([]) %}
+
+backend backend_{{ external.key }}
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ external.key }}"
+{% endif %}
+{% for line in external.extra|default([]) %}
+  {{ line }}
+{% endfor %}
+  server server_{{ external.key }} {{ external.server }}{{ external.check|default(true)|ternary(' check ','') }} {{ external.options|default('') }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% if 'webserver' in groups %}
+{% if proxy_default_backend not in groups['webserver'] %}
+
+backend backend_{{ proxy_default_backend }}
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "deny"
+{% endif %}
+  http-response deny
+{% endif %}
+{% for host in groups['webserver']|sort %}
+
+backend backend_{{host}}
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ host }}"
+{% endif %}
+{% if host == inventory_hostname or host == 'localhost' %}
+  http-response deny
+{% else %}
+{% for line in hostvars[host]['proxy_backend_extra_lines']|default([]) %}
+  {{ line }}
+{% endfor %}
+  server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
+{% endif %}
+
+backend backend_{{host}}_bigpipe
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ host }}_bigpipe"
+{% endif %}
+{% if host == inventory_hostname or host == 'localhost' %}
+  http-response deny
+{% else %}
+{% for line in hostvars[host]['proxy_backend_extra_lines']|default([]) %}
+  {{ line }}
+{% endfor %}
+  no option http-buffer-request
+  server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
+{% endif %}
+
+backend backend_{{host}}_https
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ host }}_https"
+{% endif %}
+{% if host == inventory_hostname or host == 'localhost' %}
+  http-response deny
+{% else %}
+{% for line in hostvars[host]['proxy_backend_extra_lines']|default([]) %}
+  {{ line }}
+{% endfor %}
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
+{% endif %}
+
+backend backend_{{host}}_https_bigpipe
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ host }}_https_bigpipe"
+{% endif %}
+{% if host == inventory_hostname or host == 'localhost' %}
+  http-response deny
+{% else %}
+{% for line in hostvars[host]['proxy_backend_extra_lines']|default([]) %}
+  {{ line }}
+{% endfor %}
+  no option http-buffer-request
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
+{% endif %}
+{% for rule in hostvars[host].proxy_special_rules|default([]) %}
+
+backend backend_{{host}}_special_{{ rule }}
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ host }}"
+{% endif %}
+{% if host == inventory_hostname or host == 'localhost' %}
+  http-response deny
+{% else %}
+  server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
+{% endif %}
+
+backend backend_{{host}}_special_{{ rule }}_https
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "{{ host }}_https"
+{% endif %}
+{% if host == inventory_hostname or host == 'localhost' %}
+  http-response deny
+{% else %}
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if varnish_host|default(false) %}
+
+backend backend_varnish
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "varnish"
+{% endif %}
+  option httpchk HEAD /varnishcheck
+  http-request set-header x-real-ip %[src]
+  http-check expect status 200
+  option forwardfor
+  hash-type consistent
+{% if varnish_host == inventory_hostname %}
+  server varnish 127.0.0.1:6081 check maxconn {{proxy_varnish_maxconn}}
+{% else %}
+  server varnish {{ varnish_host_ip|default('') }}:6081 check maxconn {{proxy_varnish_maxconn}}
+{% endif %}
+
+backend backend_varnish_bigpipe
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "varnish_bigpipe"
+{% endif %}
+  no option http-buffer-request
+  option httpchk HEAD /varnishcheck
+  http-request set-header x-real-ip %[src]
+  http-check expect status 200
+  option forwardfor
+  hash-type consistent
+{% if varnish_host == inventory_hostname %}
+  server varnish 127.0.0.1:6081 check maxconn {{proxy_varnish_maxconn}}
+{% else %}
+  server varnish {{ varnish_host_ip|default('') }}:6081 check maxconn {{proxy_varnish_maxconn}}
+{% endif %}
+{% endif %}
+
+backend backend_redirect_ssl
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "redirect_ssl"
+{% endif %}
+  redirect scheme https code 301 if TRUE
+
+backend backend_redirect
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "redirect"
+{% endif %}
+  redirect scheme http code 301 if TRUE
+
+backend backend_letsencrypt
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "letsencrypt"
+{% endif %}
+  server letsencrypt 127.0.0.1:54321
+{% if kibana_domain is defined %}
+
+backend backend_kibana
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "kibana"
+{% endif %}
+  server kibana 127.0.0.1:5601 check maxconn 32
+{% endif %}
+{% for prometheus in prometheus_settings|default([]) %}
+
+backend backend_prometheus_{{ prometheus.id }}
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "prometheus_{{ prometheus.id }}"
+{% endif %}
+  server prometheus_{{ prometheus.id }} 127.0.0.1:{{ prometheus.port }} check maxconn 32
+{% endfor %}
+
+backend backend_maintenance
+{% if proxy_debug %}
+  http-response set-header X-Proxy-Backend "maintenance"
+{% endif %}
+  errorfile 503 /etc/haproxy/errors/maintenance.http

templates/hasocket

+#!/bin/sh
+
+echo "$1" | sudo socat unix-connect:/run/haproxy/admin.sock stdio

templates/host_list

@@ -4,10 +4,15 @@
 {% for drupal in hostvars[item].drupal_settings|default([]) %}
 {% for domain in drupal.domains|default([]) %}
 {% if domain.protocol|default('https') == 'http' %}
+{% if domain.route_by_domain|default(true) %}
 {{domain.domain}}
 {% for alias in domain.aliases|default([]) %}
 {{alias}}
 {% endfor %}
 {% endif %}
+{% for trusted_domain in domain.trusted_domains|default([]) %}
+{{trusted_domain}}
+{% endfor %}
+{% endif %}
 {% endfor %}
 {% endfor %}

templates/host_ssl_list

@@ -4,10 +4,15 @@
 {% for drupal in hostvars[item].drupal_settings|default([]) %}
 {% for domain in drupal.domains|default([]) %}
 {% if domain.protocol|default('https') == 'https' %}
+{% if domain.route_by_domain|default(true) %}
 {{domain.domain}}
 {% for alias in domain.aliases|default([]) %}
 {{alias}}
 {% endfor %}
 {% endif %}
+{% for trusted_domain in domain.trusted_domains|default([]) %}
+{{trusted_domain}}
+{% endfor %}
+{% endif %}
 {% endfor %}
 {% endfor %}

templates/ignore_varnish_list

+{% for item in groups.all %}
+{% for domain in hostvars[item].proxy_domains_ignore_varnish|default([]) %}
+{{domain}}
+{% endfor %}
+{% for drupal in hostvars[item].drupal_settings|default([]) %}
+{% for domain in drupal.domains|default([]) %}
+{% if domain.ignore_varnish|default(false) %}
+{{domain.domain}}
+{% if domain.multidomain|default(false) %}
+{% for alias in domain.aliases|default([]) %}
+{{alias}}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endfor %}

templates/letsencrypt.ini

+../../letsencrypt/templates/letsencrypt.ini
\ No newline at end of file

templates/maintenance_list

+{% for domain in proxy_maintenance_domains|default([]) %}
+{{domain}}
+{% endfor %}

templates/privatelist.domain.jinja2

+{% for domain in haproxy_private.domain %}
+{{ domain }}
+{% endfor %}

templates/privatelist.ip.jinja2

+{% for ip in haproxy_private.ip %}
+{{ ip }}
+{% endfor %}

templates/redirect.map.jinja2

+{% for key in (proxy_redirect_maps[item]|default([]))|sort %}
+{{ key }} {{ proxy_redirect_maps[item][key] }}
+{% endfor %}
+{% for host in groups.all|sort %}
+{% if hostvars[host].ansible_local is defined and hostvars[host].ansible_local.proxy_redirect_maps is defined %}
+{% for key in (hostvars[host].ansible_local.proxy_redirect_maps[item]|default([]))|sort %}
+{{ key }} {{ hostvars[host].ansible_local.proxy_redirect_maps[item][key] }}
+{% endfor %}
+{% endif %}
+{% endfor %}

templates/use_bigpipe_list

+{% for item in groups.all %}
+{% for drupal in hostvars[item].drupal_settings|default([]) %}
+{% for domain in drupal.domains|default([]) %}
+{% if domain.bigpipe|default(false) %}
+{{domain.domain}}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endfor %}