Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • ansible/roles/haproxy
  • ericzillmann/haproxy
2 results
Show changes
Commits on Source (142)
42 additional commits have been omitted to prevent performance issues.
Hide whitespace changes
Inline Side-by-side
Showing
with 609 additions and 485 deletions
README.md deleted 100644 → 0
View file @ 8ec38b2b
# Documentation
- http://cbonte.github.io/haproxy-dconv/index.html
- http://cbonte.github.io/haproxy-dconv/configuration-1.6.html
# Instruction to prepare a certificate file
For HaProxy to terminate SSL requests we require a single PEM file with all certificate components chained together.
The seqeuence of those compoenents is this:
- Private Key, e.g. example.com.key.pem
- Domain Certficate, e.g. example.com.crt.pem
- Intermediate Certificate, e.g. example.com.ca.crt.pem
# Watching statistics
Create an SSH tunnel to the haproxy host's port 7000 and then go to `http://127.0.0.1:7000/haproxy_stats` to get live stats.
# Talking to HaProxy Socket
HaProxy can communicate with the console through a socket and we provide a script called `hasocket` which can be used for that purpose. You either call that from the proxy's console or run it through Ansible with this command:
```
a -a "hasocket 'help'" --limit=proxyserver
```
Useful commands might be:
- "show info"
show informations like haproxy version, PID, current connections, session rates, tasks, etc..
- "show stat"
prints the stats about all frontents and backends (connection statistics etc) in a csv format
- "show errors"
indeed the following prints informations about errors if there are any
- "show sess"
show open sessions with the used backend/frontend, the source, etc..
defaults/main.yml
View file @ 725e43ef
---
default_proxy: ''
proxy_debug: no
proxy_default_backend: ''
proxy_certificates: []
proxy_timeout_connect: '5s'
proxy_timeout_client: '20s'
proxy_timeout_server: '45s'
proxy_redirect_aliase: false
proxy_timeout_connect: 5s
proxy_timeout_client: 20s
proxy_timeout_server: 45s
proxy_redirect_aliase: no
proxy_maxconn: 100
proxy_varnish_maxconn: 1000
proxy_redirect_maps:
domain: {}
domain-and-path: {}
domain-append-path: {}
path: {}
proxy_blacklist:
ip:
- '146.185.176.158'
- '162.243.9.72'
- '173.199.114.0/24'
- '173.199.115.0/24'
- '173.199.115.112/29'
- '173.199.116.0/24'
- '173.199.117.0/24'
- '173.199.118.0/24'
- '173.199.119.0/24'
- '173.199.120.0/24'
- '182.50.130.0/24'
- '188.92.74.0/24'
- '195.239.0/24'
- '198.186.190.0/23'
- '198.186.192.0/23'
- '198.186.194.0/24'
- '208.167.230.0/24'
- '209.222.12.0/24'
- '210.171.3.0/24'
- '212.100.254.105'
- '212.113.0.0/24'
- '212.113.32.0/21'
- '212.113.37.0/24'
- '213.186.0.0/24'
- '213.186.96.0/19'
- '46.137.98.159'
- '5.10.83.0/24'
- '5.10.83.0/25'
- '5.9.0.0/24'
- '5.9.104.0/24'
- '50.112.126.117'
- '54.232.100.158'
- '54.235.220.243'
- '54.249.240.15'
- '54.251.45.250'
- '54.252.97.95'
- '69.42.83.0/24'
- 146.185.176.158
- 162.243.9.72
- 173.199.114.0/24
- 173.199.115.0/24
- 173.199.115.112/29
- 173.199.116.0/24
- 173.199.117.0/24
- 173.199.118.0/24
- 173.199.119.0/24
- 173.199.120.0/24
- 182.50.130.0/24
- 188.92.74.0/24
- 195.239.0/24
- 198.186.190.0/23
- 198.186.192.0/23
- 198.186.194.0/24
- 208.167.230.0/24
- 209.222.12.0/24
- 210.171.3.0/24
- 212.100.254.105
- 212.113.0.0/24
- 212.113.32.0/21
- 212.113.37.0/24
- 213.186.0.0/24
- 213.186.96.0/19
- 46.137.98.159
- 5.10.83.0/24
- 5.10.83.0/25
- 5.9.0.0/24
- 5.9.104.0/24
- 50.112.126.117
- 54.232.100.158
- 54.235.220.243
- 54.249.240.15
- 54.251.45.250
- 54.252.97.95
- 69.42.83.0/24
referer:
- 'best-seo-solution.com'
- 'best-seo-offer.com'
- 'buttons-for-website.com'
- 'buttons-for-your-website.com'
- 'semalt.com'
- '7makemoneyonline.com'
- best-seo-solution.com
- best-seo-offer.com
- buttons-for-website.com
- buttons-for-your-website.com
- semalt.com
- 7makemoneyonline.com
agent:
- 'AhrefsBot'
- 'Ahrefs'
- 'rogerbot'
- 'MJ12bot'
- 'majestic12'
- 'MJ12'
- 'SiteBot'
- 'Semrush'
- 'CCBot'
- '80legs'
- 'Sogou'
- 'DigExt'
- 'spbot'
- 'ia_archiver'
- 'Rankivabot'
- 'DBLBot'
- 'libw'
- 'Java'
- 'Voil'
- 'Twice'
- 'Sogou'
- 'psbot'
- 'Exabot'
- 'boitho'
- 'ajSitemap'
- 'Rankivabot'
- 'SeznamBot'
- 'DBLBot'
- 'Ezooms'
- 'Ezooms/1.0'
- 'exabot'
- 'dotbot'
- 'gigabot'
- AhrefsBot
- Ahrefs
- rogerbot
- MJ12bot
- majestic12
- MJ12
- SiteBot
- Semrush
- CCBot
- 80legs
- Sogou
- DigExt
- spbot
- ia_archiver
- Rankivabot
- DBLBot
- libw
- Voil
- Twice
- Sogou
- psbot
- Exabot
- boitho
- ajSitemap
- Rankivabot
- DBLBot
- Ezooms
- Ezooms/1.0
- exabot
- dotbot
- gigabot
- thesis-research-bot
- my-tiny-bot
other:
- path_beg /wp-admin
- path_beg /wp-login
- path /autodiscover/autodiscover.xml
- path /autodiscover.xml
- path /CHANGELOG.txt
- path /COPYRIGHT.txt
- path /INSTALL.mysql.txt
- path /INSTALL.pgsql.txt
- path /INSTALL.sqlite.txt
- path /INSTALL.txt
- path /LICENSE.txt
- path /MAINTAINERS.txt
- path /README.txt
- path /UPGRADE.txt
files/500.http 0 → 100644
View file @ 725e43ef
HTTP/1.0 500 Internal Server Error
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!doctype html>
<!-- 500 Internal Server Error -->
<html>
<title>Site Maintenance | Wartung</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<body>
<article>
<h1>We&rsquo;ll be back soon!</h1>
<div>
<p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
</div>
</article>
<article>
<h1>Wir sind bald zur&uuml;ck!</h1>
<div>
<p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
</div>
</article>
</body>
</html>
files/502.http 0 → 100644
View file @ 725e43ef
HTTP/1.0 502 Bad Gateway
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!doctype html>
<!-- 502 Bad Gateway -->
<html>
<title>Site Maintenance | Wartung</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<body>
<article>
<h1>We&rsquo;ll be back soon!</h1>
<div>
<p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
</div>
</article>
<article>
<h1>Wir sind bald zur&uuml;ck!</h1>
<div>
<p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
</div>
</article>
</body>
</html>
files/503.http 0 → 100644
View file @ 725e43ef
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!doctype html>
<!-- 503 Service Unavailable -->
<html>
<title>Site Maintenance | Wartung</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<body>
<article>
<h1>We&rsquo;ll be back soon!</h1>
<div>
<p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
</div>
</article>
<article>
<h1>Wir sind bald zur&uuml;ck!</h1>
<div>
<p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
</div>
</article>
</body>
</html>
files/504.http 0 → 100644
View file @ 725e43ef
HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!doctype html>
<!-- 504 Gateway Time-out -->
<html>
<title>Site Maintenance | Wartung</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<body>
<article>
<h1>We&rsquo;ll be back soon!</h1>
<div>
<p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
</div>
</article>
<article>
<h1>Wir sind bald zur&uuml;ck!</h1>
<div>
<p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
</div>
</article>
</body>
</html>
files/etc_logrotate_d_haproxy
View file @ 725e43ef
/var/log/haproxy {
daily
rotate 7
delaycompress
compress
notifempty
missingok
postrotate
service haproxy restart > /dev/null
endscript
daily
rotate 7
delaycompress
compress
notifempty
missingok
postrotate
service haproxy restart > /dev/null
endscript
}
files/maintenance.http 0 → 100644
View file @ 725e43ef
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!doctype html>
<!-- 503 Service Unavailable -->
<html>
<title>Site Maintenance | Wartung</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<body>
<article>
<h1>We&rsquo;ll be back soon!</h1>
<div>
<p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
</div>
</article>
<article>
<h1>Wir sind bald zur&uuml;ck!</h1>
<div>
<p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
</div>
</article>
</body>
</html>
handlers/main.yml
View file @ 725e43ef
---
# file: roles/haproxy/handler/main.yml
- name: "Proxy | Restart HAProxy"
service: name={{item.name}} state={{item.state}}
- name: Check HAProxy Config
command: haproxy -c -f /etc/haproxy/haproxy.cfg
register: haproxy_config_check
changed_when: '"Configuration file is valid" in haproxy_config_check.stdout_lines'
failed_when: '"Configuration file is valid" not in haproxy_config_check.stdout_lines'
notify:
- Restart HAProxy
- name: Restart HAProxy
service:
name: '{{ item.name }}'
state: '{{ item.state }}'
with_items:
- name: haproxy
state: restarted
tasks/blacklists.yml 0 → 100644
View file @ 725e43ef
---
# file: roles/haproxy/tasks/blacklists.yml
- name: Update blacklists
template:
src: '{{ item }}'
dest: /etc/haproxy/{{ item }}
owner: root
group: root
mode: 0644
with_items:
- blacklist.ip
- blacklist.referer
- blacklist.agent
notify:
- Check HAProxy Config
tasks/buildcerts.yml
View file @ 725e43ef
---
# file: roles/haproxy/tasks/buildcerts.yml
- name: "Create PEM file for HaProxy"
- name: Create PEM file for HaProxy
assemble:
src='/etc/letsencrypt/live/{{ item.domain }}'
dest='/etc/haproxy/certs/{{ item.domain }}.pem'
regexp='(fullchain)|(privkey)\.pem'
with_items: '{{ proxy_certificates_letsencrypt|default([]) }}'
src: /etc/letsencrypt/live/{{ item.domain }}
dest: /etc/haproxy/certs/{{ item.file }}
regexp: '(fullchain)|(privkey)\.pem'
with_items: '{{ proxy_certificates|default([]) }}'
when: item.letsencrypt|default(false) and item.active|default(true)
ignore_errors: yes
notify:
- "Proxy | Restart HAProxy"
- Restart HAProxy
tasks/configure.yml
View file @ 725e43ef
---
# file: roles/haproxy/tasks/configure.yml
- name: "Proxy | Install SSL certificates"
- name: Backup current settings
archive:
path: /etc/haproxy
dest: /var/backups/haproxy-{{ lookup('pipe','date +%Y%m%d-%H%M%S') }}.tgz
when: no
- name: Install SSL certificates
copy:
src='{{inventory_dir}}/files/ssl/{{item.file}}'
dest='/etc/haproxy/certs'
src: '{{inventory_dir}}/files/ssl/{{item.file}}'
dest: /etc/haproxy/certs
with_items: '{{ proxy_certificates }}'
when: not item.letsencrypt|default(false)
notify: 'Proxy | Restart HAProxy'
notify:
- Check HAProxy Config
- name: Create maintenance lists
template:
src: maintenance_list
dest: /etc/haproxy/maintenance.list
owner: root
group: root
mode: 0644
notify:
- Check HAProxy Config
- name: "Proxy | Create host lists"
- name: Create host lists
template:
src='host_list'
dest='/etc/haproxy/{{item}}.list'
owner='root'
group='root'
mode='644'
with_items: '{{ groups.all }}'
notify: 'Proxy | Restart HAProxy'
src: host_list
dest: /etc/haproxy/{{item}}.list
owner: root
group: root
mode: 0644
with_items: '{{ groups.webserver|default([]) }}'
notify:
- Check HAProxy Config
- name: "Proxy | Create host ssl lists"
- name: Create host ssl lists
template:
src='host_ssl_list'
dest='/etc/haproxy/{{item}}.ssl.list'
owner='root'
group='root'
mode='644'
with_items: '{{ groups.all }}'
notify: 'Proxy | Restart HAProxy'
src: host_ssl_list
dest: /etc/haproxy/{{item}}.ssl.list
owner: root
group: root
mode: 0644
with_items: '{{ groups.webserver|default([]) }}'
notify:
- Check HAProxy Config
- name: Create host path lists
file:
dest: /etc/haproxy/{{item}}.path.list
owner: root
group: root
mode: 0644
state: touch
with_items: '{{ groups.webserver|default([]) }}'
changed_when: no
- name: "Proxy | Create use bigpipe host lists"
- name: Create use bigpipe host lists
template:
src='use_bigpipe_list'
dest='/etc/haproxy/use_bigpipe.list'
owner='root'
group='root'
mode='644'
notify: 'Proxy | Restart HAProxy'
src: use_bigpipe_list
dest: /etc/haproxy/use_bigpipe.list
owner: root
group: root
mode: 0644
notify:
- Check HAProxy Config
- name: "Proxy | Create ignore varnish host lists"
- name: Create ignore varnish host lists
template:
src='ignore_varnish_list'
dest='/etc/haproxy/ignore_varnish.list'
owner='root'
group='root'
mode='644'
notify: 'Proxy | Restart HAProxy'
src: ignore_varnish_list
dest: /etc/haproxy/ignore_varnish.list
owner: root
group: root
mode: 0644
notify:
- Check HAProxy Config
- name: "Proxy | Create empty crm lists files"
- name: Create empty crm lists files
file:
dest='/etc/haproxy/{{item}}.crm.list'
owner='root'
group='root'
mode='644'
state='touch'
with_items: '{{ groups.all }}'
changed_when: false
dest: /etc/haproxy/{{item}}.crm.list
owner: root
group: root
mode: 0644
state: touch
with_items: '{{ groups.webserver|default([]) }}'
changed_when: no
- name: "Proxy | Create config file"
- name: Update private ips
template:
src='haproxy_cfg'
dest='/etc/haproxy/haproxy.cfg'
owner='root'
group='root'
mode='644'
notify: 'Proxy | Restart HAProxy'
src: privatelist.ip.jinja2
dest: /etc/haproxy/privatelist.ip
owner: root
group: root
mode: 644
when: haproxy_private is defined
notify:
- Check HAProxy Config
- name: "Proxy | Update blacklists"
- name: Update private domains
template:
src='{{ item }}'
dest='/etc/haproxy/{{ item }}'
owner='root'
group='root'
mode='644'
src: privatelist.domain.jinja2
dest: /etc/haproxy/privatelist.domain
owner: root
group: root
mode: 0644
when: haproxy_private is defined and haproxy_private.domain is defined
notify:
- Check HAProxy Config
- name: Update redirect map files
template:
src: redirect.map.jinja2
dest: /etc/haproxy/redirect.{{ item }}.map
owner: root
group: root
mode: 0644
with_items:
- 'blacklist.ip'
- 'blacklist.referer'
- 'blacklist.agent'
notify: 'Proxy | Restart HAProxy'
- domain
- domain-and-path
- domain-append-path
- path
notify:
- Check HAProxy Config
- name: Create config file
template:
src: haproxy_cfg.jinja2
dest: /etc/haproxy/haproxy.cfg
owner: root
group: root
mode: 0644
notify:
- Check HAProxy Config
tasks/install.yml
View file @ 725e43ef
---
# file: roles/haproxy/tasks/install.yml
- name: "Proxy | Add Apt Repositories"
- name: Add Apt Repositories
apt_repository:
repo='{{ item }}'
state=present
mode=644
repo: '{{ item }}'
state: present
mode: 0644
with_items:
- "ppa:vbernat/haproxy-1.6"
- ppa:vbernat/haproxy-2.2
when: ansible_distribution_major_version != "16"
- name: "Proxy | Install some packages"
- name: Install some packages
apt:
pkg='{{ item }}'
state=installed
with_items:
- haproxy
- hatop
- socat
pkg: '{{ packages }}'
state: latest
vars:
packages:
- haproxy
#- hatop
- socat
- name: "Proxy | create directories"
- name: create directories
file:
dest='{{ item }}'
state=directory
mode='755'
dest: '{{ item }}'
state: directory
mode: 0755
with_items:
- /etc/haproxy/certs
- /etc/haproxy/update
- name: "Proxy | Install hatop shortcut"
- name: Install hatop shortcut
copy:
src='usr_local_bin_hatop'
dest='/usr/local/bin/hatop'
owner='root'
group='root'
mode='755'
src: usr_local_bin_hatop
dest: /usr/local/bin/hatop
owner: root
group: root
mode: 0755
- name: "Proxy | Install log rotator"
- name: Install log rotator
copy:
src='etc_logrotate_d_haproxy'
dest='/etc/logrotate.d/haproxy'
owner='root'
group='root'
mode='644'
src: etc_logrotate_d_haproxy
dest: /etc/logrotate.d/haproxy
owner: root
group: root
mode: 0644
tags:
- logrotate
- name: "Proxy | Install script to read socket"
- name: Install script to read socket
template:
src='hasocket'
dest='/usr/local/bin/hasocket'
owner='root'
group='root'
mode='755'
src: hasocket
dest: /usr/local/bin/hasocket
owner: root
group: root
mode: 0755
- name: Install error response files
copy:
src: '{{ item }}.http'
dest: /etc/haproxy/errors/{{ item }}.http
owner: root
group: root
mode: 0644
with_items:
- '500'
- '502'
- '503'
- '504'
- 'maintenance'
tags:
- errorfiles
notify:
- Check HAProxy Config
tasks/main.yml
View file @ 725e43ef
---
# file: roles/haproxy/tasks/main.yml
- name: "HaProxy Role"
set_fact: role_haproxy_started=true
tags: always
- name: HaProxy Role
set_fact:
role_haproxy_started: yes
tags:
- always
- block:
- include: install.yml
- include: configure.yml
tags: Config
- name: Import install
import_tasks: install.yml
when: '"haproxy" not in excluded_roles'
- name: Import configure
import_tasks: configure.yml
tags:
- Config
- name: Import blacklist
import_tasks: blacklists.yml
tags:
- Config
- Blacklists
when: not excluded_roles or "haproxy" not in excluded_roles
- block:
- name: "Install Certs"
include: '../../letsencrypt/tasks/cert.yml'
with_items: '{{ proxy_certificates_letsencrypt|default([]) }}'
loop_control:
loop_var: domain
- name: Install Certs
include_tasks: ../../letsencrypt/tasks/cert.yml
with_items: '{{ proxy_certificates|default([]) }}'
loop_control:
loop_var: domain
when: domain.letsencrypt|default(false) and domain.active|default(true)
- name: Renew Existing Cert
import_tasks: ../../letsencrypt/tasks/renew.yml
- name: "Renew Existing Cert"
include: '../../letsencrypt/tasks/renew.yml'
- name: Build HaProxy Certs
import_tasks: buildcerts.yml
- name: "Build HaCerts"
include: 'buildcerts.yml'
tags:
- Certs
when: proxy_active|default(true) and (not excluded_roles or "letsencrypt" not in excluded_roles)
tags: Certs
when: '"letsencrypt" not in excluded_roles'
- name: Import proxypool
import_tasks: proxypool.yml
when: not excluded_roles or "letsencrypt" not in excluded_roles
tags:
- Certs
tasks/proxypool.yml 0 → 100644
View file @ 725e43ef
---
# file: roles/haproxy/tasks/proxypool.yml
- block:
- name: Set directory permissions to current user
file:
path: /etc/letsencrypt
owner: '{{ ansible_env.SUDO_USER|default("root") }}'
recurse: yes
follow: no
when: proxy_active|default(true)
- name: Pull Certs from active Proxy
import_tasks: pullcerts.yml
when: not proxy_active|default(true)
- name: Set directory permissions to root
file:
path: /etc/letsencrypt
owner: root
recurse: yes
follow: no
when: proxy_active|default(true)
tags:
- Certs
tasks/pullcerts.yml 0 → 100644
View file @ 725e43ef
---
# file: roles/haproxy/tasks/pullcerts.yml
- name: Find out active proxy
set_fact:
proxy_active_host: '{{ item }}'
with_items: '{{ groups.proxyserver|default([]) }}'
when: hostvars[item].proxy_active|default(true)
- name: Set directory permissions to current user
file:
path: '{{ item }}'
owner: '{{ ansible_env.SUDO_USER|default("root") }}'
recurse: yes
follow: no
with_items:
- /etc/letsencrypt
- /etc/haproxy/certs
- name: Sync files
shell: 'rsync -rulp "{{ proxy_active_host }}:{{ item }}/" "{{ item }}"'
delegate_to: '{{ inventory_hostname }}'
become: no
with_items:
- /etc/letsencrypt
- /etc/haproxy/certs
ignore_errors: yes
# We ignore errors as they may happen if we run the script without the other proxy
- name: Set directory permissions to root
file:
path: '{{ item }}'
owner: root
recurse: yes
follow: no
with_items:
- /etc/letsencrypt
- /etc/haproxy/certs
templates/blacklist.agent
View file @ 725e43ef
{% if ansible_local is defined and ansible_local.blacklist is defined %}
{% for line in ansible_local.blacklist.agent|default([]) %}
{{line}}
{% endfor %}
{% endif %}
{% for line in proxy_blacklist.agent|default([]) %}
{{line}}
{% endfor %}
templates/blacklist.ip
View file @ 725e43ef
{% if ansible_local is defined and ansible_local.blacklist is defined %}
{% for line in ansible_local.blacklist.ip|default([]) %}
{{line}}
{% endfor %}
{% endif %}
{% for line in proxy_blacklist.ip|default([]) %}
{{line}}
{% endfor %}
templates/blacklist.referer
View file @ 725e43ef
{% if ansible_local is defined and ansible_local.blacklist is defined %}
{% for line in ansible_local.blacklist.referer|default([]) %}
{{line}}
{% endfor %}
{% endif %}
{% for line in proxy_blacklist.referer|default([]) %}
{{line}}
{% endfor %}
templates/haproxy_cfg deleted 100644 → 0
View file @ 8ec38b2b
global
log 127.0.0.1:20514 local1
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
ca-base /etc/haproxy/certs
crt-base /etc/haproxy/private
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
pidfile /run/haproxy.pid
defaults
log global
log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
mode http
option dontlognull
timeout connect {{ proxy_timeout_connect }}
timeout client {{ proxy_timeout_client }}
timeout server {{ proxy_timeout_server }}
timeout check 1s
timeout http-keep-alive 3s
timeout http-request 10s # slowloris protection
default-server inter 3s fall 2 rise 2 slowstart 60s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
option forwardfor
option http-server-close
retries 3
default_backend {{proxy_default_backend}}
listen stats
bind 127.0.0.1:7000
mode http
stats enable
stats admin if TRUE
stats uri /haproxy_stats
stats realm LoadBalancerStats
{% if kibana_users is defined %}
userlist kibana
{% for user in kibana_users %}
user {{ user.username }} insecure-password '{{ user.password }}'
{% endfor %}
{% endif %}
frontend http_in
bind *:80
http-request del-header Proxy
acl blockedip src -f /etc/haproxy/blacklist.ip
http-request deny if blockedip
acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
http-request deny if blockedreferer
acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
http-request deny if blockedagent
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { path_beg /{{path.from}}{% endif %} }
{% endfor %}
redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{from}} }
{% endfor %}
{% endfor %}
{% if proxy_redirect_aliase %}
{% for drupal in hostvars[host].drupal_settings|default([]) %}
{% for domain in drupal.domains|default([]) %}
{% if not domain.multidomain|default(false) %}
{% for alias in domain.aliases|default([]) %}
redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
{% if kibana_users is defined %}
acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
use_backend backend_redirect_ssl if kibana_present
{% endif %}
acl domain_uses_bigpipe hdr(host) -i -n -f /etc/haproxy/use_bigpipe.list
{% if varnish_host|default(false) %}
acl domain_ignores_varnish hdr(host) -i -n -f /etc/haproxy/ignore_varnish.list
use_backend backend_varnish_bigpipe if domain_uses_bigpipe !domain_ignores_varnish
acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %}
{% for host in groups['all'] %}
acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_{{host}}_bigpipe if domain_uses_bigpipe domain_in_{{host}}
use_backend backend_{{host}} if domain_in_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
acl crm_domain_in_{{host}} hdr_dom(host) -i -n -f /etc/haproxy/{{host}}.crm.list
use_backend backend_{{host}} if crm_domain_in_{{host}}
{% endif %}
acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
use_backend backend_redirect_ssl if redirect_ssl_{{host}}
{% endfor %}
{% for cert in proxy_certificates %}
frontend https_in_{{ cert.ip }}
bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
http-request del-header Proxy
acl blockedip src -f /etc/haproxy/blacklist.ip
http-request deny if blockedip
acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
http-request deny if blockedreferer
acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
http-request deny if blockedagent
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { path_beg /{{path.from}}{% endif %} }
{% endfor %}
redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{from}} }
{% endfor %}
{% endfor %}
{% if proxy_redirect_aliase %}
{% for drupal in hostvars[host].drupal_settings|default([]) %}
{% for domain in drupal.domains|default([]) %}
{% if not domain.multidomain|default(false) %}
{% for alias in domain.aliases|default([]) %}
redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
{% if kibana_users is defined %}
acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
use_backend backend_kibana if kibana_present
{% endif %}
{% for external in cert.external|default([]) %}
acl is_{{ external.key }} {{ external.acl }}
use_backend backend_{{ external.key }} if is_{{ external.key }}
{% endfor %}
acl domain_uses_bigpipe hdr(host) -i -n -f /etc/haproxy/use_bigpipe.list
{% if varnish_host|default(false) %}
acl domain_ignores_varnish hdr(host) -i -n -f /etc/haproxy/ignore_varnish.list
use_backend backend_varnish_bigpipe if domain_uses_bigpipe !domain_ignores_varnish
acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %}
{% for host in groups['all'] %}
acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
use_backend backend_{{host}}_https_bigpipe if domain_uses_bigpipe ssl_domain_in_{{host}}
use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
acl redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_redirect if redirect_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_redirect if crm_redirect_{{host}}
{% endif %}
{% endfor %}
{% for external in cert.external|default([]) %}
backend backend_{{ external.key }}
server server_{{ external.key }} {{ external.server }} {{ external.options }}
{% endfor %}
{% endfor %}
{% for host in groups['all'] %}
backend backend_{{host}}
{% if host == inventory_hostname or host == 'localhost' %}
http-response deny
{% else %}
server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}
backend backend_{{host}}_bigpipe
{% if host == inventory_hostname or host == 'localhost' %}
http-response deny
{% else %}
no option http-buffer-request
server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}
backend backend_{{host}}_https
{% if host == inventory_hostname or host == 'localhost' %}
http-response deny
{% else %}
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}
backend backend_{{host}}_https_bigpipe
{% if host == inventory_hostname or host == 'localhost' %}
http-response deny
{% else %}
no option http-buffer-request
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}
{% endfor %}
{% if varnish_host|default(false) %}
backend backend_varnish
option httpchk HEAD /varnishcheck
http-check expect status 200
option forwardfor
hash-type consistent
{% if varnish_host == inventory_hostname %}
server varnish 127.0.0.1:6081 maxconn 1000
{% else %}
server varnish {{ varnish_host_ip|default('') }}:6081 maxconn 1000
{% endif %}
backend backend_varnish_bigpipe
no option http-buffer-request
option httpchk HEAD /varnishcheck
http-check expect status 200
option forwardfor
hash-type consistent
{% if varnish_host == inventory_hostname %}
server varnish 127.0.0.1:6081 maxconn 1000
{% else %}
server varnish {{ varnish_host_ip|default('') }}:6081 maxconn 1000
{% endif %}
{% endif %}
backend backend_redirect_ssl
redirect scheme https if TRUE
backend backend_redirect
redirect scheme http if TRUE
{% if kibana_users is defined %}
backend backend_kibana
server kibana 127.0.0.1:5601 maxconn 32
acl kibana_auth http_auth(kibana) if kibana_present
http-request auth realm Kibana if !kibana_auth
{% endif %}