haproxy_cfg

global
  log 127.0.0.1:20514 local1
  chroot /var/lib/haproxy
  stats socket /run/haproxy/admin.sock mode 660 level admin
  stats timeout 30s
  user haproxy
  group haproxy
  daemon
  ca-base /etc/haproxy/certs
  crt-base /etc/haproxy/private
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  pidfile /run/haproxy.pid

defaults
  log global
  log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
  mode http
  option dontlognull
  timeout connect {{ proxy_timeout_connect }}
  timeout client {{ proxy_timeout_client }}
  timeout server {{ proxy_timeout_server }}
  timeout check 1s
  timeout http-keep-alive 3s
  timeout http-request 10s  # slowloris protection
  default-server inter 3s fall 2 rise 2 slowstart 60s
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http
  option forwardfor
  option http-server-close
  retries 3
  default_backend {{proxy_default_backend}}

listen stats
  bind 127.0.0.1:7000
  mode http
  stats enable
  stats admin if TRUE
  stats uri /haproxy_stats
  stats realm LoadBalancerStats
{% if kibana_users is defined %}

userlist kibana
{% for user in kibana_users %}
  user {{ user.username }} insecure-password '{{ user.password }}'
{% endfor %}
{% endif %}

frontend http_in
  bind *:80
  http-request del-header Proxy
  acl blockedip src -f /etc/haproxy/blacklist.ip
  http-request deny if blockedip
  acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
  http-request deny if blockedreferer
  acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
  http-request deny if blockedagent
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
  redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { path_beg /{{path.from}}{% endif %} }
{% endfor %}
  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{from}} }
{% endfor %}
{% endfor %}
{% if proxy_redirect_aliase %}
{% for drupal in hostvars[host].drupal_settings|default([]) %}
{% for domain in drupal.domains|default([]) %}
{% if not domain.multidomain|default(false) %}
{% for alias in domain.aliases|default([]) %}
  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
{% if kibana_users is defined %}
  acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
  use_backend backend_redirect_ssl if kibana_present
{% endif %}
{% if varnish_host|default(false) %}
  acl domain_ignores_varnish hdr(host) -i -n -f /etc/haproxy/ignore_varnish.list
  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
  use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %}
{% for host in groups['all'] %}
  acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
  use_backend backend_{{host}} if domain_in_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
  acl crm_domain_in_{{host}} hdr_dom(host) -i -n -f /etc/haproxy/{{host}}.crm.list
  use_backend backend_{{host}} if crm_domain_in_{{host}}
{% endif %}
  acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
  use_backend backend_redirect_ssl if redirect_ssl_{{host}}
{% endfor %}
{% for cert in proxy_certificates %}

frontend https_in_{{ cert.ip }}
  bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
  http-request del-header Proxy
  acl blockedip src -f /etc/haproxy/blacklist.ip
  http-request deny if blockedip
  acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
  http-request deny if blockedreferer
  acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
  http-request deny if blockedagent
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
  redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { path_beg /{{path.from}}{% endif %} }
{% endfor %}
  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{from}} }
{% endfor %}
{% endfor %}
{% if proxy_redirect_aliase %}
{% for drupal in hostvars[host].drupal_settings|default([]) %}
{% for domain in drupal.domains|default([]) %}
{% if not domain.multidomain|default(false) %}
{% for alias in domain.aliases|default([]) %}
  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
{% if kibana_users is defined %}
  acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
  use_backend backend_kibana if kibana_present
{% endif %}
{% for external in cert.external|default([]) %}
  acl is_{{ external.key }} {{ external.acl }}
  use_backend backend_{{ external.key }} if is_{{ external.key }}
{% endfor %}
{% if varnish_host|default(false) %}
  acl domain_ignores_varnish hdr(host) -i -n -f /etc/haproxy/ignore_varnish.list
  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
  use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %}
{% for host in groups['all'] %}
  acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
  use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
  acl redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
  use_backend backend_redirect if redirect_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
  acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
  use_backend backend_redirect if crm_redirect_{{host}}
{% endif %}
{% endfor %}
{% for external in cert.external|default([]) %}

backend backend_{{ external.key }}
  server server_{{ external.key }} {{ external.server }} {{ external.options }}
{% endfor %}
{% endfor %}
{% for host in groups['all'] %}

backend backend_{{host}}
{% if host == inventory_hostname or host == 'localhost' %}
  http-response deny
{% else %}
  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}

backend backend_{{host}}_https
{% if host == inventory_hostname or host == 'localhost' %}
  http-response deny
{% else %}
  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}
{% endfor %}
{% if varnish_host|default(false) %}

backend backend_varnish
  option httpchk HEAD /varnishcheck
  http-check expect status 200
  option forwardfor
  hash-type consistent
{% if varnish_host == inventory_hostname %}
  server varnish 127.0.0.1:6081 maxconn 1000
{% else %}
  server varnish {{ varnish_host_ip|default('') }}:6081 maxconn 1000
{% endif %}
{% endif %}

backend backend_redirect_ssl
  redirect scheme https if TRUE

backend backend_redirect
  redirect scheme http if TRUE
{% if kibana_users is defined %}

backend backend_kibana
  server kibana 127.0.0.1:5601 maxconn 32
  acl kibana_auth http_auth(kibana) if kibana_present
  http-request auth realm Kibana if !kibana_auth
{% endif %}