Commit 92751e5b authored by jurgenhaas's avatar jurgenhaas

Optimize haproxy configuration and implement server checks so that netdata can monitor them

parent 7692ab57
......@@ -16,7 +16,7 @@
owner='root'
group='root'
mode='644'
with_items: '{{ groups.all }}'
with_items: '{{ groups.webserver }}'
notify: 'Proxy | Restart HAProxy'
- name: "Proxy | Create host ssl lists"
......@@ -26,7 +26,7 @@
owner='root'
group='root'
mode='644'
with_items: '{{ groups.all }}'
with_items: '{{ groups.webserver }}'
notify: 'Proxy | Restart HAProxy'
- name: "Proxy | Create use bigpipe host lists"
......@@ -54,7 +54,7 @@
group='root'
mode='644'
state='touch'
with_items: '{{ groups.all }}'
with_items: '{{ groups.webserver }}'
changed_when: false
- name: "Proxy | Create config file"
......
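Review bot: Narrowing `with_items` from `groups.all` to `groups.webserver` in these three tasks stops managing the per-host list files for hosts outside that group, but nothing visible here removes the files an earlier run already created for them. They are presumably the `/etc/haproxy/{{host}}.list` and `.ssl.list` files the template reads, so stale hostname lists would stay on the proxy and could be picked up again if a later template change widens the loop. A cleanup task with `state=absent` over `groups.all | difference(groups.webserver)` would keep the directory in step with the config. The task bodies start outside these hunks, so the module and destination paths should be confirmed against the full file.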
......@@ -33,7 +33,7 @@ defaults
option forwardfor
option http-server-close
retries 3
default_backend {{proxy_default_backend}}
default_backend backend_{{proxy_default_backend}}
listen stats
bind 127.0.0.1:7000
......@@ -68,6 +68,10 @@ frontend http_in
{% for path in redirect.paths|default([]) %}
{% if path.deny|default(false) %}
http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% else %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
......@@ -78,9 +82,7 @@ frontend http_in
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
{% if not path.deny|default(false) %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% else %}
{% if path.regex is not defined or path.from is not defined %}
redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% endif %}
{% endif %}
......@@ -106,7 +108,7 @@ frontend http_in
acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
use_backend backend_redirect_ssl if kibana_present
{% endif %}
{% for host in groups['all'] %}
{% for host in groups['webserver'] %}
acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
use_backend backend_redirect_ssl if redirect_ssl_{{host}}
{% endfor %}
......@@ -121,7 +123,7 @@ frontend http_in
acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %}
{% for host in groups['all'] %}
{% for host in groups['webserver'] %}
acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_{{host}}_bigpipe if domain_uses_bigpipe domain_in_{{host}}
use_backend backend_{{host}} if domain_in_{{host}}
......@@ -154,6 +156,10 @@ frontend https_in_{{ cert.ip }}
{% for path in redirect.paths|default([]) %}
{% if path.deny|default(false) %}
http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% else %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
......@@ -164,9 +170,7 @@ frontend https_in_{{ cert.ip }}
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
{% if not path.deny|default(false) %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% else %}
{% if path.regex is not defined or path.from is not defined %}
redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% endif %}
{% endif %}
......@@ -196,7 +200,7 @@ frontend https_in_{{ cert.ip }}
acl is_{{ external.key }} {{ external.acl }}
use_backend backend_{{ external.key }} if is_{{ external.key }}
{% endfor %}
{% for host in groups['all'] %}
{% for host in groups['webserver'] %}
acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_redirect if crm_redirect_{{host}}
{% endfor %}
......@@ -207,7 +211,7 @@ frontend https_in_{{ cert.ip }}
acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %}
{% for host in groups['all'] %}
{% for host in groups['webserver'] %}
acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
use_backend backend_{{host}}_https_bigpipe if domain_uses_bigpipe ssl_domain_in_{{host}}
use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
......@@ -223,16 +227,21 @@ frontend https_in_{{ cert.ip }}
{% for external in cert.external|default([]) %}
backend backend_{{ external.key }}
server server_{{ external.key }} {{ external.server }} {{ external.options }}
server server_{{ external.key }} {{ external.server }} check {{ external.options }}
{% endfor %}
{% endfor %}
{% for host in groups['all'] %}
{% if proxy_default_backend not in groups['webserver'] %}
backend backend_{{ proxy_default_backend }}
http-response deny
{% endif %}
{% for host in groups['webserver'] %}
backend backend_{{host}}
{% if host == inventory_hostname or host == 'localhost' %}
http-response deny
{% else %}
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %}
backend backend_{{host}}_bigpipe
......@@ -240,7 +249,7 @@ backend backend_{{host}}_bigpipe
http-response deny
{% else %}
no option http-buffer-request
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %}
backend backend_{{host}}_https
......@@ -248,7 +257,7 @@ backend backend_{{host}}_https
http-response deny
{% else %}
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %}
backend backend_{{host}}_https_bigpipe
......@@ -257,7 +266,7 @@ backend backend_{{host}}_https_bigpipe
{% else %}
no option http-buffer-request
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %}
{% endfor %}
{% if varnish_host|default(false) %}
......@@ -295,7 +304,7 @@ backend backend_redirect
{% if kibana_users is defined %}
backend backend_kibana
server kibana 127.0.0.1:5601 maxconn 32
server kibana 127.0.0.1:5601 check maxconn 32
acl kibana_auth http_auth(kibana) if kibana_present
http-request auth realm Kibana if !kibana_auth
{% endif %}
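Review bot: The `check` keyword added to every `server` line is a plain TCP connect probe unless `option httpchk` is configured, and none is visible in the `defaults` lines shown, so netdata would report a backend as up while the web server on port 80 is answering with errors. Consider adding `option httpchk` with a cheap status URL to `defaults` or to each backend. Each webserver host is also now probed four times, once per `backend_{{host}}*` variant against the same `static_ipv4:80`; the bigpipe and https variants could use `track backend_{{host}}/server_{{host}}` in place of `check`. Separately, the new fallback `backend backend_{{ proxy_default_backend }}` has no `server` line, so HAProxy will most likely answer 503 before `http-response deny` is ever evaluated; `http-request deny` would reject unmatched hosts explicitly and keep them distinguishable from a real outage in monitoring.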