From 92751e5b4a8c80577881b78dd55026fc76deab73 Mon Sep 17 00:00:00 2001 From: jurgenhaas <juergen@paragon-es.de> Date: Thu, 12 Jan 2017 16:53:58 +0100 Subject: [PATCH] Optimize haproxy configuration and implement server checks so that netdata can monitor them --- tasks/configure.yml | 6 +++--- templates/haproxy_cfg | 45 ++++++++++++++++++++++++++----------------- 2 files changed, 30 insertions(+), 21 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 3038c65..0e9b8d1 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -16,7 +16,7 @@ owner='root' group='root' mode='644' - with_items: '{{ groups.all }}' + with_items: '{{ groups.webserver }}' notify: 'Proxy | Restart HAProxy' - name: "Proxy | Create host ssl lists" @@ -26,7 +26,7 @@ owner='root' group='root' mode='644' - with_items: '{{ groups.all }}' + with_items: '{{ groups.webserver }}' notify: 'Proxy | Restart HAProxy' - name: "Proxy | Create use bigpipe host lists" @@ -54,7 +54,7 @@ group='root' mode='644' state='touch' - with_items: '{{ groups.all }}' + with_items: '{{ groups.webserver }}' changed_when: false - name: "Proxy | Create config file" diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg index 0be95cf..b3915ed 100644 --- a/templates/haproxy_cfg +++ b/templates/haproxy_cfg @@ -33,7 +33,7 @@ defaults option forwardfor option http-server-close retries 3 - default_backend {{proxy_default_backend}} + default_backend backend_{{proxy_default_backend}} listen stats bind 127.0.0.1:7000 
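Review bot: The three loops in tasks/configure.yml now read `groups.webserver` with no fallback, so an inventory without a `webserver` group makes each task fail on an undefined variable, where `groups.all` always existed. I would write `with_items: '{{ groups.webserver | default([]) }}'` in the hunks at -16, -26 and -54. The `groups['webserver']` loops added to templates/haproxy_cfg rest on the same assumption. Files already created under /etc/haproxy for hosts outside the group are presumably left on disk; the template appears to stop reading them, so this is only a cleanup item. The task bodies start outside these hunks.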
@@ -68,6 +68,10 @@ frontend http_in {% for path in redirect.paths|default([]) %} {% if path.deny|default(false) %} http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } +{% else %} +{% if path.regex is defined and path.from is defined %} + http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} } +{% endif %} {% endif %} {% endfor %} {% endfor %} @@ -78,9 +82,7 @@ frontend http_in {% for from in redirect.from %} {% for path in redirect.paths|default([]) %} {% if not path.deny|default(false) %} -{% if path.regex is defined and path.from is defined %} - http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} } -{% else %} +{% if path.regex is not defined or path.from is not defined %} redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } {% endif %} {% endif %} @@ -106,7 +108,7 @@ frontend http_in acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}' use_backend backend_redirect_ssl if kibana_present {% endif %} -{% for host in groups['all'] %} +{% for host in groups['webserver'] %} acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list use_backend backend_redirect_ssl if redirect_ssl_{{host}} {% endfor %} 
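Review bot: The regex redirect added at -68 builds its Location from `capture.req.uri` with only the `{{path.regex}}` match removed and no scheme or host in front. If what remains after the substitution begins with `//`, a browser reads it as a protocol-relative URL and follows it to another site. Whether that can happen depends on the `path.regex` values in inventory, which the diff does not show. If the redirect is meant to land on `redirect.to`, anchoring it closes that gap: `location {{ redirect.protocol|default('https') }}://{{redirect.to}}%[capture.req.uri,regsub({{path.regex}},)]`. Otherwise a template comment should state that `path.regex` must leave exactly one leading slash. The same line is added to the `https_in_{{ cert.ip }}` frontend in the hunk at -154.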
@@ -121,7 +123,7 @@ frontend http_in acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html use_backend backend_varnish if static_content !domain_ignores_varnish {% endif %} -{% for host in groups['all'] %} +{% for host in groups['webserver'] %} acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list use_backend backend_{{host}}_bigpipe if domain_uses_bigpipe domain_in_{{host}} use_backend backend_{{host}} if domain_in_{{host}} @@ -154,6 +156,10 @@ frontend https_in_{{ cert.ip }} {% for path in redirect.paths|default([]) %} {% if path.deny|default(false) %} http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } +{% else %} +{% if path.regex is defined and path.from is defined %} + http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} } +{% endif %} {% endif %} {% endfor %} {% endfor %} @@ -164,9 +170,7 @@ frontend https_in_{{ cert.ip }} {% for from in redirect.from %} {% for path in redirect.paths|default([]) %} {% if not path.deny|default(false) %} -{% if path.regex is defined and path.from is defined %} - http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} } -{% else %} +{% if path.regex is not defined or path.from is not defined %} redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } {% endif %} {% endif %} 
@@ -196,7 +200,7 @@ frontend https_in_{{ cert.ip }} acl is_{{ external.key }} {{ external.acl }} use_backend backend_{{ external.key }} if is_{{ external.key }} {% endfor %} -{% for host in groups['all'] %} +{% for host in groups['webserver'] %} acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list use_backend backend_redirect if crm_redirect_{{host}} {% endfor %} @@ -207,7 +211,7 @@ frontend https_in_{{ cert.ip }} acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html use_backend backend_varnish if static_content !domain_ignores_varnish {% endif %} -{% for host in groups['all'] %} +{% for host in groups['webserver'] %} acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list use_backend backend_{{host}}_https_bigpipe if domain_uses_bigpipe ssl_domain_in_{{host}} use_backend backend_{{host}}_https if ssl_domain_in_{{host}} @@ -223,16 +227,21 @@ frontend https_in_{{ cert.ip }} {% for external in cert.external|default([]) %} backend backend_{{ external.key }} - server server_{{ external.key }} {{ external.server }} {{ external.options }} + server server_{{ external.key }} {{ external.server }} check {{ external.options }} {% endfor %} {% endfor %} -{% for host in groups['all'] %} +{% if proxy_default_backend not in groups['webserver'] %} + +backend backend_{{ proxy_default_backend }} + http-response deny +{% endif %} +{% for host in groups['webserver'] %} backend backend_{{host}} {% if host == inventory_hostname or host == 'localhost' %} http-response deny {% else %} - server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} + server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} {% endif %} backend backend_{{host}}_bigpipe 
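Review bot: The new fallback `backend backend_{{ proxy_default_backend }}` in the hunk at -223 has `http-response deny` but no `server` line. As far as I can tell HAProxy then answers 503 because no server is available, and the response rule is never evaluated. Requests are still refused, but not by the rule written here. `http-request deny` would reject before server selection and return an explicit 403, which makes the fail-closed intent visible in the config and in the logs. A one-line comment such as `# catch-all for hosts not matched by any list; refuse the request` above the backend would also help.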
@@ -240,7 +249,7 @@ backend backend_{{host}}_bigpipe http-response deny {% else %} no option http-buffer-request - server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} + server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} {% endif %} backend backend_{{host}}_https @@ -248,7 +257,7 @@ backend backend_{{host}}_https http-response deny {% else %} http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" - server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} + server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} {% endif %} backend backend_{{host}}_https_bigpipe @@ -257,7 +266,7 @@ backend backend_{{host}}_https_bigpipe {% else %} no option http-buffer-request http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" - server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} + server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} {% endif %} {% endfor %} {% if varnish_host|default(false) %} @@ -295,7 +304,7 @@ backend backend_redirect {% if kibana_users is defined %} backend backend_kibana - server kibana 127.0.0.1:5601 maxconn 32 + server kibana 127.0.0.1:5601 check maxconn 32 acl kibana_auth http_auth(kibana) if kibana_present http-request auth realm Kibana if !kibana_auth {% endif %} -- GitLab
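Review bot: The bare `check` added to the server lines at -240, -248, -257 and -295, and to the two server lines at -223, is only a TCP connect probe unless an `option httpchk` is set somewhere, and none is visible in these hunks. A web server that accepts connections on port 80 but answers 5xx would therefore still count as up for HAProxy and netdata. Each backend has a single server, so a failed probe now takes that backend out of service and clients get 503, a behaviour change the commit message does not mention. I would add `option httpchk GET /` (or a dedicated health path) in `defaults` and set the timing explicitly on the server lines, e.g. `check inter 5s fall 3 rise 2`. The `defaults` section is only partly visible here, so please confirm no HTTP check is already configured.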