Commit 92751e5b authored by jurgenhaas's avatar jurgenhaas

Optimize haproxy configuration and implement server checks so that netdata can monitor them

parent 7692ab57
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
owner='root' owner='root'
group='root' group='root'
mode='644' mode='644'
with_items: '{{ groups.all }}' with_items: '{{ groups.webserver }}'
notify: 'Proxy | Restart HAProxy' notify: 'Proxy | Restart HAProxy'
- name: "Proxy | Create host ssl lists" - name: "Proxy | Create host ssl lists"
...@@ -26,7 +26,7 @@ ...@@ -26,7 +26,7 @@
owner='root' owner='root'
group='root' group='root'
mode='644' mode='644'
with_items: '{{ groups.all }}' with_items: '{{ groups.webserver }}'
notify: 'Proxy | Restart HAProxy' notify: 'Proxy | Restart HAProxy'
- name: "Proxy | Create use bigpipe host lists" - name: "Proxy | Create use bigpipe host lists"
...@@ -54,7 +54,7 @@ ...@@ -54,7 +54,7 @@
group='root' group='root'
mode='644' mode='644'
state='touch' state='touch'
with_items: '{{ groups.all }}' with_items: '{{ groups.webserver }}'
changed_when: false changed_when: false
- name: "Proxy | Create config file" - name: "Proxy | Create config file"
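Review bot: `with_items: '{{ groups.webserver }}'` in all three tasks fails with an undefined-variable error when the inventory has no `webserver` group, whereas `groups.all` always existed. If a proxy without web servers is a supported setup, `with_items: '{{ groups.webserver | default([]) }}'` keeps the play running; if it is not, an explicit `assert` early in the role gives a clearer failure. List files already written for hosts outside the group stay in place, presumably under /etc/haproxy, and are no longer referenced by the template. The task bodies begin outside the visible hunks.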
......
...@@ -33,7 +33,7 @@ defaults ...@@ -33,7 +33,7 @@ defaults
option forwardfor option forwardfor
option http-server-close option http-server-close
retries 3 retries 3
default_backend {{proxy_default_backend}} default_backend backend_{{proxy_default_backend}}
listen stats listen stats
bind 127.0.0.1:7000 bind 127.0.0.1:7000
...@@ -68,6 +68,10 @@ frontend http_in ...@@ -68,6 +68,10 @@ frontend http_in
{% for path in redirect.paths|default([]) %} {% for path in redirect.paths|default([]) %}
{% if path.deny|default(false) %} {% if path.deny|default(false) %}
http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% else %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
...@@ -78,9 +82,7 @@ frontend http_in ...@@ -78,9 +82,7 @@ frontend http_in
{% for from in redirect.from %} {% for from in redirect.from %}
{% for path in redirect.paths|default([]) %} {% for path in redirect.paths|default([]) %}
{% if not path.deny|default(false) %} {% if not path.deny|default(false) %}
{% if path.regex is defined and path.from is defined %} {% if path.regex is not defined or path.from is not defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% else %}
redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% endif %} {% endif %}
{% endif %} {% endif %}
...@@ -106,7 +108,7 @@ frontend http_in ...@@ -106,7 +108,7 @@ frontend http_in
acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}' acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
use_backend backend_redirect_ssl if kibana_present use_backend backend_redirect_ssl if kibana_present
{% endif %} {% endif %}
{% for host in groups['all'] %} {% for host in groups['webserver'] %}
acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list acl redirect_ssl_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
use_backend backend_redirect_ssl if redirect_ssl_{{host}} use_backend backend_redirect_ssl if redirect_ssl_{{host}}
{% endfor %} {% endfor %}
...@@ -121,7 +123,7 @@ frontend http_in ...@@ -121,7 +123,7 @@ frontend http_in
acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
use_backend backend_varnish if static_content !domain_ignores_varnish use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %} {% endif %}
{% for host in groups['all'] %} {% for host in groups['webserver'] %}
acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list acl domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_{{host}}_bigpipe if domain_uses_bigpipe domain_in_{{host}} use_backend backend_{{host}}_bigpipe if domain_uses_bigpipe domain_in_{{host}}
use_backend backend_{{host}} if domain_in_{{host}} use_backend backend_{{host}} if domain_in_{{host}}
...@@ -154,6 +156,10 @@ frontend https_in_{{ cert.ip }} ...@@ -154,6 +156,10 @@ frontend https_in_{{ cert.ip }}
{% for path in redirect.paths|default([]) %} {% for path in redirect.paths|default([]) %}
{% if path.deny|default(false) %} {% if path.deny|default(false) %}
http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } http-request deny if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% else %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
...@@ -164,9 +170,7 @@ frontend https_in_{{ cert.ip }} ...@@ -164,9 +170,7 @@ frontend https_in_{{ cert.ip }}
{% for from in redirect.from %} {% for from in redirect.from %}
{% for path in redirect.paths|default([]) %} {% for path in redirect.paths|default([]) %}
{% if not path.deny|default(false) %} {% if not path.deny|default(false) %}
{% if path.regex is defined and path.from is defined %} {% if path.regex is not defined or path.from is not defined %}
http-request redirect code 301 location %[capture.req.uri,regsub({{path.regex}},)] if { hdr(host) -i -n {{from}} } { path_beg /{{path.from}} }
{% else %}
redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} } redirect location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}} code 301 if { hdr(host) -i -n {{from}}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% endif %} {% endif %}
{% endif %} {% endif %}
...@@ -196,7 +200,7 @@ frontend https_in_{{ cert.ip }} ...@@ -196,7 +200,7 @@ frontend https_in_{{ cert.ip }}
acl is_{{ external.key }} {{ external.acl }} acl is_{{ external.key }} {{ external.acl }}
use_backend backend_{{ external.key }} if is_{{ external.key }} use_backend backend_{{ external.key }} if is_{{ external.key }}
{% endfor %} {% endfor %}
{% for host in groups['all'] %} {% for host in groups['webserver'] %}
acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list acl crm_redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
use_backend backend_redirect if crm_redirect_{{host}} use_backend backend_redirect if crm_redirect_{{host}}
{% endfor %} {% endfor %}
...@@ -207,7 +211,7 @@ frontend https_in_{{ cert.ip }} ...@@ -207,7 +211,7 @@ frontend https_in_{{ cert.ip }}
acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
use_backend backend_varnish if static_content !domain_ignores_varnish use_backend backend_varnish if static_content !domain_ignores_varnish
{% endif %} {% endif %}
{% for host in groups['all'] %} {% for host in groups['webserver'] %}
acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
use_backend backend_{{host}}_https_bigpipe if domain_uses_bigpipe ssl_domain_in_{{host}} use_backend backend_{{host}}_https_bigpipe if domain_uses_bigpipe ssl_domain_in_{{host}}
use_backend backend_{{host}}_https if ssl_domain_in_{{host}} use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
...@@ -223,16 +227,21 @@ frontend https_in_{{ cert.ip }} ...@@ -223,16 +227,21 @@ frontend https_in_{{ cert.ip }}
{% for external in cert.external|default([]) %} {% for external in cert.external|default([]) %}
backend backend_{{ external.key }} backend backend_{{ external.key }}
server server_{{ external.key }} {{ external.server }} {{ external.options }} server server_{{ external.key }} {{ external.server }} check {{ external.options }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% for host in groups['all'] %} {% if proxy_default_backend not in groups['webserver'] %}
backend backend_{{ proxy_default_backend }}
http-response deny
{% endif %}
{% for host in groups['webserver'] %}
backend backend_{{host}} backend backend_{{host}}
{% if host == inventory_hostname or host == 'localhost' %} {% if host == inventory_hostname or host == 'localhost' %}
http-response deny http-response deny
{% else %} {% else %}
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %} {% endif %}
backend backend_{{host}}_bigpipe backend backend_{{host}}_bigpipe
...@@ -240,7 +249,7 @@ backend backend_{{host}}_bigpipe ...@@ -240,7 +249,7 @@ backend backend_{{host}}_bigpipe
http-response deny http-response deny
{% else %} {% else %}
no option http-buffer-request no option http-buffer-request
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %} {% endif %}
backend backend_{{host}}_https backend backend_{{host}}_https
...@@ -248,7 +257,7 @@ backend backend_{{host}}_https ...@@ -248,7 +257,7 @@ backend backend_{{host}}_https
http-response deny http-response deny
{% else %} {% else %}
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %} {% endif %}
backend backend_{{host}}_https_bigpipe backend backend_{{host}}_https_bigpipe
...@@ -257,7 +266,7 @@ backend backend_{{host}}_https_bigpipe ...@@ -257,7 +266,7 @@ backend backend_{{host}}_https_bigpipe
{% else %} {% else %}
no option http-buffer-request no option http-buffer-request
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}} server server_{{host}} {{hostvars[host]['static_ipv4']}}:80 check maxconn {{hostvars[host]['proxy_maxconn']|default(proxy_maxconn)}}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if varnish_host|default(false) %} {% if varnish_host|default(false) %}
...@@ -295,7 +304,7 @@ backend backend_redirect ...@@ -295,7 +304,7 @@ backend backend_redirect
{% if kibana_users is defined %} {% if kibana_users is defined %}
backend backend_kibana backend backend_kibana
server kibana 127.0.0.1:5601 maxconn 32 server kibana 127.0.0.1:5601 check maxconn 32
acl kibana_auth http_auth(kibana) if kibana_present acl kibana_auth http_auth(kibana) if kibana_present
http-request auth realm Kibana if !kibana_auth http-request auth realm Kibana if !kibana_auth
{% endif %} {% endif %}
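Review bot: The new sink backend `backend backend_{{ proxy_default_backend }}` relies on `http-response deny`, but it has no `server` line, so there is never a response for that rule to act on. HAProxy answers with its own 503 for lack of a server, which means requests with an unmatched Host header are still refused, only not by the rule that documents the intent. `http-request deny` rejects at request time with a 403 and states the intent directly; the same applies to the existing `http-response deny` branches for `inventory_hostname`/`localhost` in the per-host backends. Separately, the added `check` keyword is a plain TCP connect check unless `option httpchk` is set somewhere outside the visible hunks, so netdata would see port 80 reachability rather than application health.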