{#-
  Load balancer role: ufw rules plus the HAProxy configuration consumed by the
  haproxy formula. Backend addresses are pulled from the Salt mine ('private_ip')
  of the reggie web minions that share this minion's env, event_name,
  event_year and tag_match.
-#}
{%- from 'init.yaml' import env, event_name, event_year, event_tag, private_ip, tag_match -%}
{#- Listener ports and the application mount path; defaults apply when the
    stack pillar does not set them. -#}
{%- set port = stack['reggie'].get('port', 443) -%}
{%- set nonssl_port = stack['reggie'].get('nonssl_port', 80) -%}
{%- set url_path = stack['reggie'].get('cherrypy_mount_path', '/reggie') -%}
{#- An unset/empty password means no stats listener is rendered at all. -#}
{%- set loadbalancer_password = stack['reggie'].get('loadbalancer', {}).get('password') -%}
{%- set onsite_redirect_host = stack['reggie'].get('onsite_redirect_host', '') -%}
{#- (minion_id, private_ip) pairs for every backend web node. -#}
{%- set backends = __salt__['saltutil.runner']('mine.get',
      tgt='G@roles:reggie and G@roles:web and G@env:' ~ env ~ ' and G@event_name:' ~ event_name ~ ' and G@event_year:' ~ event_year ~ ' and ' ~ tag_match,
      fun='private_ip',
      tgt_type='compound').items() %}
ufw:
  services:
    # Public listeners for the redirect (nonssl_port) and TLS (port) frontends.
    http:
      protocol: tcp
      comment: Public HTTP
    https:
      protocol: tcp
      comment: Public HTTPS
    # Opened unconditionally, but nothing in this state binds 9000 unless
    # loadbalancer_password is set (see haproxy_stats below).
    9000:
      protocol: tcp
      comment: Public HAProxy Stats
    # Blanket deny for the pillar blacklist. The key is quoted because a bare
    # '*' would be read as a YAML alias; the pillar lookup has no default, so a
    # missing 'ip_blacklist' key should surface at render time rather than as
    # an empty rule.
    '*':
      deny: true
      protocol: any
      from_addr: {{ pillar['ip_blacklist'] }}

haproxy:
  enabled: true
  overwrite: true
  lookup:
    # Suppress config diffs in state output whenever the stats password would
    # appear in them (i.e. whenever a password is configured).
    config_show_changes: {{ not loadbalancer_password }}
  global:
    tune.ssl.default-dh-param: 2048
  stats:
    enable: true
    # Admin-level unix socket. Keep the mode as the plain digits 660: a
    # 0-prefixed value would be re-typed as octal by YAML.
    socketpath: /var/run/haproxy/admin.sock
    mode: 660
    level: admin
    extra: user root group haproxy

  listens:
  {%- if loadbalancer_password %}
    # TLS-only stats page behind basic auth; only rendered when a password is
    # configured. The credential ends up in the generated haproxy config.
    haproxy_stats:
      mode: http
      bind: "0.0.0.0:9000 ssl crt {{ stack['ssl']['certs_dir'] }}/{{ minion_id }}.pem"
      stats:
        enable: true
        hide-version: true
        uri: '/haproxy_stats'
        realm: 'HAProxy\ Statistics'
        refresh: '20s'
        auth: 'admin:{{ loadbalancer_password }}'
  {%- endif %}
    # Plain-HTTP listener: ACME challenge paths (is_letsencrypt) fall through
    # to the local 'letsencrypt' server; everything else is redirected to the
    # TLS port. The redirect target is derived from the request's Host header
    # (hdr(host)), which is not validated here.
    reggie_http_to_https_redirect:
      mode: http
      bind: '0.0.0.0:{{ nonssl_port }}'
      acls:
        'is_letsencrypt path_beg -i /.well-known/acme-challenge/'
      httprequests: 'redirect location https://%[hdr(host),regsub(:{{ nonssl_port }},:{{ port }},i)]%[capture.req.uri] code 301 if !is_letsencrypt'
      servers:
        letsencrypt:
          host: 127.0.0.1
          port: 9999

  {% if onsite_redirect_host %}
    # Onsite mode: the TLS port redirects every request to onsite_redirect_host
    # instead of serving the application.
    reggie_onsite_redirect:
      mode: http
      bind: "0.0.0.0:{{ port }} ssl crt {{ stack['ssl']['certs_dir'] }}/{{ minion_id }}.pem"
      httprequests: 'redirect location https://{{ onsite_redirect_host }}%[capture.req.uri] code 301'
  {% else %}
  frontends:
    reggie_load_balancer:
      mode: http
      bind: "0.0.0.0:{{ port }} ssl crt {{ stack['ssl']['certs_dir'] }}/{{ minion_id }}.pem"
      redirects: 'scheme https code 301 if !{ ssl_fc }'
      acls:
        # Header-presence ACLs consumed by the httpresponses rewrites below.
      {%- for header in ['Location', 'Refresh'] %}
        - 'header_{{ header|lower }}_exists res.hdr({{ header }}) -m found'
      {%- endfor %}
        # Exact-path and prefix ACLs for the app mount, the profiler and stats.
      {%- for path in [url_path.strip('/'), 'profiler', 'stats'] %}
        - 'path_is_{{ path }} path -i /{{ path }}'
        - 'path_starts_with_{{ path }} path_beg -i /{{ path }}/'
      {%- endfor %}
        - 'path_starts_with_static path_beg -i {{ url_path }}/static/ {{ url_path }}/static_views/ /static/ /static_views/'
      options:
        - forwardfor
      httprequests:
        # Client address is passed to the backend; cookies are dropped for
        # static assets so they never reach the static backend.
        - 'set-header X-Real-IP %[src]'
        - 'del-header Cookie if path_starts_with_static'
        # Requests that already carry the mount path are bounced to the bare
        # path (again built from hdr(host)); the mount path is then re-added
        # for everything except the profiler and stats paths.
      {%- for path in [url_path.strip('/')] %}
        - 'redirect location https://%[hdr(host)]%[url,regsub(^/{{ path }}/?,/,i)] code 302 if path_is_{{ path }} OR path_starts_with_{{ path }}'
      {%- endfor %}
        - 'set-path {{ url_path }}%[path] if !path_is_profiler !path_starts_with_profiler !path_is_stats !path_starts_with_stats'
      httpresponses:
        # Rewrite backend-issued Location/Refresh values: strip url_path and
        # pin the public port. Single quotes keep the \1 \2 backrefs literal;
        # note url_path is interpolated into the regex unescaped.
      {%- for header in ['Location', 'Refresh'] %}
        - 'replace-value {{ header }} https://([^/]*)(?:{{ url_path }})?(.*) https://\1:{{ port }}\2 if header_{{ header|lower }}_exists'
      {%- endfor %}
      use_backends: 'reggie_http_backend if path_starts_with_static'
      default_backend: 'reggie_https_backend'

  backends:
    # Application traffic goes to the web nodes over TLS on 8443. 'verify none'
    # disables certificate validation of the backends, so this relies on the
    # backend network being trusted rather than on the backend's identity.
    reggie_https_backend:
      mode: http
      servers:
      {%- for server, addr in backends %}
        {{ server }}:
          host: {{ addr }}
          port: 8443
          extra: 'check ssl verify none'
      {%- endfor %}
    # Static assets are served over plain HTTP on 8080 from the same nodes.
    reggie_http_backend:
      mode: http
      servers:
      {%- for server, addr in backends %}
        {{ server }}:
          host: {{ addr }}
          port: 8080
          extra: 'check'
      {%- endfor %}
  {% endif %}