net-ops/lb-common/overlay/opt/frontend/config/kubetest/haproxy.j2

# Process-wide settings.
global
# Everything HAProxy emits, down to "debug" level, goes to stdout in raw format.
log stdout format raw local0 debug
# NOTE(review): "daemon" detaches the process; confirm that the stdout log
# target still reaches the container's log collector in this mode.
daemon
# Process-wide ceiling on concurrent connections.
maxconn 256
# Runtime API on a UNIX socket, read/write for owner and group (mode 660).
# No "level" is set, so HAProxy's default privilege level applies. Anyone who
# can open the socket can issue runtime commands at that level, so keep
# /haproxy_control limited to the consumers that need it.
stats socket /haproxy_control/stats mode 660
#server-state-file /tmp/server_state
# whole container is started as non-root
#user haproxy
#group haproxy
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# The ssl-default-* lines below only take effect on "bind ... ssl" and
# "server ... ssl" lines. No bind or server line visible in this template uses
# the ssl keyword (443 and 16443 are forwarded in TCP mode), so unless an
# overriding template adds one, the TLS versions and ciphers offered to clients
# are decided by the backend servers, not by this policy.
# Mozilla Guideline v5.7 intermediate configuration
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# end Mozilla config
# Size of the DH parameters used for DHE key exchange on TLS-terminating binds.
tune.ssl.default-dh-param 2048
# Add random jitter (in percent) to health-check intervals so that the checks
# do not all hit the servers at the same instant.
spread-checks 20
# Defaults inherited by every frontend/backend below unless a section overrides them.
defaults
log global
# HTTP is the default mode; the sections that declare "mode tcp" override it.
mode http
# httplog and forwardfor are HTTP-mode features. In the TCP-mode sections no
# X-Forwarded-For header is added, so the backends see the load balancer's
# address as the peer, not the client's.
option httplog
# Connections that never send any data are not logged. Bare connect-and-close
# probes therefore leave no entry in these logs.
option dontlognull
# Allow a connection to be sent to another server when the chosen one fails.
option redispatch
option forwardfor
# funny looking values because recommendation is to have these slightly
# above multiples of three seconds to play nice with TCP resend timers
timeout check 5s
timeout connect 4s
timeout client 17s
timeout server 17s
# Upper bound on receiving a complete HTTP request. It limits slow-request
# clients on HTTP-mode proxies only; TCP-mode sections rely on "timeout client".
timeout http-request 5s
# never fail on address resolution
default-server init-addr libc,none
balance roundrobin
# Loopback-only HTTP listener whose sole purpose is to reach the stats page
# served by backend "LB".
frontend LB-http
# expose stats info over HTTP to exabgp
# Bound to 127.0.0.1 only, so the stats page is not reachable from the network
# through this listener.
bind 127.0.0.1:9000
# Requests on this listener are not logged.
http-request set-log-level silent
default_backend LB
# Backend with no servers; it only answers the stats URI.
backend LB
# No "stats auth" is configured, so the page is unauthenticated. The only
# protection visible in this file is that the frontend routing here listens on
# loopback. Keep it that way, or add authentication before binding it elsewhere.
stats enable
# With hide-version commented out, the stats page shows the HAProxy version.
#stats hide-version
stats uri /haproxy_stats
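{% block frontend %}
# Public listeners for the site. Templates that extend this file may override
# this block.
#
# Plain HTTP on all IPv4/IPv6 addresses. Every request is handed to the
# letsencrypt backend; HAProxy itself serves nothing and does not redirect.
frontend http-frontend
bind 0.0.0.0:80
bind :::80
use_backend {{ site_name }}__letsencrypt
# TLS passthrough: the bind lines carry no "ssl" keyword, so the byte stream is
# forwarded as-is and the TLS handshake is completed by the backend servers.
# The ssl-default-* policy in the global section does not apply here.
frontend {{ site_name }}
log stdout format raw local0 debug
mode tcp
bind 0.0.0.0:443
bind :::443
# "stats enable" was removed from this section: the stats page needs HTTP
# mode, so it did nothing useful on a TCP listener, and it would have become a
# publicly reachable, unauthenticated page if this section were ever switched
# to HTTP mode. Stats stay available on the loopback-only LB-http listener.
use_backend {{ site_name }}__default
# TCP passthrough on 16443, open on all addresses.
# NOTE(review): 16443 is presumably the Kubernetes API port of the backend
# cluster -- confirm, and confirm that exposing it on every address is
# intended. HAProxy applies no source filtering or authentication here, so
# access control rests entirely on the backend service and any upstream firewall.
frontend {{ site_name }}__16443
mode tcp
bind 0.0.0.0:16443
bind :::16443
use_backend {{ site_name }}__16443
{% endblock frontend %}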
{% block backend %}
# Backend pools for the three listeners above. The server addresses are
# hard-coded in this template, not taken from a template variable.
#
# All "check" lines are plain TCP connect checks (no "option httpchk" and no
# "check-ssl"): a server counts as healthy as soon as the port accepts a
# connection, whatever the state of the TLS endpoint or application behind it.
# With "inter 1s rise 30 fall 3" a server is taken out after 3 failed checks
# and needs 30 consecutive successes before it is used again.
#
# TCP passthrough pool for port 16443.
backend {{ site_name }}__16443
mode tcp
balance leastconn
server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:16443 check inter 1s rise 30 fall 3
server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:16443 check inter 1s rise 30 fall 3
server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:16443 check inter 1s rise 30 fall 3
# TCP passthrough pool for port 443. No "send-proxy" is set, so the servers see
# the load balancer as the connection source; client addresses are only
# available from the HAProxy logs.
backend {{ site_name }}__default
mode tcp
balance leastconn
server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:443 check inter 1s rise 30 fall 3
server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:443 check inter 1s rise 30 fall 3
server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:443 check inter 1s rise 30 fall 3
# HTTP-mode pool that receives everything arriving on port 80.
backend {{ site_name }}__letsencrypt
mode http
balance leastconn
server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:80 check inter 1s rise 30 fall 3
server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:80 check inter 1s rise 30 fall 3
server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:80 check inter 1s rise 30 fall 3
{% endblock backend %}