diff --git a/global/overlay/etc/puppet/cosmos-modules/sunet b/global/overlay/etc/puppet/cosmos-modules/sunet
new file mode 120000
index 0000000..43373e6
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-modules/sunet
@@ -0,0 +1 @@
+/Users/mariahaider/Git Repositories/puppet-sunet
\ No newline at end of file
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 9a7c560..195991d 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -121,6 +121,12 @@ lb-tug-test-1.sunet.se:
 sunet::lb::load_balancer:
 interface: 'ens3'
 
+tug-lb-1.sunet.se:
+ sunet::dockerhost2:
+ sunet::lb::load_balancer:
+ interface: 'enp67s0f0np0'
+ sunet::fleetlock_client:
+
 nifrontend-sto1-prod-1.sunet.se:
 autoupdate:
 sunet::dockerhost2:
diff --git a/lb-common/overlay/etc/hiera/data/group.yaml b/lb-common/overlay/etc/hiera/data/group.yaml
new file mode 100644
index 0000000..c191e0b
--- /dev/null
+++ b/lb-common/overlay/etc/hiera/data/group.yaml
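Review bot: The new file global/overlay/etc/puppet/cosmos-modules/sunet is a symlink (mode 120000) whose target is an absolute path under a developer's home directory, `/Users/mariahaider/Git Repositories/puppet-sunet`, so on any deployed host the link will dangle and the sunet module will not resolve from cosmos-modules. It also records a workstation path in the repository history. If the module is meant to be pulled into the overlay, a relative target inside the repository or the project's usual module fetch mechanism should replace this; otherwise the file should be dropped from the commit and the path added to the ignore list.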
@@ -0,0 +1,691 @@ +--- +sunet_frontend: + + load_balancer: + haproxy_imagetag: '20230228-stable' + api_imagetag: 'stable' + exabgp_imagetag: 'stable' + + peers: + se-tug-rs-2.sunet.se: + as: '65434' + remote_ip: '192.36.171.71' + se-tug-rs-2.sunet.se_v6: + as: '65434' + remote_ip: '2001:6b0:8:7::71' + se-sthb-rs-1.sunet.se: + as: '65434' + remote_ip: '192.36.171.130' + se-sthb-rs-1.sunet.se_v6: + as: '65434' + remote_ip: '2001:6b0:8:1::130' + + websites: + 'edusealapit': + site_name: 'test-api.eduseal.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.18', '2001:6b0:60:c0::18'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.19', '2001:6b0:60:c0::19'] + backends: + default: + 'car-test-1.eduseal.sunet.se': + ips: ['89.45.237.159'] + server_args: 'ssl check verify none' + allow_ports: + - 80 + - 443 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'edusealapi': + site_name: 'api.eduseal.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.104', '2001:6b0:60:c0::104'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.105', '2001:6b0:60:c0::105'] + backends: + default: + 'car-prod-1.eduseal.sunet.se': + ips: ['89.45.236.85'] + server_args: 'ssl check verify none' + 'car-prod-2.eduseal.sunet.se': + ips: ['89.45.237.154'] + server_args: 'ssl check verify none' + allow_ports: + - 80 + - 443 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'geteduroam': + site_name: 'geteduroam.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.108', '2001:6b0:60:c0::108'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.109', '2001:6b0:60:c0::109'] + backends: + default: + 'internal-sto1-prod-app-1.geteduroam.sunet.se': + ips: ['89.47.184.239', '2001:6b0:5a:4020::41d'] + server_args: 'ssl check verify none' + 'internal-dco-prod-app-2.geteduroam.sunet.se': + ips: ['89.47.191.96', '2001:6b0:7d:40::19c'] + server_args: 'ssl check 
verify none' + 'internal-sto3-prod-app-3.geteduroam.sunet.se': + ips: ['89.45.236.66', '2001:6b0:40::3f'] + server_args: 'ssl check verify none' + allow_ports: + - 80 + - 443 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'scdemwqa': + site_name: 'qa.demw.eidas.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.42', '2001:6b0:60:c0::42'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.43', '2001:6b0:60:c0::43'] + backends: + default: + 'demw-1.qa.sveidas.se': + ips: ['89.47.184.66'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'artisanidp': + site_name: 'artisan-idp-proxy.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.3', '2001:6b0:60:c0::3'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.4', '2001:6b0:60:c0::4'] + backends: + default: + 'artisan-saas-idp-proxy-1.sunet.se': + ips: ['89.47.185.109'] + server_args: 'ssl check verify none' + 'artisan-saas-idp-proxy-3.sunet.se': + ips: ['89.46.21.236'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'outscan': + site_name: 'outscan-idp-proxy.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.68', '2001:6b0:60:c0::68'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.69', '2001:6b0:60:c0::69'] + backends: + default: + 'outscan-idp-proxy-1.sunet.se': + ips: ['89.45.236.70'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'forum': + site_name: 'forum.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.15', 
'2001:6b0:60:c0::15'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.16', '2001:6b0:60:c0::16'] + backends: + default: + 'forum-1.sunet.se': + ips: ['89.45.236.168'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'humhubidp': + site_name: 'humhub-idp-proxy.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.13', '2001:6b0:60:c0::13'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.14', '2001:6b0:60:c0::14'] + backends: + default: + 'humhub-idp-proxy-1.sunet.se': + ips: ['89.45.236.42'] + server_args: 'ssl check verify none' + 'humhub-idp-proxy-2.sunet.se': + ips: ['89.47.185.213'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sunetidp': + site_name: 'idp.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.20', '2001:6b0:60:c0::20'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.21', '2001:6b0:60:c0::21'] + backends: + default: + 'idp-2.sunet.se': + ips: ['192.36.171.241'] + server_args: 'ssl check verify none cookie idp2' + 'idp-3.sunet.se': + ips: ['89.45.237.76'] + server_args: 'ssl check verify none cookie idp3' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'zoomidp': + site_name: 'zoom-saas-idp-proxy.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.26', '2001:6b0:60:c0::26'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.27', '2001:6b0:60:c0::27'] + backends: + default: + 'zoom-saas-idp-proxy-3.sunet.se': + ips: ['192.36.171.243'] + server_args: 'ssl check verify none' + 'zoomproxy-sto1-prod-1.sunet.se': + ips: ['89.47.184.173'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + 
haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'driveidp': + site_name: 'drive-idp-proxy.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.9', '2001:6b0:60:c0::9'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.10', '2001:6b0:60:c0::10'] + backends: + default: + 'drive-idp-proxy-1.sunet.se': + ips: ['89.45.237.92'] + server_args: 'ssl check verify none' + 'drive-idp-proxy-2.sunet.se': + ips: ['89.46.20.165'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'kubetest': + site_name: 'kubetest.streams.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.38', '2001:6b0:60:c0::38'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.39', '2001:6b0:60:c0::39'] + backends: + default: + 'internal-dco-test-k8sc-1.streams.sunet.se': + ips: ['89.47.191.134'] + haproxy_config: ' server SERVER_v4 REMOTE_IP:PORT' + server_args: 'check inter 1s rise 30 fall 3' + 'internal-dco-test-k8sc-2.streams.sunet.se': + ips: ['89.47.191.169'] + haproxy_config: ' server SERVER_v4 REMOTE_IP:PORT' + server_args: 'check inter 1s rise 30 fall 3' + 'internal-dco-test-k8sc-3.streams.sunet.se': + ips: ['89.47.190.18'] + haproxy_config: ' server SERVER_v4 REMOTE_IP:PORT' + server_args: 'check inter 1s rise 30 fall 3' + allow_ports: + - 16443 + - 443 + - 80 + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sveidas1': + site_name: 'qa.proxy.eidas.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.30', '2001:6b0:60:c0::30'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.31', '2001:6b0:60:c0::31'] + backends: + default: + 'eidas-proxy-1.qa.sveidas.se': + ips: ['89.47.184.111'] + haproxy_config: ' server SERVER_v4 REMOTE_IP:PORT' + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 
'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sveidas2': + site_name: 'qa.connector.eidas.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.32', '2001:6b0:60:c0::32'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.33', '2001:6b0:60:c0::33'] + backends: + default: + 'eidas-node-1.qa.sveidas.se': + ips: ['89.47.185.69'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sweconn1': + site_name: 'qa.md.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.34', '2001:6b0:60:c0::34'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.35', '2001:6b0:60:c0::35'] + backends: + default: + 'p1.komreg.net': + ips: ['89.47.185.233'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sweconn2': + site_name: 'qa.md.eidas.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.36', '2001:6b0:60:c0::36'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.37', '2001:6b0:60:c0::37'] + backends: + default: + 'p2.qa.komreg.net': + ips: ['89.47.184.153'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'scapi': + site_name: 'api.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.11', '2001:6b0:60:c0::11'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.12', '2001:6b0:60:c0::12'] + backends: + default: + 'eidastest-1.qa.sveidas.se': + ips: ['89.47.185.83'] + server_args: 'ssl check verify none' + 
allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sctestqa': + site_name: 'qa.test.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.40', '2001:6b0:60:c0::40'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.41', '2001:6b0:60:c0::41'] + backends: + default: + 'test-1.qa.sveidas.se': + ips: ['89.47.184.60'] + server_args: 'ssl check verify none' + refidp: + 'refidp-1.qa.sveidas.se': + ips: ['89.47.184.213'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'idmqa': + site_name: 'qa.idm.eidas.swedenconnect.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.96', '2001:6b0:60:c0::96'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.97', '2001:6b0:60:c0::97'] + backends: + default: + 'idm-sto1-qa-app-1.komreg.net': + ips: ['89.47.184.15'] + server_args: 'ssl check verify none' + 'idm-sto3-qa-app-2.komreg.net': + ips: ['89.45.236.223'] + server_args: 'ssl check verify none' + 'idm-sto1-qa-app-3.komreg.net': + ips: ['89.47.184.233'] + server_args: 'ssl check verify none' + allow_ports: + - 80 + - 443 + letsencrypt_server: 'acme-c.sunet.se' + eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sunetse': + site_name: 'sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.50', '2001:6b0:60:c0::50'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.51', '2001:6b0:60:c0::51'] + backends: + default: + 'web-b1.sunet.se': + ips: ['89.47.185.81'] + server_args: 'ssl check verify none' + 'web-b2.sunet.se': + ips: ['89.47.185.150'] + server_args: 'ssl check verify none' + 'web-b3.sunet.se': + ips: ['192.36.171.85'] + server_args: 'ssl 
check verify none' + 'web-sb1.sunet.se': + ips: ['192.36.171.160'] + server_args: 'ssl check verify none backup' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'ers': + site_name: 'ers.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.92', '2001:6b0:60:c0::92'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.93', '2001:6b0:60:c0::93'] + backends: + default: + 'projecttool-prod-1.sunet.se': + ips: ['89.47.184.234'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'fidusmd': + site_name: 'md.fidus.skolverket.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.46', '2001:6b0:60:c0::46'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.47', '2001:6b0:60:c0::47'] + backends: + default: + 'pub-1.fidus.sunet.se': + ips: ['130.242.132.147'] + server_args: 'ssl check verify none' + 'pub-2.fidus.sunet.se': + ips: ['130.242.132.19'] + server_args: 'ssl check verify none' + test: + 'p-test-1.fidus.sunet.se': + ips: ['89.45.236.10'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'fidusds': + haproxy_volumes: + - "/opt/frontend/config/common/robots.txt:/opt/frontend/config/common/robots.txt:ro" + site_name: 'ds.fidus.skolverket.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.48', '2001:6b0:60:c0::48'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.49', '2001:6b0:60:c0::49'] + backends: + default: + 'dsi-3.fidus.sunet.se': + ips: ['130.242.132.149'] + server_args: 'ssl check verify none' + 'dsi-4.fidus.sunet.se': + ips: ['130.242.132.21'] + server_args: 'ssl check verify none' + test: + 'dsi-test-2.fidus.sunet.se': + ips: ['89.45.236.191'] + server_args: 'ssl check verify none' + 
allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'signgnt': + site_name: 'edusign.geant.org' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.78', '2001:6b0:60:c0::78'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.79', '2001:6b0:60:c0::79'] + backends: + default: + 'signapp-geant-sthb-1.edusign.sunet.se': + ips: ['130.242.113.24'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'sigsvcgnt': + site_name: 'signservice-geant.edusign.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.90', '2001:6b0:60:c0::90'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.91', '2001:6b0:60:c0::91'] + backends: + default: + 'signservice-sthb-1.edusign.sunet.se': + ips: ['130.242.113.22'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'apignt': + site_name: 'apignt.edusign.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.44', '2001:6b0:60:c0::44'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.45', '2001:6b0:60:c0::45'] + backends: + default: + 'signapi-sthb-1.edusign.sunet.se': + ips: ['130.242.113.23'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'edusign': + site_name: 'edusign.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.56', '2001:6b0:60:c0::56'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.57', '2001:6b0:60:c0::57'] + backends: + default: + 'signapp-tug-1.edusign.sunet.se': + ips: ['130.242.113.4'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + 
haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'edusignapi': + site_name: 'api.edusign.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.24', '2001:6b0:60:c0::24'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.25', '2001:6b0:60:c0::25'] + backends: + default: + 'signapp-sthb-1.edusign.sunet.se': + ips: ['130.242.113.21'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + +## cannot be migrated due to "ssl handshake failure". Probably too old version of signservice. +# 'signservice': +# site_name: 'signservice.edusign.sunet.se' +# frontends: +# 'tug-lb-1.sunet.se': +# ips: ['37.156.192.58', '2001:6b0:60:c0::58'] +# 'sthb-lb-1.sunet.se': +# ips: ['37.156.192.59', '2001:6b0:60:c0::59'] +# backends: +# default: +# 'signservice-tug-1.edusign.sunet.se': +# ips: ['130.242.113.5'] +# server_args: 'ssl check verify none' +# allow_ports: +# - 443 +# - 80 +# letsencrypt_server: 'acme-c.sunet.se' +# haproxy_imagetag: '20230228-stable' +# frontendtools_imagetag: '20230228' + + 'validator': + site_name: 'validator.edusign.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.7', '2001:6b0:60:c0::7'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.8', '2001:6b0:60:c0::8'] + backends: + default: + 'validator-sthb-1.edusign.sunet.se': + ips: ['130.242.113.20'] + server_args: 'ssl check verify none' + allow_ports: + - 443 + - 80 + letsencrypt_server: 'acme-c.sunet.se' + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' + + 'rutprod': + site_name: 'kubeprod.rut.sunet.se' + frontends: + 'tug-lb-1.sunet.se': + ips: ['37.156.192.94', '2001:6b0:60:c0::94'] + 'sthb-lb-1.sunet.se': + ips: ['37.156.192.95', '2001:6b0:60:c0::95'] + backends: + default: + 'internal-sto4-prod-k8sc-0.rut.sunet.se': + ips: ['2001:6b0:6c::1dd', '89.46.21.223'] + 'internal-sto4-prod-k8sc-1.rut.sunet.se': + 
ips: ['2001:6b0:6c::27f', '89.46.21.87'] + 'internal-sto4-prod-k8sc-2.rut.sunet.se': + ips: ['2001:6b0:6c::3b7', '89.46.20.39'] + allow_ports: + - 80 + - 443 + haproxy_imagetag: '20230228-stable' + frontendtools_imagetag: '20230228' diff --git a/lb-common/overlay/etc/sunet-machine-healthy/health-checks.d/lb_healthcheck.py.check b/lb-common/overlay/etc/sunet-machine-healthy/health-checks.d/lb_healthcheck.py.check new file mode 100755 index 0000000..4c95aab --- /dev/null +++ b/lb-common/overlay/etc/sunet-machine-healthy/health-checks.d/lb_healthcheck.py.check 
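Review bot: `eidas_proxy_auth` is a shared secret committed in plaintext to hiera data, repeated verbatim under scdemwqa, sveidas1, sveidas2, sweconn1, sweconn2, scapi, sctestqa and idmqa, and the same value is rendered into the haproxy config as a request header by the eidas template in this commit. It should be moved to the project's encrypted hiera or secret store and rotated, since it is now in repository history. Separately, every backend is declared with `server_args: 'ssl check verify none'`, so the load balancer re-encrypts to backends without validating their certificates; if the backend certificates are internally issued, `verify required` with a `ca-file` pointing at that CA would close the gap, and if not, a comment stating that the LB–backend hop is intentionally unverified would at least document the risk. The port order in `allow_ports` also alternates between `80, 443` and `443, 80` between sites; one order would make the file easier to diff.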
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+
+import yaml
+import subprocess
+import time
+import sys
+
+groupyaml = '/etc/hiera/data/group.yaml'
+
+def get_frontends(data):
+ try:
+ return list(data['sunet_frontend']['load_balancer']['websites'].keys())
+ except KeyError:
+ return []
+
+def check_docker_instance_status(instance):
+ cmd = f"docker inspect -f {r'{{.State.Status}}'} {instance}"
+ result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+ return result.stdout.strip() == 'running'
+
+def is_exabgp_running():
+ cmd = ["systemctl", "is-active", "exabgp.service"]
+ result = subprocess.run(cmd, capture_output=True, text=True)
+ return result.stdout.strip() == 'active'
+
+def check_docker_instances(instances, max_retries=3, initial_wait=10):
+ for instance in instances:
+ retries = 0
+ while retries < max_retries:
+ if check_docker_instance_status(instance):
+ print(f"Instance: {instance} is running!")
+ break
+ else:
+ print(f"Instance: {instance} is not running! Will try again in {initial_wait * (2**retries)} seconds.")
+ time.sleep(initial_wait * (2**retries))
+ retries += 1
+ if retries == max_retries:
+ print(f"Max retries reached for instance: {instance}, exiting!")
+ sys.exit(1)
+
+def check_exabgp_running(max_retries=3, initial_wait=10):
+ retries = 0
+ while retries < max_retries:
+ if is_exabgp_running():
+ print("ExaBGP service is running!")
+ break
+ else:
+ print(f"Exabgp is not running! Will try again in {initial_wait * (2**retries)} seconds.")
+ time.sleep(initial_wait * (2**retries))
+ retries += 1
+ if retries == max_retries:
+ print(f"Max retries reached for checking if exabgp is running, exiting!")
+ sys.exit(1)
+
+with open(groupyaml, 'r') as f:
+ data = yaml.safe_load(f)
+
+frontends = get_frontends(data)
+instances = []
+
+for frontend in frontends:
+ instances.append(frontend + '-haproxy-1')
+ instances.append(frontend + '-monitor-1')
+ instances.append(frontend + '-config-1')
+
+instances.append('frontend-api-1')
+instances.append('frontend-telegraf-1')
+
+check_exabgp_running()
+check_docker_instances(instances)
+sys.exit(0)
diff --git a/lb-common/overlay/opt/frontend/config/apignt/haproxy.j2 b/lb-common/overlay/opt/frontend/config/apignt/haproxy.j2
new file mode 100644
index 0000000..c8369d1
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/apignt/haproxy.j2
@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+ {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+ timeout http-request 10s
+ timeout http-keep-alive 4s
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+
+ {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+ {{ acme_challenge(letsencrypt_server) }}
+
+ use_backend {{ site_name }}__default
+{% endblock frontend %}
diff --git a/lb-common/overlay/opt/frontend/config/artisanidp/haproxy.j2 b/lb-common/overlay/opt/frontend/config/artisanidp/haproxy.j2
new file mode 100644
index 0000000..b3afbc4
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/artisanidp/haproxy.j2
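Review bot: check_docker_instance_status builds its command as an f-string and runs it with `shell=True`, while is_exabgp_running a few lines below already uses the safer argv form; the instance names come from website keys in group.yaml, so a key containing shell metacharacters would be interpreted by the shell rather than passed to docker. Replace the two lines with `result = subprocess.run(["docker", "inspect", "-f", "{{.State.Status}}", instance], capture_output=True, text=True)`. get_frontends only catches KeyError, so an empty group.yaml (safe_load returns None) raises TypeError instead of returning `[]`; `except (KeyError, TypeError):` covers it. The `f` prefix on `print(f"Max retries reached for checking if exabgp is running, exiting!")` has no placeholders and can be dropped.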
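Review bot: The `{% from ... %}` line imports `csp` but this template never calls it, and the same unused import appears in the artisanidp and bankidp templates in this commit. For an API endpoint a restrictive policy such as `{{ csp(["default-src 'none'", "frame-ancestors 'none'"]) }}` after the web_security_options line would be the usual choice, if the csp macro accepts that list form as the eidas template uses it; otherwise drop `csp` from the import. This frontend also omits `no_frames` from `web_security_options` where the artisanidp and bankidp templates include it — if that is deliberate for an API, a one-line comment saying so would stop it being "fixed" later.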
@@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+ {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+ timeout http-request 10s
+ timeout http-keep-alive 4s
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+
+ {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+ {{ acme_challenge(letsencrypt_server) }}
+
+ use_backend {{ site_name }}__default
+{% endblock frontend %}
diff --git a/lb-common/overlay/opt/frontend/config/bankidp/haproxy.j2 b/lb-common/overlay/opt/frontend/config/bankidp/haproxy.j2
new file mode 100644
index 0000000..1d47059
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/bankidp/haproxy.j2
@@ -0,0 +1,28 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+ bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+ {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+ timeout http-request 10s
+ timeout http-keep-alive 4s
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+ http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+ {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+ {{ acme_challenge(letsencrypt_server) }}
+
+ use_backend {{ site_name }}__default
+{% endblock frontend %}
diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_22_tcp_mode.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_22_tcp_mode.j2
new file mode 100644
index 0000000..7b82304
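Review bot: The `bind_ip_tls_extra` call passes `verify optional crt-ignore-err all` with the system CA bundle, so the frontend accepts any client certificate — expired, untrusted or otherwise failing verification — and then forwards its DER via `http-request set-header client-cert`; nothing on the HAProxy side asserts the certificate is valid. That is workable only if the backend does full validation of the forwarded certificate itself, and the hunk does not say so; a comment above the bind line such as `# Client cert is accepted unverified here; the backend MUST validate the client-cert header (chain, validity, revocation)` would record the contract. Using set-header rather than add-header is the right choice since it overwrites any client-supplied `client-cert` header, but when no certificate is presented the header is likely still sent with an empty value, which the backend must also treat as "no certificate".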
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/common/haproxy_22_tcp_mode.j2
@@ -0,0 +1,122 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+ log stdout format raw local0 debug
+
+ daemon
+ maxconn 256
+ stats socket /haproxy_control/stats mode 660
+ #server-state-file /tmp/server_state
+ hard-stop-after 10s
+
+ # whole container is started as non-root
+ #user haproxy
+ #group haproxy
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Mozilla Guideline v5.7 intermediate configuration
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+ # end Mozilla config
+
+ tune.ssl.default-dh-param 2048
+
+ max-spread-checks 10s
+ spread-checks 5
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ option redispatch
+ option forwardfor
+ # funny looking values because recommendation is to have these slightly
+ # above mulitples of three seconds to play nice with TCP resend timers
+ timeout check 5s
+ timeout connect 4s
+ timeout client 17s
+ timeout server 17s
+ timeout http-request 5s
+ balance roundrobin
+
+ # never fail on address resolution
+ default-server init-addr libc,none
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+ # expose stats info over HTTP to exabgp
+ bind 127.0.0.1:9000
+ http-request set-log-level silent
+ default_backend LB
+
+backend LB
+ stats enable
+ #stats hide-version
+ stats uri /haproxy_stats
+{% endblock stats %}
+
+#
+# Frontend section
+#
+{% block frontend_80 %}
+{% endblock frontend_80 %}
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{% if backends is defined %}
+{%- for this in backends %}
+backend {{ this.name }}
+mode tcp
+ {{ config|join('\n ') }}
+ {%- for server in this.servers %}
+ {%- if server.server_args is defined %}
+ {%- set server_args = server.server_args %}
+ {%- endif %}
+ {% if server is defined %}
+ server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:{{ server.port }} {{ server_args }}
+ {%- endif %}
+ {%- endfor %}
+{%- endfor %}
+
+{%- for this in backends %}
+backend {{ this.name | replace("__default","__port80") }}
+mode tcp
+ {{ config|join('\n ') }}
+ {%- for server in this.servers %}
+ {%- if server.server_args is defined %}
+ {%- set server_args = server.server_args %}
+ {%- endif %}
+ {% if server is defined %}
+ server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:80 {{ server_args }}
+ {%- endif %}
+ {%- endfor %}
+{%- endfor %}
+{% else %}
+# No backends found in context
+{% endif %}
+
+{% endblock backend %}
diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_base.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_base.j2
new file mode 100644
index 0000000..2a763aa
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/common/haproxy_base.j2
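Review bot: In the backend block, `{% if server is defined %}` is always true because `server` is the loop variable, and `server_args` is only assigned when `server.server_args is defined`, so a server without server_args renders either an empty string or, depending on how Jinja scopes the `set` across iterations, the preceding server's arguments; `{{ server.server_args | default('') }}` on the server line removes both the dead guard and the ambiguity, in the default loop and the __port80 loop alike. The `output_backends` macro is imported at the top but never used, since this template renders its backends inline. The second loop emits a `__port80` backend pointing at `{{ server.ip }}:80` with the same server_args as the TLS backend; if a site's args include `ssl`, the port-80 server would be probed with TLS, so a comment stating which sites this template serves and what is expected on port 80 would help.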
@@ -0,0 +1,116 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+ log stdout format raw local0 debug
+
+ daemon
+ maxconn 256
+ stats socket /haproxy_control/stats mode 660
+ #server-state-file /tmp/server_state
+
+ # whole container is started as non-root
+ #user haproxy
+ #group haproxy
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Mozilla Guideline v5.7 intermediate configuration
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+ # end Mozilla config
+
+ tune.ssl.default-dh-param 2048
+
+ spread-checks 20
+
+
+
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ option redispatch
+ option forwardfor
+ # funny looking values because recommendation is to have these slightly
+ # above mulitples of three seconds to play nice with TCP resend timers
+ timeout check 5s
+ timeout connect 4s
+ timeout client 17s
+ timeout server 17s
+ timeout http-request 5s
+
+ # never fail on address resolution
+ default-server init-addr libc,none
+ balance roundrobin
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+ # expose stats info over HTTP to exabgp
+ bind 127.0.0.1:9000
+ http-request set-log-level silent
+ default_backend LB
+
+backend LB
+ stats enable
+ #stats hide-version
+ stats uri /haproxy_stats
+{% endblock stats %}
+
+
+{% block global_backends %}
+{% if letsencrypt_server is defined %}
+backend letsencrypt_{{ letsencrypt_server }}
+ server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
+{% else %}
+# letsencrypt_backend not defined
+{% endif %}
+{% endblock global_backends %}
+
+
+{% block https_everything %}
+#
+# Redirect _everything_ to HTTPS
+frontend http-frontend
+ bind 0.0.0.0:80
+ bind :::80
+
+ redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ }
+{% if letsencrypt_server is defined %}
+ use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{% else %}
+ # letsencrypt_backend not defined
+{% endif %}
+{% endblock https_everything %}
+
+#
+# Frontend section
+#
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{{ output_backends(backends, config=[]) }}
+{% endblock backend %}
diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_eidas.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_eidas.j2
new file mode 100644
index 0000000..41462c6
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/common/haproxy_eidas.j2
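Review bot: `option forwardfor` in the defaults block appends to any X-Forwarded-For header the client already sent, so a backend that reads the first address in the list can be fed a spoofed source address; either strip the inbound header in the frontends before it is appended (`http-request del-header X-Forwarded-For`) or add a comment in defaults stating that backends must use the last address in the list. In the https_everything block the redirect condition is written `!{ ssl_fc } ! { path_beg ... }` with a space after the second `!`; HAProxy appears to accept both spellings, but the two conditions should be written the same way so a reader does not wonder whether the second negation applies. The comment typo `mulitples` in defaults is duplicated from the tcp_mode template above.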
@@ -0,0 +1,31 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + http-request set-header X-Proxy-Authenticate "{{ eidas_proxy_auth }}" + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + {{ csp(["default-src " + ["'self'"]|join(' '), + "font-src " + ["'self'", "fonts.googleapis.com", "fonts.gstatic.com"]|join(' '), + "script-src " + ["'self'", "'unsafe-inline'", "swedenconnect.status.io", "api.status.io", "www.google-analytics.com", "ajax.googleapis.com"]|join(' '), + "connect-src " + ["'self'","api.status.io"]|join(' '), + "img-src " + ["*", "data:", "'self'"]|join(' '), + "style-src " + ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]|join(' '), + ]) }} + + {{ acme_challenge(letsencrypt_server) }} + + {% block usebackend %} + use_backend {{ site_name }}__default + {% endblock usebackend %} +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_fidus.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_fidus.j2 new file mode 100644 index 0000000..259a9cf --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/common/haproxy_fidus.j2 
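Review bot: The policy built in the `csp(...)` call allows `'unsafe-inline'` in `script-src` (alongside `img-src *`), which leaves the CSP unable to stop injected inline scripts — the main thing it is there for on an eIDAS proxy front end; if the application cannot move to nonces or hashes, a comment stating which UI component requires it would keep the next reader from assuming the policy is tighter than it is. Separately, `http-request set-header X-Proxy-Authenticate "{{ eidas_proxy_auth }}"` interpolates the hiera value unescaped into a double-quoted HAProxy string, so a value containing `"` or `\` breaks config parsing at reload time; validating or escaping the value in the template would make that contract explicit. Using `set-header` rather than `add-header` is right, since it overwrites any client-supplied copy of the header.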
@@ -0,0 +1,32 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['hsts', 'no_sniff', 'no_cache']) }} + + {{ csp(["default-src " + ["'self'"]|join(' '), + "frame-src " + ["ds.fidus.skolverket.se"]|join(' '), + "font-src " + ["'self'", "fonts.googleapis.com", "ds.fidus.skolverket.se", "bootstrapcdn.com", "fonts.gstatic.com"]|join(' '), + "script-src " + ["'self'", "'unsafe-inline'", "'unsafe-eval'", "fidus.status.io", "ds.fidus.skolverket.se", "stackpath.bootstrapcdn.com", "api.status.io", "www.google-analytics.com", "ajax.googleapis.com"]|join(' '), + "connect-src " + ["'self'","api.status.io"]|join(' '), + "img-src " + ["*", "data:", "'self'"]|join(' '), + "style-src " + ["'self'", "'unsafe-inline'", "ds.fidus.skolverket.se", "stackpath.bootstrapcdn.com", "fonts.googleapis.com"]|join(' '), + "object-src " + ["'none'"]|join(' '), + ]) }} + + {{ acme_challenge(letsencrypt_server) }} + + {% block usebackend %} + use_backend {{ site_name }}__default + {% endblock usebackend %} +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_fidus_ds.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_fidus_ds.j2 new file mode 100644 index 0000000..59613a0 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/common/haproxy_fidus_ds.j2 
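Review bot: The `web_security_options` list omits `'no_frames'` and the CSP sets no `frame-ancestors`, so this site can be framed by any origin (clickjacking); `frame-src ds.fidus.skolverket.se` only governs what this page may embed, not who may embed it, so it is not a reason to drop X-Frame-Options. If the site must be embeddable by a specific origin, the precise fix is adding `"frame-ancestors " + ["'self'"]|join(' '),` (plus that origin) to the CSP list; otherwise put `'no_frames'` back. The same gap is in haproxy_fidus_ds.j2 in this commit. `script-src` also carries both `'unsafe-inline'` and `'unsafe-eval'`, which deserves a comment naming the dependency that needs them.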
@@ -0,0 +1,35 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + + http-request return status 200 content-type "text/plain" file "/opt/frontend/config/common/robots.txt" hdr "cache-control" "no-cache" if { path /robots.txt } + + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['hsts', 'no_sniff', 'no_cache']) }} + + {{ csp(["default-src " + ["'self'"]|join(' '), + "frame-src " + ["ds.fidus.skolverket.se"]|join(' '), + "font-src " + ["data:", "'self'", "ds.fidus.skolverket.se"]|join(' '), + "script-src " + ["'self'", "'unsafe-inline'", "'unsafe-eval'", "ds.fidus.skolverket.se"]|join(' '), + "connect-src " + ["'self'"]|join(' '), + "img-src " + ["*", "data:", "'self'"]|join(' '), + "style-src " + ["'self'", "'unsafe-inline'", "ds.fidus.skolverket.se"]|join(' '), + "object-src " + ["'none'"]|join(' '), + ]) }} + + {{ acme_challenge(letsencrypt_server) }} + + {% block usebackend %} + use_backend {{ site_name }}__default + {% endblock usebackend %} +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_idp.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_idp.j2 new file mode 100644 index 0000000..633a67e --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/common/haproxy_idp.j2 
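Review bot: The `http-request return status 200 ... if { path /robots.txt }` reply is generated by HAProxy itself, and as far as I recall `http-response` rules — which is what `web_security_options` and `csp` emit — are not applied to internally generated responses (that is what `http-after-response` rules exist for), so /robots.txt would leave without HSTS and the other headers. That is harmless for the robots content, but if the intent is that every response from this frontend carries HSTS, this case needs `http-after-response set-header` rather than the macro output. A one-line comment either way, e.g. `# generated locally: the http-response headers below are not applied to this reply`, would record the decision.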
@@ -0,0 +1,24 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + {{ csp(["default-src " + [csp_app_src]|join(' '), + "script-src " + [csp_script_src]|join(' '), + ]) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_macros.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_macros.j2 new file mode 100644 index 0000000..dec367c --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/common/haproxy_macros.j2 
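Review bot: `csp_app_src` and `csp_script_src` are interpolated into the Content-Security-Policy header with no check that they are set; with Jinja's default `Undefined` an unset hiera value renders as an empty string, giving `default-src ; script-src `, and an empty source list in CSP matches nothing, so the IdP would be blocked from loading its own resources instead of the render failing loudly. Wrapping the `csp(...)` call in `{% if csp_app_src is defined and csp_script_src is defined %}` … `{% endif %}` (or rendering with `StrictUndefined`) turns that into a visible error. Stylistically, `[csp_app_src]|join(' ')` wraps a single string in a list only to join it again; `"default-src " + csp_app_src` says the same thing.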
@@ -0,0 +1,77 @@ +# +# Macros +# + +{%- macro bind_ip_tls(bind_ips, port, tls_cert) -%} +{%- for ip in bind_ips %} + bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} +{%- endfor %} +{%- endmacro %} + + +{%- macro web_security_options(list) -%} +{%- for this in list %} +{%- if this == 'no_frames' %} + # Do not allow rendering the site within an frame, which prevents clickjacking. + http-response set-header X-Frame-Options "DENY" + +{% endif %} +{%- if this == 'block_xss' %} + # Enable browser supplied XSS-protection, even if has been turned off. + # If XSS is detected by the browser, block it instead of trying to sanitize it. + http-response set-header X-XSS-Protection "1; mode=block" + +{% endif %} +{%- if this == 'hsts' %} + # 20 years in seconds is 630720000 (86400 * 365 * 20) + http-response set-header Strict-Transport-Security "max-age=630720000" + +{% endif %} +{%- if this == 'no_sniff' %} + # Prevent MIME-confusion attacks that can lead to e.g. XSS + http-response set-header X-Content-Type-Options "nosniff" + +{% endif %} +{%- if this == 'no_cache' %} + # The information is intended for a single user and must not + # be cached by a shared cache and should always be revalidated. 
+ http-response set-header Cache-Control "no-cache, no-store, must-revalidate" + http-response set-header Pragma "no-cache" + http-response set-header Expires "0" + +{% endif %} +{%- endfor %} +{%- endmacro %} + + +{%- macro acme_challenge(letsencrypt_server) -%} +{%- if letsencrypt_server is defined %} + use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ } +{%- else %} + # No letsencrypt_server specified +{%- endif %} +{%- endmacro %} + +{%- macro csp(data) -%} + # Content Security Policy + http-response set-header Content-Security-Policy "{{ data|join('; ') }}" +{%- endmacro %} + +{%- macro output_backends(backends, config=[], server_args='') -%} +{% if backends is defined %} +{%- for this in backends %} +backend {{ this.name }} + {{ config|join('\n ') }} + {%- for server in this.servers %} + {%- if server.server_args is defined %} + {%- set server_args = server.server_args %} + {%- endif %} + {% if server is defined %} + server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:{{ server.port }} {{ server_args }} + {%- endif %} + {%- endfor %} +{%- endfor %} +{% else %} +# No backends found in context +{% endif %} +{%- endmacro %} diff --git a/lb-common/overlay/opt/frontend/config/common/robots.txt b/lb-common/overlay/opt/frontend/config/common/robots.txt new file mode 100644 index 0000000..c6742d8 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/common/robots.txt @@ -0,0 +1,2 @@ +User-Agent: * +Disallow: / diff --git a/lb-common/overlay/opt/frontend/config/driveidp/haproxy.j2 b/lb-common/overlay/opt/frontend/config/driveidp/haproxy.j2 new file mode 100644 index 0000000..b3afbc4 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/driveidp/haproxy.j2 
@@ -0,0 +1,21 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/edusealapi/haproxy.j2 b/lb-common/overlay/opt/frontend/config/edusealapi/haproxy.j2 new file mode 100644 index 0000000..c8369d1 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/edusealapi/haproxy.j2 @@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/edusealapit/haproxy.j2 b/lb-common/overlay/opt/frontend/config/edusealapit/haproxy.j2 new file mode 100644 index 0000000..c8369d1 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/edusealapit/haproxy.j2 
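Review bot: edusealapi/haproxy.j2 is byte-identical (blob c8369d1) to edusealapit, edusignapi, ers, forum and sigsvcgnt, and driveidp/humhubidp (b3afbc4) and outscan/sunetidp (2d968e3) are two more identical pairs; six copies of one frontend block will drift the first time one of them gets a header fix. The commit already shows the better pattern for the eIDAS sites, where idmqa is just `{% extends 'common/haproxy_eidas.j2' %}`, so these could become one shared template under `common/` with each site file reduced to a single `extends` line. Every copy also imports `csp` and never calls it.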
@@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/edusign/haproxy.j2 b/lb-common/overlay/opt/frontend/config/edusign/haproxy.j2 new file mode 100644 index 0000000..c1b4585 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/edusign/haproxy.j2 @@ -0,0 +1,25 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + option forwardfor header X-Real-IP + http-request set-header X-Real-IP %[src] + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + ## acl user_eudsign hdr(user-agent) -i edusign + ## http-request redirect location https://www.sunet.se/maintenance/edusign/ if ! user_eudsign + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/edusignapi/haproxy.j2 b/lb-common/overlay/opt/frontend/config/edusignapi/haproxy.j2 new file mode 100644 index 0000000..c8369d1 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/edusignapi/haproxy.j2 
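Review bot: `option forwardfor` appears twice in the edusign frontend — once bare and once as `option forwardfor header X-Real-IP` — and HAProxy keeps only the last occurrence, so as I read it the backend stops receiving X-Forwarded-For and instead gets X-Real-IP twice (once from `http-request set-header X-Real-IP %[src]`, once added by forwardfor). If both headers are wanted, drop the `option forwardfor header X-Real-IP` line and keep the `set-header`, which already overwrites any client-supplied X-Real-IP. The same three lines are in signgnt/haproxy.j2.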
@@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/ers/haproxy.j2 b/lb-common/overlay/opt/frontend/config/ers/haproxy.j2 new file mode 100644 index 0000000..c8369d1 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/ers/haproxy.j2 @@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/fidusds/haproxy.j2 b/lb-common/overlay/opt/frontend/config/fidusds/haproxy.j2 new file mode 100644 index 0000000..34b3ccd --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/fidusds/haproxy.j2 @@ -0,0 +1,6 @@ +{% extends 'common/haproxy_fidus_ds.j2' %} + +{% block usebackend %} + use_backend {{ site_name }}__test if { path_beg /test/ } + use_backend {{ site_name }}__default +{% endblock usebackend %} 
diff --git a/lb-common/overlay/opt/frontend/config/fidusmd/haproxy.j2 b/lb-common/overlay/opt/frontend/config/fidusmd/haproxy.j2 new file mode 100644 index 0000000..ebc9385 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/fidusmd/haproxy.j2 @@ -0,0 +1,7 @@ +{% extends 'common/haproxy_fidus.j2' %} + +{% block usebackend %} + use_backend {{ site_name }}__test if { path_beg /test/ } + use_backend {{ site_name }}__default +{% endblock usebackend %} + diff --git a/lb-common/overlay/opt/frontend/config/forum/haproxy.j2 b/lb-common/overlay/opt/frontend/config/forum/haproxy.j2 new file mode 100644 index 0000000..c8369d1 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/forum/haproxy.j2 @@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/geteduroam/haproxy.j2 b/lb-common/overlay/opt/frontend/config/geteduroam/haproxy.j2 new file mode 100644 index 0000000..5bf70eb --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/geteduroam/haproxy.j2 
@@ -0,0 +1,32 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%} +{%- for ip in bind_ips %} + bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }} +{%- endfor %} +{%- endmacro %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + http-request set-header client-cert %{+Q}[ssl_c_der,base64] + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} +{% block backend %} +{{ output_backends(backends, config=['cookie SERVERID insert indirect nocache +']) }} +{% endblock backend %} diff --git a/lb-common/overlay/opt/frontend/config/humhubidp/haproxy.j2 b/lb-common/overlay/opt/frontend/config/humhubidp/haproxy.j2 new file mode 100644 index 0000000..b3afbc4 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/humhubidp/haproxy.j2 @@ -0,0 +1,21 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} 
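Review bot: The bind line adds `verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt`, so any client certificate — expired, self-signed, wrong chain — is accepted and its DER is forwarded in the `client-cert` header; that is a legitimate pattern only if the backend performs the full validation itself, and a comment stating that contract, e.g. `# cert is NOT verified here (crt-ignore-err all); the backend must validate client-cert itself`, stops someone later treating the header as proof of identity. Using `set-header` means a client cannot smuggle its own `client-cert` value, which is right. In the `backend` block, `cookie SERVERID insert indirect nocache` sets the persistence cookie without `secure` or `httponly` on an HTTPS-only site; `cookie SERVERID insert indirect nocache secure httponly` closes that. The string literal also appears to contain a line break before its closing quote, which merely adds a blank line to each rendered backend.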
diff --git a/lb-common/overlay/opt/frontend/config/idmqa/haproxy.j2 b/lb-common/overlay/opt/frontend/config/idmqa/haproxy.j2 new file mode 100644 index 0000000..b79da09 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/idmqa/haproxy.j2 @@ -0,0 +1 @@ +{% extends 'common/haproxy_eidas.j2' %} diff --git a/lb-common/overlay/opt/frontend/config/kubemtx/haproxy.j2 b/lb-common/overlay/opt/frontend/config/kubemtx/haproxy.j2 new file mode 100644 index 0000000..6e914de --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/kubemtx/haproxy.j2 @@ -0,0 +1,39 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%} +{%- for ip in bind_ips %} + bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }} +{%- endfor %} +{%- endmacro %} + +{% block frontend_80 %} +frontend {{ site_name }}_port80 +{%- for ip in bind_ips %} + bind {{ ip }}:80 +{%- endfor %} + mode tcp + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + + use_backend {{ site_name }}__port80 +{% endblock frontend_80 %} + +{% block frontend %} +frontend {{ site_name }} +{%- for ip in bind_ips %} + bind {{ ip }}:443 +{%- endfor %} + mode tcp + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/kubetest/haproxy.j2 b/lb-common/overlay/opt/frontend/config/kubetest/haproxy.j2 new file mode 100644 index 0000000..a5c648b --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/kubetest/haproxy.j2 
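Review bot: `{% block frontend_80 %}` in kubemtx/haproxy.j2 has no counterpart in `common/haproxy_base.j2` (whose blocks are global, defaults, stats, global_backends, https_everything, frontend, pre_backend and backend), and Jinja silently ignores a child block the parent never defines, so `frontend {{ site_name }}_port80` and its `use_backend {{ site_name }}__port80` are never rendered and port 80 keeps going to the base `http-frontend` redirect. If the plain-TCP port-80 path is wanted, the base needs a matching `{% block frontend_80 %}{% endblock frontend_80 %}`, or the content belongs inside `{% block frontend %}`. Within the `mode tcp` frontends, `timeout http-request`, `option forwardfor` and the `path_beg` ACL emitted by `acme_challenge` are HTTP-mode features that HAProxy will warn about or never match, so the ACME challenge cannot work here. rutprod/haproxy.j2 carries the same `frontend_80` block; its parent `haproxy_22_tcp_mode.j2` is not in this diff, so check that it defines the block.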
@@ -0,0 +1,105 @@ +global + log stdout format raw local0 debug + + daemon + maxconn 256 + stats socket /haproxy_control/stats mode 660 + #server-state-file /tmp/server_state + + # whole container is started as non-root + #user haproxy + #group haproxy + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Mozilla Guideline v5.7 intermediate configuration + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + + ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 + ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + # end Mozilla config + + tune.ssl.default-dh-param 2048 + + spread-checks 20 + +defaults + log global + mode http + option httplog + option dontlognull + option redispatch + option forwardfor + # funny looking values because recommendation is to have these slightly + # above mulitples of three seconds to play nice with TCP resend timers + timeout check 5s + timeout connect 4s + timeout client 17s + timeout server 17s + timeout http-request 5s + + # never fail on address resolution + default-server init-addr libc,none + balance roundrobin + +frontend LB-http + # expose stats info over HTTP to exabgp + bind 127.0.0.1:9000 + http-request 
set-log-level silent + default_backend LB + +backend LB + stats enable + #stats hide-version + stats uri /haproxy_stats + +{% block frontend %} +frontend http-frontend + bind 0.0.0.0:80 + bind :::80 + + use_backend {{site_name}}__letsencrypt + +frontend {{ site_name }} + log stdout format raw local0 debug + mode tcp + bind 0.0.0.0:443 + bind :::443 + + stats enable + + use_backend {{ site_name }}__default + +frontend {{ site_name }}__16443 + mode tcp + bind 0.0.0.0:16443 + bind :::16443 + + use_backend {{ site_name }}__16443 +{% endblock frontend %} + +{% block backend %} +backend {{ site_name }}__16443 + mode tcp + balance leastconn + server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:16443 check inter 1s rise 30 fall 3 + server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:16443 check inter 1s rise 30 fall 3 + server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:16443 check inter 1s rise 30 fall 3 +backend {{ site_name }}__default + mode tcp + balance leastconn + server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:443 check inter 1s rise 30 fall 3 + server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:443 check inter 1s rise 30 fall 3 + server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:443 check inter 1s rise 30 fall 3 +backend {{ site_name }}__letsencrypt + mode http + balance leastconn + server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:80 check inter 1s rise 30 fall 3 + server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:80 check inter 1s rise 30 fall 3 + server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:80 check inter 1s rise 30 fall 3 +{% endblock backend %} diff --git a/lb-common/overlay/opt/frontend/config/outscan/haproxy.j2 b/lb-common/overlay/opt/frontend/config/outscan/haproxy.j2 new file mode 100644 index 0000000..2d968e3 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/outscan/haproxy.j2 
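Review bot: `frontend http-frontend` sends every plaintext request on port 80 to `{{site_name}}__letsencrypt`, i.e. straight to the cluster's port 80, with no HTTPS redirect and no restriction to the ACME path despite the backend's name; if only certificate challenges are meant to reach the cluster, it should be `use_backend {{site_name}}__letsencrypt if { path_beg /.well-known/acme-challenge/ }` followed by `http-request redirect scheme https code 301`. `stats enable` inside the `mode tcp` frontend `{{ site_name }}` is an HTTP-only feature and is ineffective there (the stats page already lives in `LB-http`). The file also restates the whole global/defaults/stats section instead of extending `common/haproxy_base.j2`, so its TLS and timeout settings will drift from the other sites, and the server addresses are hard-coded rather than coming from the `backends` context the other templates use.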
@@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/rutprod/haproxy.j2 b/lb-common/overlay/opt/frontend/config/rutprod/haproxy.j2 new file mode 100644 index 0000000..2c61050 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/rutprod/haproxy.j2 @@ -0,0 +1,37 @@ +{% extends 'common/haproxy_22_tcp_mode.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%} +{%- for ip in bind_ips %} + bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }} +{%- endfor %} +{%- endmacro %} + +{% block frontend_80 %} +frontend {{ site_name }}_port80 +{%- for ip in bind_ips %} + bind {{ ip }}:80 +{%- endfor %} + mode tcp + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + + use_backend {{ site_name }}__port80 +{% endblock frontend_80 %} + +{% block frontend %} +frontend {{ site_name }} +{%- for ip in bind_ips %} + bind {{ ip }}:443 +{%- endfor %} + mode tcp + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/scapi/haproxy.j2 b/lb-common/overlay/opt/frontend/config/scapi/haproxy.j2 new file mode 100644 index 0000000..36a7789 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/scapi/haproxy.j2 
@@ -0,0 +1,7 @@ +{% extends 'common/haproxy_eidas.j2' %} + +{% block usebackend %} + http-response set-header Access-Control-Allow-Origin "*" + use_backend {{ site_name }}__default if { path_beg /testid/ } +{% endblock usebackend %} + diff --git a/lb-common/overlay/opt/frontend/config/scdemwqa/haproxy.j2 b/lb-common/overlay/opt/frontend/config/scdemwqa/haproxy.j2 new file mode 100644 index 0000000..b79da09 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/scdemwqa/haproxy.j2 @@ -0,0 +1 @@ +{% extends 'common/haproxy_eidas.j2' %} diff --git a/lb-common/overlay/opt/frontend/config/sctestqa/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sctestqa/haproxy.j2 new file mode 100644 index 0000000..b126a74 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/sctestqa/haproxy.j2 @@ -0,0 +1,6 @@ +{% extends 'common/haproxy_eidas.j2' %} + +{% block usebackend %} + use_backend {{ site_name }}__refidp if { path_beg /idp/ } + use_backend {{ site_name }}__default +{% endblock usebackend %} diff --git a/lb-common/overlay/opt/frontend/config/signgnt/haproxy.j2 b/lb-common/overlay/opt/frontend/config/signgnt/haproxy.j2 new file mode 100644 index 0000000..b4ab3f7 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/signgnt/haproxy.j2 @@ -0,0 +1,22 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + option forwardfor header X-Real-IP + http-request set-header X-Real-IP %[src] + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} 
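Review bot: The scapi `usebackend` override leaves only `use_backend {{ site_name }}__default if { path_beg /testid/ }`, so every other path on this frontend has no backend and HAProxy answers 503; if publishing only /testid/ is the intent, a comment such as `# only /testid/ is published; other paths intentionally get 503` keeps it from being "fixed" later, and if not, the parent's unconditional `use_backend {{ site_name }}__default` needs restoring after the conditional line. `http-response set-header Access-Control-Allow-Origin "*"` is acceptable for an unauthenticated API, since browsers refuse credentialed requests against a wildcard, but it applies to the whole frontend rather than just the published path, and a block named `usebackend` is an odd place for a response header.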
diff --git a/lb-common/overlay/opt/frontend/config/signservice/haproxy.j2 b/lb-common/overlay/opt/frontend/config/signservice/haproxy.j2 new file mode 100644 index 0000000..750dfe8 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/signservice/haproxy.j2 @@ -0,0 +1,19 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + timeout http-request 300s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/sigsvcgnt/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sigsvcgnt/haproxy.j2 new file mode 100644 index 0000000..c8369d1 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/sigsvcgnt/haproxy.j2 @@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/sunetidp/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sunetidp/haproxy.j2 new file mode 100644 index 0000000..2d968e3 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/sunetidp/haproxy.j2 
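Review bot: `timeout http-request 300s` in signservice/haproxy.j2 raises the time a client may take to send its request headers from the 10s every other site uses to five minutes, which makes holding connections open on this frontend cheap (slow-header exhaustion, against a global `maxconn 256`). Without `option http-buffer-request` this timeout does not cover the request body, so a slow upload is not a reason for it; if a slow peer genuinely needs it, a comment naming why (`# 300s: <reason>`) would help, otherwise 10s.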
@@ -0,0 +1,20 @@ +{% extends 'common/haproxy_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + + {{ acme_challenge(letsencrypt_server) }} + + use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/sunetse/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sunetse/haproxy.j2 new file mode 100644 index 0000000..05c9510 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/sunetse/haproxy.j2 
@@ -0,0 +1,361 @@ +{% extends 'sunetse/haproxy_sunetse_base.j2' %} + +{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} + +{% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }} + + {{ acme_challenge(letsencrypt_server) }} + + + ## defines for hosts + acl host_swamid hdr_reg(host) -i ^(www\.)?swamid\.se$ + acl host_wiki_swamid hdr_reg(host) -i ^wiki\.swamid\.se$ + acl host_eduroam hdr_reg(host) -i ^(www\.)?eduroam\.se$ + acl host_sunet hdr_reg(host) -i ^(www\.)?sunet\.se$ + acl host_lms_sunet hdr_reg(host) -i ^lms\.sunet\.se$ + acl host_sunetdagarna hdr_reg(host) -i ^(www\.)?sunetdagarna\.se$ + + ## General redirects + + acl url_ping path /ping + acl url_root path / + acl req_head method HEAD + + # dos with specific user-agent + acl user_adam hdr(user-agent) -i snapchat.com/add/adam.kindvall + http-request deny deny_status 200 if user_adam + + # /ping + http-request deny deny_status 200 if host_sunet url_ping + + # rate limiting for head requests + stick-table type ip size 100k expire 30s store http_req_rate(10s) + http-request track-sc0 src + acl too_many_requests sc_http_req_rate(0) gt 50 + + http-request deny deny_status 429 if url_root req_head too_many_requests + + # deny (200) all head request for / + http-request deny deny_status 200 if url_root req_head + + + ## Redirects for eduroam + + acl url_eduroam path_beg /eduroam + + http-request redirect location https://www.sunet.se/services/nat/eduroam if host_eduroam + + http-request redirect location https://www.sunet.se/services/nat/eduroam if host_sunet url_eduroam + + ## Redirects for swamid + + acl url_swamid_incident path_beg /incident + acl url_swamid_community path_beg /community-consultation + acl 
url_swamid_getting_started path_beg /getting-started + acl url_swamid_policy path_beg /policy + acl url_swamid_policy_eduroam path_beg /policy/technology/eduroam + acl url_swamid_policy_saml path_beg /policy/technology/saml + acl url_swamid_policy_al1 path_beg /policy/assurance/al1 + acl url_swamid_policy_al2 path_beg /policy/assurance/al2 + acl url_swamid_policy_al3 path_beg /policy/assurance/al3 + acl url_swamid_policy_mdrps path_beg /policy/mdrps + acl url_swamid path_beg /swamid + acl url_swamid_kontakt path_beg /swamid/kontakt + + http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+Incident+Management+Procedures if host_swamid url_swamid_incident + http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+Consultations if host_swamid url_swamid_community + http-request redirect location https://wiki.sunet.se/display/SWAMID/Getting+Started+with+SWAMID if host_swamid url_swamid_getting_started + http-request redirect location https://wiki.sunet.se/display/SWAMID/eduroam+Technology+Profile if host_swamid url_swamid_policy_eduroam + http-request redirect location https://wiki.sunet.se/display/SWAMID/SAML+WebSSO+Technology+Profile if host_swamid url_swamid_policy_saml + http-request redirect location https://wiki.sunet.se/display/SWAMID/Identity+Assurance+Level+1+Profile if host_swamid url_swamid_policy_al1 + http-request redirect location https://wiki.sunet.se/display/SWAMID/Identity+Assurance+Level+2+Profile if host_swamid url_swamid_policy_al2 + http-request redirect location https://wiki.sunet.se/display/SWAMID/Identity+Assurance+Level+3+Profile if host_swamid url_swamid_policy_al3 + http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+eduGAIN+Metadata+Registration+Practice+Statement if host_swamid url_swamid_policy_mdrps + + http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+Policy if host_swamid url_swamid_policy + + http-request redirect location 
https://wiki.sunet.se/display/SWAMID if host_swamid + http-request redirect location https://wiki.sunet.se/display/SWAMID if host_wiki_swamid + + http-request redirect location https://wiki.sunet.se/display/SWAMID/Contact+SWAMID if host_sunet url_swamid_kontakt + http-request redirect location https://wiki.sunet.se/display/SWAMID if host_sunet url_swamid + + + ## Redirects for sunet + + acl url_sunet_net_policy path_beg /policy-for-tillaten-anvandning + acl url_sunet_cert_2350 path_beg /sunet-cert-rfc-2350-profile + acl url_sunet_portalpriser path_beg /portalpriser.pdf + acl url_sunet_molnet_policy path_beg /tjanster/molnportal + acl url_sunet_snc path_beg /snc + + http-request redirect location https://wiki.sunet.se/pages/viewpage.action?pageId=59572260 if host_lms_sunet + + #http-request redirect location https://eu01events.zoom.us/ev/Am3l_EqP5rTwqgwT_GPlwpThTY9DFKP8HgwDLEwAVFSXrjrF5Eg8~AggLXsr32QYFjq8BlYLZ5I06Dg if host_sunetdagarna + #http-request redirect location https://registration.invajo.com/2d97d036-e9cf-49be-bf6a-ba2aca5b99a5 if host_sunetdagarna + http-request redirect location https://wiki.sunet.se/pages/viewpage.action?pageId=229814010 if host_sunetdagarna + + http-request redirect location https://sunet.se/services/molnbaserade-tjanster/virtuella-servrar if host_sunet url_sunet_molnet_policy + http-request redirect location https://www.sunet.se/om-sunet/policy-for-tillaten-anvandning-och-etiska-regler if host_sunet url_sunet_net_policy + http-request redirect location https://wiki.sunet.se/display/OperativtSakerhetscenter/SUNET+CERT+RFC+2350+PROFILE if host_sunet url_sunet_cert_2350 + http-request redirect location https://sunet.se/wp-content/uploads/2019/09/Prislista-Molntja%%CC%%88nster.pdf if host_sunet url_sunet_portalpriser + http-request redirect location https://sunet.se/om-sunet/snc-project/ if host_sunet url_sunet_snc + + # Redirects for old sunet blog + + acl url_sunet_blog_1 path_beg /case/praktikfall-ett-radioteleskop-kommer-sallan-ensamt 
+ http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Praktikfall-Ett-radioteleskop-kommer-sa%%CC%%88llan-ensamt-SUNET-2018-04-18.pdf if host_sunet url_sunet_blog_1 + + acl url_sunet_blog_2 path_beg /case/det-svenska-tidslagret-och-varfor-du-behover-det + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Praktikfall-Det-svenska-tidslagret-och-varfo%%CC%%88r-du-beho%%CC%%88ver-det-SUNET-2018-02-08.pdf if host_sunet url_sunet_blog_2 + + acl url_sunet_blog_3 path_beg /case/praktikfall-tradlosa-nat-as-pa-su + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Praktikfall-Tra%%CC%%8Adlo%%CC%%88sa-na%%CC%%88t-%%E2%%80%%93-AS-pa%%CC%%8A-SU-SUNET-2017-11-29.pdf if host_sunet url_sunet_blog_3 + + acl url_sunet_blog_4 path_beg /blogg/dns-och-dnssec-utan-facksnack + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/DNS-och-DNSSEC-utan-facksnack-SUNET-2018-01-30.pdf if host_sunet url_sunet_blog_4 + + acl url_sunet_blog_6 path_beg /blogg/sunet-i-hongkong + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SUNET-i-Hongkong-SUNET-2017-09-20.pdf if host_sunet url_sunet_blog_6 + + acl url_sunet_blog_5 path_beg /blogg/sa-arbetar-noc + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Sa%%CC%%8A-arbetar-NOC-SUNET-2017-11-13.pdf if host_sunet url_sunet_blog_5 + + acl url_sunet_blog_7 path_beg /blogg/sunets-handbok-i-informations-och-it-sakerhet/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SUNETs-handbok-i-informations-och-IT-sa%%CC%%88kerhet-SUNET-2017-09-01.pdf if host_sunet url_sunet_blog_7 + + + acl url_sunet_blog_8 path_beg /blogg/den-okanda-hasten-fran-troja/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Den-o%%CC%%88ka%%CC%%88nda-ha%%CC%%88sten-fra%%CC%%8An-Troja-SUNET-2017-07-31.pdf if host_sunet url_sunet_blog_8 + + + acl url_sunet_blog_9 path_beg 
/blogg/redundans-ar-allt/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Redundans-a%%CC%%88r-allt-SUNET-2017-07-03.pdf if host_sunet url_sunet_blog_9 + + + acl url_sunet_blog_10 path_beg /blogg/snic-snack/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SNIC-snack-SUNET-2017-06-02.pdf if host_sunet url_sunet_blog_10 + + + acl url_sunet_blog_11 path_beg /blogg/we-are-at-the-forefront/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Maria-Ha%%CC%%88ll-We-are-at-the-Forefront-SUNET-2017-04-13.pdf if host_sunet url_sunet_blog_11 + + + acl url_sunet_blog_12 path_beg /blogg/we-have-liftoff-del-5-av-2/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-5-av-2-SUNET-2017-05-03.pdf if host_sunet url_sunet_blog_12 + + + acl url_sunet_blog_13 path_beg /blogg/we-have-liftoff-del-4-av-2/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-4-av-2-SUNET-2017-02-22.pdf if host_sunet url_sunet_blog_13 + + + acl url_sunet_blog_14 path_beg /blogg/we-have-liftoff-del-3-av-2/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-3-av-2-SUNET-2017-01-30.pdf if host_sunet url_sunet_blog_14 + + + acl url_sunet_blog_15 path_beg /blogg/we-have-liftoff-del-2-av-2/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-2-av-2-SUNET-2017-01-09.pdf if host_sunet url_sunet_blog_15 + + + acl url_sunet_blog_16 path_beg /blogg/we-have-liftoff-del-1-av-2/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-1-av-2-SUNET-2016-12-16.pdf if host_sunet url_sunet_blog_16 + + + acl url_sunet_blog_17 path_beg /blogg/long-read-cleanliness-is-a-virtue/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Long-Read-%%E2%%80%%93-Cleanliness-is-a-Virtue-SUNET-2016-09-20.pdf if 
host_sunet url_sunet_blog_17 + + + acl url_sunet_blog_18 path_beg /blogg/langlasning-folja-fiber-fran-tulegatan-till-stockholms-universitet/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/La%%CC%%8Angla%%CC%%88sning-Fo%%CC%%88lja-fiber-%%E2%%80%%93-fra%%CC%%8An-Tulegatan-till-Stockholms-universitet-SUNET-2016-08-26.pdf if host_sunet url_sunet_blog_18 + + + acl url_sunet_blog_19 path_beg /blogg/topologier/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Topologier-One-ring-to-rule-them-all-SUNET-2016-05-24.pdf if host_sunet url_sunet_blog_19 + + + acl url_sunet_blog_20 path_beg /blogg/long-read-how-to-design-a-fibre-optic-network/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Long-read-How-to-Design-a-Fibre-Optic-Network-SUNET-2016-05-05.pdf if host_sunet url_sunet_blog_20 + + + acl url_sunet_blog_21 path_beg /blogg/forsta-dellanken-i-nya-sunet-ar-igang/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fo%%CC%%88rsta-della%%CC%%88nken-i-Nya-SUNET-a%%CC%%88r-iga%%CC%%8Ang-SUNET-2016-02-19.pdf if host_sunet url_sunet_blog_21 + + + acl url_sunet_blog_22 path_beg /blogg/spektrumanalysatorn-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-spektrumanalysatorn-SUNET-2016-02-17.pdf if host_sunet url_sunet_blog_22 + + + acl url_sunet_blog_23 path_beg /blogg/otdr-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-OTDR-SUNET-2016-02-15.pdf if host_sunet url_sunet_blog_23 + + + acl url_sunet_blog_24 path_beg /blogg/distribuerad-forstarkning-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-distribuerad-fo%%CC%%88rsta%%CC%%88rkning-SUNET-2017-01-15.pdf if host_sunet url_sunet_blog_24 + + + acl url_sunet_blog_25 path_beg 
/blogg/dampning-och-forstarkning-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-da%%CC%%88mpning-och-fo%%CC%%88rsta%%CC%%88rkning-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_25 + + + acl url_sunet_blog_26 path_beg /blogg/l-bandet-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-L-bandet-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_26 + + + acl url_sunet_blog_27 path_beg /blogg/c-bandet-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-C-bandet-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_27 + + + acl url_sunet_blog_28 path_beg /blogg/cern-krossen-som-slar-sonder-materiens-minsta-byggstenar/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/CERN-%%E2%%80%%93-krossen-som-sla%%CC%%8Ar-so%%CC%%88nder-materiens-minsta-byggstenar-SUNET-2016-01-12.pdf if host_sunet url_sunet_blog_28 + + + acl url_sunet_blog_29 path_beg /blogg/belastningsdiagram-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-belastningsdiagram-SUNET-2015-12-19.pdf if host_sunet url_sunet_blog_29 + + + acl url_sunet_blog_30 path_beg /blogg/atomur-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-atomur-SUNET-2015-12-19.pdf if host_sunet url_sunet_blog_30 + + + acl url_sunet_blog_31 path_beg /blogg/fiberkontakter-en-hel-massa-standarder/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fiberkontakter-%%E2%%80%%93-en-hel-massa-standarder-SUNET-2015-12-04.pdf if host_sunet url_sunet_blog_31 + + + acl url_sunet_blog_32 path_beg /blogg/geant-grundlaggande-om/ + http-request redirect location 
https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-GE%%CC%%81ANT-SUNET-2015-11-26.pdf if host_sunet url_sunet_blog_32 + + + acl url_sunet_blog_33 path_beg /blogg/decibel-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-decibel-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_33 + + + acl url_sunet_blog_34 path_beg /blogg/switch-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-switch-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_34 + + + acl url_sunet_blog_35 path_beg /blogg/router-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-router-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_35 + + + acl url_sunet_blog_36 path_beg /blogg/kvarts-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-kvarts-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_36 + + + acl url_sunet_blog_37 path_beg /blogg/foton-grundlaggande-om/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-foton-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_37 + + + acl url_sunet_blog_38 path_beg /blogg/i-morkret-ar-alla-katter-infraroda/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/I-mo%%CC%%88rkret-a%%CC%%88r-alla-katter-infraro%%CC%%88da-SUNET-2015-11-04.pdf if host_sunet url_sunet_blog_38 + + + acl url_sunet_blog_39 path_beg /blogg/fibertyperna-i-natet-och-deras-optiska-felaktigheter/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fibertyperna-i-na%%CC%%88tet-och-deras-optiska-felaktigheter-SUNET-2015-10-29.pdf if host_sunet url_sunet_blog_39 + + + acl url_sunet_blog_40 path_beg /blogg/vad-ar-klockan-egentligen/ + http-request redirect location 
https://sunet.se/wp-content/uploads/2020/11/Vad-a%%CC%%88r-klockan-egentligen-SUNET-2015-10-21.pdf if host_sunet url_sunet_blog_40 + + + acl url_sunet_blog_41 path_beg /blogg/natets-centrum/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Na%%CC%%88tets-centrum-SUNET-2015-10-20.pdf if host_sunet url_sunet_blog_41 + + + acl url_sunet_blog_42 path_beg /blogg/den-optiska-transceivern/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Den-optiska-transceivern-SUNET-2015-10-17.pdf if host_sunet url_sunet_blog_42 + + + acl url_sunet_blog_43 path_beg /blogg/polarisation-och-informationsoverforing/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Polarisation-och-informationso%%CC%%88verfo%%CC%%88ring-SUNET-2015-10-01.pdf if host_sunet url_sunet_blog_43 + + + acl url_sunet_blog_44 path_beg /blogg/laserns-historia/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Laserns-historia-SUNET-2015-09-30.pdf if host_sunet url_sunet_blog_44 + + + acl url_sunet_blog_45 path_beg /blogg/koherent-ljus-vad-ar-det/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Koherent-ljus-vad-a%%CC%%88r-det-SUNET-2015-09-28.pdf if host_sunet url_sunet_blog_45 + + + acl url_sunet_blog_46 path_beg /blogg/sunet-nu-annu-battre/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SUNET-%%E2%%80%%93-nu-a%%CC%%88nnu-ba%%CC%%88ttre-SUNET-2015-09-16.pdf if host_sunet url_sunet_blog_46 + + + acl url_sunet_blog_47 path_beg /blogg/fibern-fruktar-fukten/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fibern-fruktar-fukten-SUNET-2015-09-11.pdf if host_sunet url_sunet_blog_47 + + + acl url_sunet_blog_48 path_beg /blogg/att-fa-kontakt/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Att-fa%%CC%%8A-kontakt-SUNET-2015-09-11.pdf if host_sunet url_sunet_blog_48 + + + acl url_sunet_blog_49 path_beg 
/blogg/sa-tillverkas-optisk-fiber/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Sa%%CC%%8A-tillverkas-optisk-fiber-SUNET-2015-08-31.pdf if host_sunet url_sunet_blog_49 + + + acl url_sunet_blog_50 path_beg /blogg/artikel-emc-emi-emp/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/EMC-%%E2%%80%%93-EMI-%%E2%%80%%93-EMP-SUNET-2015-09-31.pdf if host_sunet url_sunet_blog_50 + + + acl url_sunet_blog_51 path_beg /blogg/glasbiten-som-gav-nobelpris/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Glasbiten-som-gav-nobelpris-SUNET-2015-08-21.pdf if host_sunet url_sunet_blog_51 + + + acl url_sunet_blog_52 path_beg /blogg/megabit-pa-langden-och-tvaren/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Megabit-pa%%CC%%8A-la%%CC%%88ngden-och-tva%%CC%%88ren-SUNET-2015-09-21.pdf if host_sunet url_sunet_blog_52 + + + acl url_sunet_blog_53 path_beg /blogg/langartikel-fibern-fran-frostmofjallet/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fibern-fra%%CC%%8An-Frostmofja%%CC%%88llet-SUNET-2015-08-21.pdf if host_sunet url_sunet_blog_53 + + + acl url_sunet_blog_54 path_beg /blogg/upphandling-av-optiskt-nat-nar-allt-bara-flyter-pa/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Upphandling-av-optiskt-na%%CC%%88t-%%E2%%80%%93-na%%CC%%88r-allt-bara-flyter-pa%%CC%%8A-SUNET-2015-07-25.pdf if host_sunet url_sunet_blog_54 + + + acl url_sunet_blog_55 path_beg /blogg/optasense-nar-fiber-blir-sensorer/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/OptaSense-%%E2%%80%%93-na%%CC%%88r-fiber-blir-sensorer-SUNET-2015-07-03.pdf if host_sunet url_sunet_blog_55 + + + acl url_sunet_blog_56 path_beg /blogg/teknisk-djupdykning-optisk-magi-med-ramanforstarkare/ + http-request redirect location 
https://sunet.se/wp-content/uploads/2020/11/Teknisk-djupdykning-Optisk-magi-med-ramanfo%%CC%%88rsta%%CC%%88rkare-SUNET-2015-07-02.pdf if host_sunet url_sunet_blog_56 + + + acl url_sunet_blog_57 path_beg /blogg/teknisk-utvikning-130-000-fibrer-som-i-en-liten-ask/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-utvikning-130.000-fibrer-som-i-en-liten-ask-SUNET-2015-07-01.pdf if host_sunet url_sunet_blog_57 + + + acl url_sunet_blog_58 path_beg /blogg/nocen-spekulerar-2-felrapporter/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/NOCen-spekulerar-2-Felrapporter-SUNET-2015-06-27.pdf if host_sunet url_sunet_blog_58 + + + acl url_sunet_blog_59 path_beg /blogg/nocen-spekulerar-1-hog-belastning/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/NOCen-spekulerar-1-ho%%CC%%88g-belastning-SUNET-2015-06-26.pdf if host_sunet url_sunet_blog_59 + + + acl url_sunet_blog_60 path_beg /blogg/teknisk-djupdykning-optisk-magi-med-edfa/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-djupdykning-Optisk-magi-med-EDFA-SUNET-2015-06-22.pdf if host_sunet url_sunet_blog_60 + + + acl url_sunet_blog_61 path_beg /blogg/sa-designar-man-ett-fiberoptiskt-nat/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/La%%CC%%8Angartikel-Sa%%CC%%8A-designar-man-ett-fiberoptiskt-na%%CC%%88t-SUNET-2015-06-11.pdf if host_sunet url_sunet_blog_61 + + + acl url_sunet_blog_62 path_beg /blogg/1249/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/La%%CC%%8Angartikel-Vad-som-har-varit-och-vad-som-komma-skall-SUNET-2015-05-19.pdf if host_sunet url_sunet_blog_62 + + + acl url_sunet_blog_63 path_beg /blogg/teknisk-djupdykning-den-mystiska-routerkraschen/ + http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-djupdykning-den-mystiska-routerkraschen-SUNET-2006-06-11.pdf if host_sunet url_sunet_blog_63 + + 
use_backend {{ site_name }}__default +{% endblock frontend %} diff --git a/lb-common/overlay/opt/frontend/config/sunetse/haproxy_sunetse_base.j2 b/lb-common/overlay/opt/frontend/config/sunetse/haproxy_sunetse_base.j2 new file mode 100644 index 0000000..001d815 --- /dev/null +++ b/lb-common/overlay/opt/frontend/config/sunetse/haproxy_sunetse_base.j2 
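Review bot: Every `http-request redirect location` rule in this frontend uses HAProxy's default 302 status, but the swamid, eduroam and legacy-blog rules are permanent moves of retired paths; adding `code 301` to those lines lets browsers and crawlers cache the move instead of re-requesting the old URL, while the `host_sunetdagarna` target, which judging by its two commented-out predecessors changes regularly, is reasonable to keep at 302. Because the port-80 frontend in `haproxy_sunetse_base.j2` first redirects to https on the requested host, every legacy hostname matched by the `host_*` ACLs (swamid.se, wiki.swamid.se, eduroam.se, lms.sunet.se, sunetdagarna.se) must be covered by `tls_certificate_bundle` for these redirects to ever be reached, which cannot be checked from this diff. The commented-out zoom and invajo redirects are dead configuration superseded by the wiki rule beneath them and could be dropped rather than carried into the new file.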
@@ -0,0 +1,117 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+    log stdout format raw local0 debug
+
+    daemon
+    maxconn 256
+    stats socket /haproxy_control/stats mode 660
+    #server-state-file /tmp/server_state
+
+    # whole container is started as non-root
+    #user haproxy
+    #group haproxy
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Mozilla Guideline v5.7 intermediate configuration
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    # end Mozilla config
+
+    tune.ssl.default-dh-param 2048
+
+    spread-checks 20
+
+
+
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    option redispatch
+    option forwardfor
+    # funny looking values because recommendation is to have these slightly
+    # above mulitples of three seconds to play nice with TCP resend timers
+    timeout check 5s
+    timeout connect 4s
+    timeout client 17s
+    timeout server 17s
+    timeout http-request 5s
+
+    # never fail on address resolution
+    default-server init-addr libc,none
+    balance roundrobin
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+    # expose stats info over HTTP to exabgp
+    bind 127.0.0.1:9000
+    http-request set-log-level silent
+    default_backend LB
+
+backend LB
+    stats enable
+    #stats hide-version
+    stats uri /haproxy_stats
+{% endblock stats %}
+
+
+{% block global_backends %}
+{% if letsencrypt_server is defined %}
+backend letsencrypt_{{ letsencrypt_server }}
+    server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
+{% else %}
+# letsencrypt_backend not defined
+{% endif %}
+{% endblock global_backends %}
+
+
+{% block https_everything %}
+#
+# Redirect _everything_ to HTTPS
+frontend http-frontend
+    bind 0.0.0.0:80
+    bind :::80
+
+    redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { hdr(host) -i ip.sunet.se }
+    use_backend {{ site_name }}__default if { hdr(host) -i ip.sunet.se } ! { path_beg /.well-known/acme-challenge/ }
+{% if letsencrypt_server is defined %}
+    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{% else %}
+    # letsencrypt_backend not defined
+{% endif %}
+{% endblock https_everything %}
+
+#
+# Frontend section
+#
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{{ output_backends(backends, config=[]) }}
+{% endblock backend %}
diff --git a/lb-common/overlay/opt/frontend/config/sveidas1/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sveidas1/haproxy.j2
new file mode 100644
index 0000000..b79da09
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/sveidas1/haproxy.j2
@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}
diff --git a/lb-common/overlay/opt/frontend/config/sveidas2/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sveidas2/haproxy.j2
new file mode 100644
index 0000000..b79da09
--- /dev/null
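Review bot: The `ip.sunet.se` exemption in the `https_everything` block hard-codes one hostname into a base template that every site-specific child inherits, and it is the only path on which the `{{ site_name }}__default` backend is reached over plain HTTP, without the `X-Forwarded-Proto https` header the TLS frontends set; if that is intended, a comment on the `redirect scheme https` line should say why, e.g. `# ip.sunet.se is served over plain HTTP on purpose: <reason>`. The `# letsencrypt_backend not defined` comments in `global_backends` and `https_everything` name a variable that does not exist; the condition tests `letsencrypt_server`. `maxconn 256` in `global` caps all frontends in the container together, which is modest for a public load balancer and worth checking against the expected concurrency.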
+++ b/lb-common/overlay/opt/frontend/config/sveidas2/haproxy.j2
@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}
diff --git a/lb-common/overlay/opt/frontend/config/sweconn1/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sweconn1/haproxy.j2
new file mode 100644
index 0000000..b79da09
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/sweconn1/haproxy.j2
@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}
diff --git a/lb-common/overlay/opt/frontend/config/sweconn2/haproxy.j2 b/lb-common/overlay/opt/frontend/config/sweconn2/haproxy.j2
new file mode 100644
index 0000000..b79da09
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/sweconn2/haproxy.j2
@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}
diff --git a/lb-common/overlay/opt/frontend/config/validator/haproxy.j2 b/lb-common/overlay/opt/frontend/config/validator/haproxy.j2
new file mode 100644
index 0000000..a00b16c
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/validator/haproxy.j2
@@ -0,0 +1,19 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}
diff --git a/lb-common/overlay/opt/frontend/config/zoomidp/haproxy.j2 b/lb-common/overlay/opt/frontend/config/zoomidp/haproxy.j2
new file mode 100644
index 0000000..2d968e3
--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/zoomidp/haproxy.j2
@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}
diff --git a/tug-lb-1.sunet.se/README b/tug-lb-1.sunet.se/README
new file mode 100644
index 0000000..9a73bce
--- /dev/null
+++ b/tug-lb-1.sunet.se/README
@@ -0,0 +1,4 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+
+- type make upgrade to run ubuntu/debian upgrade on all boxes
diff --git a/tug-lb-1.sunet.se/overlay/etc/hiera/data/local.eyaml b/tug-lb-1.sunet.se/overlay/etc/hiera/data/local.eyaml
new file mode 100644
index 0000000..fd4b8b3
--- /dev/null
+++ b/tug-lb-1.sunet.se/overlay/etc/hiera/data/local.eyaml
@@ -0,0 +1,32 @@
+
+
+
+acme_c_ssh_key: >
+    ENC[PKCS7,MIIEeQYJKoZIhvcNAQcDoIIEajCCBGYCAQAxggJ9MIICeQIBAD
+    BhMEkxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRV
+    lBTUwxGjAYBgNVBAMMEXR1Zy1sYi0xLnN1bmV0LnNlAhRGbgvGqNZzUuYMy5
+    +AuzDsP6l1pDANBgkqhkiG9w0BAQEFAASCAgABMA5DtkCFFelPWYvHHW+7y0
+    hGG+iJarmJhamv72/Yig0v/5OiTFpSVa6DvzNe1OPvO9RHvufFoPQlksR8Jo
+    J1YaXtVrUsRtPQwt7S29ymj356HuLe4e230tl7LNoubMJGpA1F54aX3QcFO6
+    /JO5DG+/3EJMAD4LE/LgiyvD4cIpj5f8gJBQp8rywlsLFBA2Nrsl7mSY9MUn
+    MPzb4wpByOt7a/zWIRjgyF/y2zTCoqFvuigKejBACx3GkXzutzry4jzBAQsN
+    Qi2bfdNWWXEKFPOQO7x8zpJ2nh4iP/uNG5TNfGooTsnMv21zmD/nHnWo8dE+
+    hYmWQ2uoIW4XqRFLeUPg/u4hKcSDFNsF5YqA8MLGs6MHSZrQqzSIExgruiKU
+    DwDG144q6E1uEny21BdM84z1DrDZDWP4UqnT8uQWU56Z2j8kSyFscig7oUeR
+    2ihgmNo11YobH/SMn36tFvQ7u74IrSnH9wSNtL0Ml/IssShmIys6ZvFBtByM
+    yzUpiTJYlHY+hEnKncMPTri/iRdghNG7kZyFMsdHNBnR1P5a8oNzD6756TdY
+    6rOMEQG2SDrcodx7nKIOUrE5wPIdLeN9ZhFuEK7hBVlJPxBu2/lVcEykrDI6
+    /t/106mz3GYDllPzWKLUv8rZSpsroh36Tr/LQaU9rEVuN5DnzUMMzfae7IZj
+    CCAd4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEP+hDktlSD+Eld1OebGMiV
+    eAggGw79qzPfz43WZFqt8dkyXhuxvSACbbdfi27KagltOwiI7HSBatRdUv09
+    3yhEPgbt6Wcfj/M47ScYOKqSobPc/Z+HxgnvhXhrzMwnTq6Phz3jYRxRkulj
+    zbbe60pWbDh1zDBdk1Kj6H2Drw9m7NP0bDtmJ0Tr6it6eLmT9OXeaTXjW52L
+    Xs5wcZl5bNAxaTY6mwjaJIwOsM/Y1v+ADKaKlkor0q27OcevKo7UlERqE1px
+    m4dF0R21s5Ee37yjHHtjLket4mm6Ek3KhrIekBJh5QOzg083U1DK0JFJzW0A
+    P8eXzAAheZpRck7nYtBwZMAwIL5vUkQ51KdwAMVN4D2ZT/AM4P9KtNHRbEcb
+    NBBOMNCOsxOuKZsSJsMBnI+QL30ngVNvzz2QMyidhJ5YFPV0voFj17/vibWC
+    140bTetiJFNFFhkICB5SLGaq8OEe5zN5mGUCU2cWMBhbKaBE/HUv9c10oSVA
+    6V3593t7s4mZmUa1oTylliuO3AchUD5pi562DxklJqCCair9J24nVCNvwt5F
+    aNMUAWHrjdlhSiCge7CfUAS+r7C3KDBBuJbPNMxkFL]
+
+fleetlock_password: ENC[PKCS7,MIIC5QYJKoZIhvcNAQcDoIIC1jCCAtICAQAxggJ9MIICeQIBADBhMEkxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxGjAYBgNVBAMMEXR1Zy1sYi0xLnN1bmV0LnNlAhRGbgvGqNZzUuYMy5+AuzDsP6l1pDANBgkqhkiG9w0BAQEFAASCAgCEEKZvmD6FsRfpqKazFi3pZQuk5XjUfplsAExuDlzdCNKFKjXqbTogXRqVG6LL57xquzavLgqC3bXGps0kcN6ahOSAJziBgLAePQ4NAtBBiuLvXYGJ6FXf1llbWV2YlruAzUfHnCZ6n1/NJrHIQz8IwAVEhiwhcV0L2DK6a3e2KmvZiaNkuVCiKS+UNsi8ry5Fl2oLn4h/SwZdFgOldlrCsLRlk+06B8icZukeVJC232HBYDhubdFSUy149lzA2J8lbuLQ7haRwanyATh/mQs2XQi3l32B0yPnDsmuUXyEwORZ+2eOMPpXNrUT2r0Waj/nVtdqhT2pqSNBzy0tvr8Urcij9tYdKdLZzubkNXPMDjaFI0wEqpd/QW/a44QE0myYsACDjc2sZPiCdb4GCM57YXzP2sVulYuKVr4lRbGEThszZDvz4osEQ+Bo5r7dz13Yq+N7E/kEwedIEb85/Snfu/QM4QhMNkM2Qs8XUqrxT89Bk8LuJ3JS3nEK6HV0MaNkKmX9jI6qiWuxp1sXdoFmW+afvgyNPRNHTrttE0yTcPA//aRqlDQ7czxyR+UMthhFHA+5XfmIHo/eLgDFwC9gsXB5eMRTvjb8l2yumiIbSjpfiwms0MLe/8F8Y5TQPg599/DCba3dU9sIaWPG9JOra98P4MtkbhrAw4/e6ZCVXDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD8IbrfUQLJmXACUGllcvhjgCBNFkhZ3CKV8dMUDY9mWhb0MI6UzMBZWwnK0pbHE8KEmg==]
diff --git a/tug-lb-1.sunet.se/overlay/etc/netplan/00-installer-config.yaml b/tug-lb-1.sunet.se/overlay/etc/netplan/00-installer-config.yaml
new file mode 100644
index 0000000..9fd72a3
--- /dev/null
+++ b/tug-lb-1.sunet.se/overlay/etc/netplan/00-installer-config.yaml
@@ -0,0 +1,41 @@
+# This file is manged by puppet.
+network:
+  version: 2
+  ethernets:
+    enp67s0f0np0:
+      addresses: []
+      dhcp4: false
+      dhcp6: false
+      accept-ra: no
+    enp67s0f1np1:
+      addresses: []
+      dhcp4: false
+      dhcp6: false
+      accept-ra: no
+    switchports:
+      match: {name: "bond0"}
+  bonds:
+    bond0:
+      addresses:
+        - 130.242.126.195/31
+        - 2001:6b0:8:a::2/64
+      routes:
+        - to: default
+          via: 130.242.126.194
+        - to: default
+          via: 2001:6b0:8:a::1
+          on-link: true
+      nameservers:
+        addresses:
+          - 89.32.32.32
+      interfaces:
+        - enp67s0f0np0
+        - enp67s0f1np1
+      dhcp4: false
+      dhcp6: false
+      accept-ra: no
+      parameters:
+        mode: active-backup
+        mii-monitor-interval: 1
+        gratuitious-arp: 5
+        primary-reselect-policy: failure
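Review bot: `accept-ra: no` on the two NICs and on `bond0` relies on the YAML 1.1 reading of `no` as a boolean; netplan's parser appears to accept it, but `false`, already used for `dhcp4`/`dhcp6` on the neighbouring lines, is the unambiguous form. The `switchports:` entry under `ethernets` matches on the bond's own name (`match: {name: "bond0"}`) and declares nothing else, which looks like a leftover from another host's template rather than a physical NIC; if it is intentional, a comment above it should say what it is for. `gratuitious-arp` is the historically misspelled netplan key; the reference spelling is `gratuitous-arp`, usable if the netplan version on this host accepts it. The bond has a single resolver (`89.32.32.32`) and `mii-monitor-interval: 1` (1 ms), both worth confirming, and the header comment misspells "managed".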
diff --git a/tug-lb-1.sunet.se/overlay/etc/ssl/tug-lb-1.sunet.se_infra.pem b/tug-lb-1.sunet.se/overlay/etc/ssl/tug-lb-1.sunet.se_infra.pem
new file mode 100644
index 0000000..ce4dd29
--- /dev/null
+++ b/tug-lb-1.sunet.se/overlay/etc/ssl/tug-lb-1.sunet.se_infra.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGKjCCBBKgAwIBAgIIbZCsL+IJlogwDQYJKoZIhvcNAQELBQAwPzEgMB4GA1UE
+AxMXU1VORVQgSW5mcmFzdHJ1Y3R1cmUgQ0ExDjAMBgNVBAoTBVNVTkVUMQswCQYD
+VQQGEwJTRTAeFw0yNDA2MjgwODM1MDhaFw0yNTA2MjgwODM1MDhaMDkxCzAJBgNV
+BAYTAlNFMQ4wDAYDVQQKEwVTVU5FVDEaMBgGA1UEAxMRdHVnLWxiLTEuc3VuZXQu
+c2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDnTfQHQm8tIFj0fbM4
+V3pvuB3wMrQoPcX6Ln4Pb+uHy1wcePX9FRtxV31TiW3oiZxomH5DL0t209/XKTzo
+cjuj7fI8KuWsq0fYWiEoc+O7vAWPVnlRs1e1btaPsuYtytUkPNK7kVSyaMedEOub
+vjyi062MMCfBSPrZEAtftWRc1IRz0XO0IEfwcCwBVadjNteZp2kZ8QO62THWBJJU
+GNgIF3yPrybY+nAfD4olcpkAobmQhONzPP6JJ7KpWaIImuNuUwmhMk4UexVXx3Nr
+eWZ0TMCRU+6WtF2mTr4W910zQMsyvuQS4BcwRU6GsoXA64Ur9YUEYWiBL6ce3aXG
+B8987LfWRNmlNeV2oExFAK7yWr4fZQMTIiMjKoKhzqK5FqGIM4g/2lXgMF0QmK6y
+oLpSH5kp2rMRgrbc4bga/FOC2MJDV/M2SZJDiiH1O4gc1B9HWdrk3UjLK2TW0qQI
+dBXFlL4H3XsLvpLbyistR6nTVBXpmkcMZDg9PxDJaTc4ZgKhQ6EafM2aPL+aIYwe
+wyAucpK9CwxkWsHSEneV9ZY2FlnWaX/cJC5l23Xb3/7YDa6FlSnmQeTHQU3rbLVM
+po0wmc8H9ZBDwDNCP18cyr5COGMs+C7UmPAq9qYXIKWGbZhUHniABU4CTxS6skwU
+pemi38xae4K28zzpPSKr3rhUiQIDAQABo4IBLjCCASowHQYDVR0OBBYEFHNT/SG7
+8bexN/XTiLVEhZfjdp/tMB8GA1UdIwQYMBaAFOcsnlEasB0BHeZCtCcaNZNwwG3X
+MDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYfaHR0cDovL2NhLnN1bmV0LnNl
+L2luZnJhL2NhLmNydDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY2Euc3VuZXQu
+c2UvaW5mcmEvY3JsLnBlbTAjBgNVHRIEHDAahhhodHRwOi8vY2Euc3VuZXQuc2Uv
+aW5mcmEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMBwGA1UdEQQVMBOCEXR1Zy1sYi0xLnN1bmV0LnNlMA0GCSqG
+SIb3DQEBCwUAA4ICAQBBzHfnpUAnyd4+ix4BlzMAC2O06LuopbS3eCBDskE6PFU5
+gxYxuvJpWq3aoZ3ymKdY4vh/RjsAeEWTT9PvVGZffNBqHYfEtApxzM6179xIu/rv
+z7Ch9VZE6CBdArJ75lt9YUrs5Nv4JRmgLBQdczRCRFohnaVGMqMsYaeQWp3nkZ0x
+I+kuWIVZwuYee6dArmLvAwFWD5ECn84yKCY8whFABn2i2VivukY1d98kDuJ+KcDs
+SP3aahsMDTO6fkz1AE8r03YFU6E/lxqIfSKWS7sZ7oycJGSQaT8y3QtfOdIGLLos
+tjJvurAxZ6XH2AV+r9Ewx7uP8gPeUtymx4cKx+CEewjxCBHm6q2qgMWm0p9/8Mxe
+x6NOdBIm08bscrhAIgFHWUsoOiS+4m2ZcQFgh9g0JQ9q/Ypid6J6W16YxxP3lpJX
+IcrMDu87pDzECM0VDb/kkLhhbVyqIchnyewaP/pmz2zYjW4IRMnsoEXIT7wCuECA
+1g/yTHWVLh7jWtMtVDYWBu2Bx6ofUQ0dfXqKE1jIuhT2fXpzdUegSO6D1+An/j2U
+OjR4gl8StGo7O7mHhLDYpRHl6CpkSjoSfEjVgrlIcMUY3HbYuIEJS4QjmTqJ8ftl
+vvlkkQFXf92wHnmLUOY2bY2i81RVyBUUtyt4fyShTesKAwZt9dTFPdPtEpaSag==
+-----END CERTIFICATE-----
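Review bot: Decoding the DER in this PEM, the validity fields read `240628083508Z` to `250628083508Z`, so the file pins a one-year certificate that expires 2025-06-28 and nothing in the commit records who renews it or how; since a `.pem` cannot carry a comment, the renewal owner and expiry date belong in the Puppet manifest that deploys it, or in an expiry check in monitoring, so the load balancer does not lose its infra identity silently. If my decode is right the extended key usage includes both serverAuth and clientAuth and the SAN is `tug-lb-1.sunet.se`, which means the matching private key also authenticates this host as a client to other infra services; only the public certificate appears here, and the eyaml blob in the preceding hunk appears to be how the key is delivered, which is the right split, but it is worth confirming the key is never written unencrypted into this overlay tree.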
