moved 3 more sites to new LBs

2025-04-08 10:52:53 +02:00 · 2025-04-08 10:52:53 +02:00 · 25990db55d
commit 25990db55d
parent 66bc7d98cb
4 changed files with 142 additions and 0 deletions
--- a/lb-common/overlay/etc/hiera/data/group.yaml
+++ b/lb-common/overlay/etc/hiera/data/group.yaml
@ -733,3 +733,66 @@ sunet_frontend:
        letsencrypt_server: 'acme-c.sunet.se'
        haproxy_imagetag: '20230228-stable'
        frontendtools_imagetag: '20230228'
+
+      'nutidauthtst':
+        haproxy_volumes:
+          - "/etc/ssl/certs/infra.crt:/etc/ssl/certs/infra.crt:ro"
+          - "/opt/frontend/config/ssl/infra_haproxy.crt:/opt/frontend/config/ssl/infra_haproxy.crt:ro"
+        site_name: 'nutid-auth-test.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.22', '2001:6b0:60:c0::22']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.23', '2001:6b0:60:c0::23']
+        backends:
+          default:
+            'nutid-auth-test-2.sunet.se':
+              ips: ['89.47.185.33']
+              server_args: 'ssl  alpn h2  crt /opt/frontend/config/ssl/infra_haproxy.crt  verify required  ca-file /etc/ssl/certs/infra.crt  check check-alpn http/1.1'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'nutidauth':
+        haproxy_volumes:
+          - "/etc/ssl/certs/infra.crt:/etc/ssl/certs/infra.crt:ro"
+          - "/opt/frontend/config/ssl/infra_haproxy.crt:/opt/frontend/config/ssl/infra_haproxy.crt:ro"
+        site_name: 'nutid-auth.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.62', '2001:6b0:60:c0::62']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.63', '2001:6b0:60:c0::63']
+        backends:
+          default:
+            'nutid-auth-3.sunet.se':
+              ips: ['192.36.171.72']
+              server_args: 'ssl  alpn h2  crt /opt/frontend/config/ssl/infra_haproxy.crt  verify required  ca-file /etc/ssl/certs/infra.crt  check check-alpn http/1.1'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'fidustest':
+        site_name: 'fidustest.skolverket.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.52', '2001:6b0:60:c0::52']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.53', '2001:6b0:60:c0::53']
+        backends:
+          default:
+            'fidustest-1.fidus.sunet.se':
+              ips: ['89.45.236.185']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
--- a/lb-common/overlay/opt/frontend/config/fidustest/haproxy.j2
+++ b/lb-common/overlay/opt/frontend/config/fidustest/haproxy.j2
@ -0,0 +1 @@
+{% extends 'common/haproxy_fidus.j2' %}
--- a/lb-common/overlay/opt/frontend/config/nutidauth/haproxy.j2
+++ b/lb-common/overlay/opt/frontend/config/nutidauth/haproxy.j2
@ -0,0 +1,39 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}  {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional  crt-ignore-err all  ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}
+
+{% block backend %}
+{{ output_backends(backends,
+        config=['option httpchk GET /status/healthy HTTP/1.1',
+        'http-check expect string STATUS_OK',
+        'http-check send-state',
+        'http-check disable-on-404',
+        ],
+    )
+}}
+{% endblock backend %}
--- a/lb-common/overlay/opt/frontend/config/nutidauthtst/haproxy.j2
+++ b/lb-common/overlay/opt/frontend/config/nutidauthtst/haproxy.j2
@ -0,0 +1,39 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}  {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional  crt-ignore-err all  ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}
+
+{% block backend %}
+{{ output_backends(backends,
+        config=['option httpchk GET /status/healthy HTTP/1.1',
+        'http-check expect string STATUS_OK',
+        'http-check send-state',
+        'http-check disable-on-404',
+        ],
+    )
+}}
+{% endblock backend %}