migrated auth auth-test to new lb
This commit is contained in:
parent
cb75d218ae
commit
e1c5d9b737
2 changed files with 61 additions and 0 deletions
|
|
@ -40,6 +40,28 @@ sunet_frontend:
|
||||||
haproxy_imagetag: '20230228-stable'
|
haproxy_imagetag: '20230228-stable'
|
||||||
frontendtools_imagetag: '20230228'
|
frontendtools_imagetag: '20230228'
|
||||||
|
|
||||||
|
'authtest':
|
||||||
|
haproxy_volumes:
|
||||||
|
- "/etc/ssl/certs/infra.crt:/etc/ssl/certs/infra.crt:ro"
|
||||||
|
- "/etc/ssl/private/infra_haproxy.crt:/etc/ssl/private/infra_haproxy.crt:ro"
|
||||||
|
site_name: 'auth-test.sunet.se'
|
||||||
|
frontends:
|
||||||
|
'lb-test-tug-1.sunet.se':
|
||||||
|
ips: ['37.156.192.64', '2001:6b0:60:c0::64']
|
||||||
|
'lb-test-sthb-1.sunet.se':
|
||||||
|
ips: ['37.156.192.65', '2001:6b0:60:c0::65']
|
||||||
|
backends:
|
||||||
|
default:
|
||||||
|
'auth-test-1.sunet.se':
|
||||||
|
ips: ['89.47.185.11']
|
||||||
|
server_args: 'ssl alpn h2 crt /etc/ssl/private/infra_haproxy.crt verify required ca-file /etc/ssl/certs/infra.crt check check-alpn http/1.1'
|
||||||
|
allow_ports:
|
||||||
|
- 443
|
||||||
|
- 80
|
||||||
|
letsencrypt_server: 'acme-c.sunet.se'
|
||||||
|
haproxy_imagetag: '20230228-stable'
|
||||||
|
frontendtools_imagetag: '20230228'
|
||||||
|
|
||||||
# 'edusealapit':
|
# 'edusealapit':
|
||||||
# site_name: 'test-api.eduseal.sunet.se'
|
# site_name: 'test-api.eduseal.sunet.se'
|
||||||
# frontends:
|
# frontends:
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,39 @@
|
||||||
|
{% extends 'common/haproxy_base.j2' %}
|
||||||
|
|
||||||
|
{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
|
||||||
|
|
||||||
|
{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
|
||||||
|
{%- for ip in bind_ips %}
|
||||||
|
bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }}
|
||||||
|
{%- endfor %}
|
||||||
|
{%- endmacro %}
|
||||||
|
|
||||||
|
{% block frontend %}
|
||||||
|
frontend {{ site_name }}
|
||||||
|
{{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }}
|
||||||
|
|
||||||
|
|
||||||
|
timeout http-request 10s
|
||||||
|
timeout http-keep-alive 4s
|
||||||
|
option forwardfor
|
||||||
|
http-request set-header X-Forwarded-Proto https
|
||||||
|
http-request set-header client-cert %{+Q}[ssl_c_der,base64]
|
||||||
|
|
||||||
|
{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
|
||||||
|
|
||||||
|
|
||||||
|
{{ acme_challenge(letsencrypt_server) }}
|
||||||
|
|
||||||
|
use_backend {{ site_name }}__default
|
||||||
|
{% endblock frontend %}
|
||||||
|
|
||||||
|
{% block backend %}
|
||||||
|
{{ output_backends(backends,
|
||||||
|
config=['option httpchk GET /status/healthy HTTP/1.1',
|
||||||
|
'http-check expect string STATUS_OK',
|
||||||
|
'http-check send-state',
|
||||||
|
'http-check disable-on-404',
|
||||||
|
],
|
||||||
|
)
|
||||||
|
}}
|
||||||
|
{% endblock backend %}
|
||||||
Loading…
Add table
Reference in a new issue