Consolidate configuration

Johan Wassberg 2025-05-14 12:23:40 +02:00
parent e6314d3f72
commit e5af02109f
Signed by: jocar
GPG key ID: BE4EC2EEADF2C31B
2 changed files with 42 additions and 136 deletions


@ -1,118 +1,29 @@
{% extends 'common/haproxy_base.j2' %}
# haproxy for SWAMIDs MDS load balancer nodes.
#
{% from "common/haproxy_macros.j2" import output_backends %}
{% block global %}
global
log stdout format raw local0 debug
daemon
maxconn 256
stats socket /haproxy_control/stats mode 660
#server-state-file /tmp/server_state
# whole container is started as non-root
#user haproxy
#group haproxy
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Mozilla Guideline v5.7 intermediate configuration
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# end Mozilla config
tune.ssl.default-dh-param 2048
spread-checks 20
{% endblock global %}
{% block defaults %}
defaults
log global
mode http
option httplog
option dontlognull
option redispatch
option forwardfor
# funny looking values because recommendation is to have these slightly
# above mulitples of three seconds to play nice with TCP resend timers
timeout check 5s
timeout connect 4s
timeout client 17s
timeout server 17s
timeout http-request 5s
# never fail on address resolution
default-server init-addr libc,none
balance roundrobin
{% endblock defaults %}
{% block stats %}
frontend LB-http
# expose stats info over HTTP to exabgp
bind 127.0.0.1:9000
http-request set-log-level silent
default_backend LB
backend LB
stats enable
#stats hide-version
stats uri /haproxy_stats
{% endblock stats %}
{% block global_backends %}
{% if letsencrypt_server is defined %}
backend letsencrypt_{{ letsencrypt_server }}
server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
{% else %}
# letsencrypt_backend not defined
{% endif %}
{% endblock global_backends %}
{% block https_everything %}
#
# Redirect _everything_ to HTTPS
frontend http-frontend
bind 0.0.0.0:80
bind :::80
redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { path_beg /md/ }
{% if letsencrypt_server is defined %}
use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
{% else %}
# letsencrypt_backend not defined
{% endif %}
use_backend {{ site_name }}__default
{% endblock https_everything %}
#
# Frontend section
#
{% block frontend %}
frontend {{ site_name }}
{{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
timeout http-request 10s
timeout http-keep-alive 4s
option forwardfor
http-request set-header X-Forwarded-Proto https
{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
{{ csp(["default-src " + [csp_app_src]|join(' '),
"script-src " + ["'self'", "'unsafe-inline'"]|join(' '),
"font-src " + ["'self'"]|join(' '),
"style-src " + ["'self'", "'unsafe-inline'"]|join(' '),
"img-src " + ["'self'"]|join(' '),
]) }}
{{ acme_challenge(letsencrypt_server) }}
{% block usebackend %}
use_backend {{ site_name }}__default
{% endblock usebackend %}
{% endblock frontend %}
#
# Backend section
#
{% block pre_backend %}
{% endblock pre_backend %}
{% block backend %}
{{ output_backends(backends, config=[]) }}
{% endblock backend %}
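Review bot: The plain-HTTP `frontend http-frontend` forwards the non-redirected `/md/` requests to `{{ site_name }}__default` without setting `X-Forwarded-Proto`, while only the TLS frontend sets it to `https`; a backend that uses that header to choose cookie flags or absolute URLs therefore sees whatever the client sent on port 80, which it can set itself. The rendered page does not preserve which side these lines are on, so this applies wherever the http-frontend survives in the new file; I would add `http-request set-header X-Forwarded-Proto http` right after `bind :::80` so the header is always owned by the proxy on both listeners. The reason `/md/` is exempt from the HTTPS redirect is not stated in this file, so a one-line comment above the `redirect scheme https` rule saying why plaintext access to `/md/` is intended would help the next maintainer not "fix" it. The CSP still carries `'unsafe-inline'` for both script-src and style-src, which largely neutralises the `block_xss` option requested two lines above; if that is unavoidable for the app, a comment saying so is worth adding.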

View file

@ -2,30 +2,25 @@
{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
{% block frontend %}
frontend {{ site_name }}
{{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
{# Exclude /md/ from the default redirect for non HTTPS traffic #}
{% block https_everything %}
#
# Redirect _everything_ to HTTPS
frontend http-frontend
bind 0.0.0.0:80
bind :::80
redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { path_beg /md/ }
{% if letsencrypt_server is defined %}
use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
{% else %}
# letsencrypt_backend not defined
{% endif %}
timeout http-request 10s
timeout http-keep-alive 4s
option forwardfor
http-request set-header X-Forwarded-Proto https
use_backend {{ site_name }}__default
{% endblock https_everything %}
{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
{{ csp(["default-src " + [csp_app_src]|join(' '),
"script-src " + ["'self'", "'unsafe-inline'"]|join(' '),
"font-src " + ["'self'"]|join(' '),
"style-src " + ["'self'", "'unsafe-inline'"]|join(' '),
"img-src " + ["'self'"]|join(' '),
]) }}
{{ acme_challenge(letsencrypt_server) }}
{% block usebackend %}
use_backend {{ site_name }}__qa if { path_beg /qa/ }
use_backend {{ site_name }}__default
{% endblock usebackend %}
{% endblock frontend %}
{% block usebackend %}
use_backend {{ site_name }}__qa if { path_beg /qa/ }
use_backend {{ site_name }}__default
{% endblock usebackend %}
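Review bot: `{% block usebackend %}` appears twice in this section with identical bodies, once inside `{% block frontend %}` and once after `{% endblock frontend %}`; if both are on the new side Jinja will reject the template with a duplicate-block error, and if one is the old position the page just prints a move, so please confirm only one definition remains. In print order the lines `timeout http-request 10s` through `http-request set-header X-Forwarded-Proto https` sit between `frontend http-frontend` and `{% endblock https_everything %}`; if they really land inside the plaintext frontend on the new side, every non-redirected `/md/` request would be forwarded labelled as `https`, so those four lines belong with `frontend {{ site_name }}` as in the other file. The `{# Exclude /md/ from the default redirect for non HTTPS traffic #}` comment is useful; it would be more useful placed directly above the `redirect scheme https` rule it explains.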