From e5af02109fede5eacd40a44fe310d9d7e1d72acc Mon Sep 17 00:00:00 2001
From: Johan Wassberg
Date: Wed, 14 May 2025 12:23:40 +0200
Subject: [PATCH] Consolidate configuration
---
 .../config/common/haproxy_swamid_mds.j2 | 135 +++---------------
 .../opt/frontend/config/swamidmds/haproxy.j2 | 43 +++---
 2 files changed, 42 insertions(+), 136 deletions(-)
diff --git a/lb-common/overlay/opt/frontend/config/common/haproxy_swamid_mds.j2 b/lb-common/overlay/opt/frontend/config/common/haproxy_swamid_mds.j2
index ad2c87b..5f45d84 100644
--- a/lb-common/overlay/opt/frontend/config/common/haproxy_swamid_mds.j2
+++ b/lb-common/overlay/opt/frontend/config/common/haproxy_swamid_mds.j2
@@ -1,118 +1,29 @@ +{% extends 'common/haproxy_base.j2' %} # haproxy for SWAMIDs MDS load balancer nodes. # {% from "common/haproxy_macros.j2" import output_backends %} -{% block global %} -global - log stdout format raw local0 debug - - daemon - maxconn 256 - stats socket /haproxy_control/stats mode 660 - #server-state-file /tmp/server_state - - # whole container is started as non-root - #user haproxy - #group haproxy - - # Default SSL material locations - ca-base /etc/ssl/certs - crt-base /etc/ssl/private - - # Mozilla Guideline v5.7 intermediate configuration - ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 - ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - - ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 - ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - # end Mozilla config - - tune.ssl.default-dh-param 2048 - - spread-checks 20 - - - -{% endblock global %} - - -{% block defaults %} -defaults - log global - mode http - option httplog - option dontlognull - option redispatch - option forwardfor - # funny looking values because recommendation is to have these slightly - # above mulitples of three seconds to play nice with TCP resend timers - timeout check 5s - timeout connect 4s - timeout client 17s - timeout server 17s - timeout 
http-request 5s - - # never fail on address resolution - default-server init-addr libc,none - balance roundrobin -{% endblock defaults %} - -{% block stats %} -frontend LB-http - # expose stats info over HTTP to exabgp - bind 127.0.0.1:9000 - http-request set-log-level silent - default_backend LB - -backend LB - stats enable - #stats hide-version - stats uri /haproxy_stats -{% endblock stats %} - - -{% block global_backends %} -{% if letsencrypt_server is defined %} -backend letsencrypt_{{ letsencrypt_server }} - server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80 -{% else %} -# letsencrypt_backend not defined -{% endif %} -{% endblock global_backends %} - - -{% block https_everything %} -# -# Redirect _everything_ to HTTPS -frontend http-frontend - bind 0.0.0.0:80 - bind :::80 - - redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { path_beg /md/ } -{% if letsencrypt_server is defined %} - use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ } -{% else %} - # letsencrypt_backend not defined -{% endif %} - - use_backend {{ site_name }}__default -{% endblock https_everything %} - -# -# Frontend section -# {% block frontend %} +frontend {{ site_name }} + {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} + + timeout http-request 10s + timeout http-keep-alive 4s + option forwardfor + http-request set-header X-Forwarded-Proto https + + {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} + + {{ csp(["default-src " + [csp_app_src]|join(' '), + "script-src " + ["'self'", "'unsafe-inline'"]|join(' '), + "font-src " + ["'self'"]|join(' '), + "style-src " + ["'self'", "'unsafe-inline'"]|join(' '), + "img-src " + ["'self'"]|join(' '), + ]) }} + + {{ acme_challenge(letsencrypt_server) }} + + {% block usebackend %} + use_backend {{ site_name }}__default + {% endblock usebackend %} {% endblock frontend %} - - -# -# Backend section -# -{% 
block pre_backend %}
-{% endblock pre_backend %}
-
-{% block backend %}
-{{ output_backends(backends, config=[]) }}
-{% endblock backend %}
diff --git a/lb-common/overlay/opt/frontend/config/swamidmds/haproxy.j2 b/lb-common/overlay/opt/frontend/config/swamidmds/haproxy.j2
index 7b6ecf5..863fc8b 100644
--- a/lb-common/overlay/opt/frontend/config/swamidmds/haproxy.j2
+++ b/lb-common/overlay/opt/frontend/config/swamidmds/haproxy.j2
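Review bot: The new `frontend` block calls `bind_ip_tls`, `web_security_options`, `csp` and `acme_challenge`, but the only macro this file imports from haproxy_macros.j2 is `output_backends`; rendering presumably succeeds only because the child `swamidmds/haproxy.j2` imports those four names into the shared context, so any other site template that extends this file without that import line would fail on an undefined name. Make the file self-contained with `{% from "common/haproxy_macros.j2" import output_backends, bind_ip_tls, web_security_options, acme_challenge, csp %}`. The TLS hardening dropped from the old `global` block (the Mozilla cipher lists, `no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets`, `tune.ssl.default-dh-param 2048`) and the old `defaults` (`timeout http-request 5s`, `default-server init-addr libc,none`) must now come from `haproxy_base.j2`, which is not in this patch, so confirm the base carries equivalent settings; the frontend's own `timeout http-request 10s` is the only timeout still visible here. `{{ acme_challenge(letsencrypt_server) }}` is also called without the `is defined` guard the removed `https_everything` block used, so behaviour when `letsencrypt_server` is unset depends on the macro and on the environment's Undefined policy, which cannot be judged from this diff.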
@@ -2,30 +2,25 @@ {% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %} -{% block frontend %} -frontend {{ site_name }} - {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }} +{# Exclude /md/ from the default redirect for non HTTPS traffic #} +{% block https_everything %} +# +# Redirect _everything_ to HTTPS +frontend http-frontend + bind 0.0.0.0:80 + bind :::80 + redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { path_beg /md/ } +{% if letsencrypt_server is defined %} + use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ } +{% else %} + # letsencrypt_backend not defined +{% endif %} - timeout http-request 10s - timeout http-keep-alive 4s - option forwardfor - http-request set-header X-Forwarded-Proto https + use_backend {{ site_name }}__default +{% endblock https_everything %} - {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }} - - {{ csp(["default-src " + [csp_app_src]|join(' '), - "script-src " + ["'self'", "'unsafe-inline'"]|join(' '), - "font-src " + ["'self'"]|join(' '), - "style-src " + ["'self'", "'unsafe-inline'"]|join(' '), - "img-src " + ["'self'"]|join(' '), - ]) }} - - {{ acme_challenge(letsencrypt_server) }} - - {% block usebackend %} - use_backend {{ site_name }}__qa if { path_beg /qa/ } - use_backend {{ site_name }}__default - {% endblock usebackend %} - -{% endblock frontend %} +{% block usebackend %} + use_backend {{ site_name }}__qa if { path_beg /qa/ } + use_backend {{ site_name }}__default +{% endblock usebackend %}
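Review bot: The plaintext `http-frontend` in the new `https_everything` block neither sets nor strips `X-Forwarded-Proto` before routing the non-redirected `/md/` requests to `{{ site_name }}__default`, while the TLS frontend in the parent template forces `X-Forwarded-Proto https`; if the backend derives the request scheme from that header it will see whatever arrived on port 80, so add `http-request set-header X-Forwarded-Proto http` after the `bind :::80` line. The `{# Exclude /md/ ... #}` comment undersells what the block does: it replaces the parent's whole `https_everything` (listener, ACME routing and default backend), not just the redirect condition, and does not say why `/md/` must stay reachable over plain HTTP; expand it to something like `{# Overrides the base https_everything block in full: /md/ is intentionally served over plain HTTP (<reason>), everything else is redirected to HTTPS #}` with the reason filled in by the author. The trailing `usebackend` block now sits at top level of this file with nothing indicating it lands inside the parent's TLS `frontend`, so a one-line `{# Overrides the usebackend block inside the parent's TLS frontend #}` above it would help readers.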