Consolidate configuration
This commit is contained in:
parent
e6314d3f72
commit
e5af02109f
2 changed files with 42 additions and 136 deletions
|
@ -1,118 +1,29 @@
|
||||||
|
{% extends 'common/haproxy_base.j2' %}
|
||||||
# haproxy for SWAMIDs MDS load balancer nodes.
|
# haproxy for SWAMIDs MDS load balancer nodes.
|
||||||
#
|
#
|
||||||
{% from "common/haproxy_macros.j2" import output_backends %}
|
{% from "common/haproxy_macros.j2" import output_backends %}
|
||||||
|
|
||||||
{% block global %}
|
|
||||||
global
|
|
||||||
log stdout format raw local0 debug
|
|
||||||
|
|
||||||
daemon
|
|
||||||
maxconn 256
|
|
||||||
stats socket /haproxy_control/stats mode 660
|
|
||||||
#server-state-file /tmp/server_state
|
|
||||||
|
|
||||||
# whole container is started as non-root
|
|
||||||
#user haproxy
|
|
||||||
#group haproxy
|
|
||||||
|
|
||||||
# Default SSL material locations
|
|
||||||
ca-base /etc/ssl/certs
|
|
||||||
crt-base /etc/ssl/private
|
|
||||||
|
|
||||||
# Mozilla Guideline v5.7 intermediate configuration
|
|
||||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
|
||||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
||||||
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
||||||
|
|
||||||
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
|
||||||
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
||||||
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
||||||
# end Mozilla config
|
|
||||||
|
|
||||||
tune.ssl.default-dh-param 2048
|
|
||||||
|
|
||||||
spread-checks 20
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
{% endblock global %}
|
|
||||||
|
|
||||||
|
|
||||||
{% block defaults %}
|
|
||||||
defaults
|
|
||||||
log global
|
|
||||||
mode http
|
|
||||||
option httplog
|
|
||||||
option dontlognull
|
|
||||||
option redispatch
|
|
||||||
option forwardfor
|
|
||||||
# funny looking values because recommendation is to have these slightly
|
|
||||||
# above mulitples of three seconds to play nice with TCP resend timers
|
|
||||||
timeout check 5s
|
|
||||||
timeout connect 4s
|
|
||||||
timeout client 17s
|
|
||||||
timeout server 17s
|
|
||||||
timeout http-request 5s
|
|
||||||
|
|
||||||
# never fail on address resolution
|
|
||||||
default-server init-addr libc,none
|
|
||||||
balance roundrobin
|
|
||||||
{% endblock defaults %}
|
|
||||||
|
|
||||||
{% block stats %}
|
|
||||||
frontend LB-http
|
|
||||||
# expose stats info over HTTP to exabgp
|
|
||||||
bind 127.0.0.1:9000
|
|
||||||
http-request set-log-level silent
|
|
||||||
default_backend LB
|
|
||||||
|
|
||||||
backend LB
|
|
||||||
stats enable
|
|
||||||
#stats hide-version
|
|
||||||
stats uri /haproxy_stats
|
|
||||||
{% endblock stats %}
|
|
||||||
|
|
||||||
|
|
||||||
{% block global_backends %}
|
|
||||||
{% if letsencrypt_server is defined %}
|
|
||||||
backend letsencrypt_{{ letsencrypt_server }}
|
|
||||||
server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
|
|
||||||
{% else %}
|
|
||||||
# letsencrypt_backend not defined
|
|
||||||
{% endif %}
|
|
||||||
{% endblock global_backends %}
|
|
||||||
|
|
||||||
|
|
||||||
{% block https_everything %}
|
|
||||||
#
|
|
||||||
# Redirect _everything_ to HTTPS
|
|
||||||
frontend http-frontend
|
|
||||||
bind 0.0.0.0:80
|
|
||||||
bind :::80
|
|
||||||
|
|
||||||
redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { path_beg /md/ }
|
|
||||||
{% if letsencrypt_server is defined %}
|
|
||||||
use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
|
|
||||||
{% else %}
|
|
||||||
# letsencrypt_backend not defined
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
use_backend {{ site_name }}__default
|
|
||||||
{% endblock https_everything %}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Frontend section
|
|
||||||
#
|
|
||||||
{% block frontend %}
|
{% block frontend %}
|
||||||
|
frontend {{ site_name }}
|
||||||
|
{{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
|
||||||
|
|
||||||
|
timeout http-request 10s
|
||||||
|
timeout http-keep-alive 4s
|
||||||
|
option forwardfor
|
||||||
|
http-request set-header X-Forwarded-Proto https
|
||||||
|
|
||||||
|
{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
|
||||||
|
|
||||||
|
{{ csp(["default-src " + [csp_app_src]|join(' '),
|
||||||
|
"script-src " + ["'self'", "'unsafe-inline'"]|join(' '),
|
||||||
|
"font-src " + ["'self'"]|join(' '),
|
||||||
|
"style-src " + ["'self'", "'unsafe-inline'"]|join(' '),
|
||||||
|
"img-src " + ["'self'"]|join(' '),
|
||||||
|
]) }}
|
||||||
|
|
||||||
|
{{ acme_challenge(letsencrypt_server) }}
|
||||||
|
|
||||||
|
{% block usebackend %}
|
||||||
|
use_backend {{ site_name }}__default
|
||||||
|
{% endblock usebackend %}
|
||||||
{% endblock frontend %}
|
{% endblock frontend %}
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Backend section
|
|
||||||
#
|
|
||||||
{% block pre_backend %}
|
|
||||||
{% endblock pre_backend %}
|
|
||||||
|
|
||||||
{% block backend %}
|
|
||||||
{{ output_backends(backends, config=[]) }}
|
|
||||||
{% endblock backend %}
|
|
||||||
|
|
|
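Review bot: The new `frontend` block calls `bind_ip_tls`, `web_security_options`, `csp` and `acme_challenge`, but this file's only visible import is `{% from "common/haproxy_macros.j2" import output_backends %}`, and `output_backends` is itself no longer used now that the `backend` block has been removed. Unless `common/haproxy_base.j2` exports those macros into the shared context (not visible here; the second file in this commit imports them explicitly on its own line 2), rendering will fail on an undefined name, so the import line should become `{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}`. Separately, the relocated CSP keeps `'unsafe-inline'` in `script-src`, which largely neutralises the policy's protection against injected scripts; if it cannot be dropped yet, a comment such as `{# TODO: remove 'unsafe-inline' from script-src once inline scripts are moved to files #}` records the debt next to the policy.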
@ -2,30 +2,25 @@
|
||||||
|
|
||||||
{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
|
{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
|
||||||
|
|
||||||
{% block frontend %}
|
{# Exclude /md/ from the default redirect for non HTTPS traffic #}
|
||||||
frontend {{ site_name }}
|
{% block https_everything %}
|
||||||
{{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
|
#
|
||||||
|
# Redirect _everything_ to HTTPS
|
||||||
|
frontend http-frontend
|
||||||
|
bind 0.0.0.0:80
|
||||||
|
bind :::80
|
||||||
|
|
||||||
|
redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { path_beg /md/ }
|
||||||
|
{% if letsencrypt_server is defined %}
|
||||||
|
use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
|
||||||
|
{% else %}
|
||||||
|
# letsencrypt_backend not defined
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
timeout http-request 10s
|
use_backend {{ site_name }}__default
|
||||||
timeout http-keep-alive 4s
|
{% endblock https_everything %}
|
||||||
option forwardfor
|
|
||||||
http-request set-header X-Forwarded-Proto https
|
|
||||||
|
|
||||||
{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
|
{% block usebackend %}
|
||||||
|
use_backend {{ site_name }}__qa if { path_beg /qa/ }
|
||||||
{{ csp(["default-src " + [csp_app_src]|join(' '),
|
use_backend {{ site_name }}__default
|
||||||
"script-src " + ["'self'", "'unsafe-inline'"]|join(' '),
|
{% endblock usebackend %}
|
||||||
"font-src " + ["'self'"]|join(' '),
|
|
||||||
"style-src " + ["'self'", "'unsafe-inline'"]|join(' '),
|
|
||||||
"img-src " + ["'self'"]|join(' '),
|
|
||||||
]) }}
|
|
||||||
|
|
||||||
{{ acme_challenge(letsencrypt_server) }}
|
|
||||||
|
|
||||||
{% block usebackend %}
|
|
||||||
use_backend {{ site_name }}__qa if { path_beg /qa/ }
|
|
||||||
use_backend {{ site_name }}__default
|
|
||||||
{% endblock usebackend %}
|
|
||||||
|
|
||||||
{% endblock frontend %}
|
|
||||||
|
|
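Review bot: The rebuilt `http-frontend` lets any request whose raw path starts with `/md/` skip the HTTPS redirect and reach `{{ site_name }}__default` over cleartext, and `path_beg` matches the path exactly as sent, so a dot-segment path under `/md/` would also stay on HTTP if the backend resolves it to somewhere else. Where the HAProxy version allows it (2.4 and later), add `http-request normalize-uri path-merge-slashes,path-strip-dotdot` ahead of the `redirect scheme https` line so the exclusion is evaluated on a normalised path. The block duplicates the base template's redirect frontend to change one ACL; a Jinja comment stating that the `! { path_beg /md/ }` clause is the only intended difference would help the next edit keep the two copies in sync. Minor: `# letsencrypt_backend not defined` names a variable that does not appear here; `# letsencrypt_server not defined` matches the condition it sits under. The file's line 1 is outside the hunk.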