moving bankidp.qa.swamid.se to new LBs
parent
cac3c36c8e
commit
fbf62ab7a4
2 changed files with 53 additions and 0 deletions
|
@ -795,3 +795,28 @@ sunet_frontend:
|
||||||
letsencrypt_server: 'acme-c.sunet.se'
|
letsencrypt_server: 'acme-c.sunet.se'
|
||||||
haproxy_imagetag: '20230228-stable'
|
haproxy_imagetag: '20230228-stable'
|
||||||
frontendtools_imagetag: '20230228'
|
frontendtools_imagetag: '20230228'
|
||||||
|
|
||||||
|
'bankidpqa':
|
||||||
|
haproxy_volumes:
|
||||||
|
- "/etc/ssl/certs/infra.crt:/etc/ssl/certs/infra.crt:ro"
|
||||||
|
- "/opt/frontend/config/ssl/infra_haproxy.crt:/opt/frontend/config/ssl/infra_haproxy.crt:ro"
|
||||||
|
site_name: 'bankidp.qa.swamid.se'
|
||||||
|
frontends:
|
||||||
|
'tug-lb-1.sunet.se':
|
||||||
|
ips: ['37.156.192.84', '2001:6b0:60:c0::84']
|
||||||
|
'sthb-lb-1.sunet.se':
|
||||||
|
ips: ['37.156.192.85', '2001:6b0:60:c0::85']
|
||||||
|
backends:
|
||||||
|
default:
|
||||||
|
'bankid-idp-app1.qa.swamid.se':
|
||||||
|
ips: ['89.46.21.115']
|
||||||
|
server_args: 'ssl alpn h2 crt /opt/frontend/config/ssl/infra_haproxy.crt verify required ca-file /etc/ssl/certs/infra.crt check check-alpn http/1.1'
|
||||||
|
'bankid-idp-app2.qa.swamid.se':
|
||||||
|
ips: ['89.45.236.159']
|
||||||
|
server_args: 'ssl alpn h2 crt /opt/frontend/config/ssl/infra_haproxy.crt verify required ca-file /etc/ssl/certs/infra.crt check check-alpn http/1.1'
|
||||||
|
allow_ports:
|
||||||
|
- 443
|
||||||
|
- 80
|
||||||
|
letsencrypt_server: 'acme-c.sunet.se'
|
||||||
|
haproxy_imagetag: '20230228-stable'
|
||||||
|
frontendtools_imagetag: '20230228'
|
||||||
|
|
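Review bot: Both new `server_args` values use `verify required ca-file /etc/ssl/certs/infra.crt` without `verifyhost` or `sni`, so HAProxy checks only that the backend certificate chains to that CA, not that it names the backend. Any certificate issued under the same CA would be accepted for either server unless the shared template, which is not visible here, adds a hostname check. Consider pinning the name per server, e.g. `verify required verifyhost bankid-idp-app1.qa.swamid.se ca-file /etc/ssl/certs/infra.crt`, and the matching name for app2. A short comment above `allow_ports` saying why plain port 80 is opened would also help the next reader (presumably for the ACME challenge).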
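--- /dev/null
+++ b/lb-common/overlay/opt/frontend/config/bankidpqa/haproxy.j2
@@ -0,0 +1,28 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+{{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+timeout http-request 10s
+timeout http-keep-alive 4s
+option forwardfor
+http-request set-header X-Forwarded-Proto https
+http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+{{ acme_challenge(letsencrypt_server) }}
+
+use_backend {{ site_name }}__default
+{% endblock frontend %}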
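Review bot: The `client-cert` header set in the frontend block forwards whatever certificate the client presented, whether or not it verified, because the bind line passes `verify optional crt-ignore-err all`. With that option an expired, self-signed or untrusted leaf certificate still completes the handshake, so the backend receives no signal about the proxy's verification result. If the backend is meant to do all chain validation itself, say so in a comment above the bind call. Otherwise forward the result alongside the certificate, e.g. `http-request set-header client-cert-verify %[ssl_c_verify]` (header name illustrative), so the application can reject a non-zero value. Separately, `bind_ip_tls` and `csp` are imported from `common/haproxy_macros.j2` but not used in this template.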