added configs etc for new test LBs

2025-04-09 17:43:07 +02:00 · 2025-04-09 17:43:07 +02:00 · d10def05f8
commit d10def05f8
parent 6b47ef7a7b
12 changed files with 422 additions and 0 deletions
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -1385,6 +1385,12 @@ eumdsigner-test-sto3-1.komreg.net:
   eid::de_client:
      path: '/var/cache/metadata_r1.komreg.net'

+'^lb-test-.+-\d+\.komreg\.net$':
+   sunet::dockerhost2:
+   sunet::lb::load_balancer:
+      interface: 'ens3'
+   sunet::fleetlock_client:
+
 log-test-sto3-1.komreg.net:
   autoupdate:
   sunet::dockerhost2:
--- a/lb-test-common/overlay/etc/hiera/data/group.yaml
+++ b/lb-test-common/overlay/etc/hiera/data/group.yaml
@ -0,0 +1,49 @@
+---
+sunet_frontend:
+
+  load_balancer:
+    api_imagetag: 'stable'
+    exabgp_imagetag: 'stable'
+
+    peers:
+      se-tug-rs-2.sunet.se:
+        as: '65434'
+        remote_ip: '192.36.171.71'
+      se-tug-rs-2.sunet.se_v6:
+        as: '65434'
+        remote_ip: '2001:6b0:8:7::71'
+      se-sthb-rs-1.sunet.se:
+        as: '65434'
+        remote_ip: '192.36.171.130'
+      se-sthb-rs-1.sunet.se_v6:
+        as: '65434'
+        remote_ip: '2001:6b0:8:1::130'
+
+
+    websites:
+      'connectortst':
+        site_name: 'test.connector.eidas.swedenconnect.se'
+        frontends:
+          'lb-test-tug-1.komreg.net':
+            ips: ['94.176.226.128', '2001:6b0:65:2::128']
+          'lb-test-sthb-1.komreg.net':
+            ips: ['94.176.226.129', '2001:6b0:65:2::129']
+        backends:
+          default:
+            'connector-test-sto3-1.komreg.net':
+              ips: ['89.45.236.201']
+              server_args: 'ssl verify required ca-file /etc/ssl/certs/infra.crt cookie ect1'
+            'connector-test-sto3-2.komreg.net':
+              ips: ['89.45.237.40']
+              server_args: 'ssl verify required ca-file /etc/ssl/certs/infra.crt cookie ect1'
+            'connector-test-sto3-3.komreg.net':
+              ips: ['89.45.237.212']
+              server_args: 'ssl verify required ca-file /etc/ssl/certs/infra.crt cookie ect1'
+        allow_ports:
+          - 80
+          - 443
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+        haproxy_volumes:
+          - "/etc/ssl/certs/infra.crt:/etc/ssl/certs/infra.crt:ro"
--- a/lb-test-common/overlay/opt/frontend/config/common/haproxy_base.j2
+++ b/lb-test-common/overlay/opt/frontend/config/common/haproxy_base.j2
@ -0,0 +1,116 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+    log stdout  format raw  local0  debug
+
+    daemon
+    maxconn 256
+    stats socket /haproxy_control/stats mode 660
+    #server-state-file /tmp/server_state
+
+    # whole container is started as non-root
+    #user haproxy
+    #group haproxy
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Mozilla Guideline v5.7 intermediate configuration
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    # end Mozilla config
+
+    tune.ssl.default-dh-param 2048
+
+    spread-checks 20
+
+
+
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    option redispatch
+    option forwardfor
+    # funny looking values because recommendation is to have these slightly
+    # above mulitples of three seconds to play nice with TCP resend timers
+    timeout check 5s
+    timeout connect 4s
+    timeout client 17s
+    timeout server 17s
+    timeout http-request 5s
+
+    # never fail on address resolution
+    default-server init-addr libc,none
+    balance roundrobin
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+    # expose stats info over HTTP to exabgp
+    bind 127.0.0.1:9000
+    http-request set-log-level silent
+    default_backend LB
+
+backend LB
+    stats enable
+    #stats hide-version
+    stats uri /haproxy_stats
+{% endblock stats %}
+
+
+{% block global_backends %}
+{% if letsencrypt_server is defined %}
+backend letsencrypt_{{ letsencrypt_server }}
+  server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
+{% else %}
+# letsencrypt_backend not defined
+{% endif %}
+{% endblock global_backends %}
+
+
+{% block https_everything %}
+#
+# Redirect _everything_ to HTTPS
+frontend http-frontend
+    bind 0.0.0.0:80
+    bind :::80
+
+    redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ }
+{% if letsencrypt_server is defined %}
+    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{% else %}
+    # letsencrypt_backend not defined
+{% endif %}
+{% endblock https_everything %}
+
+#
+# Frontend section
+#
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{{ output_backends(backends, config=['cookie SERVERID insert indirect nocache']) }}
+{% endblock backend %}
--- a/lb-test-common/overlay/opt/frontend/config/common/haproxy_macros.j2
+++ b/lb-test-common/overlay/opt/frontend/config/common/haproxy_macros.j2
@ -0,0 +1,83 @@
+#
+# Macros
+#
+
+{%- macro bind_ip_tls(bind_ips, port, tls_cert) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}
+{%- endfor %}
+{%- endmacro %}
+
+{%- macro bind_ip_tcp(bind_ips, port) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }}
+{%- endfor %}
+{%- endmacro %}
+
+
+{%- macro web_security_options(list) -%}
+{%- for this in list %}
+{%- if this == 'no_frames' %}
+    # Do not allow rendering the site within an frame, which prevents clickjacking.
+    http-response set-header X-Frame-Options "DENY"
+
+{% endif %}
+{%- if this == 'block_xss' %}
+    # Enable browser supplied XSS-protection, even if has been turned off.
+    # If XSS is detected by the browser, block it instead of trying to sanitize it.
+    http-response set-header X-XSS-Protection "1; mode=block"
+
+{% endif %}
+{%- if this == 'hsts' %}
+    # 20 years in seconds is 630720000 (86400 * 365 * 20)
+    http-response set-header Strict-Transport-Security "max-age=630720000"
+
+{% endif %}
+{%- if this == 'no_sniff' %}
+    # Prevent MIME-confusion attacks that can lead to e.g. XSS
+    http-response set-header X-Content-Type-Options "nosniff"
+
+{% endif %}
+{%- if this == 'no_cache' %}
+    # The information is intended for a single user and must not
+    # be cached by a shared cache and should always be revalidated.
+    http-response set-header Cache-Control "no-cache, no-store, must-revalidate"
+    http-response set-header Pragma "no-cache"
+    http-response set-header Expires "0"
+
+{% endif %}
+{%- endfor %}
+{%- endmacro %}
+
+
+{%- macro acme_challenge(letsencrypt_server) -%}
+{%- if letsencrypt_server is defined %}
+    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{%- else %}
+    # No letsencrypt_server specified
+{%- endif %}
+{%- endmacro %}
+
+{%- macro csp(data) -%}
+    # Content Security Policy
+    http-response set-header Content-Security-Policy "{{ data|join('; ') }}"
+{%- endmacro %}
+
+{%- macro output_backends(backends, config=[], server_args='') -%}
+{% if backends is defined %}
+{%- for this in backends %}
+backend {{ this.name }}
+  {{ config|join('\n  ') }}
+  {%- for server in this.servers %}
+  {%- if server.server_args is defined %}
+  {%-   set server_args = server.server_args %}
+  {%- endif %}
+  {% if server is defined %}
+  server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:{{ server.port }} {{ server_args }}
+  {%- endif %}
+  {%- endfor %}
+{%- endfor %}
+{% else %}
+# No backends found in context
+{% endif %}
+{%- endmacro %}
--- a/lb-test-common/overlay/opt/frontend/config/connectortst/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/connectortst/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/lb-test-common/overlay/opt/frontend/config/demwtest/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/demwtest/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/lb-test-common/overlay/opt/frontend/config/idmtest/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/idmtest/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/lb-test-common/overlay/opt/frontend/config/mdeidastest/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/mdeidastest/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/lb-test-common/overlay/opt/frontend/config/mdtest/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/mdtest/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/lb-test-common/overlay/opt/frontend/config/proxytest/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/proxytest/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/lb-test-common/overlay/opt/frontend/config/testtest/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/testtest/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__refidp if { path_beg /idp/ }
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
--- a/lb-test-common/overlay/opt/frontend/config/validatortst/haproxy.j2
+++ b/lb-test-common/overlay/opt/frontend/config/validatortst/haproxy.j2
@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+