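global
    # Process-wide ceiling on concurrent connections and on the accept rate
    # (connections per second).
    maxconn 2048
    maxconnrate 40
    # Defaults for UNIX sockets declared with "bind": paths are resolved under
    # the socket root and the sockets are created with this owner and group.
    unix-bind prefix {{ haproxy.socketroot }} user {{ haproxy.user }} group {{ haproxy.group }}
    # Runtime API socket. "level admin" lets any client that can open the socket
    # change server state and weights and terminate sessions, so filesystem
    # permissions are the only access control. The previous "mode 666" exposed
    # that to every local account; the socket is now limited to owner and group,
    # matching the "mode 660" used by the HTTP frontend socket. Tooling that
    # talks to this socket must run as that user or belong to that group.
    stats socket {{ haproxy.socketroot }}/haproxy-stats.sock mode 660 user {{ haproxy.user }} group {{ haproxy.group }} level admin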
defaults
    # Settings inherited by every proxy section that does not override them.
    mode http
    # A failed connection attempt to a server is retried once.
    retries 1
    # Append the client address to X-Forwarded-For on requests sent to servers.
    # NOTE(review): a client-supplied X-Forwarded-For value is kept in front of
    # the appended one, so backends should trust only the last entry - confirm.
    option forwardfor
    option http-keep-alive
    option tcp-smart-connect
    option tcpka
    balance roundrobin
    # NOTE(review): no "compression type" is set here, so compression is not
    # limited by content type. Compressing responses that mix secrets with
    # request-influenced content enables length side channels (BREACH class);
    # confirm this is acceptable for the published services.
    compression algo gzip

    # Timeouts. "http-request" bounds how long a client may take to deliver a
    # complete request, which limits slow-header connection exhaustion.
    timeout http-request 10s
    timeout connect 10s
    timeout client 60s
    timeout server 240s
    timeout http-keep-alive 240s

    # Every server resolves its address through the "local" resolvers section,
    # may start without an address when libc resolution fails (init-addr
    # libc,none), and is health-checked.
    default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check

    # Static responses returned for errors generated by HAProxy itself.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
resolvers local
    # Single upstream: the resolver listening on loopback port 53.
    nameserver unbound 127.0.0.1:53
    # A query is retried twice, 300ms apart, before it counts as failed.
    resolve_retries 2
    timeout retry 300ms
    # How long each kind of answer is kept before the name is queried again.
    # Error answers are held briefly; valid answers for 5s.
    hold other 100ms
    hold refused 100ms
    hold nx 100ms
    hold timeout 3s
    hold valid 5s
# One TCP pass-through listener per entry of the haproxy.ports.tcp list. The
# exposed port is bound on all IPv4 and IPv6 addresses and traffic is sent to
# the hosts of the inventory group named by the entry.
{% for entry in haproxy.ports.tcp %}
listen {{ entry.group }}
    mode tcp
    bind ipv4@*:{{ entry.expose }},ipv6@*:{{ entry.expose }}
    option tcp-check
    # The first host of the group is the active server; every later host is
    # marked "backup". Addresses come from the ens10 interface facts.
{% for host in groups[entry.group] %}
    server {{ entry.group }}-{{ loop.index0 }} {{ hostvars[host]['ansible_ens10']['ipv4']['address'] }}:{{ entry.proxy }} {% if not loop.first %}backup{% endif %}

{% endfor %}
{% endfor %}
frontend http
    mode http
    # Listens on a UNIX socket (owner and group come from "unix-bind" in the
    # global section), readable and writable by owner and group only.
    # NOTE(review): this bind carries no TLS keywords, so TLS is presumably
    # terminated before traffic reaches this socket - confirm.
    bind /haproxy.sock mode 660 alpn h2,http/1.1

    acl root url /

    # Host-based routing: one rule per published service. The "root" entry
    # matches the bare domain exactly; every other entry matches by prefix.
    # NOTE(review): hdr_beg is a prefix match with no trailing dot, so when one
    # configured name is a prefix of another (constructed example: "app" and
    # "app2") the first matching rule wins - confirm ordering or match the full
    # host name.
{% for domains in haproxy.public %}
    use_backend backend-{{ domains.service }} if {% if domains.domain == "root" %}{ hdr(host) -i redxen.eu }{% else %}{ hdr_beg(host) -i {{ domains.domain }} }{% endif %}

{% endfor %}

    # Prefix redirects; the status code defaults to 302 and the condition is
    # optional.
{% for pfred in haproxy.redirect.prefix %}
    redirect prefix {{ pfred.pfx }} code {{ pfred.code|default("302") }} {% if pfred.acl|default() %} if {{ pfred.acl }}{% endif %}

{% endfor %}

    # NOTE(review): X-Forwarded-Proto is normally a request header consumed by
    # backends; here it is added to responses. If backends rely on it, it would
    # need to be set on the request side, overwriting any client-supplied
    # value - confirm intent.
    http-response add-header X-Forwarded-Proto https
    # Browser hardening headers applied to every response.
    http-response set-header X-XSS-Protection 1;\ mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # HSTS for one year, covering all subdomains, with the preload flag.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
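# One backend per published service. Servers are discovered from the SRV record
# of the service; resolution uses the "local" resolvers section through the
# default-server line in the defaults section.
{% for domains in haproxy.public %}
backend backend-{{ domains.service }}
    server-template {{ domains.service }} {{ domains.count }} _{{ domains.service }}._tcp.redxen.localhost
{% if domains.httpchk %}
    # HTTP health check with the Host header the service is published under.
    # The frontend treats the "root" entry as the bare domain, so the check
    # sends the bare domain for it as well instead of a "root." subdomain.
    option httpchk HEAD / HTTP/1.1\r\nHost:\ {% if domains.domain != "root" %}{{ domains.domain }}.{% endif %}redxen.eu
{% endif %}
{% endfor %}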