From 2d906bc42318e3ef4b2ed53542dfb9a329f4aafe Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 16 May 2020 20:28:07 +0200
Subject: [PATCH] Initial commit

---
 tasks/main.yml | 12 +++++++
 templates/haproxy.conf.j2 | 66 +++++++++++++++++++++++++++++++++++++++
 vars/main.yml | 4 +++
 3 files changed, 82 insertions(+)
 create mode 100644 tasks/main.yml
 create mode 100644 templates/haproxy.conf.j2
 create mode 100644 vars/main.yml

diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..a870ce9
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: Copy HAProxy files
+  loop:
+    - { src: 'haproxy.conf.j2', dest: '/etc/haproxy/haproxy.cfg' }
+  template:
+    follow: yes
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  notify: Run service actions
+  tags:
+    - update
+    - haproxy
+    - configs
diff --git a/templates/haproxy.conf.j2 b/templates/haproxy.conf.j2
new file mode 100644
index 0000000..8a0d54a
--- /dev/null
+++ b/templates/haproxy.conf.j2
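Review bot: The template task writes the rendered config straight to /etc/haproxy/haproxy.cfg with no `validate`, so a rendering mistake in haproxy.conf.j2 lands in the live file and the notified reload then fails against a broken config; `validate: haproxy -c -f %s` under `template:` checks the rendered file before it replaces the current one. The task also leaves `owner`/`group`/`mode` unset, so the permissions of a file that describes every backend and health check depend on the umask of the Ansible run rather than being stated — an explicit `mode` is worth adding. `follow: yes` writes through an existing symlink at dest; harmless here, but a short comment on why it is enabled would help the next reader. `notify: Run service actions` names a handler this commit does not add; presumably it is shared elsewhere, but the play fails if it cannot be resolved.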
@@ -0,0 +1,66 @@
+global
+    maxconn 2048
+    maxconnrate 40
+    unix-bind prefix /run/haproxy user nobody group nogroup
+
+defaults
+    mode http
+    retries 1
+    option forwardfor
+    option http-keep-alive
+    option tcp-smart-connect
+    option tcpka
+    option http-buffer-request
+    balance roundrobin
+    compression algo gzip
+    timeout http-request 10s
+    timeout connect 10s
+    timeout client 60s
+    timeout server 240s
+    timeout http-keep-alive 240s
+    default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check
+
+resolvers local
+    nameserver unbound 127.0.0.1:53
+    resolve_retries 2
+    timeout retry 300ms
+    hold other 100ms
+    hold refused 100ms
+    hold nx 100ms
+    hold timeout 3s
+    hold valid 5s
+{% for entry in services.haproxy.ports.tcp %}
+
+listen {{ entry.group }}
+    mode tcp
+    bind ipv4@*:{{ entry.expose }},ipv6@*:{{ entry.expose }}
+    option tcp-check
+{% for host in groups[entry.group] %}
+    server {{ entry.group }}-{{ loop.index0 }} {{ hostvars[host]['ansible_ens10']['ipv4']['address'] }}:{{ entry.proxy }} {% if loop.index0 != 0 %}backup{% endif %}
+
+{% endfor %}
+{% endfor %}
+
+frontend http
+    mode http
+    bind /haproxy.sock mode 660
+
+    acl root url /
+
+{% for domains in services.haproxy.public %}
+    use_backend backend-{{ domains.service }} if { hdr_beg(host) -i {{ domains.domain }} }
+{% endfor %}
+
+    http-response add-header X-Forwarded-Proto https
+    http-response set-header X-XSS-Protection 1;\ mode=block
+    http-response set-header X-Content-Type-Options nosniff
+    http-response set-header Referrer-Policy no-referrer-when-downgrade
+    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+{% for domains in services.haproxy.public %}
+
+backend backend-{{ domains.service }}
+    server-template {{ domains.service }} 1 _{{ domains.service }}._tcp.redxen.localhost
+{% if domains.httpchk %}
+    option httpchk HEAD / HTTP/1.1\r\nHost:\ {{ domains.domain }}.redxen.eu
+{% endif %}
+{% endfor %}
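Review bot: The routing rule `use_backend backend-{{ domains.service }} if { hdr_beg(host) -i {{ domains.domain }} }` matches the Host header by prefix, so any hostname that merely starts with the configured label reaches that backend (a label `git` would also match a `gitlab.…` host), and which backend wins then depends on rule order rather than on the name; the httpchk line further down shows the intended full name is `{{ domains.domain }}.redxen.eu`, so an exact match `if { hdr(host) -i {{ domains.domain }}.redxen.eu }` pins the routing to the host that was actually requested. `http-response add-header X-Forwarded-Proto https` attaches the header to the response sent back to the client; if the intent is to tell backends the original scheme, it belongs on the request side as `http-request set-header X-Forwarded-Proto https`. `{% if domains.httpchk %}` will presumably abort rendering for an entry that omits the key, so `{% if domains.httpchk | default(false) %}` keeps the field optional. `acl root url /` is declared but never referenced and can be dropped, and the interface name in `hostvars[host]['ansible_ens10']` is hard-coded, which ties every TCP backend host to that exact NIC name.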
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..80fea28
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,4 @@
+apt_packages:
+  - { package: "haproxy", state: present }
+systemd:
+  - { name: "haproxy", enabled: true, action: reloaded, daemon_reload: true}
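Review bot: vars/main.yml is loaded at role-vars precedence, which overrides inventory group_vars and host_vars, so a consumer of this role cannot change the package list or the `action: reloaded` service behaviour without editing the role itself; `defaults/main.yml` is the conventional home for values meant to be tunable. If the two lists are intentionally fixed, a one-line comment at the top saying so would save the next reader from moving them.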