First commit

roles/haproxy/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart haproxy
+  service:
+    name: haproxy
+    state: restarted

roles/haproxy/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: install haproxy package
+  package:
+    name: haproxy
+    state: present
+
+- name: haproxy config
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+  notify:
+    - restart haproxy

roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,97 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	# An alternative list with additional directives can be obtained from
+	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+defaults
+	log	global
+	option	httplog
+	option	dontlognull
+	timeout connect 5000
+	timeout client  50000
+	timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend http
+	mode http
+	bind *:80 name frontend-http
+	tcp-request inspect-delay 3s
+	acl letsencrypt path_beg /.well-known/acme-challenge
+	redirect scheme https code 301 if !letsencrypt
+{% for server in groups['webservers'] %}
+{% for hostname in hostvars[server]['web_hostname'] %}
+	## {{ hostname }} configuration
+	acl host_{{ hostname }} hdr(host) -i {{ hostname }}
+	use_backend http_{{ server }} if letsencrypt host_{{ hostname }}
+	
+{% endfor %}
+{% endfor %}
+	use_backend http_default
+
+frontend https
+	mode tcp
+	option tcplog
+	bind *:443 name frontend-https
+	tcp-request inspect-delay 3s
+	tcp-request content accept if { req.ssl_hello_type 1 }
+{% for server in groups['webservers'] %}
+{% for hostname in hostvars[server]['web_hostname'] %}
+	## {{ hostname }} configuration
+	acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
+	use_backend https_{{ server }} if host_{{ hostname }}
+{% endfor %}
+{% endfor %}
+	use_backend https_default
+
+
+{% for server in groups['webservers'] %}
+## {{ server }} configuration
+backend http_{{ server }}
+	mode http
+	server host_{{ server }} {{ server }}:80
+
+backend https_{{ server }}
+	mode tcp
+	server host_{{ server }} {{ server }}:443
+
+{% endfor %}
+
+backend http_default
+	mode http
+	server host_n0box2	{{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:80
+
+backend https_default
+	mode tcp
+	server host_n0box2	{{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:443
+
+## Stats
+listen stats
+	bind *:8080
+	mode http
+	log global
+	stats enable
+	stats uri /
+	stats hide-version