slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
ansible/roles/haproxy/templates/haproxy.cfg.j2
VC 57ccf013c4 : add authorized ip
2025-05-01 11:39:39 +02:00

115 lines
3.5 KiB
Django/Jinja
Raw Permalink Blame History

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
mode http
bind *:80 name frontend-http
tcp-request inspect-delay 3s
acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt
{% for server in haproxy_backend_servers %}
{% for hostname in (
(hostvars[server].web_hostname
| map(attribute='host'))
+
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
{% endfor %}
{% endfor %}
frontend https
mode tcp
option tcplog
bind *:443 name frontend-https
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in haproxy_backend_servers %}
{% for hostname in (
(hostvars[server].web_hostname
| map(attribute='host'))
+
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
{% if host.allowlistv4 is defined %}
acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %} {{ addrv4 }}{% endfor %}
{% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %}
{% endfor %}
{% endfor %}
{% for server in haproxy_backend_servers %}
## {{ hostvars[server].ansible_host }} configuration
backend http_{{ hostvars[server].ansible_host }}
mode http
{% set hostname_slug = hostvars[server].ansible_host.split('.')|join('_') %}
{% set hostname_ipaddr = hostvars[server]['ansible_default_ipv4']['address'] | default(hostvars[server].proxmox_net0.ip | ansible.utils.ipaddr('address')) %}
server host_{{ hostname_slug }} {{ hostname_ipaddr }}:80
backend https_{{ hostvars[server].ansible_host }}
mode tcp
server host_{{ hostname_slug }} {{ hostname_ipaddr }}:443
{% endfor %}
## Stats
listen stats
bind localhost:80
mode http
log global
stats enable
stats show-legends
stats uri /haproxy-status
stats hide-version
Reference in New Issue View Git Blame Copy Permalink