Merge with upstream

2015-08-30 03:50:10 +02:00 · 2015-08-30 03:50:10 +02:00 · 29c60df042
commit 29c60df042
parent 7def329f6d d229d41703
4 changed files with 117 additions and 15 deletions
--- a/haproxy/init.sls
+++ b/haproxy/init.sls
@ -3,6 +3,11 @@
 # Meta-state to fully setup haproxy on debian. (or any other distro that has haproxy in their repo)

 include:
+{% if salt['pillar.get']('haproxy:include') %}
+{% for item in salt['pillar.get']('haproxy:include') %}
+  - {{ item }}
+{% endfor %}
+{% endif %}
  - haproxy.install
  - haproxy.service
-  - haproxy.config
+  - haproxy.config
--- a/haproxy/install.sls
+++ b/haproxy/install.sls
@ -12,3 +12,9 @@ haproxy_ppa_repo:
 haproxy.install:
  pkg.installed:
    - name: haproxy
+{% if salt['pillar.get']('haproxy:require') %}
+    - require:
+{% for item in salt['pillar.get']('haproxy:require') %}
+      - {{ item }}
+{% endfor %}
+{% endif %}
--- a/haproxy/service.sls
+++ b/haproxy/service.sls
@ -1,17 +1,26 @@
 haproxy.service:
+{% if salt['pillar.get']('haproxy:enable', True) %}
  service.running:
    - name: haproxy
    - enable: True
    - reload: True
    - require:
      - pkg: haproxy
+        file: haproxy.service
    - watch:
      - file: haproxy.config
-  file.managed:
+{% else %}
+  service.dead:
+    - name: haproxy
+    - enable: False
+{% endif %}
+  file.replace:
    - name: /etc/default/haproxy
-#TODO: Add switch to turn the service on and off based on pillar configuration.
-    - source: salt://haproxy/files/haproxy-init-enable
-    - create: True
-    - user: "root"
-    - group: "root"
-    - mode: "0644"
+{% if salt['pillar.get']('haproxy:enabled', True) %}
+    - pattern: ENABLED=0$
+    - repl: ENABLED=1
+{% else %}
+    - pattern: ENABLED=1$
+    - repl: ENABLED=0
+{% endif %}
+    - show_changes: True
--- a/pillar.example
+++ b/pillar.example
@ -3,11 +3,14 @@
 #

 haproxy:
+  enabled: True
  config_file_path: /etc/haproxy/haproxy.cfg
  global:
    stats:
      enable: True
      socketpath: /var/lib/haproxy/stats
+    ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
+    ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"

    user: haproxy
    group: haproxy
@ -34,6 +37,11 @@ haproxy:
      - server          1m
      - http-keep-alive 10s
      - check           10s
+    stats:
+      - enable
+      - uri: '/admin?stats'
+      - realm: 'Haproxy\ Statistics'
+      - auth: 'admin1:AdMiN123'

    errorfiles:
      400: /etc/haproxy/errors/400.http
@ -44,6 +52,46 @@ haproxy:
      503: /etc/haproxy/errors/503.http
      504: /etc/haproxy/errors/504.http

+  {# Suported by HAProxy 1.6 #}
+  resolvers:
+    local_dns:
+      options:
+        - nameserver resolvconf 127.0.0.1:53
+        - resolve_retries 3
+        - timeout retry 1s
+        - hold valid 10s
+
+
+  listens:
+    stats:
+      bind:
+        - "0.0.0.0:8998"
+      mode: http
+      stats:
+        enable: True
+        uri: "/admin?stats"
+        refresh: "20s"
+    myservice:
+      bind:
+        - "*:8888"
+      options:
+        - forwardfor
+        - http-server-close
+      defaultserver:
+        slowstart: 60s
+        maxconn: 256
+        maxqueue: 128
+        weight: 100
+      servers:
+        web1:
+          host: web1.example.com
+          port: 80
+          check: check
+        web2:
+          host: web2.example.com
+          port: 18888
+          check: check
+
  frontends:
    frontend1:
      name: www-http
@ -53,8 +101,7 @@ haproxy:
        - "X-Forwarded-Proto:\\ http"
      default_backend: www-backend

-    frontend2:
-      name: www-https
+    www-https:
      bind: "*:443 ssl crt /etc/ssl/private/certificate-chain-and-key-combined.pem"
      reqadd:
        - "X-Forwarded-Proto:\\ https"
@ -63,7 +110,12 @@ haproxy:
        - url_static       path_beg       -i /static /images /javascript /stylesheets
        - url_static       path_end       -i .jpg .gif .png .css .js
      use_backends:
-        - static  if url_static
+        - static-backend  if url_static
+    some-services:
+      bind:
+        - "*:8080"
+        - "*:8088"
+      default_backend: api-backend

  backends:
    backend1:
@ -76,8 +128,7 @@ haproxy:
          host: 192.168.1.213
          port: 80
          check: check
-    backend2:
-      name: static
+    static-backend:
      balance: roundrobin
      redirect: scheme https if !{ ssl_fc }
      options:
@ -92,8 +143,39 @@ haproxy:
        realm: LoadBalancer
        auth: "user:password"
      servers:
-        server1:
-          name: some-server
+        some-server:
          host: 123.156.189.111
          port: 8080
          check: check
+    api-backend:
+      options:
+        - http-server-close
+        - forwardfor
+      servers:
+        apiserver1:
+          host: apiserver1.example.com
+          port: 80
+          check: check
+        server2:
+          name: apiserver2
+          host: apiserver2.example.com
+          port: 80
+          check: check
+          extra: resolvers local_dns resolve-prefer ipv4
+    another_www:
+      mode: tcp
+      balance: source
+      sticktable: "type binary len 32 size 30k expire 30m"
+      acls:
+        - clienthello req_ssl_hello_type 1
+        - serverhello rep_ssl_hello_type 2
+      tcprequests:
+        - "inspect-delay 5s"
+        - "content accept if clienthello"
+      tcpresponses:
+        - "content accept if serverhello"
+      stickons:
+        - "payload_lv(43,1) if clienthello"
+      reqrep:
+        - "^([^\ :]*)\ /static/(.*)	\1\ \2"
+      options: "ssl-hello-chk"