216 lines
5.6 KiB
Plaintext
216 lines
5.6 KiB
Plaintext
#
|
|
# Example pillar configuration
|
|
#
|
|
|
|
haproxy:
|
|
# use lookup section to override 'map.jinja' values
|
|
#lookup:
|
|
#user: 'custom-user'
|
|
#group: 'custom-group'
|
|
# new setting to override configuration file path
|
|
#config_file: /etc/haproxy/haproxy.cfg
|
|
enabled: True
|
|
overwrite: True # Overwrite an existing config file if present (default behaviour unless set to false)
|
|
# old setting to override configuration file path, kept for compatibility
|
|
#config_file_path: /etc/haproxy/haproxy.cfg
|
|
global:
|
|
log:
|
|
- 127.0.0.1 local2
|
|
- 127.0.0.1 local1 notice
|
|
stats:
|
|
enable: True
|
|
socketpath: /var/lib/haproxy/stats
|
|
mode: 660
|
|
level: admin
|
|
ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
|
|
ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"
|
|
|
|
user: haproxy
|
|
group: haproxy
|
|
chroot:
|
|
enable: True
|
|
path: /var/lib/haproxy
|
|
|
|
daemon: True
|
|
|
|
|
|
userlists:
|
|
userlist1:
|
|
users:
|
|
john: insecure-password doe
|
|
sam: insecure-password frodo
|
|
# groups:
|
|
# admins: users john sam
|
|
# guests: users jekyll hyde jane
|
|
|
|
defaults:
|
|
log: global
|
|
mode: http
|
|
retries: 3
|
|
options:
|
|
- httplog
|
|
- dontlognull
|
|
- forwardfor
|
|
- http-server-close
|
|
logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r"
|
|
timeouts:
|
|
- http-request 10s
|
|
- queue 1m
|
|
- connect 10s
|
|
- client 1m
|
|
- server 1m
|
|
- http-keep-alive 10s
|
|
- check 10s
|
|
stats:
|
|
- enable
|
|
- uri: '/admin?stats'
|
|
- realm: 'Haproxy\ Statistics'
|
|
- auth: 'admin1:AdMiN123'
|
|
|
|
errorfiles:
|
|
400: /etc/haproxy/errors/400.http
|
|
403: /etc/haproxy/errors/403.http
|
|
408: /etc/haproxy/errors/408.http
|
|
500: /etc/haproxy/errors/500.http
|
|
502: /etc/haproxy/errors/502.http
|
|
503: /etc/haproxy/errors/503.http
|
|
504: /etc/haproxy/errors/504.http
|
|
|
|
{# Suported by HAProxy 1.6 #}
|
|
resolvers:
|
|
local_dns:
|
|
options:
|
|
- nameserver resolvconf 127.0.0.1:53
|
|
- resolve_retries 3
|
|
- timeout retry 1s
|
|
- hold valid 10s
|
|
|
|
|
|
listens:
|
|
stats:
|
|
bind:
|
|
- "0.0.0.0:8998"
|
|
mode: http
|
|
stats:
|
|
enable: True
|
|
uri: "/admin?stats"
|
|
refresh: "20s"
|
|
myservice:
|
|
bind:
|
|
- "*:8888"
|
|
options:
|
|
- forwardfor
|
|
- http-server-close
|
|
defaultserver:
|
|
slowstart: 60s
|
|
maxconn: 256
|
|
maxqueue: 128
|
|
weight: 100
|
|
servers:
|
|
web1:
|
|
host: web1.example.com
|
|
port: 80
|
|
check: check
|
|
web2:
|
|
host: web2.example.com
|
|
port: 18888
|
|
check: check
|
|
web3:
|
|
host: web3.example.com
|
|
|
|
frontends:
|
|
frontend1:
|
|
name: www-http
|
|
bind: "*:80"
|
|
redirects:
|
|
- scheme https if !{ ssl_fc }
|
|
reqadds:
|
|
- "X-Forwarded-Proto:\\ http"
|
|
default_backend: www-backend
|
|
|
|
www-https:
|
|
bind: "*:443 ssl crt /etc/ssl/private/certificate-chain-and-key-combined.pem"
|
|
logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version:%sslv\\ ssl_cipher:%sslc"
|
|
reqadds:
|
|
- "X-Forwarded-Proto:\\ https"
|
|
default_backend: www-backend
|
|
acls:
|
|
- url_static path_beg -i /static /images /javascript /stylesheets
|
|
- url_static path_end -i .jpg .gif .png .css .js
|
|
use_backends:
|
|
- static-backend if url_static
|
|
extra: "rspadd Strict-Transport-Security:\ max-age=15768000"
|
|
some-services:
|
|
bind:
|
|
- "*:8080"
|
|
- "*:8088"
|
|
default_backend: api-backend
|
|
|
|
backends:
|
|
backend1:
|
|
name: www-backend
|
|
balance: roundrobin
|
|
redirects:
|
|
- scheme https if !{ ssl_fc }
|
|
extra: "reqidel ^X-Forwarded-For:"
|
|
servers:
|
|
server1:
|
|
name: server1-its-name
|
|
host: 192.168.1.213
|
|
port: 80
|
|
check: check
|
|
static-backend:
|
|
balance: roundrobin
|
|
redirects:
|
|
- scheme https if !{ ssl_fc }
|
|
options:
|
|
- http-server-close
|
|
- httpclose
|
|
- forwardfor except 127.0.0.0/8
|
|
- httplog
|
|
cookie: "pm insert indirect"
|
|
stats:
|
|
enable: True
|
|
uri: /url/to/stats
|
|
realm: LoadBalancer
|
|
auth: "user:password"
|
|
servers:
|
|
some-server:
|
|
host: 123.156.189.111
|
|
port: 8080
|
|
check: check
|
|
another-server:
|
|
host: 123.156.189.112
|
|
api-backend:
|
|
options:
|
|
- http-server-close
|
|
- forwardfor
|
|
servers:
|
|
apiserver1:
|
|
host: apiserver1.example.com
|
|
port: 80
|
|
check: check
|
|
server2:
|
|
name: apiserver2
|
|
host: apiserver2.example.com
|
|
port: 80
|
|
check: check
|
|
extra: resolvers local_dns resolve-prefer ipv4
|
|
another_www:
|
|
mode: tcp
|
|
balance: source
|
|
sticktable: "type binary len 32 size 30k expire 30m"
|
|
acls:
|
|
- clienthello req_ssl_hello_type 1
|
|
- serverhello rep_ssl_hello_type 2
|
|
tcprequests:
|
|
- "inspect-delay 5s"
|
|
- "content accept if clienthello"
|
|
tcpresponses:
|
|
- "content accept if serverhello"
|
|
stickons:
|
|
- "payload_lv(43,1) if clienthello"
|
|
reqreps:
|
|
- '^([^\ :]*)\ /static/(.*) \1\ \2'
|
|
options: "ssl-hello-chk"
|