  1. # Installs and configures HAProxy, SSL Cert is acquired from letsencrypt
  2. #
  3. # @param stats_port Port the HAProxy Stats interface listens
  4. class beryjuorg::loadbalancer (
  5.   $stats_port = '9393'
  6. ) {
  7.  
  8.   include firehol
  9.   include ::beryjuorg::telegraf
  10.   include ::beryjuorg::telegraf::haproxy
  11.  
  12.   firehol::service { 'haproxy_admin':
  13.     server => "tcp/${stats_port}",
  14.   }
  15.  
  16.   firehol::rule { 'allow haproxy admin':
  17.     service => ['haproxy_admin'],
  18.   }
  19.  
  20.   firehol::rule { 'allow http(s)':
  21.     service => ['http', 'https'],
  22.   }
  23.  
  24.   @@firehol::rule { "allow http from ${::fqdn}":
  25.     service => ['http'],
  26.     src     => $::ipaddress,
  27.     tag     => 'beryjuorg::loadbalancer',
  28.   }
  29.  
  30.   [400, 403, 408, 500, 502, 503, 504].each |Integer $error| {
  31.     file { "/etc/haproxy/errors/${error}.http":
  32.       content => template('beryjuorg/error_haproxy.erb')
  33.     }
  34.   }
  35.  
  36.   class { 'haproxy':
  37.     global_options   => {
  38.       'chroot'                     => '/var/lib/haproxy',
  39.       'user'                       => 'haproxy',
  40.       'group'                      => 'haproxy',
  41.       'daemon'                     => '',
  42.       'stats'                      => 'socket /var/lib/haproxy/stats',
  43.       'tune.ssl.default-dh-param'  => 2048,
  44.       'ssl-default-bind-options'   => 'no-sslv3 no-tls-tickets',
  45.       'ssl-default-bind-ciphers'   => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
  46.       'ssl-default-server-options' => 'no-sslv3 no-tls-tickets',
  47.       'ssl-default-server-ciphers' => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
  48.     },
  49.     defaults_options => {
  50.       'log'         => 'global',
  51.       'log-format'  => '%Ci:%Cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r',
  52.       'stats'       => 'enable',
  53.       'option'      => [
  54.         'redispatch',
  55.         'httplog',
  56.       ],
  57.       'retries'     => '5',
  58.       'timeout'     => [
  59.         'http-request 300s',
  60.         'queue 300s',
  61.         'connect 300s',
  62.         'client 300s',
  63.         'server 300s',
  64.         'check 300s',
  65.       ],
  66.       'compression' => [
  67.         'algo gzip',
  68.         'type text/html text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint'
  69.       ],
  70.       'errorfile'   => [
  71.         '400 /etc/haproxy/errors/400.http',
  72.         '403 /etc/haproxy/errors/403.http',
  73.         '408 /etc/haproxy/errors/408.http',
  74.         '500 /etc/haproxy/errors/500.http',
  75.         '502 /etc/haproxy/errors/502.http',
  76.         '503 /etc/haproxy/errors/503.http',
  77.         '504 /etc/haproxy/errors/504.http',
  78.       ]
  79.     },
  80.   }
  81.  
  82.   haproxy::frontend { 'web':
  83.     bind    => {
  84.       ':80'    => [],
  85.       ':443'   => ['ssl', 'crt', '/etc/letsencrypt/fullchain.pem'],
  86.       ':::80'  => [],
  87.       ':::443' => ['ssl', 'crt', '/etc/letsencrypt/fullchain.pem'],
  88.     },
  89.     mode    => 'http',
  90.     options => {
  91.       'capture'         => 'request header origin len 128',
  92.       'log-format'      => '%Ci:%Cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r',
  93.       'log'             => [
  94.         '172.16.1.30:11002 local1 debug',
  95.       ],
  96.       'http-response'   => [
  97.         'add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }'
  98.       ],
  99.       'rspadd'          => [
  100.         'Access-Control-Allow-Headers:\ Origin,\ X-Requested-With,\ Content-Type,\ Accept  if { capture.req.hdr(0) -m found }'
  101.       ],
  102.       'http-request'    => [
  103.         'set-header X-Forwarded-Port %[dst_port]',
  104.         'add-header X-Forwarded-Proto https if { ssl_fc }',
  105.       ],
  106.       'acl'             => [
  107.         'speed_one hdr(host) -i speed1.beryju.org',
  108.         'speed_two hdr(host) -i speed2.beryju.org',
  109.         'api hdr(host) -i api.beryju.org',
  110.         'apt hdr(host) -i apt.beryju.org',
  111.         'lec path_beg /.well-known'
  112.       ],
  113.       'redirect'        => 'scheme https if !speed_one !speed_two !api !lec !apt !{ ssl_fc }',
  114.       'default_backend' => 'http',
  115.       'option'          => [
  116.         'forwardfor',
  117.         'httplog'
  118.       ]
  119.     }
  120.   }
  121.  
  122.   haproxy::frontend { 'ws':
  123.     bind    => {
  124.       ':5910-5930'  => ['ssl', 'crt', '/etc/letsencrypt/fullchain.pem', 'alpn', 'h2,http/1.1']
  125.     },
  126.     mode    => 'http',
  127.     options => {
  128.       'capture'         => 'request header Host len 128',
  129.       'log-format'      => '%Ci:%Cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r',
  130.       'log'             => [
  131.         '172.16.1.30:11002 local1 debug',
  132.       ],
  133.       'option'          => [
  134.         'forwardfor',
  135.         'httplog'
  136.       ],
  137.       'default_backend' => 'foreman',
  138.     }
  139.   }
  140.  
  141.   haproxy::backend { 'http':
  142.     collect_exported => false,
  143.     options          => {
  144.       'log'            => [
  145.         '172.16.1.30:11002 local1 debug',
  146.       ],
  147.       'mode'           => 'http',
  148.       'balance'        => 'roundrobin',
  149.       'cookie'         => 'SERVERID insert indirect nocache',
  150.       'option'         => 'httpchk HEAD /_haproxy_check.php HTTP/1.1\r\nHost:\ api.beryju.org',
  151.       'http-check'     => [
  152.         'expect rstatus 200',
  153.         'disable-on-404'
  154.       ],
  155.       'default-server' => 'inter 3s fall 3 rise 2',
  156.       'http-response'  => [
  157.         'set-header Access-Control-Allow-Origin %[capture.req.hdr(0)]',
  158.         'set-header Access-Control-Allow-Credentials true',
  159.         'set-header Strict-Transport-Security max-age=16000000;\ preload;',
  160.         'set-header X-Frame-Options "SAMEORIGIN"',
  161.         'set-header X-Xss-Protection "1; mode=block"',
  162.         'set-header X-Content-Type-Options "nosniff"',
  163.         'set-header Referrer-Policy "origin-when-cross-origin"',
  164.       ]
  165.     }
  166.   }
  167.  
  168.   Haproxy::Balancermember <<| listening_service == 'http' and tag == $::beryjuorg_site |>>
  169.   Haproxy::Balancermember <<| listening_service == 'http' and tag != $::beryjuorg_site |>> {
  170.     weight => 1,
  171.   }
  172.  
  173.   haproxy::backend { 'foreman':
  174.     options => {
  175.       'log'     => [
  176.         '172.16.1.30:11002 local1 debug',
  177.       ],
  178.       'mode'    => 'http',
  179.       'balance' => 'roundrobin',
  180.       'option'  => [
  181.         'persist',
  182.       ]
  183.     }
  184.   }
  185.  
  186.   haproxy::listen { 'stats':
  187.     ipaddress => $::ipaddress,
  188.     ports     => $stats_port,
  189.     mode      => 'http',
  190.     options   => {
  191.       'stats' => [
  192.         'enable',
  193.         'uri /',
  194.       ]
  195.     }
  196.   }
  197.  
  198. }