ansible-role-haproxy/README.md

# Ansible role: Haproxy

[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases)
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)

Install and configure haproxy

## Requirements

- Ansible >= 2.10
- Debian
  - Bullseye
  - Bookworm

## Role variables

- `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`)
- `haproxy_global` - hash with the global configuration

```
  log-send-hostname: true
  chroot: /var/lib/haproxy
  pidfile: /var/run/haproxy.pid
  maxconn: 4096
  user: haproxy
  group: haproxy
  daemon: true
  stats: socket /var/lib/haproxy/stats
```

- `haproxy_defaults` - hash with the defaults configurations

```
  mode: http
  log: global
  option:
    - httplog
    - dontlognull
    - http-server-close
    - forwardfor except 127.0.0.0/8
    - redispatch
  retries: 3
  timeout:
    - http-request 10s
    - queue 1m
    - connect 10s
    - client 1m
    - server 1m
    - http-keep-alive 10s
    - check 10s
  maxconn: 4096
```

- `haproxy_stats_username` - set the username to access stats interface (default: `admin`)
- `haproxy_stats_password`- set the password to access stats interface (default: `secret`)
- `haproxy_listen_stats` - hash with options for stats interface

```
  bind:
    ip: 127.0.0.1
    port: 9000
  mode: http
  maxconn: 10
  timeout:
    - client 30s
    - server 30s
    - connect 30s
    - queue 30s
  stats:
    - 'refresh 5s'
    - 'show-node'
    - 'realm Haproxy\ Statistics'
    - 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'
    - 'uri /haproxy_stats'
```

- `haproxy_resolvers` - hash with the resolvers configuration

```
  dns:
    local:
      - dns1 127.0.0.1:53
```

- `haproxy_frontends` - hash with the frontends configuration

```
  fontend-https:
    bind:
      ip: '*'
      port: 443
      ssl:
        cert:
          - /etc/haproxy/ssl1.pem
          - /etc/haproxy/ssl2.pem
    default_backend: backend-app
  frontend-http:
    bind:
      ip: '*'
      port: 80
    mode: http
    option:
      - 'forwardfor except 127.0.0.0/8'
      - 'httplog'
      - 'http-server-close'
    acl:
      - acl_test1-https hdr(host) test1.example.net
      - acl_test2-https hdr(host) test2.example.net
      - acl_blacklist src -f /etc/haproxy/blacklist.list
    use_backend:
      - backend-app if acl_test1-https
      - backend-app if acl_test2-https
      - backend-app if acl_test1-https acl_blacklist
```

- `haproxy_backends` - hash with the backend configuration

```
  backend-app:
    mode: http
    balance: roundrobin
    stick-table: type ip size 512k expire 30m
    stick: on src
    option:
      - 'ssl-hello-chk'
      - 'tcp-check'
      - 'log-health-checks'
      - 'forwardfor header X-Forwarded-For'
    server:
      - host1 127.0.0.1:80 check maxconn 1000 inter 15s
      - host2 127.0.0.1:80 check maxconn 1000 inter 15s
```

- `haproxy_ips_lists` - hash with the ips list to use in haproxy

```
  blacklist:
    - 192.168.0.0/16
    - 172.10.10.0/24
  public_withlist:
    - 8.8.8.8
```

- `haproxy_userlists` - hash with the userlist for basic auth

```
  restricted:
    group:
      - admin
    user:
      - admin password 84375611a53741f7e94b09eb49127f41 groups admin
```

- `haproxy_ssl_certificates` - hash with ssl certificates to copy

```
  example-com: |
		-----BEGIN CERTIFICATE-----
		MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDJZs7pOmgIjXqa
		/rZx2CL4pXTo4kKv+Itj3xfrq46r4DZKQJoCHqcs/bFjtCP89xJlvbrZVmxizFOF
		mfKiNat39GNgeUaTH23+N/FOAyphayOcFk+s4X6GbdxrkHqt9IBrfK0B88bYjL/m
		.....
```

- `haproxy_http_errors` - hash with http error groups

```
  test:
    503: test-503
```

- `haproxy_http_errors_file` - hash with http error files

```
  test-503: |
    HTTP/1.1 503 Service Unavailable
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    <!DOCTYPE html>
    <html lang="en">
        <body>
            <main>
                This is my custom 503 page
            </main>
        </body>
    </html>
```

## How to use

```
- hosts: server
  roles:
    - haproxy
```

## Development

### Test with molecule and docker

- install [docker](https://docs.docker.com/engine/installation/)
- install `python3` and `python3-pip`
- install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
- run `molecule test`

## License

```
Copyright (c) 2019 Adrien Waksberg

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```
first version 2019-11-08 21:29:11 +00:00			`# Ansible role: Haproxy`

test: use personal docker registry 2024-05-07 06:45:36 +00:00			`[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases)`
			`[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)`
first version 2019-11-08 21:29:11 +00:00
			`Install and configure haproxy`

			`## Requirements`

test: use personal docker registry 2024-05-07 06:45:36 +00:00			`- Ansible >= 2.10`
			`- Debian`
			`- Bullseye`
			`- Bookworm`
first version 2019-11-08 21:29:11 +00:00
			`## Role variables`

feat: can install other haproxy release 2021-08-15 15:41:47 +00:00			- `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`)
first version 2019-11-08 21:29:11 +00:00			- `haproxy_global` - hash with the global configuration

			```
			`log-send-hostname: true`
			`chroot: /var/lib/haproxy`
			`pidfile: /var/run/haproxy.pid`
			`maxconn: 4096`
			`user: haproxy`
			`group: haproxy`
			`daemon: true`
			`stats: socket /var/lib/haproxy/stats`
			```

			- `haproxy_defaults` - hash with the defaults configurations

			```
			`mode: http`
			`log: global`
			`option:`
			`- httplog`
			`- dontlognull`
			`- http-server-close`
			`- forwardfor except 127.0.0.0/8`
			`- redispatch`
			`retries: 3`
			`timeout:`
			`- http-request 10s`
			`- queue 1m`
			`- connect 10s`
			`- client 1m`
			`- server 1m`
			`- http-keep-alive 10s`
			`- check 10s`
			`maxconn: 4096`
			```

			- `haproxy_stats_username` - set the username to access stats interface (default: `admin`)
			- `haproxy_stats_password`- set the password to access stats interface (default: `secret`)
			- `haproxy_listen_stats` - hash with options for stats interface

			```
			`bind:`
			`ip: 127.0.0.1`
			`port: 9000`
			`mode: http`
			`maxconn: 10`
			`timeout:`
			`- client 30s`
			`- server 30s`
			`- connect 30s`
			`- queue 30s`
			`stats:`
			`- 'refresh 5s'`
			`- 'show-node'`
			`- 'realm Haproxy\ Statistics'`
			`- 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'`
			`- 'uri /haproxy_stats'`
			```

feat: add resolvers configuration 2021-08-15 11:00:28 +00:00			- `haproxy_resolvers` - hash with the resolvers configuration

			```
			`dns:`
			`local:`
			`- dns1 127.0.0.1:53`
			```

test: use personal docker registry 2024-05-07 06:45:36 +00:00			- `haproxy_frontends` - hash with the frontends configuration
first version 2019-11-08 21:29:11 +00:00
			```
			`fontend-https:`
			`bind:`
			`ip: '*'`
			`port: 443`
			`ssl:`
feat: use multiple ssl certificates on one frontend 2021-11-04 13:32:06 +00:00			`cert:`
			`- /etc/haproxy/ssl1.pem`
			`- /etc/haproxy/ssl2.pem`
first version 2019-11-08 21:29:11 +00:00			`default_backend: backend-app`
			`frontend-http:`
			`bind:`
			`ip: '*'`
			`port: 80`
			`mode: http`
			`option:`
			`- 'forwardfor except 127.0.0.0/8'`
			`- 'httplog'`
			`- 'http-server-close'`
			`acl:`
			`- acl_test1-https hdr(host) test1.example.net`
			`- acl_test2-https hdr(host) test2.example.net`
feat: add IPs lists 2020-04-11 13:34:20 +00:00			`- acl_blacklist src -f /etc/haproxy/blacklist.list`
first version 2019-11-08 21:29:11 +00:00			`use_backend:`
			`- backend-app if acl_test1-https`
			`- backend-app if acl_test2-https`
feat: add IPs lists 2020-04-11 13:34:20 +00:00			`- backend-app if acl_test1-https acl_blacklist`
first version 2019-11-08 21:29:11 +00:00			```

			- `haproxy_backends` - hash with the backend configuration

			```
			`backend-app:`
			`mode: http`
			`balance: roundrobin`
			`stick-table: type ip size 512k expire 30m`
			`stick: on src`
			`option:`
			`- 'ssl-hello-chk'`
			`- 'tcp-check'`
			`- 'log-health-checks'`
			`- 'forwardfor header X-Forwarded-For'`
			`server:`
			`- host1 127.0.0.1:80 check maxconn 1000 inter 15s`
			`- host2 127.0.0.1:80 check maxconn 1000 inter 15s`
			```

feat: add IPs lists 2020-04-11 13:34:20 +00:00			- `haproxy_ips_lists` - hash with the ips list to use in haproxy

			```
			`blacklist:`
			`- 192.168.0.0/16`
			`- 172.10.10.0/24`
			`public_withlist:`
			`- 8.8.8.8`
			```

feat: add userlist 2021-08-15 15:44:40 +00:00			- `haproxy_userlists` - hash with the userlist for basic auth

			```
			`restricted:`
			`group:`
			`- admin`
			`user:`
			`- admin password 84375611a53741f7e94b09eb49127f41 groups admin`
			```

first version 2019-11-08 21:29:11 +00:00			- `haproxy_ssl_certificates` - hash with ssl certificates to copy

			```
			`example-com: \|`
			`-----BEGIN CERTIFICATE-----`
			`MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDJZs7pOmgIjXqa`
			`/rZx2CL4pXTo4kKv+Itj3xfrq46r4DZKQJoCHqcs/bFjtCP89xJlvbrZVmxizFOF`
			`mfKiNat39GNgeUaTH23+N/FOAyphayOcFk+s4X6GbdxrkHqt9IBrfK0B88bYjL/m`
			`.....`
			```

feat: add error files 2021-12-06 09:30:21 +00:00			- `haproxy_http_errors` - hash with http error groups

			```
			`test:`
			`503: test-503`
			```

			- `haproxy_http_errors_file` - hash with http error files

			```
			`test-503: \|`
			`HTTP/1.1 503 Service Unavailable`
			`Cache-Control: no-cache`
			`Connection: close`
			`Content-Type: text/html`

			`<!DOCTYPE html>`
			`<html lang="en">`
			`<body>`
			`<main>`
			`This is my custom 503 page`
			`</main>`
			`</body>`
			`</html>`
			```

first version 2019-11-08 21:29:11 +00:00			`## How to use`

			```
			`- hosts: server`
			`roles:`
			`- haproxy`
			```

			`## Development`

test: replace kitchen to molecule 2020-03-28 17:31:46 +00:00			`### Test with molecule and docker`
first version 2019-11-08 21:29:11 +00:00
test: use personal docker registry 2024-05-07 06:45:36 +00:00			`- install [docker](https://docs.docker.com/engine/installation/)`
			- install `python3` and `python3-pip`
			- install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
			- run `molecule test`
first version 2019-11-08 21:29:11 +00:00
			`## License`

			```
			`Copyright (c) 2019 Adrien Waksberg`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			```