# Ansible role: Haproxy

[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/releases)
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)

Install and configure haproxy

## Requirements

* Ansible >= 2.9
* Debian
  * Buster
  * Bullseye

## Role variables

- `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`)
- `haproxy_global` - hash with the global configuration

```
log-send-hostname: true
chroot: /var/lib/haproxy
pidfile: /var/run/haproxy.pid
maxconn: 4096
user: haproxy
group: haproxy
daemon: true
stats: socket /var/lib/haproxy/stats
```

- `haproxy_defaults` - hash with the defaults configuration

```
mode: http
log: global
option:
  - httplog
  - dontlognull
  - http-server-close
  - forwardfor except 127.0.0.0/8
  - redispatch
retries: 3
timeout:
  - http-request 10s
  - queue 1m
  - connect 10s
  - client 1m
  - server 1m
  - http-keep-alive 10s
  - check 10s
maxconn: 4096
```

- `haproxy_stats_username` - set the username to access stats interface (default: `admin`)
- `haproxy_stats_password` - set the password to access stats interface (default: `secret`)
- `haproxy_listen_stats` - hash with options for stats interface

```
bind:
  ip: 127.0.0.1
  port: 9000
mode: http
maxconn: 10
timeout:
  - client 30s
  - server 30s
  - connect 30s
  - queue 30s
stats:
  - 'refresh 5s'
  - 'show-node'
  - 'realm Haproxy\ Statistics'
  - 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'
  - 'uri /haproxy_stats'
```

- `haproxy_resolvers` - hash with the resolvers configuration

```
dns:
  local:
    - dns1 127.0.0.1:53
```

- `haproxy_frontends` - hash with the frontends configuration

```
frontend-https:
  bind:
    ip: '*'
    port: 443
    ssl:
  default_backend: backend-app
frontend-http:
  bind:
    ip: '*'
    port: 80
  mode: http
  option:
    - 'forwardfor except 127.0.0.0/8'
    - 'httplog'
    - 'http-server-close'
  acl:
    - acl_test1-https hdr(host) test1.example.net
    - acl_test2-https hdr(host) test2.example.net
    - acl_blacklist src -f /etc/haproxy/blacklist.list
  use_backend:
    - backend-app if acl_test1-https
    - backend-app if acl_test2-https
    - backend-app if acl_test1-https acl_blacklist
```

- `haproxy_backends` - hash with the backends configuration

```
backend-app:
  mode: http
  balance: roundrobin
  stick-table: type ip size 512k expire 30m
  stick: on src
  option:
    - 'ssl-hello-chk'
    - 'tcp-check'
    - 'log-health-checks'
    - 'forwardfor header X-Forwarded-For'
  server:
    - host1 127.0.0.1:80 check maxconn 1000 inter 15s
    - host2 127.0.0.1:80 check maxconn 1000 inter 15s
```

- `haproxy_ips_lists` - hash with the IP lists to use in haproxy (each key becomes a list file that ACLs can reference, e.g. `/etc/haproxy/blacklist.list`)

```
blacklist:
  - 192.168.0.0/16
  - 172.10.10.0/24
public_whitelist:
  - 8.8.8.8
```

- `haproxy_userlists` - hash with the userlists for basic auth

```
restricted:
  group:
    - admin
  user:
    - admin password 84375611a53741f7e94b09eb49127f41 groups admin
```

- `haproxy_ssl_certificates` - hash with the ssl certificates to copy

```
example-com: |
  -----BEGIN CERTIFICATE-----
  MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDJZs7pOmgIjXqa
  /rZx2CL4pXTo4kKv+Itj3xfrq46r4DZKQJoCHqcs/bFjtCP89xJlvbrZVmxizFOF
  mfKiNat39GNgeUaTH23+N/FOAyphayOcFk+s4X6GbdxrkHqt9IBrfK0B88bYjL/m
  .....
```

## How to use

```
- hosts: server
  roles:
    - haproxy
```
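A fuller playbook that wires the variables documented above into one play, added here as an example and not part of the role's README. The `lb` host group, the `vault_*` variables (expected to come from an Ansible Vault file), the backend addresses and the `app.example.net` host name are assumptions.

```yaml
# Added example, not from the role: one play using the documented role variables.
# Assumes group "lb" and vault-provided vault_haproxy_stats_password /
# vault_admin_crypt_hash (placeholder names, not defined by the role).
- hosts: lb
  become: true
  vars:
    # never ship the default "secret"; the stats listener stays on loopback (role default)
    haproxy_stats_username: admin
    haproxy_stats_password: "{{ vault_haproxy_stats_password }}"
    # IP list written to /etc/haproxy/blacklist.list and referenced by the ACL below
    haproxy_ips_lists:
      blacklist:
        - 192.168.0.0/16
    # crypt(3)-style hash expected by the haproxy "user ... password" keyword
    haproxy_userlists:
      restricted:
        group:
          - admin
        user:
          - "admin password {{ vault_admin_crypt_hash }} groups admin"
    haproxy_frontends:
      frontend-http:
        bind:
          ip: '*'
          port: 80
        mode: http
        option:
          - 'httplog'
          - 'forwardfor except 127.0.0.0/8'
        acl:
          - acl_app hdr(host) app.example.net
          - acl_blacklist src -f /etc/haproxy/blacklist.list
        # only route the app host, and never for sources on the blacklist
        use_backend:
          - backend-app if acl_app !acl_blacklist
    haproxy_backends:
      backend-app:
        mode: http
        balance: roundrobin
        option:
          - 'forwardfor header X-Forwarded-For'
        server:
          - app1 10.0.0.11:8080 check maxconn 1000 inter 15s
          - app2 10.0.0.12:8080 check maxconn 1000 inter 15s
  roles:
    - haproxy
```

Requests that match no `use_backend` rule and no `default_backend` are refused by haproxy, which is the intended behaviour for blacklisted sources here.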

## Development

### Test with molecule and docker

* install [docker](https://docs.docker.com/engine/installation/)
* install `python3` and `python3-pip`
* install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
* run `molecule test`

## License

```
Copyright (c) 2019 Adrien Waksberg

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```