

No commits in common. "main" and "v1.0.0" have entirely different histories.
main ... v1.0.0

20 changed files with 342 additions and 452 deletions


@ -1,18 +0,0 @@
---
on: [push]
jobs:
lint:
runs-on: docker
container:
image: code.waks.be/nishiki/molecule:docker
steps:
- uses: actions/checkout@v3
- run: ansible-lint .
- run: yamllint .
molecule:
runs-on: docker
container:
image: code.waks.be/nishiki/molecule:docker
steps:
- uses: actions/checkout@v3
- run: molecule test

.gitignore vendored

@ -1,2 +1 @@
.kitchen/*
*.pyc


@ -1,10 +0,0 @@
---
image: nishiki/molecule:docker
before_script:
- molecule --version
molecule:
stage: test
script:
- molecule test

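--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -0,0 +1,27 @@
+---
+driver:
+name: docker_cli
+transport:
+name: docker_cli
+provisioner:
+name: ansible_playbook
+hosts: localhost
+require_ansible_repo: false
+require_ansible_omnibus: false
+require_chef_for_busser: true
+ansible_verbose: false
+ansible_inventory: ./test/integration/inventory
+platforms:
+- name: debian-10
+driver_config:
+image: "nishiki/debian10:ansible-<%= ENV['ANSIBLE_VERSION'] ? ENV['ANSIBLE_VERSION'] : '2.8' %>"
+command: /bin/systemd
+volume:
+- /sys/fs/cgroup:/sys/fs/cgroup:ro
+security_opt: seccomp=unconfined
+suites:
+- name: default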
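Review bot: `security_opt: seccomp=unconfined` in the debian-10 `driver_config` turns off Docker's default syscall filter for the test container, and nothing in the file records why that is needed. If it is there only so that `/bin/systemd` can start, a comment such as `# seccomp disabled so systemd can boot inside the container; test runs only` would say so, and it is worth checking whether systemd also starts under the default profile with the read-only cgroup mount. The `image:` value is a mutable tag selected through `ANSIBLE_VERSION`, so the tested base image can change between runs; pinning it by digest would make test runs reproducible.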


@ -2,11 +2,11 @@
extends: default
ignore: |
.kitchen*
.kitchen/*
vendor/
.forgejo/
rules:
line-length:
max: 120
level: warning
truthy: false


@ -5,38 +5,6 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
## [Unreleased]
### Added
- add support alpn in bind option
- add error files
- use multiple ssl certificates on one frontend
- test: add support debian 12
### Changed
- test: use personal docker registry
### Removed
- test: remove support debian 10
## v1.1.0 - 2021-08-15
### Added
- add userlist
- can specify the haproxy repository
- add resolvers configuration
- add debian11 support
- add IPs lists
### Changed
- change default group for stat socket
- reload haproxy after certificate change
- chore: use FQCN for module name
- test: replace kitchen to molecule
## v1.0.0 - 2019-11-09
### Added

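--- a/Gemfile
+++ b/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+group :development do
+gem 'kitchen-ansible'
+gem 'kitchen-docker_cli'
+gem 'rubocop', '0.50.0'
+gem 'test-kitchen'
+end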

Gemfile.lock Normal file

@ -0,0 +1,130 @@
GEM
remote: https://rubygems.org/
specs:
ast (2.4.0)
bcrypt_pbkdf (1.0.1)
builder (3.2.3)
ed25519 (1.2.4)
equatable (0.6.1)
erubis (2.7.0)
ffi (1.11.1)
gssapi (1.3.0)
ffi (>= 1.0.1)
gyoku (1.3.1)
builder (>= 2.1.2)
httpclient (2.8.3)
kitchen-ansible (0.50.1)
net-ssh (>= 3)
test-kitchen (>= 1.4)
kitchen-docker_cli (0.19.0)
test-kitchen (>= 1.3)
license-acceptance (1.0.13)
pastel (~> 0.7)
tomlrb (~> 1.2)
tty-box (~> 0.3)
tty-prompt (~> 0.18)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
mixlib-install (3.11.21)
mixlib-shellout
mixlib-versioning
thor
mixlib-shellout (3.0.7)
mixlib-versioning (1.2.7)
multi_json (1.14.1)
necromancer (0.5.0)
net-scp (2.0.0)
net-ssh (>= 2.6.5, < 6.0.0)
net-ssh (5.2.0)
net-ssh-gateway (2.0.0)
net-ssh (>= 4.0.0)
nori (2.6.0)
parallel (1.18.0)
parser (2.6.5.0)
ast (~> 2.4.0)
pastel (0.7.3)
equatable (~> 0.6)
tty-color (~> 0.5)
powerpack (0.1.2)
rainbow (2.2.2)
rake
rake (13.0.0)
rubocop (0.50.0)
parallel (~> 1.10)
parser (>= 2.3.3.1, < 3.0)
powerpack (~> 0.1)
rainbow (>= 2.2.2, < 3.0)
ruby-progressbar (~> 1.7)
unicode-display_width (~> 1.0, >= 1.0.1)
ruby-progressbar (1.10.1)
rubyntlm (0.6.2)
rubyzip (1.3.0)
strings (0.1.6)
strings-ansi (~> 0.1)
unicode-display_width (~> 1.5)
unicode_utils (~> 1.4)
strings-ansi (0.1.0)
test-kitchen (2.3.3)
bcrypt_pbkdf (~> 1.0)
ed25519 (~> 1.2)
license-acceptance (~> 1.0, >= 1.0.11)
mixlib-install (~> 3.6)
mixlib-shellout (>= 1.2, < 4.0)
net-scp (>= 1.1, < 3.0)
net-ssh (>= 2.9, < 6.0)
net-ssh-gateway (>= 1.2, < 3.0)
thor (~> 0.19)
winrm (~> 2.0)
winrm-elevated (~> 1.0)
winrm-fs (~> 1.1)
thor (0.20.3)
tomlrb (1.2.8)
tty-box (0.5.0)
pastel (~> 0.7.2)
strings (~> 0.1.6)
tty-cursor (~> 0.7)
tty-color (0.5.0)
tty-cursor (0.7.0)
tty-prompt (0.19.0)
necromancer (~> 0.5.0)
pastel (~> 0.7.0)
tty-reader (~> 0.6.0)
tty-reader (0.6.0)
tty-cursor (~> 0.7)
tty-screen (~> 0.7)
wisper (~> 2.0.0)
tty-screen (0.7.0)
unicode-display_width (1.6.0)
unicode_utils (1.4.0)
winrm (2.3.2)
builder (>= 2.1.2)
erubis (~> 2.7)
gssapi (~> 1.2)
gyoku (~> 1.0)
httpclient (~> 2.2, >= 2.2.0.2)
logging (>= 1.6.1, < 3.0)
nori (~> 2.0)
rubyntlm (~> 0.6.0, >= 0.6.1)
winrm-elevated (1.1.1)
winrm (~> 2.0)
winrm-fs (~> 1.0)
winrm-fs (1.3.2)
erubis (~> 2.7)
logging (>= 1.6.1, < 3.0)
rubyzip (~> 1.1)
winrm (~> 2.0)
wisper (2.0.1)
PLATFORMS
ruby
DEPENDENCIES
kitchen-ansible
kitchen-docker_cli
rubocop (= 0.50.0)
test-kitchen
BUNDLED WITH
2.0.2


@ -1,21 +1,17 @@
# Ansible role: Haproxy
[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases)
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/main/LICENSE)
[![Build](https://code.waks.be/nishiki/ansible-role-haproxy/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-haproxy/actions?workflow=molecule.yml)
[![Version](https://img.shields.io/badge/latest_version-1.0.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/releases)
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)
Install and configure haproxy
## Requirements
- Ansible >= 2.10
- Debian
- Bullseye
- Bookworm
* Ansible >= 2.8
* Debian Buster
## Role variables
- `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`)
- `haproxy_global` - hash with the global configuration
```
@ -75,14 +71,6 @@ Install and configure haproxy
- 'uri /haproxy_stats'
```
- `haproxy_resolvers` - hash with the resolvers configuration
```
dns:
local:
- dns1 127.0.0.1:53
```
- `haproxy_frontends` - hash with the frontends configuration
```
@ -91,9 +79,6 @@ Install and configure haproxy
ip: '*'
port: 443
ssl:
cert:
- /etc/haproxy/ssl1.pem
- /etc/haproxy/ssl2.pem
default_backend: backend-app
frontend-http:
bind:
@ -107,11 +92,9 @@ Install and configure haproxy
acl:
- acl_test1-https hdr(host) test1.example.net
- acl_test2-https hdr(host) test2.example.net
- acl_blacklist src -f /etc/haproxy/blacklist.list
use_backend:
- backend-app if acl_test1-https
- backend-app if acl_test2-https
- backend-app if acl_test1-https acl_blacklist
```
- `haproxy_backends` - hash with the backend configuration
@ -132,26 +115,6 @@ Install and configure haproxy
- host2 127.0.0.1:80 check maxconn 1000 inter 15s
```
- `haproxy_ips_lists` - hash with the ips list to use in haproxy
```
blacklist:
- 192.168.0.0/16
- 172.10.10.0/24
public_withlist:
- 8.8.8.8
```
- `haproxy_userlists` - hash with the userlist for basic auth
```
restricted:
group:
- admin
user:
- admin password 84375611a53741f7e94b09eb49127f41 groups admin
```
- `haproxy_ssl_certificates` - hash with ssl certificates to copy
```
@ -163,32 +126,6 @@ Install and configure haproxy
.....
```
- `haproxy_http_errors` - hash with http error groups
```
test:
503: test-503
```
- `haproxy_http_errors_file` - hash with http error files
```
test-503: |
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!DOCTYPE html>
<html lang="en">
<body>
<main>
This is my custom 503 page
</main>
</body>
</html>
```
## How to use
```
@ -199,12 +136,25 @@ Install and configure haproxy
## Development
### Test with molecule and docker
### Test syntax with yamllint
- install [docker](https://docs.docker.com/engine/installation/)
- install `python3` and `python3-pip`
- install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
- run `molecule test`
* install `python` and `python-pip`
* install yamllint `pip install yamllint`
* run `yamllint .`
### Test syntax with ansible-lint
* install `python` and `python-pip`
* install yamllint `pip install ansible-lint`
* run `ansible-lint .`
### Tests with docker
* install [docker](https://docs.docker.com/engine/installation/)
* install ruby
* install bundler `gem install bundler`
* install dependencies `bundle install`
* run the tests `kitchen test`
## License


@ -1,7 +1,7 @@
---
haproxy_apt_release: "{{ ansible_distribution_release }}"
haproxy_stats_username: admin
haproxy_stats_password: secret
haproxy_global: {}
haproxy_default_global:
log-send-hostname: true
@ -11,8 +11,8 @@ haproxy_default_global:
user: haproxy
group: haproxy
daemon: true
stats: socket /var/lib/haproxy/stats group haproxy mode 660
haproxy_full_global: "{{ haproxy_default_global | combine(haproxy_global) }}"
stats: socket /var/lib/haproxy/stats
haproxy_full_global: '{{ haproxy_default_global|combine(haproxy_global) }}'
haproxy_defaults: {}
haproxy_default_defaults:
@ -34,7 +34,7 @@ haproxy_default_defaults:
- http-keep-alive 10s
- check 10s
maxconn: 4096
haproxy_full_defaults: "{{ haproxy_default_defaults | combine(haproxy_defaults) }}"
haproxy_full_defaults: '{{ haproxy_default_defaults|combine(haproxy_defaults) }}'
haproxy_listen_stats: {}
haproxy_default_listen_stats:
@ -49,18 +49,13 @@ haproxy_default_listen_stats:
- connect 30s
- queue 30s
stats:
- "refresh 5s"
- "show-node"
- "realm Haproxy\ Statistics"
- "auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}"
- "uri /haproxy_stats"
haproxy_full_listen_stats: "{{ haproxy_default_listen_stats | combine(haproxy_listen_stats, recursive=True) }}"
- 'refresh 5s'
- 'show-node'
- 'realm Haproxy\ Statistics'
- 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'
- 'uri /haproxy_stats'
haproxy_full_listen_stats: '{{ haproxy_default_listen_stats|combine(haproxy_listen_stats, recursive=True) }}'
haproxy_frontends: {}
haproxy_backends: {}
haproxy_ssl_certificates: {}
haproxy_ips_lists: {}
haproxy_resolvers: {}
haproxy_userlists: {}
haproxy_http_errors: {}
haproxy_http_error_files: {}
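Review bot: `haproxy_stats_password: secret` ships a fixed default credential, and the `auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}` entry under `haproxy_default_listen_stats` writes it into the rendered configuration for anyone who does not override it. Consider dropping the default and failing early when the variable is unset, or at least documenting it next to the variable, e.g. `# placeholder: override haproxy_stats_password from a vault before deploying`. Separately, the shorter `stats: socket /var/lib/haproxy/stats` line (the new side, if the page prints old before new) no longer sets `group haproxy mode 660`, so access to the stats socket would then depend on HAProxy's defaults rather than on this role.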


@ -1,5 +1,5 @@
---
- name: Reload haproxy
ansible.builtin.service:
- name: reload haproxy
service:
name: haproxy
state: reloaded


@ -1,19 +1,16 @@
---
galaxy_info:
role_name: haproxy
namespace: nishiki
author: Adrien Waksberg
description: Install and configure Haproxy
company: Adrien Waksberg
license: Apache2
min_ansible_version: "2.10"
min_ansible_version: 2.8
platforms:
- name: Debian
versions:
- bullseye
- bookworm
- 10
galaxy_tags:
- haproxy


@ -1,106 +0,0 @@
---
- name: Converge
hosts: all
roles:
- ansible-role-haproxy
vars:
haproxy_http_errors:
test:
503: test
haproxy_http_error_files:
test: |
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<!DOCTYPE html>
<html lang="en">
<body>
<main>
This is my custom 503 page
</main>
</body>
</html>
haproxy_ssl_certificates:
www-example-com: |
-----BEGIN CERTIFICATE-----
test
haproxy_ips_lists:
blacklist:
- 172.10.0.0/16
- 192.168.1.1
haproxy_resolvers:
dns:
nameserver: dns1 127.0.0.1:53
haproxy_userlists:
restricted:
group:
- admin
user:
- admin insecure-password password groups admin
haproxy_frontends:
main:
bind:
ip: '*'
port: 5000
alpn: h2,http/1.1
acl:
- url_static path_beg -i /static /images /javascript /stylesheets
- url_static path_end -i .jpg .gif .png .css .js
frontend-test-https:
bind:
ip: '*'
port: 80
mode: http
default_backend: backend-test-https
option:
- 'forwardfor except 127.0.0.0/8'
- 'httplog'
- 'http-server-close'
acl:
- acl_test1-https hdr(host) test1.example.net
- acl_test2-https hdr(host) test2.example.net
- acl_blacklist src -f /etc/haproxy/blacklist.list
- acl_auth_path path -i /auth/
- acl_auth http_auth(restricted)
errorfiles: test
http-request:
- auth realm restricted if acl_auth_path !acl_auth
- return status 200 content-type "text/plain" string "Good" if acl_auth_path
use_backend:
- backend-test-https if acl_test1-https
- backend-test-resolver if acl_test2-https
- backend-test-https if acl_test1-https acl_blacklist
haproxy_backends:
backend-test-https:
mode: http
balance: roundrobin
stick-table: type ip size 512k expire 30m
stick: on src
option:
- 'ssl-hello-chk'
- 'tcp-check'
- 'log-health-checks'
- 'forwardfor header X-Forwarded-For'
server:
- host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
- host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
backend-test-resolver:
mode: http
balance: roundrobin
stick-table: type ip size 512k expire 30m
stick: on src
option:
- 'ssl-hello-chk'
server:
- google.fr google.com:443 ssl verify none check resolvers dns init-addr none
pre_tasks:
- name: add backports repository
ansible.builtin.apt_repository:
repo: 'deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main'
- name: update apt cache
ansible.builtin.apt:
update_cache: true


@ -1,28 +0,0 @@
---
driver:
name: docker
platforms:
- name: debian12
image: code.waks.be/nishiki/molecule:debian12
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
command: /bin/systemd
capabilities:
- SYS_ADMIN
- name: debian11
image: code.waks.be/nishiki/molecule:debian11
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
command: /bin/systemd
capabilities:
- SYS_ADMIN
lint: |
set -e
yamllint .
ansible-lint .
verifier:
name: testinfra


@ -1,57 +0,0 @@
import testinfra.utils.ansible_runner
def test_packages(host):
package = host.package('haproxy')
assert package.is_installed
def test_config_file(host):
path = host.file('/etc/haproxy/haproxy.cfg')
assert path.exists
assert path.is_file
assert path.user == 'root'
assert path.group == 'root'
assert path.mode == 0o640
assert path.contains('bind \\*:5000 alpn h2,http/1.1')
assert path.contains('server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s')
assert path.contains('resolvers dns')
def test_certificate_file(host):
path = host.file('/etc/haproxy/www-example-com.pem')
assert path.exists
assert path.is_file
assert path.user == 'root'
assert path.group == 'root'
assert path.mode == 0o600
assert path.contains('test')
def test_ips_list_file(host):
path = host.file('/etc/haproxy/blacklist.list')
assert path.exists
assert path.is_file
assert path.user == 'root'
assert path.group == 'root'
assert path.mode == 0o644
assert path.contains('172.10.0.0/16\n192.168.1.1')
def test_service(host):
service = host.service('haproxy')
assert service.is_running
assert service.is_enabled
def test_sockets(host):
for port in [80, 5000]:
socket = host.socket('tcp://0.0.0.0:%d' % (port))
assert socket.is_listening
def test_auth(host):
cmd = host.run('curl -v -u admin:password http://127.0.0.1/auth/')
assert cmd.succeeded
assert cmd.stdout == 'Good'
cmd = host.run('curl -v -u admin:badpassword http://127.0.0.1/auth/')
assert cmd.succeeded
assert '401 Unauthorized' in cmd.stdout
def test_error_file(host):
cmd = host.run('curl -v http://127.0.0.1/')
assert cmd.succeeded
assert 'This is my custom 503 page' in cmd.stdout


@ -1,71 +1,36 @@
---
- name: Install package
ansible.builtin.apt:
name:
- haproxy
default_release: "{{ haproxy_apt_release }}"
- name: install Haproxy
package:
name: haproxy
retries: 2
register: result
until: result is succeeded
tags: haproxy
- name: Copy ssl certificates
ansible.builtin.copy:
content: "{{ item.value }}"
dest: "/etc/haproxy/{{ item.key }}.pem"
- name: copy ssl certificates
copy:
content: '{{ item.value }}'
dest: /etc/haproxy/{{ item.key }}.pem
owner: root
group: root
mode: "0600"
loop: "{{ haproxy_ssl_certificates | dict2items }}"
mode: 0600
loop: '{{ haproxy_ssl_certificates|dict2items }}'
no_log: true
notify: Reload haproxy
tags: haproxy
- name: Copy IPs lists
ansible.builtin.copy:
content: "{{ item.value | join('\n') }}"
dest: "/etc/haproxy/{{ item.key }}.list"
owner: root
group: root
mode: "0644"
loop: "{{ haproxy_ips_lists | dict2items }}"
loop_control:
label: "{{ item.key }}"
notify: Reload haproxy
tags: haproxy
- name: Create http errors directory
ansible.builtin.file:
path: "/etc/haproxy/errors"
owner: root
group: root
mode: "0755"
state: directory
tags: haproxy
- name: Copy http errors file
ansible.builtin.copy:
content: "{{ item.value }}"
dest: "/etc/haproxy/errors/{{ item.key }}.http"
owner: root
group: root
mode: 0644
loop: "{{ haproxy_http_error_files | dict2items }}"
loop_control:
label: "{{ item.key }}"
notify: Reload haproxy
tags: haproxy
- name: Copy config file
ansible.builtin.template:
- name: copy config file
template:
src: haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
owner: root
group: root
mode: "0640"
mode: 0640
validate: haproxy -c -f %s
notify: Reload haproxy
notify: reload haproxy
tags: haproxy
- name: Enable ans start service
ansible.builtin.service:
- name: enable ans start service
service:
name: haproxy
enabled: true
state: started
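Review bot: The file modes on what appear to be the new-side lines are bare numbers (`mode: 0600` on the certificate copy, `mode: 0640` on the config template), which YAML reads as integers. Quoting them, `mode: "0600"` and `mode: "0640"`, keeps the value a string so it cannot be misread if the leading zero is ever dropped. This matters most for the `copy ssl certificates` task, where the mode is what protects the PEM files. The task name `enable ans start service` also carries a typo (`ans` for `and`).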


@ -41,44 +41,11 @@ listen stats
{% endif %}
{% endfor %}
{% for resolver, config in haproxy_resolvers.items() %}
resolvers {{ resolver }}
{% for key, value in config.items() %}
{% if value is iterable and value is not string %}
{% for option in value %}
{{ key }} {{ option }}
{% endfor %}
{% else %}
{{ key }} {{ value }}
{% endif %}
{% endfor %}
{% endfor %}
{% for http_error_name, config in haproxy_http_errors.items() %}
http-errors {{ http_error_name }}
{% for status_code, file in config.items() %}
errorfile {{ status_code }} /etc/haproxy/errors/{{ file }}.http
{% endfor %}
{% endfor %}
{% for userlist, config in haproxy_userlists.items() %}
userlist {{ userlist }}
{% for key, value in config.items() %}
{% if value is iterable and value is not string %}
{% for option in value %}
{{ key }} {{ option }}
{% endfor %}
{% else %}
{{ key }} {{ value }}
{% endif %}
{% endfor %}
{% endfor %}
{% for frontend, config in haproxy_frontends.items() %}
frontend {{ frontend }}
{% for key, value in config.items() %}
{% for key, value in config.items()|sort if key != 'acl' and key != 'use_backend' %}
{% if key == "bind" %}
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["alpn"] is defined %} alpn {{ value["alpn"] }}{% endif %}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {% if value["ssl"]["crt"] is string %}{{ value["ssl"]["crt"] }}{% else %}{{ value["ssl"]["crt"]|join(' crt ') }}{% endif %}{% endif %}
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {{ value["ssl"]["crt"] }}{% endif %}
{% endif %}
{% elif value is iterable and value is not string %}
@ -89,6 +56,16 @@ frontend {{ frontend }}
{{ key }} {{ value }}
{% endif %}
{% endfor %}
{% if 'acl' in config %}
{% for option in config['acl'] %}
acl {{ option }}
{% endfor %}
{% endif %}
{% if 'use_backend' in config %}
{% for option in config['use_backend'] %}
use_backend {{ option }}
{% endfor %}
{% endif %}
{% endfor %}
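Review bot: In the `bind` line the certificate test is a truthiness check, `{% if value["ssl"]["crt"]%}`, while the cipher test next to it uses `is defined`. When `ssl` is set without a `crt` key the lookup yields an undefined value, which Ansible's templating is likely to reject with an error instead of skipping the clause. `{% if value["ssl"]["crt"] is defined %}` would match the `ciphers` check. The frontend loop starts and ends outside the hunks shown here, so how the `acl` and `use_backend` blocks interact with the rest of the loop body cannot be fully checked from this view.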


@ -0,0 +1,49 @@
---
- hosts: localhost
connection: local
vars:
haproxy_ssl_certificates:
www-example-com: |
-----BEGIN CERTIFICATE-----
test
haproxy_frontends:
main:
bind:
ip: '*'
port: 5000
acl:
- url_static path_beg -i /static /images /javascript /stylesheets
- url_static path_end -i .jpg .gif .png .css .js
frontend-test-https:
bind:
ip: 127.0.0.1
port: 80
mode: http
default_backend: backend-test-https
option:
- 'forwardfor except 127.0.0.0/8'
- 'httplog'
- 'http-server-close'
acl:
- acl_test1-https hdr(host) test1.example.net
- acl_test2-https hdr(host) test2.example.net
use_backend:
- backend-test-https if acl_test1-https
- backend-test-https if acl_test2-https
haproxy_backends:
backend-test-https:
mode: http
balance: roundrobin
stick-table: type ip size 512k expire 30m
stick: on src
option:
- 'ssl-hello-chk'
- 'tcp-check'
- 'log-health-checks'
- 'forwardfor header X-Forwarded-For'
server:
- host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
- host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
roles:
- ansible-role-haproxy
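Review bot: Both `server` entries under `backend-test-https` use `ssl verify none`, which turns off verification of the backend certificate. That is harmless against 127.0.0.1 in a test run, but fixtures like this tend to be copied as examples. A comment above the list, e.g. `# test only: 'verify none' skips backend certificate checks; use 'verify required ca-file <path>' in real configs`, would make the intent explicit.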


@ -0,0 +1,43 @@
require 'serverspec'
set :backend, :exec
puts
puts '================================'
puts %x(ansible --version)
puts '================================'
describe package('haproxy') do
it { should be_installed }
end
describe file('/etc/haproxy/haproxy.cfg') do
it { should be_file }
it { should be_mode 640 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
it { should contain 'server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s' }
end
describe file('/etc/haproxy/www-example-com.pem') do
it { should be_file }
it { should be_mode 600 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
it { should contain 'test' }
end
describe service('haproxy') do
it { should be_enabled }
it { should be_running.under('systemd') }
end
[80, 5000].each do |port|
describe port(port) do
it { should be_listening.with('tcp') }
end
end
describe command('haproxy -c -f /etc/haproxy/haproxy.cfg') do
its(:exit_status) { should eq 0 }
end


@ -0,0 +1 @@
localhost