# Ansible role: Haproxy [![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/main/LICENSE) [![Build](https://code.waks.be/nishiki/ansible-role-haproxy/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-haproxy/actions?workflow=molecule.yml) Install and configure haproxy ## Requirements - Ansible >= 2.10 - Debian - Bullseye - Bookworm ## Role variables - `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`) - `haproxy_global` - hash with the global configuration ``` log-send-hostname: true chroot: /var/lib/haproxy pidfile: /var/run/haproxy.pid maxconn: 4096 user: haproxy group: haproxy daemon: true stats: socket /var/lib/haproxy/stats ``` - `haproxy_defaults` - hash with the defaults configurations ``` mode: http log: global option: - httplog - dontlognull - http-server-close - forwardfor except 127.0.0.0/8 - redispatch retries: 3 timeout: - http-request 10s - queue 1m - connect 10s - client 1m - server 1m - http-keep-alive 10s - check 10s maxconn: 4096 ``` - `haproxy_stats_username` - set the username to access stats interface (default: `admin`) - `haproxy_stats_password`- set the password to access stats interface (default: `secret`) - `haproxy_listen_stats` - hash with options for stats interface ``` bind: ip: 127.0.0.1 port: 9000 mode: http maxconn: 10 timeout: - client 30s - server 30s - connect 30s - queue 30s stats: - 'refresh 5s' - 'show-node' - 'realm Haproxy\ Statistics' - 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}' - 'uri /haproxy_stats' ``` - `haproxy_resolvers` - hash with the resolvers configuration ``` dns: local: - dns1 127.0.0.1:53 ``` - `haproxy_frontends` - hash with the frontends configuration ``` fontend-https: bind: ip: '*' port: 443 ssl: cert: - /etc/haproxy/ssl1.pem - /etc/haproxy/ssl2.pem default_backend: backend-app frontend-http: bind: ip: '*' port: 80 mode: http option: - 'forwardfor except 127.0.0.0/8' - 'httplog' - 'http-server-close' acl: - acl_test1-https hdr(host) test1.example.net - acl_test2-https hdr(host) test2.example.net - acl_blacklist src -f /etc/haproxy/blacklist.list use_backend: - backend-app if acl_test1-https - backend-app if acl_test2-https - backend-app if acl_test1-https acl_blacklist ``` - `haproxy_backends` - hash with the backend configuration ``` backend-app: mode: http balance: roundrobin stick-table: type ip size 512k expire 30m stick: on src option: - 'ssl-hello-chk' - 'tcp-check' - 'log-health-checks' - 'forwardfor header X-Forwarded-For' server: - host1 127.0.0.1:80 check maxconn 1000 inter 15s - host2 127.0.0.1:80 check maxconn 1000 inter 15s ``` - `haproxy_ips_lists` - hash with the ips list to use in haproxy ``` blacklist: - 192.168.0.0/16 - 172.10.10.0/24 public_withlist: - 8.8.8.8 ``` - `haproxy_userlists` - hash with the userlist for basic auth ``` restricted: group: - admin user: - admin password 84375611a53741f7e94b09eb49127f41 groups admin ``` - `haproxy_ssl_certificates` - hash with ssl certificates to copy ``` example-com: | -----BEGIN CERTIFICATE----- MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDJZs7pOmgIjXqa /rZx2CL4pXTo4kKv+Itj3xfrq46r4DZKQJoCHqcs/bFjtCP89xJlvbrZVmxizFOF mfKiNat39GNgeUaTH23+N/FOAyphayOcFk+s4X6GbdxrkHqt9IBrfK0B88bYjL/m ..... ``` - `haproxy_http_errors` - hash with http error groups ``` test: 503: test-503 ``` - `haproxy_http_errors_file` - hash with http error files ``` test-503: | HTTP/1.1 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html