ansible-role-haproxy/molecule/default/converge.yml


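---
# Molecule converge playbook: applies the haproxy role to every test host with
# a fixture configuration (error pages, IP list, resolver, userlist, two
# frontends, two backends). Values here are test fixtures only.
# NOTE(review): nesting follows HAProxy semantics (e.g. alpn as a bind
# option) - confirm against the role's variable schema.
- name: Converge
  hosts: all
  roles:
    - ansible-role-haproxy
  vars:
    # presumably an http-errors section "test" mapping status 503 to the
    # error file "test" defined below - verify against the role's templates
    haproxy_http_errors:
      test:
        503: test
    # Raw HTTP response served as the error page. The empty line after the
    # headers is required to terminate the header block.
    haproxy_http_error_files:
      test: |
        HTTP/1.1 503 Service Unavailable
        Cache-Control: no-cache
        Connection: close
        Content-Type: text/html

        <!DOCTYPE html>
        <html lang="en">
        <body>
        <main>
        This is my custom 503 page
        </main>
        </body>
        </html>
    # Placeholder content, not a parsable PEM bundle (no END marker, no key).
    haproxy_ssl_certificates:
      www-example-com: |
        -----BEGIN CERTIFICATE-----
        test
    # 172.10.0.0/16 is public address space, not RFC 1918 (172.16.0.0/12).
    haproxy_ips_lists:
      blacklist:
        - 172.10.0.0/16
        - 192.168.1.1
    haproxy_resolvers:
      dns:
        nameserver: dns1 127.0.0.1:53
    # "insecure-password" stores the password in clear text in haproxy.cfg;
    # the "password" keyword takes a crypt(3) hash instead.
    haproxy_userlists:
      restricted:
        group:
          - admin
        user:
          - admin insecure-password password groups admin
    haproxy_frontends:
      main:
        bind:
          ip: '*'
          port: 5000
          alpn: h2,http/1.1
        acl:
          - url_static path_beg -i /static /images /javascript /stylesheets
          - url_static path_end -i .jpg .gif .png .css .js
      # Despite the name, this frontend binds port 80 in plain HTTP mode, so
      # the Basic-auth credentials requested below cross the wire unencrypted.
      frontend-test-https:
        bind:
          ip: '*'
          port: 80
        mode: http
        default_backend: backend-test-https
        option:
          - 'forwardfor except 127.0.0.0/8'
          - 'httplog'
          - 'http-server-close'
        acl:
          - acl_test1-https hdr(host) test1.example.net
          - acl_test2-https hdr(host) test2.example.net
          # presumably rendered from haproxy_ips_lists.blacklist - verify
          - acl_blacklist src -f /etc/haproxy/blacklist.list
          # "path" is an exact match: only "/auth/" itself is covered, not
          # deeper URLs (that would need path_beg).
          - acl_auth_path path -i /auth/
          - acl_auth http_auth(restricted)
        errorfiles: test
        http-request:
          - auth realm restricted if acl_auth_path !acl_auth
          - return status 200 content-type "text/plain" string "Good" if acl_auth_path
        # use_backend rules are evaluated in order and the first match wins,
        # so the third rule is shadowed by the first if rendered in this
        # order. acl_blacklist is referenced nowhere else: nothing in this
        # fixture denies the listed sources.
        use_backend:
          - backend-test-https if acl_test1-https
          - backend-test-resolver if acl_test2-https
          - backend-test-https if acl_test1-https acl_blacklist
    haproxy_backends:
      # "ssl verify none" encrypts the server connection but skips
      # certificate validation; a verified setup uses "verify required"
      # together with a "ca-file".
      backend-test-https:
        mode: http
        balance: roundrobin
        stick-table: type ip size 512k expire 30m
        stick: on src
        option:
          - 'ssl-hello-chk'
          - 'tcp-check'
          - 'log-health-checks'
          - 'forwardfor header X-Forwarded-For'
        server:
          - host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
          - host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
      backend-test-resolver:
        mode: http
        balance: roundrobin
        stick-table: type ip size 512k expire 30m
        stick: on src
        option:
          - 'ssl-hello-chk'
        # Resolved at runtime through the "dns" resolvers section; the server
        # certificate is not validated here either.
        server:
          - google.fr google.com:443 ssl verify none check resolvers dns init-addr none
  pre_tasks:
    # Plain-HTTP mirror: package integrity rests on APT's signed Release
    # metadata, not on transport security.
    - name: add backports repository
      ansible.builtin.apt_repository:
        repo: 'deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main'
    - name: update apt cache
      ansible.builtin.apt:
        update_cache: true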