forked from saltstack-formulas/haproxy-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
144 lines (138 loc) · 4.1 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
#
# Example pillar configuration
#
haproxy:
global:
stats: socket /var/lib/haproxy/stats mode 660 level admin
ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"
user: haproxy
group: haproxy
daemon:
chroot: /var/lib/haproxy
tune.ssl.lifetime: 600
defaults:
log: global
mode: http
retries: 3
option:
- httplog
- dontlognull
- forwardfor
- http-server-close
logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r"
timeout:
- http-request 10s
- queue 1m
- connect 10s
- client 1m
- server 1m
- http-keep-alive 10s
- check 10s
stats:
- enable
- uri: '/admin?stats'
- realm: 'Haproxy\ Statistics'
- auth: 'admin1:AdMiN123'
errorfile:
- 400 /etc/haproxy/errors/400.http
- 403 /etc/haproxy/errors/403.http
- 408 /etc/haproxy/errors/408.http
- 500 /etc/haproxy/errors/500.http
- 502 /etc/haproxy/errors/502.http
- 503 /etc/haproxy/errors/503.http
- 504 /etc/haproxy/errors/504.http
listens:
stats:
bind:
- "0.0.0.0:8998"
mode: http
stats:
- enable
- uri "/admin?stats"
- refresh "20s"
myservice:
bind:
- "*:8888"
option:
- forwardfor
- http-server-close
server:
- web1 web1.example.com check port 80
- web2 web2.example.com check port 18888
- web3 web3.example.com
frontend:
www-http:
bind: "*:80"
redirect:
- scheme https if !{ ssl_fc }
reqadd:
- "X-Forwarded-Proto:\\ http"
default_backend: www-backend
www-https:
bind: "*:443 ssl crt /etc/ssl/private/certificate-chain-and-key-combined.pem"
logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version:%sslv\\ ssl_cipher:%sslc"
reqadd:
- "X-Forwarded-Proto:\\ https"
default_backend: www-backend
acl:
- url_static path_beg -i /static /images /javascript /stylesheets
- url_static path_end -i .jpg .gif .png .css .js
use_backend:
- static-backend if url_static
extra: "rspadd Strict-Transport-Security:\ max-age=15768000"
some-services:
bind:
- "*:8080"
- "*:8088"
default_backend: api-backend
backend:
www-backend:
balance: roundrobin
redirect:
- scheme https if !{ ssl_fc }
extra: "reqidel ^X-Forwarded-For:"
server:
- server1-its-name 192.168.1.213 check port 80
static-backend:
balance: roundrobin
redirect:
- scheme https if !{ ssl_fc }
option:
- http-server-close
- httpclose
- forwardfor except 127.0.0.0/8
- httplog
cookie: "pm insert indirect"
stats:
- enable
- uri /url/to/stats
- realm LoadBalancer
- auth "user:password"
server:
- some-server 123.156.189.111 check port 8080
- another-server 123.156.189.112
api-backend:
option:
- http-server-close
- forwardfor
server:
- apiserver1 apiserver1.example.com check port 80
- apiserver2 apiserver2.example.com check port 80 resolvers local_dns resolve-prefer ipv4
another_www:
mode: tcp
balance: source
sticktable: "type binary len 32 size 30k expire 30m"
acl:
- clienthello req_ssl_hello_type 1
- serverhello rep_ssl_hello_type 2
tcprequest:
- "inspect-delay 5s"
- "content accept if clienthello"
tcpresponse:
- "content accept if serverhello"
stickon:
- "payload_lv(43,1) if clienthello"
reqrep:
- "^([^\ :]*)\ /static/(.*) \1\ \2"
option: "ssl-hello-chk"