1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
{% if global_parameters is vyos_defined %}
{% if global_parameters.max_connections is vyos_defined %}
maxconn {{ global_parameters.max_connections }}
{% endif %}
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
{% if global_parameters.tls.ssl_bind_ciphers is vyos_defined %}
# https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6
ssl-default-bind-ciphers {{ global_parameters.tls.ssl_bind_ciphers | join(':') | upper }}
{% endif %}
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
{% if global_parameters.tls.tls_version_min is vyos_defined('1.3') %}
ssl-default-bind-options force-tlsv13
{% else %}
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
{% endif %}
{% endif %}
defaults
log global
mode http
option dontlognull
timeout connect 10s
timeout client 50s
timeout server 50s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Frontend
{% if server is vyos_defined %}
{% for front, front_config in server.items() %}
frontend {{ front }}
{% set ssl_front = 'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
bind {{ front_config.listen_address if front_config.listen_address if vyos_defined else '*' }}:{{ front_config.port }} {{ ssl_front }}
{% if front_config.redirect_http_to_https is vyos_defined %}
http-request redirect scheme https unless { ssl_fc }
{% endif %}
{% if front_config.mode is vyos_defined %}
mode {{ front_config.mode }}
{% endif %}
{% if front_config.rule is vyos_defined %}
{% for rule, rule_config in front_config.rule.items() %}
# rule {{ rule }}
{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %}
{% set rule_options = 'hdr(host)' %}
{% if rule_config.ssl is vyos_defined %}
{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
{% endif %}
acl {{ rule }} {{ rule_options }} -i {{ rule_config.domain_name }}
use_backend {{ rule_config.set.server }} if {{ rule }}
{% endif %}
{# path url #}
{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
{% for path, path_config in rule_config.url_path.items() %}
{% for url in path_config %}
acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
{% endfor %}
{% endfor %}
http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
{% endif %}
{# endpath #}
{% endfor %}
{% endif %}
{% if front_config.backend is vyos_defined %}
{% for backend in front_config.backend %}
default_backend {{ backend }}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
# Backend
{% if backend is vyos_defined %}
{% for back, back_config in backend.items() %}
backend {{ back }}
{% if back_config.balance is vyos_defined %}
{% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %}
balance {{ balance_translate[back_config.balance] }}
{% endif %}
{# If mode is not TCP skip Forwarded #}
{% if back_config.mode is not vyos_defined('tcp') %}
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
{% endif %}
{% if back_config.mode is vyos_defined %}
mode {{ back_config.mode }}
{% endif %}
{% if back_config.rule is vyos_defined %}
{% for rule, rule_config in back_config.rule.items() %}
{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %}
{% set rule_options = 'hdr(host)' %}
{% if rule_config.ssl is vyos_defined %}
{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
{% endif %}
acl {{ rule }} {{ rule_options }} -i {{ rule_config.domain_name }}
use-server {{ rule_config.set.server }} if {{ rule }}
{% endif %}
{# path url #}
{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
{% for path, path_config in rule_config.url_path.items() %}
{% for url in path_config %}
acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
{% endfor %}
{% endfor %}
http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
{% endif %}
{# endpath #}
{% endfor %}
{% endif %}
{% if back_config.server is vyos_defined %}
{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
{% for server, server_config in back_config.server.items() %}
server {{ server }} {{ server_config.address }}:{{ server_config.port }} {{ 'check' if server_config.check is vyos_defined }} {{ ssl_back }}
{% endfor %}
{% endif %}
{% if back_config.timeout.check is vyos_defined %}
timeout check {{ back_config.timeout.check }}
{% endif %}
{% if back_config.timeout.connect is vyos_defined %}
timeout connect {{ back_config.timeout.connect }}
{% endif %}
{% if back_config.timeout.server is vyos_defined %}
timeout server {{ back_config.timeout.server }}
{% endif %}
{% endfor %}
{% endif %}
|