diff options
| author | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
|---|---|---|
| committer | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
| commit | cc86483fdf7a6bd988f485c06402fd07368dd26e (patch) | |
| tree | 9d892a9715106cc67bf1e57b15b999aa7e564057 /data/templates/load-balancing | |
| parent | 704ca2322d0bebcb923f5136f0f69fb23651a484 (diff) | |
| download | vyos-workflow-test-temp-cc86483fdf7a6bd988f485c06402fd07368dd26e.tar.gz vyos-workflow-test-temp-cc86483fdf7a6bd988f485c06402fd07368dd26e.zip | |
T6357: create test repository to validate setup
Diffstat (limited to 'data/templates/load-balancing')
| -rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 205 | ||||
| -rw-r--r-- | data/templates/load-balancing/override_haproxy.conf.j2 | 14 | ||||
| -rw-r--r-- | data/templates/load-balancing/wlb.conf.j2 | 134 |
3 files changed, 353 insertions, 0 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 new file mode 100644 index 0000000..7917c82 --- /dev/null +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -0,0 +1,205 @@ +### Autogenerated by load-balancing_reverse-proxy.py ### + +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + +{% if global_parameters is vyos_defined %} +{% if global_parameters.max_connections is vyos_defined %} + maxconn {{ global_parameters.max_connections }} +{% endif %} + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + +{% if global_parameters.ssl_bind_ciphers is vyos_defined %} + # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6 + ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }} +{% endif %} + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +{% if global_parameters.tls_version_min is vyos_defined('1.3') %} + ssl-default-bind-options force-tlsv13 +{% else %} + ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets +{% endif %} +{% endif %} + +defaults + log global + mode http + option dontlognull + timeout connect 10s + timeout client 50s + timeout server 50s + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +# Frontend +{% if service is vyos_defined %} +{% for front, front_config in service.items() %} +frontend {{ front }} +{% set ssl_front = [] %} +{% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %} +{% for cert in front_config.ssl.certificate %} +{% set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %} +{% endfor %} +{% endif %} +{% set ssl_directive = 'ssl' if ssl_front else '' %} +{% if front_config.listen_address is vyos_defined %} +{% for address in front_config.listen_address %} + bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }} +{% endfor %} +{% else %} + bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }} +{% endif %} +{% if front_config.redirect_http_to_https is vyos_defined %} + http-request redirect scheme https unless { ssl_fc } +{% endif %} +{% if front_config.mode is vyos_defined %} + mode {{ front_config.mode }} +{% if front_config.tcp_request.inspect_delay is vyos_defined %} + tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }} +{% endif %} +{# add tcp-request related directive if ssl is configed #} +{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} +{% if rule_config.ssl is vyos_defined %} + tcp-request content accept if { req_ssl_hello_type 1 } +{% break %} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +{% if front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} + # rule {{ rule }} +{% if rule_config.domain_name is vyos_defined %} +{% set rule_options = 'hdr(host)' %} +{% if rule_config.ssl is vyos_defined %} +{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} +{% set rule_options = ssl_rule_translate[rule_config.ssl] %} +{% endif %} +{% for domain in rule_config.domain_name %} + acl {{ rule }} {{ rule_options }} -i {{ domain }} +{% endfor %} +{% endif %} +{# path url #} +{% if rule_config.url_path is vyos_defined %} +{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} +{% for path, path_config in rule_config.url_path.items() %} +{% for url in path_config %} + acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} +{% endfor %} +{% endfor %} +{% endif %} +{% if rule_config.set.backend is vyos_defined %} + use_backend {{ rule_config.set.backend }} if {{ rule }} +{% endif %} +{% if rule_config.set.redirect_location is vyos_defined %} + http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} +{% endif %} +{# endpath #} +{% endfor %} +{% endif %} +{% if front_config.backend is vyos_defined %} +{% for backend in front_config.backend %} + default_backend {{ backend }} +{% endfor %} +{% endif %} + +{% endfor %} +{% endif %} + +# Backend +{% if backend is vyos_defined %} +{% for back, back_config in backend.items() %} +backend {{ back }} +{% if back_config.http_check is vyos_defined %} + option httpchk +{% endif %} +{% set send = '' %} +{% if back_config.http_check.method is vyos_defined %} +{% set send = send + ' meth ' + back_config.http_check.method | upper %} +{% endif %} +{% if back_config.http_check.uri is vyos_defined %} +{% set send = send + ' uri ' + back_config.http_check.uri %} +{% endif %} +{% if send != '' %} + http-check send{{ send }} +{% endif %} +{% if back_config.http_check.expect is vyos_defined %} +{% if back_config.http_check.expect.status is vyos_defined %} + http-check expect status {{ back_config.http_check.expect.status }} +{% elif back_config.http_check.expect.string is vyos_defined %} + http-check expect string {{ back_config.http_check.expect.string }} +{% endif %} +{% endif %} +{% if back_config.balance is vyos_defined %} +{% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %} + balance {{ balance_translate[back_config.balance] }} +{% endif %} +{# If mode is not TCP skip Forwarded #} +{% if back_config.mode is not vyos_defined('tcp') %} + option forwardfor + http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto https if { ssl_fc } +{% endif %} +{% if back_config.mode is vyos_defined %} + mode {{ back_config.mode }} +{% endif %} +{% if back_config.rule is vyos_defined %} +{% for rule, rule_config in back_config.rule.items() %} +{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %} +{% set rule_options = 'hdr(host)' %} +{% if rule_config.ssl is vyos_defined %} +{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} +{% set rule_options = ssl_rule_translate[rule_config.ssl] %} +{% endif %} +{% for domain in rule_config.domain_name %} + acl {{ rule }} {{ rule_options }} -i {{ domain }} +{% endfor %} + use-server {{ rule_config.set.server }} if {{ rule }} +{% endif %} +{# path url #} +{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %} +{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} +{% for path, path_config in rule_config.url_path.items() %} +{% for url in path_config %} + acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} +{% endfor %} +{% endfor %} + http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} +{% endif %} +{# endpath #} +{% endfor %} +{% endif %} +{% if back_config.server is vyos_defined %} +{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else ('ssl verify none' if back_config.ssl.no_verify is vyos_defined else '') %} +{% for server, server_config in back_config.server.items() %} + server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }} +{% endfor %} +{% endif %} +{% if back_config.timeout.check is vyos_defined %} + timeout check {{ back_config.timeout.check }}s +{% endif %} +{% if back_config.timeout.connect is vyos_defined %} + timeout connect {{ back_config.timeout.connect }}s +{% endif %} +{% if back_config.timeout.server is vyos_defined %} + timeout server {{ back_config.timeout.server }}s +{% endif %} + +{% endfor %} +{% endif %} diff --git a/data/templates/load-balancing/override_haproxy.conf.j2 b/data/templates/load-balancing/override_haproxy.conf.j2 new file mode 100644 index 0000000..395b5d2 --- /dev/null +++ b/data/templates/load-balancing/override_haproxy.conf.j2 @@ -0,0 +1,14 @@ +{% set haproxy_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service +ConditionPathExists=/run/haproxy/haproxy.cfg + +[Service] +EnvironmentFile= +Environment= +Environment="CONFIG=/run/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock" +ExecStart= +ExecStart={{ haproxy_command }}/usr/sbin/haproxy -Ws -f /run/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock +Restart=always +RestartSec=10 diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2 new file mode 100644 index 0000000..7f04d79 --- /dev/null +++ b/data/templates/load-balancing/wlb.conf.j2 @@ -0,0 +1,134 @@ +### Autogenerated by load-balancing_wan.py ### + +{% if disable_source_nat is vyos_defined %} +disable-source-nat +{% endif %} +{% if enable_local_traffic is vyos_defined %} +enable-local-traffic +{% endif %} +{% if sticky_connections is vyos_defined %} +sticky-connections inbound +{% endif %} +{% if flush_connections is vyos_defined %} +flush-conntrack +{% endif %} +{% if hook is vyos_defined %} +hook "{{ hook }}" +{% endif %} +{% if interface_health is vyos_defined %} +health { +{% for interface, interface_config in interface_health.items() %} + interface {{ interface }} { +{% if interface_config.failure_count is vyos_defined %} + failure-ct {{ interface_config.failure_count }} +{% endif %} +{% if interface_config.success_count is vyos_defined %} + success-ct {{ interface_config.success_count }} +{% endif %} +{% if interface_config.nexthop is vyos_defined %} + nexthop {{ interface_config.nexthop }} +{% endif %} +{% if interface_config.test is vyos_defined %} +{% for test_rule, test_config in interface_config.test.items() %} + rule {{ test_rule }} { +{% if test_config.type is vyos_defined %} +{% set type_translate = {'ping': 'ping', 'ttl': 'udp', 'user-defined': 'user-defined'} %} + type {{ type_translate[test_config.type] }} { +{% if test_config.ttl_limit is vyos_defined and test_config.type == 'ttl' %} + ttl {{ test_config.ttl_limit }} +{% endif %} +{% if test_config.test_script is vyos_defined and test_config.type == 'user-defined' %} + test-script {{ test_config.test_script }} +{% endif %} +{% if test_config.target is vyos_defined %} + target {{ test_config.target }} +{% endif %} + resp-time {{ test_config.resp_time | int * 1000 }} + } +{% endif %} + } +{% endfor %} +{% endif %} + } +{% endfor %} +} +{% endif %} + +{% if rule is vyos_defined %} +{% for rule, rule_config in rule.items() %} +rule {{ rule }} { +{% if rule_config.exclude is vyos_defined %} + exclude +{% endif %} +{% if rule_config.failover is vyos_defined %} + failover +{% endif %} +{% if rule_config.limit is vyos_defined %} + limit { +{% if rule_config.limit.burst is vyos_defined %} + burst {{ rule_config.limit.burst }} +{% endif %} +{% if rule_config.limit.rate is vyos_defined %} + rate {{ rule_config.limit.rate }} +{% endif %} +{% if rule_config.limit.period is vyos_defined %} + period {{ rule_config.limit.period }} +{% endif %} +{% if rule_config.limit.threshold is vyos_defined %} + thresh {{ rule_config.limit.threshold }} +{% endif %} + } +{% endif %} +{% if rule_config.per_packet_balancing is vyos_defined %} + per-packet-balancing +{% endif %} +{% if rule_config.protocol is vyos_defined %} + protocol {{ rule_config.protocol }} +{% endif %} +{% if rule_config.destination is vyos_defined %} + destination { +{% if rule_config.destination.address is vyos_defined %} + address "{{ rule_config.destination.address }}" +{% endif %} +{% if rule_config.destination.port is vyos_defined %} +{% if '-' in rule_config.destination.port %} + port-ipt "-m multiport --dports {{ rule_config.destination.port | replace('-', ':') }}" +{% elif ',' in rule_config.destination.port %} + port-ipt "-m multiport --dports {{ rule_config.destination.port }}" +{% else %} + port-ipt " --dport {{ rule_config.destination.port }}" +{% endif %} +{% endif %} + } +{% endif %} +{% if rule_config.source is vyos_defined %} + source { +{% if rule_config.source.address is vyos_defined %} + address "{{ rule_config.source.address }}" +{% endif %} +{% if rule_config.source.port is vyos_defined %} +{% if '-' in rule_config.source.port %} + port-ipt "-m multiport --sports {{ rule_config.source.port | replace('-', ':') }}" +{% elif ',' in rule_config.destination.port %} + port-ipt "-m multiport --sports {{ rule_config.source.port }}" +{% else %} + port.ipt " --sport {{ rule_config.source.port }}" +{% endif %} +{% endif %} + } +{% endif %} +{% if rule_config.inbound_interface is vyos_defined %} + inbound-interface {{ rule_config.inbound_interface }} +{% endif %} +{% if rule_config.interface is vyos_defined %} +{% for interface, interface_config in rule_config.interface.items() %} + interface {{ interface }} { +{% if interface_config.weight is vyos_defined %} + weight {{ interface_config.weight }} +{% endif %} + } +{% endfor %} +{% endif %} +} +{% endfor %} +{% endif %} |