summaryrefslogtreecommitdiff
path: root/data/templates/load-balancing/haproxy.cfg.j2
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/load-balancing/haproxy.cfg.j2')
-rw-r--r--data/templates/load-balancing/haproxy.cfg.j2205
1 files changed, 205 insertions, 0 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
new file mode 100644
index 0000000..7917c82
--- /dev/null
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -0,0 +1,205 @@
+### Autogenerated by load-balancing_reverse-proxy.py ###
+
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+{% if global_parameters is vyos_defined %}
+{% if global_parameters.max_connections is vyos_defined %}
+ maxconn {{ global_parameters.max_connections }}
+{% endif %}
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+{% if global_parameters.ssl_bind_ciphers is vyos_defined %}
+ # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6
+ ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }}
+{% endif %}
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+{% if global_parameters.tls_version_min is vyos_defined('1.3') %}
+ ssl-default-bind-options force-tlsv13
+{% else %}
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+{% endif %}
+{% endif %}
+
+defaults
+ log global
+ mode http
+ option dontlognull
+ timeout connect 10s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+# Frontend
+{% if service is vyos_defined %}
+{% for front, front_config in service.items() %}
+frontend {{ front }}
+{% set ssl_front = [] %}
+{% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
+{% for cert in front_config.ssl.certificate %}
+{% set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %}
+{% endfor %}
+{% endif %}
+{% set ssl_directive = 'ssl' if ssl_front else '' %}
+{% if front_config.listen_address is vyos_defined %}
+{% for address in front_config.listen_address %}
+ bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }}
+{% endfor %}
+{% else %}
+ bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
+{% endif %}
+{% if front_config.redirect_http_to_https is vyos_defined %}
+ http-request redirect scheme https unless { ssl_fc }
+{% endif %}
+{% if front_config.mode is vyos_defined %}
+ mode {{ front_config.mode }}
+{% if front_config.tcp_request.inspect_delay is vyos_defined %}
+ tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }}
+{% endif %}
+{# add tcp-request related directive if ssl is configed #}
+{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %}
+{% for rule, rule_config in front_config.rule.items() %}
+{% if rule_config.ssl is vyos_defined %}
+ tcp-request content accept if { req_ssl_hello_type 1 }
+{% break %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if front_config.rule is vyos_defined %}
+{% for rule, rule_config in front_config.rule.items() %}
+ # rule {{ rule }}
+{% if rule_config.domain_name is vyos_defined %}
+{% set rule_options = 'hdr(host)' %}
+{% if rule_config.ssl is vyos_defined %}
+{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
+{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
+{% endif %}
+{% for domain in rule_config.domain_name %}
+ acl {{ rule }} {{ rule_options }} -i {{ domain }}
+{% endfor %}
+{% endif %}
+{# path url #}
+{% if rule_config.url_path is vyos_defined %}
+{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
+{% for path, path_config in rule_config.url_path.items() %}
+{% for url in path_config %}
+ acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if rule_config.set.backend is vyos_defined %}
+ use_backend {{ rule_config.set.backend }} if {{ rule }}
+{% endif %}
+{% if rule_config.set.redirect_location is vyos_defined %}
+ http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
+{% endif %}
+{# endpath #}
+{% endfor %}
+{% endif %}
+{% if front_config.backend is vyos_defined %}
+{% for backend in front_config.backend %}
+ default_backend {{ backend }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+{% endif %}
+
+# Backend
+{% if backend is vyos_defined %}
+{% for back, back_config in backend.items() %}
+backend {{ back }}
+{% if back_config.http_check is vyos_defined %}
+ option httpchk
+{% endif %}
+{% set send = '' %}
+{% if back_config.http_check.method is vyos_defined %}
+{% set send = send + ' meth ' + back_config.http_check.method | upper %}
+{% endif %}
+{% if back_config.http_check.uri is vyos_defined %}
+{% set send = send + ' uri ' + back_config.http_check.uri %}
+{% endif %}
+{% if send != '' %}
+ http-check send{{ send }}
+{% endif %}
+{% if back_config.http_check.expect is vyos_defined %}
+{% if back_config.http_check.expect.status is vyos_defined %}
+ http-check expect status {{ back_config.http_check.expect.status }}
+{% elif back_config.http_check.expect.string is vyos_defined %}
+ http-check expect string {{ back_config.http_check.expect.string }}
+{% endif %}
+{% endif %}
+{% if back_config.balance is vyos_defined %}
+{% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %}
+ balance {{ balance_translate[back_config.balance] }}
+{% endif %}
+{# If mode is not TCP skip Forwarded #}
+{% if back_config.mode is not vyos_defined('tcp') %}
+ option forwardfor
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request add-header X-Forwarded-Proto https if { ssl_fc }
+{% endif %}
+{% if back_config.mode is vyos_defined %}
+ mode {{ back_config.mode }}
+{% endif %}
+{% if back_config.rule is vyos_defined %}
+{% for rule, rule_config in back_config.rule.items() %}
+{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %}
+{% set rule_options = 'hdr(host)' %}
+{% if rule_config.ssl is vyos_defined %}
+{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
+{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
+{% endif %}
+{% for domain in rule_config.domain_name %}
+ acl {{ rule }} {{ rule_options }} -i {{ domain }}
+{% endfor %}
+ use-server {{ rule_config.set.server }} if {{ rule }}
+{% endif %}
+{# path url #}
+{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
+{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
+{% for path, path_config in rule_config.url_path.items() %}
+{% for url in path_config %}
+ acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
+{% endfor %}
+{% endfor %}
+ http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
+{% endif %}
+{# endpath #}
+{% endfor %}
+{% endif %}
+{% if back_config.server is vyos_defined %}
+{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else ('ssl verify none' if back_config.ssl.no_verify is vyos_defined else '') %}
+{% for server, server_config in back_config.server.items() %}
+ server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+{% endfor %}
+{% endif %}
+{% if back_config.timeout.check is vyos_defined %}
+ timeout check {{ back_config.timeout.check }}s
+{% endif %}
+{% if back_config.timeout.connect is vyos_defined %}
+ timeout connect {{ back_config.timeout.connect }}s
+{% endif %}
+{% if back_config.timeout.server is vyos_defined %}
+ timeout server {{ back_config.timeout.server }}s
+{% endif %}
+
+{% endfor %}
+{% endif %}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 01:20:46 +0000