home-stack-ansible/roles/haproxy/templates/haproxy.cfg

global
    daemon
    maxconn 1024
    log 127.0.0.1 local0
    stats timeout 30s

defaults
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    log global

    option forwardfor
    option http-server-close

    default-server init-addr last,none resolvers dns

resolvers dns
    parse-resolv-conf

## FRONTENDS ##

# haproxy stuff
frontend http_management
    bind *:8080
    mode http

    # redirects /status to haproxy monitor
    monitor-uri /status

    # redirects /stats to stats backend
    acl prefixed-with-stats path_beg -i /stats
    use_backend haproxy_stats if prefixed-with-stats

    # redirects /metrics to metrics backend
    acl prefixed-with-metrics path_beg -i /metrics
    use_backend haproxy_metrics if prefixed-with-metrics

frontend http_in
    bind *:80
    mode http

    http-request redirect scheme https code 302

frontend https_in
    # backend is assumed to be http, perform ssl termination here
    bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem
    # mode tcp

    # request is ssl
    # tcp-request inspect-delay 5s
    # tcp-request content accept if { req.ssl_hello_type 1  }

{% for route in https_routing %}
    # use_backend https_{{ route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in route.src %}{{ src }} {% endfor %}}
    use_backend https_{{ route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in route.src %}{{ src }} {% endfor %}}
{% endfor %}

## BACKENDS ##

backend haproxy_stats
    mode http
    stats uri /stats
    stats enable
    stats refresh 10s
    stats auth admin:admin

backend haproxy_metrics
    mode http
    http-request use-service prometheus-exporter

{% for route in https_routing %}
backend https_{{ route.src[0]|replace('.','_') }}
    # mode tcp
    balance roundrobin
{% for dst in route.dst %}
    # server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check
    server {{ dst }} {{ dst }}{% if ':' not in dst %}:80{% endif %} check
{% endfor %}
{% endfor %}
initial commit 2021-08-25 04:33:56 +00:00			`global`
			`daemon`
			`maxconn 1024`
			`log 127.0.0.1 local0`
			`stats timeout 30s`

			`defaults`
			`timeout connect 5s`
			`timeout client 30s`
			`timeout server 30s`
			`log global`

			`option forwardfor`
			`option http-server-close`

			`default-server init-addr last,none resolvers dns`

			`resolvers dns`
			`parse-resolv-conf`

			`## FRONTENDS ##`

			`# haproxy stuff`
			`frontend http_management`
			`bind *:8080`
			`mode http`

			`# redirects /status to haproxy monitor`
			`monitor-uri /status`

			`# redirects /stats to stats backend`
			`acl prefixed-with-stats path_beg -i /stats`
			`use_backend haproxy_stats if prefixed-with-stats`

			`# redirects /metrics to metrics backend`
			`acl prefixed-with-metrics path_beg -i /metrics`
			`use_backend haproxy_metrics if prefixed-with-metrics`

			`frontend http_in`
			`bind *:80`
			`mode http`

			`http-request redirect scheme https code 302`

			`frontend https_in`
			`# backend is assumed to be http, perform ssl termination here`
			`bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem`
			`# mode tcp`

			`# request is ssl`
			`# tcp-request inspect-delay 5s`
			`# tcp-request content accept if { req.ssl_hello_type 1 }`

			`{% for route in https_routing %}`
			`# use_backend https_{{ route.src[0]\|replace('.','_') }} if { req.ssl_sni -i {% for src in route.src %}{{ src }} {% endfor %}}`
			`use_backend https_{{ route.src[0]\|replace('.','_') }} if { hdr_end(host) -i {% for src in route.src %}{{ src }} {% endfor %}}`
			`{% endfor %}`

			`## BACKENDS ##`

			`backend haproxy_stats`
			`mode http`
			`stats uri /stats`
			`stats enable`
			`stats refresh 10s`
			`stats auth admin:admin`

			`backend haproxy_metrics`
			`mode http`
			`http-request use-service prometheus-exporter`

			`{% for route in https_routing %}`
			`backend https_{{ route.src[0]\|replace('.','_') }}`
			`# mode tcp`
			`balance roundrobin`
			`{% for dst in route.dst %}`
			`# server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check`
			`server {{ dst }} {{ dst }}{% if ':' not in dst %}:80{% endif %} check`
			`{% endfor %}`
			`{% endfor %}`