Haproxy Ansible Example


author: Norbert Bede

haproxy version: 2.x

Context in which this configuration was used: a staging server built on KVM.

note:

  • This example uses Jinja2, Ansible's templating language. To use it without Ansible, replace the `{{ ... }}` variables with literal values and unroll the `{% for %}` loops (one copy per iDempiere instance).
  • You need to create the `/etc/haproxy/lib` folder with the referenced files (`cors.lua`, `cors-restapi.lua`, `cors-origins.lst`); the linked references explain how. Note that `cors-origins.lst` is matched as a list of regular expressions, so every entry should be anchored (e.g. `^https://app\.example\.com$`).
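      global
          ## Process-wide cap on concurrent connections. Read it together with the
          ## 120m client/server timeouts in "defaults": idle connections are cheap
          ## for a client to hold, so this limit is reachable without much traffic.
          maxconn 2000
          user haproxy
          group haproxy
          ## Hardening worth enabling once the paths exist on the host:
          ##   chroot /var/lib/haproxy
          ##   stats socket /run/haproxy/admin.sock mode 660 level admin

          ## Syslog over UDP to the local host only (facility local0, level info).
          log 127.0.0.1:514 local0 info
          #log 127.0.0.1:9001 local1 debug


          ## Applied to every "bind ... ssl" line: TLS 1.0 and 1.1 are refused.
          ssl-default-bind-options ssl-min-ver TLSv1.2
          ## TLS 1.2 suites: forward-secret AEAD only. The previous value
          ## (AES128+EECDH:AES128+EDH) also admitted CBC/HMAC-SHA1 suites and
          ## excluded AES-256 and ChaCha20; restore it only if a legacy client
          ## turns out to need CBC.
          ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM
          ## TLS 1.3 suites are governed by ssl-default-bind-ciphersuites, which is
          ## left at the library default (all AEAD).
          ## Group size for the DHE suites above; modern clients reject 1024-bit DH.
          tune.ssl.default-dh-param 2048


          ## Lua helpers under /etc/haproxy/lib (see the page notes). Presumably
          ## cors.lua provides the lua.cors request/response actions used by the
          ## *_auth backends and cors-restapi.lua provides the
          ## lua.cors-response-rest service used by the *_rest backends — confirm
          ## against the files.
          lua-load /etc/haproxy/lib/cors.lua
          lua-load /etc/haproxy/lib/cors-restapi.lua
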
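     defaults
         log     global
         ## Explicit log line (client addr:port, timers, status, bytes, cookies,
         ## termination state, queue/connection counters, captured headers, request
         ## line). Because log-format is set, "option httplog" below only documents
         ## the intent; the custom format wins.
         log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
         mode    http
         option  httplog

         timeout connect 3s ## oldvalue 3s
         ## Two-hour idle timeouts, presumably for long-lived WebUI sessions —
         ## confirm. With maxconn 2000 in "global" this makes connection
         ## exhaustion by idle clients cheap, hence the request-header timeout below.
         timeout client  120m ## oldvalue 7200000
         timeout server  120m ## oldvalue 120000
         ## Bound the time a client may take to send complete request headers
         ## (slowloris defence). It does not cut off requests already in flight.
         ## Per the HAProxy manual it is also used as the keep-alive idle timeout
         ## while "timeout http-keep-alive" is unset; set that explicitly if a
         ## longer idle keep-alive is wanted.
         timeout http-request 10s
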
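     frontend public
         ## Plain HTTP is accepted only so that it can be redirected to HTTPS below.
         bind *:80
         ## Every PEM in the directory is loaded; the certificate is picked by SNI
         ## and the first one loaded is served to clients that send no/unknown SNI.
         bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 ## we switch to http2 2021-05-10

         ## Force TLS for every host and path, including the WebUI (login) backends,
         ## which have no redirect of their own. The _rest/_auth backends redirect
         ## too; that is harmless once this rule is in place.
         http-request redirect scheme https code 301 unless { ssl_fc }
         ## Once every host is HTTPS-only, consider adding HSTS:
         ##   http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }

         ## Capture slot 0 = Origin. The backends read it as capture.req.hdr(0);
         ## "capture request header" is only valid in a frontend, so it lives here.
         capture request header origin len 128

         ## Give the backend the real client address and scheme. set-header
         ## overwrites any X-Forwarded-* the client sent, so a spoofed address
         ## cannot reach the application (assumes the backend is reachable only
         ## through this proxy and honours these headers — confirm).
         http-request set-header X-Forwarded-For %[src]
         http-request set-header X-Forwarded-Proto https if { ssl_fc }

         ## ACL DEFINITIONS
         ## One host ACL per instance. hdr(host) -i is an exact, case-insensitive
         ## comparison: a Host value carrying an explicit port will not match.
         {% for item in haproxy_backends %}
         acl is_{{ item['backend_name'] }} hdr(host) -i {{ item['domain'] }}
         {% endfor %}

         acl url_rest path_beg /api/v1/
         acl url_auth path_beg /auth

         ## USE BACKEND DEFINITIONS
         ## The first matching use_backend wins, so the path-specific rules come
         ## before the WebUI catch-all, and host and path are ANDed. The original
         ## "is_X_rest || url_rest" sent /api/v1/ requests for ANY Host — including
         ## unknown ones — to the first instance's REST backend, and the catch-all
         ## being listed first meant the _rest/_auth backends were never selected
         ## for their own host.
         {% for item in haproxy_backends %}
         use_backend {{ item['backend_name'] }}_rest if is_{{ item['backend_name'] }} url_rest
         use_backend {{ item['backend_name'] }}_auth if is_{{ item['backend_name'] }} url_auth
         use_backend {{ item['backend_name'] }}_back if is_{{ item['backend_name'] }}
         {% endfor %}
         ## A Host not listed in haproxy_backends matches nothing and gets a 503
         ## from HAProxy. If API clients address the server by a name or IP that
         ## is not an item['domain'], add an ACL for it or a default_backend here.
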
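     ## CLDE WEBUI BACKENDS
     {% for item in haproxy_backends %}
     backend {{ item['backend_name'] }}_back
         ## Same redirect as the _rest/_auth backends: the login UI must not be
         ## served over plain HTTP.
         redirect scheme https code 301 if !{ ssl_fc }
         ## No "check" on the server line, so traffic is sent even while the
         ## instance is down (consistent with the other backends). Assumes the
         ## instance speaks plain HTTP on this port — confirm.
         server srv_{{ item['backend_name'] }} {{ item['backend_server_ip'] }}:{{ item['backend_server_port'] }}

     {% endfor %}
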
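     ## CLDE REST API BACKENDS
     {% for item in haproxy_backends %}
     backend {{ item['backend_name'] }}_rest
         mode http
         balance roundrobin
         ## httpchk only takes effect for servers marked "check"; none is, so this
         ## line is currently inert.
         option httpchk GET /api
         redirect scheme https code 301 if !{ ssl_fc }

         ## BREACH caveat: compressing a TLS response that echoes attacker-controlled
         ## input next to a secret (session id, CSRF token) lets the secret be
         ## recovered. Keep compression only if the JSON responses do not do that.
         compression algo gzip
         compression type application/json

         #https://stackoverflow.com/questions/32749520/haproxy-cors-options-header-intercept-setup
         # CORS configuration
         # if a preflight request is made, use CORS preflight backend

         # The Origin header is captured by frontend "public" into slot 0.
         # "capture request header" is a frontend-only directive, so the copy
         # that used to be here was dropped; it had no effect in a backend.

         # Reflect the Origin only when it matches a line of cors-origins.lst.
         # The file is applied as regular expressions (-m reg), so every entry
         # must be anchored (e.g. ^https://app\.example\.com$); an unanchored
         # entry would also accept https://app.example.com.evil.net — verify the
         # file. http-after-response also runs on the responses HAProxy generates
         # itself (the "http-response return" rules below), so error replies
         # carry the CORS headers as well.
         http-after-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if !METH_OPTIONS { capture.req.hdr(0) -m reg -f /etc/haproxy/lib/cors-origins.lst }
         http-after-response add-header Access-Control-Expose-Headers X-Page-Count,X-Records-Size,X-Skip-Records,X-Row-Count if !METH_OPTIONS { capture.req.hdr(0) -m reg -f /etc/haproxy/lib/cors-origins.lst }
         # The response depends on the request's Origin (reflected above), so
         # shared caches must key on it; without this a cached reply for one
         # origin could be served, with its Allow-Origin header, to another.
         http-after-response add-header Vary Origin
         http-request use-service lua.cors-response-rest if METH_OPTIONS { capture.req.hdr(0) -m reg -f /etc/haproxy/lib/cors-origins.lst }

         #errorfiles json # https://www.haproxy.com/blog/serve-dynamic-custom-error-pages-with-haproxy/ #}
         # Replace the backend's reply for these statuses with HAProxy's default
         # error page. The backend's own headers for that reply are presumably not
         # kept — confirm if clients rely on e.g. WWW-Authenticate on a 401.
         http-response return status 401 default-errorfiles if { status 401 }
         http-response return status 404 default-errorfiles if { status 404 }
         http-response return status 429 default-errorfiles if { status 429 }
         http-response return status 503 default-errorfiles if { status 503 }
         http-response return status 504 default-errorfiles if { status 504 }

         server srv_{{ item['backend_name'] }} {{ item['backend_server_ip'] }}:{{ item['backend_server_port'] }}

     {% endfor %}
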
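     ## CLDE SERVER OAUTH BACKENDS
     {% for item in haproxy_backends %}
     backend {{ item['backend_name'] }}_auth

         # mode http (inherited from "defaults")
         balance roundrobin
         ## Inert until the server line carries "check".
         option httpchk GET /api
         redirect scheme https code 301 if !{ ssl_fc }

         ## BREACH caveat: compressing TLS responses that mix a secret (token,
         ## session id) with reflected input lets the secret be recovered; keep
         ## compression only if the auth responses do not do that.
         compression algo gzip
         compression type application/json

         # Invoke the CORS service on the request to capture the Origin header
         http-request lua.cors
         # Invoke the CORS service on the response to add CORS headers.
         # The second argument is the allowed-origin list, here only localhost
         # dev origins without a scheme. How cors.lua matches these entries
         # (exact vs. substring) is not visible here — verify in the file, and
         # keep this list in sync with cors-origins.lst, which the preflight rule
         # below uses instead.
         http-response lua.cors "GET,PUT,POST,OPTIONS" "localhost:80,localhost:8100,localhost:8126,localhost:8131,localhost:8136,localhost:8031,localhost:4200"
         # The reply varies with the request's Origin; tell shared caches so.
         http-after-response add-header Vary Origin

         ## mobpwa require ngsw-bypass only for options
         ## session_id  added 7.6.2022 improved session transfer between
         ## Preflight only, and only for origins listed in cors-origins.lst
         ## (regexes; entries must be anchored). Allowing a session_id request
         ## header cross-origin is deliberate per the note above — keep the
         ## origin list tight.
         http-after-response add-header Access-Control-Allow-Headers ngsw-bypass,session_id if METH_OPTIONS { capture.req.hdr(0) -m reg -f /etc/haproxy/lib/cors-origins.lst }

         #errorfiles json # https://www.haproxy.com/blog/serve-dynamic-custom-error-pages-with-haproxy/
         # Replace the backend's reply for these statuses with HAProxy's default
         # error page; the backend's own headers for that reply are presumably
         # dropped — confirm if clients rely on e.g. WWW-Authenticate on a 401.
         http-response return status 401 default-errorfiles if { status 401 }
         http-response return status 404 default-errorfiles if { status 404 }
         http-response return status 429 default-errorfiles if { status 429 }
         http-response return status 503 default-errorfiles if { status 503 }
         http-response return status 504 default-errorfiles if { status 504 }

         server srv_{{ item['backend_name'] }} {{ item['backend_server_ip'] }}:{{ item['backend_server_port'] }}

     {% endfor %}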
    