path: root/roles/haproxy/templates/haproxy.cfg.j2
blob: 0a6ec70710bd52fd0af0f6ff109f792cb1050a5c (plain)
# Process-wide settings: logging, privilege drop, the runtime API socket and
# the TLS defaults inherited by every "ssl" bind line.
global
    # Send logs to the syslog listener on localhost, facility local4.
    log        127.0.0.1 local4
    # Confine the process to this directory once it has started.
    chroot     /var/lib/haproxy
    # Runtime API socket. "level admin" permits every runtime command, so
    # anyone able to open the socket can reconfigure the running proxy;
    # "mode 660" restricts that to the socket file's owner and group.
    # NOTE(review): confirm which accounts are members of that group.
    stats      socket /run/haproxy/admin.sock mode 660 level admin
    # Close idle connections to the runtime socket after 30 seconds.
    stats      timeout 30s
    # Drop from the starting user to this unprivileged user and group.
    user       haproxy
    group      haproxy
    # Detach and run in the background.
    daemon

    # Base directories for relative CA and certificate paths. The bind line in
    # this file gives an absolute certificate path, so crt-base is not used by it.
    ca-base    /etc/ssl/certs
    crt-base   /etc/ssl/private
    # Size in bits of the Diffie-Hellman parameters used for DHE key exchange.
    tune.ssl.default-dh-param 2048
    # Disable TLS session tickets on all ssl listeners.
    ssl-default-bind-options no-tls-tickets
    # Cipher preference list for ssl listeners. AEAD (GCM) suites come first;
    # anonymous, NULL, EXPORT, DES, RC4, 3DES, MD5 and PSK suites are excluded.
    # NOTE(review): the list still permits CBC-mode suites with SHA-1 MACs and
    # DHE-DSS suites; check whether any remaining client needs them before
    # keeping them enabled.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

# Settings inherited by the frontend and every backend below.
defaults
    # Reuse the log target declared in the global section.
    log        global
    # Layer 7 (HTTP) processing, required for the path and method ACLs.
    mode       http
    # Log full HTTP request details; skip connections that sent no data.
    option     httplog
    option     dontlognull
    # Timeouts carry no unit suffix, so they are milliseconds: 5 s to connect
    # to a backend, 50 s of client or server inactivity.
    # NOTE(review): no "timeout http-request" is set, so a client sending its
    # request slowly is bounded only by the 50 s client inactivity timeout;
    # consider a shorter, explicit limit for receiving the request.
    timeout    connect 5000
    timeout    client 50000
    timeout    server 50000
    # Static response files served for errors that HAProxy itself generates.
    errorfile  400 /etc/haproxy/errors/400.http
    errorfile  403 /etc/haproxy/errors/403.http
    errorfile  408 /etc/haproxy/errors/408.http
    errorfile  500 /etc/haproxy/errors/500.http
    errorfile  502 /etc/haproxy/errors/502.http
    errorfile  503 /etc/haproxy/errors/503.http
    errorfile  504 /etc/haproxy/errors/504.http


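# Public entry point: accepts cleartext HTTP on port 80 and terminates TLS on
# port 443, then routes each request to a local backend by URL path prefix.
frontend http-in
    # NOTE(review): port 80 serves every route below in cleartext, including
    # the /token, /login and /auth paths handled by the qvisqve backend.
    # Confirm whether that is intended; if not, redirect non-TLS requests with
    # a "redirect scheme https" rule conditioned on the connection not being
    # TLS (the ssl_fc fetch).
    bind *:80
    # SSLv3 and TLS 1.0 are refused; TLS 1.1 is still accepted here.
    bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/haproxy.pem

    # HSTS policy, max-age of roughly six months. Sent only on responses that
    # travelled over TLS: browsers ignore the header on plain HTTP and the HSTS
    # specification says not to send it there. "http-response set-header"
    # replaces the older rspadd directive and overwrites any
    # Strict-Transport-Security header a backend may already have set, so the
    # client sees a single policy.
    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }

    # Path ACLs. path_beg is a plain string-prefix match with no segment
    # boundary, so "/web" also matches paths such as "/website".
    acl ickweb path_beg /web
    acl blobs path_beg /blobs
    acl token path_beg /token
    acl login path_beg /login
    acl auth path_beg /auth
    acl clients path_beg /clients
    acl users path_beg /users
    acl applications path_beg /applications
    acl notify path_beg /notify
    acl debian path_beg /debian
    # Despite its name, "any" matches only these five methods. A request with
    # another method and an unmatched path selects no backend, and no
    # default_backend is declared in this frontend.
    acl any method GET HEAD POST PUT DELETE

    # Rules are evaluated in order and the first match wins, so the
    # path-specific rules must stay above the method-based catch-all.
    use_backend apache if debian
    use_backend ickweb if ickweb
    use_backend notification_service if notify
    use_backend artifact_store if blobs
    use_backend qvisqve if token
    use_backend qvisqve if login
    use_backend qvisqve if auth
    use_backend qvisqve if clients
    use_backend qvisqve if users
    use_backend qvisqve if applications
    use_backend controller if any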

# Backends. Each forwards over plain HTTP to a single service on the loopback
# interface. No server line carries "check", so no health checks are run.
# Only the apache port is fixed; the others are filled in from template
# variables defined outside this file.
# NOTE(review): the services see every connection as coming from 127.0.0.1;
# if they log or make decisions on the client address, confirm how they
# obtain it.

# Serves requests under /debian.
backend apache
    server apache_1 127.0.0.1:8080

# Serves requests under /web.
backend ickweb
    server ickweb_1 127.0.0.1:{{ ickweb_port }}

# Catch-all for requests that matched none of the path rules.
backend controller
    server controller_1 127.0.0.1:{{ controller_port }}

# Serves requests under /blobs.
backend artifact_store
    server artifact_store_1 127.0.0.1:{{ artifact_store_port }}

# Serves /token, /login, /auth, /clients, /users and /applications.
backend qvisqve
    server qvisqve_1 127.0.0.1:{{ qvisqve_port }}

# Serves requests under /notify.
backend notification_service
    server notify_1 127.0.0.1:{{ notify_port }}