backend-haproxy.cfg.in 8.61 KB
global
  pidfile {{ configuration['pid-file'] }}
  # master-worker mode works in the foreground under an external process manager
  master-worker

log {{ configuration['log-socket'] }} local0
defaults
{#- Values inherited by the proxy sections below. Generated backends that get a server line set their own #}
{#- 'timeout server', 'timeout connect' and 'retries' from the slave's values. #}
  log global
  mode http
  option httplog
  timeout queue 60s
  timeout server {{ configuration['request-timeout'] }}s
  timeout client {{ configuration['request-timeout'] }}s
  timeout connect {{ configuration['backend-connect-timeout'] }}s
  retries {{ configuration['backend-connect-retries'] }}

{%- set SCHEME_PREFIX_MAPPING = { 'http': 'http_backend', 'https': 'https_backend'} %}
{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
{#-   Emit the Host-header ACLs and use_backend rules of one slave for the given scheme ('http' or 'https'). #}
{#-   Nothing is emitted unless the slave has both a hostname and a port for that scheme. #}
{#-   wildcard=False handles only exact hosts, wildcard=True only hosts starting with '*.'. #}
{#-   Each frontend calls the macro for all slaves with False first and True afterwards, so the looser #}
{#-   wildcard entries end up last: haproxy uses the first matching rule. #}
{%-   if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] %}
{%-     set matched = {'count': 0} %}
{%-     for host in slave_instance['host_list'] %}
{#-       Match up to the end of the Host value or up to an optional port (starting with ':') #}
{#-       Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
{#-       NOTE(review): host is written into the regex as-is, so every '.' in it matches any character, and the #}
{#-       wildcard pattern has no leading '^': it accepts any Host value that ends with host[2:], which for #}
{#-       '*.example.com' includes 'example.com' itself and names such as 'notexample.com'. #}
{#-       Confirm that host values are validated as plain hostnames upstream; escaping them or anchoring on a #}
{#-       label boundary changes routing, so cover such a change with tests first. #}
{%-       if wildcard and host.startswith('*.') %}
{%-         do matched.__setitem__('count', matched['count'] + 1) %}
# match wildcard {{ host }}
  acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
{%-       elif not wildcard and not host.startswith('*.') %}
{%-         do matched.__setitem__('count', matched['count'] + 1) %}
  acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i ^{{ host }}($|:.*)
{%-       endif %}
{%-     endfor %}
{%-     if matched['count'] > 0 %}
{#-       With a failover hostname configured, matching requests go to the main backend while it still has a #}
{#-       usable server and to the '-failover' backend once nbsrv() reports none. #}
{#-       NOTE(review): this branch tests only the failover hostname, while the '-failover' backend section is #}
{#-       generated only when both the failover hostname and port are set; confirm a port is always present, #}
{#-       otherwise use_backend would name a backend that is never defined. #}
{%-       if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
  acl is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }} nbsrv({{ slave_instance['slave_reference'] }}-{{ scheme }}) eq 0
  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} ! is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }}-failover if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
{%-       else %}
  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }}
{%-       endif %}
{%-     endif %}
{%-   endif %}
{%- endmacro %}

# statistic
frontend statistic
{#- Statistics page, served over TLS on configuration['global-ipv6'] and protected by HTTP basic auth. #}
{#- 'stats auth' takes the password in clear text, so the rendered configuration file contains it as-is. #}
{#- NOTE(review): confirm the rendered file is readable only by the account that runs haproxy. #}
  bind {{ configuration['global-ipv6']}}:{{ configuration['statistic-port'] }} ssl crt {{ configuration['statistic-certificate'] }}
  stats enable
  stats uri /
  stats show-desc {{ configuration['statistic-identification'] }}
  stats auth {{ configuration['statistic-username'] }}:{{ configuration['statistic-password'] }}
  stats realm {{ configuration['statistic-identification'] }}
  stats scope http-backend
  stats scope https-backend

frontend http-backend
{#- Listener on configuration['local-ipv4']; requests are routed by Host header using each slave's http_backend definition #}
  bind {{ configuration['local-ipv4'] }}:{{ configuration['http-port'] }}
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'http', False) }}
{%- endfor %}
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'http', True) }}
{%- endfor %}

frontend https-backend
{#- The bind line has no 'ssl': 'https' in the name selects each slave's https_backend definition. #}
{#- Whether TLS is used towards the backend server is decided in the backend section from that definition's 'scheme'. #}
  bind {{ configuration['local-ipv4'] }}:{{ configuration['https-port'] }}
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'https', False) }}
{%- endfor %}
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'https', True) }}
{%- endfor %}

{%- for slave_instance in backend_slave_list %}
{%-   for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
{%-     set info_dict = slave_instance[prefix] %}
{%-     if info_dict['hostname'] and info_dict['port'] %}
{#-       ssl_list collects the TLS options of the server line; it stays empty when the backend scheme is not https #}
{%-       set ssl_list = [] %}
{%-       if info_dict['scheme'] == 'https' %}
{#-         Present configuration['certificate'] to the backend only when the slave asks for it #}
{%-         if slave_instance['authenticate-to-backend'] %}
{%-           do ssl_list.append('crt %s' % (configuration['certificate'],)) %}
{%-         endif %}
{#-         'ssl verify' is completed further down with either 'required ca-file <path>' or 'none'. #}
{#-         NOTE(review): with ssl_proxy_verify unset the result is 'ssl verify none', so the connection is #}
{#-         encrypted but the backend certificate is not checked. #}
{%-         do ssl_list.append('ssl verify') %}
{%-         if slave_instance['ssl_proxy_verify'] %}
{%-           if slave_instance['path_to_ssl_proxy_ca_crt']  %}
{%-             do ssl_list.append('required ca-file %s' % (slave_instance['path_to_ssl_proxy_ca_crt'],)) %}
{%-           else %}
{#-           Verification of the backend certificate is requested but no CA file is available: refuse to connect. #}
{#-           Blanking the hostname makes the later 'if hostname and port' test skip the server line, #}
{#-           so the backend section is emitted without any server. #}
{%-           do info_dict.__setitem__('hostname', '') %}
{%-           endif %}
{%-         else %}
{%-           do ssl_list.append('none') %}
{%-         endif %}
{%-       endif %}

backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
{%-       set hostname = info_dict['hostname'] %}
{%-       set port = info_dict['port'] %}
{#-       Build the prefix put in front of every request path: the backend path without trailing '/', #}
{#-       followed by '?' and the query when a query is set. #}
{%-       set path_list = [info_dict['path'].rstrip('/')] %}
{%-       set query = info_dict['query'] %}
{%-       if query %}
{%-         do path_list.append(query) %}
{%-       endif %}
{%-       set path = '?'.join(path_list) %}
{#-       NOTE(review): path is later written unescaped into 'http-request set-path', whose argument haproxy #}
{#-       reads as a log-format string; a '%' or whitespace in the backend path or query would change how that #}
{#-       line is parsed. Confirm these values are validated or escaped before they reach this template. #}
{%-       if hostname and port %}
  timeout server {{ slave_instance['request-timeout'] }}s
  timeout connect {{ slave_instance['backend-connect-timeout'] }}s
  retries {{ slave_instance['backend-connect-retries'] }}
{%-         set active_check_list = [] %}
{%-         set active_check_option_list = [] %}
{%-         if slave_instance['health-check'] %}
{%-           do active_check_list.append('check') %}
{#-           Check timing goes on the server line; 'option httpchk' is added unless the method is CONNECT, #}
{#-           in which case only the plain 'check' on the server line is used. #}
{#-           Only the health-check path is URL-encoded; method and HTTP version are inserted as given. #}
{#-           NOTE(review): presumably both are restricted to known values upstream; confirm, since they end up #}
{#-           verbatim in the configuration. #}
{%-           do active_check_list.append('inter %ss' % (slave_instance['health-check-interval'])) %}
{%-           do active_check_list.append('rise %s' % (slave_instance['health-check-rise'])) %}
{%-           do active_check_list.append('fall %s' % (slave_instance['health-check-fall'])) %}
{%-           if slave_instance['health-check-http-method'] != 'CONNECT' %}
{%-             do active_check_option_list.append('option httpchk %s %s %s' % (slave_instance['health-check-http-method'], slave_instance['health-check-http-path'] | urlencode, slave_instance['health-check-http-version'])) %}
{%-           endif %}
{%-           do active_check_option_list.append('timeout check %ss' % (slave_instance['health-check-timeout'])) %}
{%-         endif %}
{#-         Server line: address, then the TLS options, then the active-check options (either list may be empty); #}
{#-         the backend-level check options follow, one per line. #}
  server {{ slave_instance['slave_reference'] }}-backend {{ hostname }}:{{ port }} {{ ' '.join(ssl_list) }} {{ ' ' + ' '.join(active_check_list)}}
{%-         for active_check_option in active_check_option_list %}
  {{ active_check_option }}
{%-         endfor %}
{%-         if path %}
  http-request set-path {{ path }}%[path]
{%-         endif %}
{%-       endif %}
{%-     endif %}
{#-     Failover backend '<slave_reference>-<scheme>-failover', generated only when both the failover hostname #}
{#-     and port are set; it is driven by the health-check-failover-* values. #}
{%-     if info_dict['health-check-failover-hostname'] and info_dict['health-check-failover-port'] %}
{#-       ssl_list collects the TLS options of the server line; it stays empty when the failover scheme is not https #}
{%-       set ssl_list = [] %}
{%-       if info_dict['health-check-failover-scheme'] == 'https' %}
{#-         Present configuration['certificate'] to the failover backend only when the slave asks for it #}
{%-         if slave_instance['health-check-authenticate-to-failover-backend'] %}
{%-           do ssl_list.append('crt %s' % (configuration['certificate'],)) %}
{%-         endif %}
{#-         'ssl verify' is completed below with either 'required ca-file <path>' or 'none'. #}
{#-         NOTE(review): with health-check-failover-ssl-proxy-verify unset the result is 'ssl verify none', #}
{#-         so the failover server certificate is not checked. #}
{%-         do ssl_list.append('ssl verify') %}
{%-         if slave_instance['health-check-failover-ssl-proxy-verify'] %}
{%-           if slave_instance['path_to_health-check-failover-ssl-proxy-ca-crt']  %}
{%-             do ssl_list.append('required ca-file %s' % (slave_instance['path_to_health-check-failover-ssl-proxy-ca-crt'],)) %}
{%-           else %}
{#-           Verification of the failover certificate is requested but no CA file is available: refuse to connect. #}
{#-           Blanking the hostname makes the 'if hostname and port' test below skip the server line, #}
{#-           so the backend section is emitted without any server. #}
{%-           do info_dict.__setitem__('health-check-failover-hostname', '') %}
{%-           endif %}
{%-         else %}
{%-           do ssl_list.append('none') %}
{%-         endif %}
{%-       endif %}

backend {{ slave_instance['slave_reference'] }}-{{ scheme }}-failover
{%-       set hostname = info_dict['health-check-failover-hostname'] %}
{%-       set port = info_dict['health-check-failover-port'] %}
{#-       Prefix put in front of every request path: failover path without trailing '/', plus '?' and the query when set #}
{%-       set path_list = [info_dict['health-check-failover-path'].rstrip('/')] %}
{%-       set query = info_dict['health-check-failover-query'] %}
{%-       if query %}
{%-         do path_list.append(query) %}
{%-       endif %}
{%-       set path = '?'.join(path_list) %}
{%-       if hostname and port %}
  timeout server {{ slave_instance['request-timeout'] }}s
  timeout connect {{ slave_instance['backend-connect-timeout'] }}s
  retries {{ slave_instance['backend-connect-retries'] }}
{#-         The failover server line carries only the TLS options; no active-check options are added here #}
  server {{ slave_instance['slave_reference'] }}-backend {{ hostname }}:{{ port }} {{ ' '.join(ssl_list) }}
{%-         if path %}
{#-         NOTE(review): path is written unescaped into a log-format argument; a '%' or whitespace in the #}
{#-         failover path or query would change how this line is parsed. Confirm the values are validated upstream. #}
  http-request set-path {{ path }}%[path]
{%-         endif %}
{%-       endif %}
{%-     endif %}
{%-   endfor %}
{%- endfor %}