Commit 8d952c8c authored by Jérome Perrin's avatar Jérome Perrin

stack/erp5: make haproxy listening on both old apache + old proxy ports

parent 123d5ccf
......@@ -90,11 +90,11 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
[template-balancer]
filename = instance-balancer.cfg.in
md5sum = 4a119083eab1eadbaf44468eb4f3381f
md5sum = abbf7a437e582c994c9f3a5b4edfc6f0
[template-haproxy-cfg]
filename = haproxy.cfg.in
md5sum = 8de18a61607bd66341a44b95640d293f
md5sum = 7149e973ab1f6c1cb31b1ca33638c145
[template-rsyslogd-cfg]
filename = rsyslogd.cfg.in
......
......@@ -46,6 +46,7 @@
# "backend-dict": {
# "family-secure": {
# ( 8000, # port int
# 18000, # legacy_port int
# 'https', # proto str
# True, # ssl_required bool
# [ # backends
......@@ -57,6 +58,7 @@
# },
# "family-default": {
# ( 8002, # port int
# 18002, # legacy_port int
# 'https', # proto str
# False, # ssl_required bool
# [ # backends
......@@ -88,10 +90,16 @@
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients providing a verified TLS certificate
# emitted by a CA from `ca-cert` and not revoked in `crl`.
# For historical reasons, they will also listen on the legacy port:
# - 0.0.0.0:18000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:18000 redirecting internaly to http://10.0.0.10:8001
# For "family-default":
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client.
# For historical reasons, they will also listen on the legacy port:
# - 0.0.0.0:18002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:18002 redirecting internaly to http://10.0.0.10:8003
#
# For both families, X-Forwarded-For header will be stripped unless
# client presents a certificate that can be verified with `ca-cert` and `crl`.
......@@ -148,7 +156,7 @@ defaults
{% set bind_ssl_crt = 'ssl crt ' ~ parameter_dict['cert'] ~ ' alpn h2,http/1.1' %}
{% for name, (port, _, certificate_authentication, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
{% for name, (port, legacy_port, _, certificate_authentication, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
listen family_{{ name }}
{%- if parameter_dict.get('ca-cert') -%}
{%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
......@@ -157,6 +165,8 @@ listen family_{{ name }}
{%- endif %}
bind {{ parameter_dict['ipv4'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }}
bind {{ parameter_dict['ipv6'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }}
bind {{ parameter_dict['ipv4'] }}:{{ legacy_port }} {{ bind_ssl_crt }} {{ ssl_auth }}
bind {{ parameter_dict['ipv6'] }}:{{ legacy_port }} {{ bind_ssl_crt }} {{ ssl_auth }}
cookie SERVERID rewrite
http-request set-header X-Balancer-Current-Cookie SERVERID
......
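Review bot: The two added `bind ...:{{ legacy_port }}` lines double the number of listeners per family, yet the header comment only says "for historical reasons" and gives no condition under which the legacy ports can be retired, nor any reminder that firewall and monitoring rules must cover them like the primary ports. Both new binds reuse `{{ bind_ssl_crt }} {{ ssl_auth }}`, so the client-certificate policy appears to be the same on the legacy ports; this is worth stating in the comment block, e.g. `# Legacy ports use the same certificate and client verification settings as the main ports.` The `for` line now unpacks five positional elements, so any other producer of `backend-dict` that still emits four would fail at render time. How `ssl_auth` is set when `ca-cert` is absent lies in lines collapsed out of this view, so that case could not be checked here.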
......@@ -166,11 +166,10 @@ update-command = ${:command}
{#
# We use to have haproxy then apache, now haproxy is playing apache's role
# To keep port stable, we consume one port so that haproxy use the same port
# that apache was using before.
# To keep port stables, we make haproxy listen on both ports (the one
# apache was using + the one haproxy was using).
-#}
{% set _ = next_port() -%}
{% set legacy_haproxy_port = next_port() -%}
{% set haproxy_port = next_port() -%}
{% set backend_path = slapparameter_dict['backend-path-dict'][family_name] -%}
{% if has_webdav -%}
......@@ -178,7 +177,7 @@ update-command = ${:command}
{% else %}
{% set external_scheme = 'https' -%}
{% endif -%}
{% do haproxy_dict.__setitem__(family_name, (haproxy_port, external_scheme, slapparameter_dict['ssl-authentication-dict'].get(family_name, False), zope_family_address_list)) -%}
{% do haproxy_dict.__setitem__(family_name, (haproxy_port, legacy_haproxy_port, external_scheme, slapparameter_dict['ssl-authentication-dict'].get(family_name, False), zope_family_address_list)) -%}
{% endfor -%}
[haproxy-cfg-parameter-dict]
......
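Review bot: The tuple passed to `haproxy_dict.__setitem__` is an undocumented positional contract with the `for` unpacking in the haproxy template, and inserting `legacy_haproxy_port` in second position shifts every later field, so both files must always change together. Adding the field order to the existing `{# ... -#}` comment, for example `# Tuple order: (port, legacy_port, proto, ssl_required, backends)`, would make that contract visible where the value is built. The new comment text reads "To keep port stables", where "To keep ports stable" is meant. The enclosing `for` loop starts outside the hunk, so whether other code consumes `haproxy_dict` with the old four-element shape cannot be confirmed from here.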