From 6cfcd61f3409ee3cbe697cb09da8316b96a79916 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Wed, 25 Nov 2015 18:08:14 +0100 Subject: [PATCH 1/6] Add support for nbproc (> 1) --- README.md | 18 +++++++++--- defaults/main.yml | 1 + templates/etc/haproxy/backend.cfg.j2 | 28 +++++++------------ templates/etc/haproxy/frontend.cfg.j2 | 25 ++++++++--------- templates/etc/haproxy/global.cfg.j2 | 7 +++++ templates/etc/haproxy/listen.cfg.j2 | 40 +++++++++++++-------------- 6 files changed, 64 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 72438caf..edc3b4d2 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_global_chroot`: [default: `/var/lib/haproxy`]: Changes current directory to `` and performs a `chroot()` there before dropping privileges * `haproxy_global_stats`: [default: See `defaults/main.yml`]: Stats declarations * `haproxy_global_stats.socket`: [default: `"{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}"`]: Binds a UNIX socket to `` or a TCPv4/v6 address to ``. Connections to this socket will return various statistics outputs and even allow some commands to be issued to change some runtime settings +* `haproxy_global_stats.bind_process`: [optional]: Limits the stats socket to a certain set of processes numbers (e.g. `[all]`, `[1]`, `[2 ,3, 4]`) * `haproxy_global_stats.timeout`: [default: `30s`]: The default timeout on the stats socket * `haproxy_global_user`: [default: `haproxy`]: Similar to `"uid"` but uses the UID of user name `` from `/etc/passwd` * `haproxy_global_group`: [default: `haproxy`]: Similar to `"gid"` but uses the GID of group name `` from `/etc/group`. 
@@ -30,6 +31,7 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_global_crt_base`: [default: `/etc/ssl/private`]: Assigns a default directory to fetch SSL certificates from when a relative path is used with `"crtfile"` directives * `haproxy_global_ssl_default_bind_ciphers`: [default: `kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL`]: This setting is only available when support for OpenSSL was built in. It sets the default string describing the list of cipher algorithms (`"cipher suite"`) that are negotiated during the SSL/TLS handshake for all `"bind"` lines which do not explicitly define theirs * `haproxy_global_ssl_default_bind_options`: [default: `no-sslv3`]: This setting is only available when support for OpenSSL was built in. It sets default ssl-options to force on all `"bind"` lines +* `haproxy_global_nbproc`: [default: `1`]: Number of processes to create when going daemon. This requires the `daemon` mode. By default, only one process is created, which is the recommended mode of operation * `haproxy_defaults_log`: [default: `global`]: Enable per-instance logging of events and traffic. `global` should be used when the instance's logging parameters are the same as the global ones. This is the most common usage * `haproxy_defaults_mode`: [default: `http`]: Set the running mode or protocol of the instance 
@@ -51,7 +53,10 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_listen`: [default: `[]`]: Listen declarations * `haproxy_listen.{n}.name`: [required]: The name of the section (e.g. `stats`) * `haproxy_listen.{n}.description`: [optional]: A description of the section (e.g. `Global statistics`) -* `haproxy_listen.{n}.bind`: [required]: Defines a listening address and/or port (e.g. `0.0.0.0:1936`) +* `haproxy_listen.{n}.bind`: [required]: Bind declarations +* `haproxy_listen.{n}.bind.{n}.listen`: [required]: Defines one or several listening addresses and/or ports (e.g. `0.0.0.0:1936`) +* `haproxy_listen.{n}.bind.{n}.param`: [optional]: A list of parameters common to this bind declarations +* `haproxy_listen.{n}.bind_process`: [optional]: Limits the declaration to a certain set of processes numbers (e.g. `[all]`, `[1]`, `[2 ,3, 4]`) * `haproxy_listen.{n}.mode`: [required]: Set the running mode or protocol of the section (e.g. `http`) * `haproxy_listen.{n}.balance`: [required]: The load balancing algorithm to be used (e.g. `roundrobin`) * `haproxy_listen.{n}.maxconn`: [optional]: Fix the maximum number of concurrent connections 
@@ -75,13 +80,17 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_listen.{n}.server.{n}.port`: [optional]: A port specification * `haproxy_listen.{n}.server.{n}.maxconn`: [optional]: The `"maxconn"` parameter specifies the maximal number of concurrent connections that will be sent to this server * `haproxy_listen.{n}.server.{n}.param`: [optional]: A list of parameters for this server -* `haproxy_listen.{n}.ssl`: [optional]: SSL declarations -* `haproxy_listen.{n}.ssl.{n}.crt`: [required]: Designates a PEM file containing both the required certificates and any associated private keys (e.g. `star-example0-com.pem`) +* `haproxy_listen.{n}.rspadd`: [optional]: Adds headers at the end of the HTTP response +* `haproxy_listen.{n}.rspadd.{n}.string`: [required]: The complete line to be added. Any space or known delimiter must be escaped using a backslash (`'\'`) +* `haproxy_listen.{n}.rspadd.{n}.cond`: [optional]: A matching condition built from ACLs * `haproxy_frontend`: [default: `[]`]: Front-end declarations * `haproxy_frontend.{n}.name`: [required]: The name of the section (e.g. `https`) * `haproxy_frontend.{n}.description`: [optional]: A description of the section (e.g. `Front-end for all HTTPS traffic`) -* `haproxy_frontend.{n}.bind`: [required]: Defines a listening address and/or port (e.g. `0.0.0.0:443`) +* `haproxy_frontend.{n}.bind`: [required]: Bind declarations +* `haproxy_frontend.{n}.bind.{n}.listen`: [required]: Defines one or several listening addresses and/or ports (e.g. `0.0.0.0:443`) +* `haproxy_frontend.{n}.bind.{n}.param`: [optional]: A list of parameters common to this bind declarations +* `haproxy_frontend.{n}.bind_process`: [optional]: Limits the declaration to a certain set of processes numbers (e.g. `[all]`, `[1]`, `[2 ,3, 4]`) * `haproxy_frontend.{n}.mode`: [required]: Set the running mode or protocol of the section (e.g. 
`http`) * `haproxy_frontend.{n}.maxconn`: [optional]: Fix the maximum number of concurrent connections * `haproxy_frontend.{n}.option`: [optional]: Options to set (e.g. `[tcplog]`) @@ -97,6 +106,7 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_backend`: [default: `[]`]: Back-end declarations * `haproxy_backend.{n}.name`: [required]: The name of the section (e.g. `webservers`) * `haproxy_backend.{n}.description`: [optional]: A description of the section (e.g. `Back-end with all (Apache) webservers`) +* `haproxy_backend.{n}.bind_process`: [optional]: Limits the declaration to a certain set of processes numbers (e.g. `[all]`, `[1]`, `[2 ,3, 4]`) * `haproxy_backend.{n}.mode`: [required]: Set the running mode or protocol of the section (e.g. `http`) * `haproxy_backend.{n}.balance`: [required]: The load balancing algorithm to be used (e.g. `roundrobin`) * `haproxy_backend.{n}.option`: [optional]: Options to set (e.g. `[forwardfor]`) diff --git a/defaults/main.yml b/defaults/main.yml index 03c1bf3a..40ee85bc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,6 +20,7 @@ haproxy_global_ca_base: /etc/ssl/certs haproxy_global_crt_base: /etc/ssl/private haproxy_global_ssl_default_bind_ciphers: 'kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL' haproxy_global_ssl_default_bind_options: 'no-sslv3' +haproxy_global_nbproc: 1 # defaults section haproxy_defaults_log: global diff --git a/templates/etc/haproxy/backend.cfg.j2 b/templates/etc/haproxy/backend.cfg.j2 index 3be409b1..7e61ba39 100644 --- a/templates/etc/haproxy/backend.cfg.j2 +++ b/templates/etc/haproxy/backend.cfg.j2 
@@ -4,46 +4,38 @@ backend {{ backend.name }} description {{ backend.description }} {% endif %} +{% if backend.bind_process is defined %} + bind-process {{ backend.bind_process | join(' ') }} +{% endif %} + mode {{ backend.mode }} balance {{ backend.balance }} -{% if backend.option is defined %} -{% for option in backend.option %} +{% for option in backend.option | default([])%} option {{ option }} {% endfor %} -{% endif %} -{% if backend.no_option is defined %} -{% for option in backend.no_option %} +{% for option in backend.no_option | default([]) %} no option {{ option }} {% endfor %} -{% endif %} -{% if backend.tcp_check is defined %} -{% for tcp_check in backend.tcp_check %} +{% for tcp_check in backend.tcp_check | default([]) %} tcp-check {{ tcp_check }} {% endfor %} -{% endif %} -{% if backend.timeout is defined %} -{% for timeout in backend.timeout %} +{% for timeout in backend.timeout | default([]) %} timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} -{% endif %} -{% if backend.http_request is defined %} -{% for http_request in backend.http_request %} +{% for http_request in backend.http_request | default([]) %} http-request {{ http_request.action }}{% if http_request.param is defined %} {{ http_request.param }}{% endif %}{% if http_request.cond is defined %} {{ http_request.cond }}{% endif %} {% endfor %} -{% endif %} -{% if backend.server is defined %} -{% for server in backend.server %} +{% for server in backend.server | default([]) %} server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.param is defined %}{% for param in server.param %}{{ param }} {% endfor %}{% endif %} {% endfor %} -{% endif %} {% endfor %} diff --git a/templates/etc/haproxy/frontend.cfg.j2 b/templates/etc/haproxy/frontend.cfg.j2 index e9ee66e9..89ac4778 100644 --- a/templates/etc/haproxy/frontend.cfg.j2 
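Review bot: `{% for option in backend.option | default([])%}` drops the space before `%}` that every other converted loop in this hunk keeps (`| default([]) %}`); Jinja accepts both, but the odd one out will be copied into the next template edit, so change it to `{% for option in backend.option | default([]) %}`. The new `bind-process {{ backend.bind_process | join(' ') }}` also assumes a list without saying so; a scalar `bind_process: 1` (plausible from the README wording "set of processes numbers") fails inside `join` with an error that never names the variable. A comment above the block, `{# bind_process must be a list, e.g. [1] or [all] #}`, would make the contract visible; the same `join` appears in frontend.cfg.j2, listen.cfg.j2 and global.cfg.j2 later in this patch.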
+++ b/templates/etc/haproxy/frontend.cfg.j2 @@ -4,7 +4,14 @@ frontend {{ frontend.name }} description {{ frontend.description }} {% endif %} - bind {{ frontend.bind }}{% if frontend.ssl is defined %} ssl{% for ssl in frontend.ssl %} crt {{ ssl.crt }}{% endfor %}{% endif %} +{% for bind in frontend.bind %} + bind {{ bind.listen }}{% for param in bind.param | default([]) %} {{ param }}{% endfor %} + +{% endfor %} + +{% if frontend.bind_process is defined %} + bind-process {{ frontend.bind_process | join(' ') }} +{% endif %} mode {{ frontend.mode }} @@ -12,31 +19,23 @@ frontend {{ frontend.name }} maxconn {{ frontend.maxconn }} {% endif %} -{% if frontend.option is defined %} -{% for option in frontend.option %} +{% for option in frontend.option | default([]) %} option {{ option }} {% endfor %} -{% endif %} -{% if frontend.no_option is defined %} -{% for option in frontend.no_option %} +{% for option in frontend.no_option | default([]) %} no option {{ option }} {% endfor %} -{% endif %} -{% if frontend.timeout is defined %} -{% for timeout in frontend.timeout %} +{% for timeout in frontend.timeout | default([]) %} timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} -{% endif %} default_backend {{ frontend.default_backend }} -{% if frontend.rspadd is defined %} -{% for rspadd in frontend.rspadd %} +{% for rspadd in frontend.rspadd | default([]) %} rspadd {{ rspadd.string }}{% if rspadd.cond is defined %} {{ rspadd.cond }}{% endif %} {% endfor %} -{% endif %} {% endfor %} diff --git a/templates/etc/haproxy/global.cfg.j2 b/templates/etc/haproxy/global.cfg.j2 index 26a53a0d..20e76ea3 100644 --- a/templates/etc/haproxy/global.cfg.j2 +++ b/templates/etc/haproxy/global.cfg.j2 
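Review bot: `{% for bind in frontend.bind %}` changes `bind` from a plain string to a list of `{listen, param}` entries, and listen.cfg.j2 further down makes the same change; a playbook that still sets `bind: '0.0.0.0:80'` will iterate the string character by character and stop on `bind.listen` with an undefined-attribute error that says nothing about the schema change. Since the commit title is "Add support for nbproc", the message should call out this breaking change explicitly, and an `assert` task in the role (`that: item.bind is not string`, looped over `haproxy_frontend` and `haproxy_listen`) would turn the obscure template failure into an actionable one. The removed line also dropped the structured `ssl`/`crt` form in favour of free-form `param` strings written verbatim into the bind line, which is worth one sentence in the README so users know there is no longer any per-field handling. The enclosing `{% for frontend in ... %}` loop starts outside this hunk.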
@@ -16,6 +16,9 @@
 {% if haproxy_global_stats.socket is defined %}
 stats socket {{ haproxy_global_stats.socket }}
 {% endif -%}
+{% if haproxy_global_stats.bind_process is defined %}
+ stats bind-process {{ haproxy_global_stats.bind_process | join(' ') }}
+{% endif -%}
 {% if haproxy_global_stats.timeout is defined %}
 stats timeout {{ haproxy_global_stats.timeout }}
 {% endif -%}
@@ -56,3 +59,7 @@
 {% if haproxy_global_ssl_default_bind_options != false %}
 ssl-default-bind-options {{ haproxy_global_ssl_default_bind_options }}
 {% endif %}
+
+{% if haproxy_global_nbproc > 1 %}
+ nbproc {{ haproxy_global_nbproc }}
+{% endif %}
diff --git a/templates/etc/haproxy/listen.cfg.j2 b/templates/etc/haproxy/listen.cfg.j2
index 600dcf8a..f306c796 100644
--- a/templates/etc/haproxy/listen.cfg.j2
+++ b/templates/etc/haproxy/listen.cfg.j2
@@ -4,7 +4,14 @@ listen {{ listen.name }}
 description {{ listen.description }}
 {% endif %}
- bind {{ listen.bind }}{% if listen.ssl is defined %} ssl{% for ssl in listen.ssl %} crt {{ ssl.crt }}{% endfor %}{% endif %}
+{% for bind in listen.bind %}
+ bind {{ bind.listen }}{% for param in bind.param | default([]) %} {{ param }}{% endfor %}
+
+{% endfor %}
+
+{% if listen.bind_process is defined %}
+ bind-process {{ listen.bind_process | join(' ') }}
+{% endif %}
 mode {{ listen.mode }}
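Review bot: `{% if haproxy_global_nbproc > 1 %}` in the second global.cfg.j2 hunk compares the caller's value directly against an integer; a value that arrives as a string (extra-vars, or a quoted value in YAML) is either compared by type or raises depending on the Python version under Ansible, so coerce first: `{% if haproxy_global_nbproc | int > 1 %}`. The README entry added in this series says `nbproc` requires daemon mode, yet the template never looks at `haproxy_global_daemon`, so a render with `haproxy_global_daemon: false` hands the conflict to HAProxy at start-up. Either extend the guard to `{% if haproxy_global_nbproc | int > 1 and haproxy_global_daemon | bool %}` or put a comment above the block stating that the daemon dependency is deliberately left for HAProxy to enforce.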
@@ -16,29 +23,21 @@ listen {{ listen.name }} maxconn {{ listen.maxconn }} {% endif %} -{% if listen.option is defined %} -{% for option in listen.option %} +{% for option in listen.option | default([]) %} option {{ option }} {% endfor %} -{% endif %} -{% if listen.no_option is defined %} -{% for option in listen.no_option %} +{% for option in listen.no_option | default([]) %} no option {{ option }} {% endfor %} -{% endif %} -{% if listen.tcp_check is defined %} -{% for tcp_check in listen.tcp_check %} +{% for tcp_check in listen.tcp_check | default([]) %} tcp-check {{ tcp_check }} {% endfor %} -{% endif %} -{% if listen.timeout is defined %} -{% for timeout in listen.timeout %} +{% for timeout in listen.timeout | default([]) %} timeout {{ timeout.type }} {{ timeout.timeout }} {% endfor %} -{% endif %} {% if listen.stats is defined %} {% if listen.stats.enable is defined and listen.stats.enable | bool == true %} 
@@ -50,20 +49,21 @@ listen {{ listen.name }} {% if listen.stats.refresh is defined %} stats refresh {{ listen.stats.refresh }} {% endif %} -{% if listen.stats.auth is defined %} -{% for auth in listen.stats.auth %} +{% for auth in listen.stats.auth | default([]) %} stats auth {{ auth.user }}:{{ auth.passwd }} {% endfor %} {% endif %} {% endif %} -{% endif %} -{% if listen.server is defined %} -{% for server in listen.server %} - server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.param is defined %}{% for param in server.param %}{{ param }} {% endfor %}{% endif %} +{% for server in listen.server | default([]) %} + server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% for param in server.param | default([]) %}{{ param }} {% endfor %} + +{% endfor %} + +{% for rspadd in listen.rspadd | default([]) %} + rspadd {{ rspadd.string }}{% if rspadd.cond is defined %} {{ rspadd.cond }}{% endif %} {% endfor %} -{% endif %} {% endfor %} From 3be46110d9493c9633848b12c5cbc52d9c816870 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 26 Nov 2015 09:37:53 +0100 Subject: [PATCH 2/6] Fix for failing build --- README.md | 24 +++++++++++++++--------- tests/test.yml | 3 ++- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index edc3b4d2..654b4d0a 100644 --- a/README.md +++ b/README.md @@ -149,7 +149,11 @@ None haproxy_listen: - name: stats description: Global statistics - bind: '0.0.0.0:1936' + bind: + - listen: '0.0.0.0:1936' + param: + - ssl + - 'crt star-example0-com.pem' mode: http stats: enable: true 
@@ -159,21 +163,22 @@ None auth: - user: admin passwd: 'NqXgKWQ9f9Et' - ssl: - - crt: star-example0-com.pem haproxy_frontend: - name: http description: Front-end for all HTTP traffic - bind: '0.0.0.0:80' + bind: + - listen: '0.0.0.0:80' mode: http default_backend: webservers - name: https description: Front-end for all HTTPS traffic - bind: '0.0.0.0:443' - ssl: - - crt: star-example1-com.pem - - crt: star-example2-com.pem + bind: + - listen: '0.0.0.0:443' + param: + - ssl + - 'crt star-example1-com.pem' + - 'crt star-example2-com.pem' mode: http default_backend: webservers rspadd: @@ -224,7 +229,8 @@ None vars: haproxy_frontend: - name: memcached - bind: '127.0.0.1:11211' + bind: + - listen: '127.0.0.1:11211' mode: tcp option: - dontlog-normal diff --git a/tests/test.yml b/tests/test.yml index 6a432724..2236e166 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -8,7 +8,8 @@ # front-end section haproxy_frontend: - name: http - bind: '0.0.0.0:80' + bind: + - listen: '0.0.0.0:80' mode: http default_backend: webservers From 08cbf9a63c3e64c36de4fb19f012f1722d9168ec Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 26 Nov 2015 13:46:01 +0100 Subject: [PATCH 3/6] Improved server configuration --- README.md | 38 ++++++++++------------------ templates/etc/haproxy/backend.cfg.j2 | 2 +- templates/etc/haproxy/listen.cfg.j2 | 2 +- 3 files changed, 16 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 654b4d0a..d3d818b3 100644 --- a/README.md +++ b/README.md 
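Review bot: The tests/test.yml change only migrates the existing `bind` entry to the new list form; nothing in the test play exercises `haproxy_global_nbproc`, `bind_process` or `haproxy_global_stats.bind_process`, which are the features patch 1 adds and whose process sets HAProxy validates at start-up. Adding a second play (or extra vars here) with `haproxy_global_nbproc: 2` plus a `bind_process` on the frontend and the backend would let CI — assuming the build checks the rendered configuration — catch a bad render before it reaches a host. As it stands a regression in any of the new template branches would pass this build.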
@@ -76,9 +76,7 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_listen.{n}.stats.auth.{n}.passwd`: [required]: The cleartext password associated to this user * `haproxy_listen.{n}.server`: [optional]: Server declarations * `haproxy_listen.{n}.server.{n}.name`: [required]: The internal name assigned to this server -* `haproxy_listen.{n}.server.{n}.ip`: [required]: The IPv4 or IPv6 address of the server -* `haproxy_listen.{n}.server.{n}.port`: [optional]: A port specification -* `haproxy_listen.{n}.server.{n}.maxconn`: [optional]: The `"maxconn"` parameter specifies the maximal number of concurrent connections that will be sent to this server +* `haproxy_listen.{n}.server.{n}.listen`: [required]: Defines a listening address and/or ports * `haproxy_listen.{n}.server.{n}.param`: [optional]: A list of parameters for this server * `haproxy_listen.{n}.rspadd`: [optional]: Adds headers at the end of the HTTP response * `haproxy_listen.{n}.rspadd.{n}.string`: [required]: The complete line to be added. Any space or known delimiter must be escaped using a backslash (`'\'`) 
@@ -121,9 +119,7 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_backend.{n}.http_request.{n}.cond`: [optional]: A matching condition built from ACLs (e.g. `if { ssl_fc }`) * `haproxy_backend.{n}.server`: [optional]: Server declarations * `haproxy_backend.{n}.server.{n}.name`: [required]: The internal name assigned to this server -* `haproxy_backend.{n}.server.{n}.ip`: [required]: The IPv4 or IPv6 address of the server -* `haproxy_backend.{n}.server.{n}.port`: [optional]: A port specification -* `haproxy_backend.{n}.server.{n}.maxconn`: [optional]: The `"maxconn"` parameter specifies the maximal number of concurrent connections that will be sent to this server +* `haproxy_backend.{n}.server.{n}.listen`: [required]: Defines a listening address and/or ports * `haproxy_backend.{n}.server.{n}.param`: [optional]: A list of parameters for this server ## Dependencies @@ -200,22 +196,19 @@ None cond: 'if { ssl_fc }' server: - name: web01 - ip: 127.0.0.1 - port: 8001 - maxconn: 501 + listen: '127.0.0.1:8001' param: + - 'maxconn 501' - check - name: web02 - ip: 127.0.0.1 - port: 8002 - maxconn: 502 + listen: '127.0.0.1:8002' param: + - 'maxconn 502' - check - name: web03 - ip: 127.0.0.1 - port: 8003 - maxconn: 503 + listen: '127.0.0.1:8003' param: + - 'maxconn 503' - check ``` @@ -244,13 +237,11 @@ None balance: roundrobin server: - name: memcached-01 - ip: 127.0.1.1 - port: 11211 + listen: '127.0.1.1:11211' param: - check - name: memcached-02 - ip: 127.0.2.1 - port: 11211 + listen: '127.0.2.1:11211' param: - check - backup @@ -258,7 +249,6 @@ None #### Redis (listen) - ```yaml --- - hosts: all @@ -268,7 +258,8 @@ None haproxy_listen: - name: redis description: Redis servers - bind: '127.0.0.1:6379' + bind: + - listen: '127.0.0.1:6379' mode: tcp option: - dontlog-normal 
@@ -282,12 +273,11 @@ None balance: roundrobin server: - name: redis-01 - ip: 127.0.1.1 - port: 6379 + listen: '127.0.1.1:6379' param: - check - name: redis-02 - ip: 127.0.2.1 + listen: '127.0.2.1:6379' port: 6379 param: - check diff --git a/templates/etc/haproxy/backend.cfg.j2 b/templates/etc/haproxy/backend.cfg.j2 index 7e61ba39..bca94355 100644 --- a/templates/etc/haproxy/backend.cfg.j2 +++ b/templates/etc/haproxy/backend.cfg.j2 @@ -34,7 +34,7 @@ backend {{ backend.name }} {% endfor %} {% for server in backend.server | default([]) %} - server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% if server.param is defined %}{% for param in server.param %}{{ param }} {% endfor %}{% endif %} + server {{ server.name }} {{ server.listen }}{% for param in server.param | default([]) %} {{ param }}{% endfor %} {% endfor %} diff --git a/templates/etc/haproxy/listen.cfg.j2 b/templates/etc/haproxy/listen.cfg.j2 index f306c796..624779fb 100644 --- a/templates/etc/haproxy/listen.cfg.j2 +++ b/templates/etc/haproxy/listen.cfg.j2 @@ -57,7 +57,7 @@ listen {{ listen.name }} {% endif %} {% for server in listen.server | default([]) %} - server {{ server.name }} {{ server.ip }}{% if server.port is defined %}:{{server.port }}{% endif %} {% if server.maxconn is defined %}maxconn {{server.maxconn }} {% endif %}{% for param in server.param | default([]) %}{{ param }} {% endfor %} + server {{ server.name }} {{ server.listen }}{% for param in server.param | default([]) %} {{ param }}{% endfor %} {% endfor %} From c536d9a99786a045c24760d5b55698aef55d23e9 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Thu, 26 Nov 2015 13:47:36 +0100 Subject: [PATCH 4/6] Fixed example [ci skip] --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d3d818b3..eaadf721 100644 --- a/README.md +++ b/README.md 
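Review bot: `server {{ server.name }} {{ server.listen }}` replaces the `ip`/`port`/`maxconn` fields with a single `listen` key, here in backend.cfg.j2 and again in the listen.cfg.j2 hunk below; the README text introduced for it, "Defines a listening address and/or ports", is copied from the `bind` entry and is wrong for a server, whose second argument is the address the proxy connects to. The rename is also a silent breaking change: an inventory that still sets `ip:`/`port:` now fails on the undefined `server.listen` with an error that does not mention the rename, so the commit message should flag it and the README entry should read something like `The address and optional port of the server to forward to (e.g. '127.0.0.1:8001')`. Parameters such as `maxconn 501` are now free-form strings in `param`, which the README should state is written verbatim into the `server` line. The enclosing `{% for server in ... %}` loop is visible in the hunk but the section header is not.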
@@ -278,7 +278,6 @@ None - check - name: redis-02 listen: '127.0.2.1:6379' - port: 6379 param: - check - backup From 8d86c94ee0a72dfbe360ed5baf2773dafb00ce29 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 27 Nov 2015 15:35:29 +0100 Subject: [PATCH 5/6] Improved stats.socket configuration --- README.md | 140 +++++++++++++++++++++++++++- defaults/main.yml | 3 +- templates/etc/haproxy/global.cfg.j2 | 10 +- 3 files changed, 142 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index eaadf721..c3165f8a 100644 --- a/README.md +++ b/README.md 
@@ -20,9 +20,10 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system * `haproxy_global_log.{n}.format`: [optional]: Specifies the log format string to use for traffic logs (e.g. `%{+Q}o\ %t\ %s\ %{-Q}r`) * `haproxy_global_chroot`: [default: `/var/lib/haproxy`]: Changes current directory to `` and performs a `chroot()` there before dropping privileges * `haproxy_global_stats`: [default: See `defaults/main.yml`]: Stats declarations -* `haproxy_global_stats.socket`: [default: `"{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}"`]: Binds a UNIX socket to `` or a TCPv4/v6 address to ``. Connections to this socket will return various statistics outputs and even allow some commands to be issued to change some runtime settings -* `haproxy_global_stats.bind_process`: [optional]: Limits the stats socket to a certain set of processes numbers (e.g. `[all]`, `[1]`, `[2 ,3, 4]`) -* `haproxy_global_stats.timeout`: [default: `30s`]: The default timeout on the stats socket +* `haproxy_global_stats.sockets`: [default: `[{listen: "{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}"}]`]: Sockets declarations +* `haproxy_global_stats.sockets.{n}.listen`: [required]: Defines a listening address and/or ports (e.g. `/run/haproxy/admin.sock`) +* `haproxy_global_stats.sockets.{n}.param`: [optional]: A list of parameters common to this bind declarations (e.g. `['mode 660', 'level admin', 'process 1']`) +* `haproxy_global_stats.timeout`: [optional]: The default timeout on the stats socket * `haproxy_global_user`: [default: `haproxy`]: Similar to `"uid"` but uses the UID of user name `` from `/etc/passwd` * `haproxy_global_group`: [default: `haproxy`]: Similar to `"gid"` but uses the GID of group name `` from `/etc/group`. 
* `haproxy_global_daemon`: [default: `true`]: Makes the process fork into background. This is the recommended mode of operation @@ -126,7 +127,12 @@ Set up the latest version of [HAProxy](http://www.haproxy.org/) in Ubuntu system None -#### SSL Termination (Multiple certificates (SNI), global monitoring, multiple web servers) +#### SSL Termination 1 + +* **Single core** +* Multiple certificates (SNI) +* Global monitoring +* Multiple web servers ```yaml --- 
@@ -212,6 +218,132 @@ None - check ``` +#### SSL Termination 2 + +* **Multi core** + * [How Stack Exchange gets the most out of HAProxy](http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/) + * [HAproxy: mapping process to CPU core for maximum performance](http://blog.onefellow.com/post/82478335338/haproxy-mapping-process-to-cpu-core-for-maximum) +* Multiple certificates (SNI) +* Global monitoring +* Multiple web servers + +```yaml +- hosts: all + roles: + - haproxy + vars: + haproxy_global_stats_sockets_default_param: + - 'mode 660' + - 'level admin' + haproxy_global_stats: + sockets: + - listen: /run/haproxy/admin-1.sock + param: "{{ haproxy_global_stats_sockets_default_param + ['process 1'] }}" + - listen: /run/haproxy/admin-2.sock + param: "{{ haproxy_global_stats_sockets_default_param + ['process 2'] }}" + - listen: /run/haproxy/admin-3.sock + param: "{{ haproxy_global_stats_sockets_default_param + ['process 3'] }}" + - listen: /run/haproxy/admin-4.sock + param: "{{ haproxy_global_stats_sockets_default_param + ['process 4'] }}" + timeout: 30s + + haproxy_global_nbproc: 4 + + haproxy_ssl_map: + - src: ../../../files/haproxy/etc/haproxy/ssl/star-example0-com.pem + dest: /etc/ssl/private/star-example0-com.pem + - src: ../../../files/haproxy/etc/haproxy/ssl/star-example1-com.pem + dest: /etc/ssl/private/star-example1-com.pem + - src: ../../../files/haproxy/etc/haproxy/ssl/star-example2-com.pem + dest: /etc/ssl/private/star-example2-com.pem + + haproxy_listen: + - name: stats + description: Global statistics + bind: + - listen: "{{ ansible_eth0['ipv4']['address'] }}:1936" + param: + - ssl + - 'crt star-example0-com.pem' + bind_process: + - 1 + mode: http + stats: + enable: true + uri: / + hide_version: true + refresh: 5s + auth: + - user: admin + passwd: 'NqXgKWQ9f9Et' + - name: ssl-proxy + description: Proxy for all HTTPS traffic + bind: + - listen: "{{ ansible_eth0['ipv4']['address'] }}:443" + param: + - ssl + - 'crt 
star-example1-com.pem' + - 'crt star-example2-com.pem' + bind_process: + - 2 + - 3 + - 4 + mode: http + server: + - name: "{{ inventory_hostname }}" + listen: "{{ ansible_lo['ipv4']['address'] }}:80" + param: + - send-proxy + rspadd: + - string: 'Strict-Transport-Security:\ max-age=15768000' + + haproxy_frontend: + - name: http + description: Front-end for all HTTP traffic + bind: + - listen: "{{ ansible_eth0['ipv4']['address'] }}:80" + - listen: "{{ ansible_lo['ipv4']['address'] }}:80" + param: + - accept-proxy + bind_process: + - 1 + mode: http + default_backend: webservers + + haproxy_backend: + - name: webservers + description: Back-end with all (Apache) webservers + bind_process: + - 1 + mode: http + balance: roundrobin + option: + - forwardfor + - 'httpchk HEAD / HTTP/1.1\r\nHost:\ localhost' + http_request: + - action: 'set-header' + param: 'X-Forwarded-Port %[dst_port]' + - action: 'add-header' + param: 'X-Forwarded-Proto https' + cond: 'if { ssl_fc }' + server: + - name: web01 + listen: '127.0.0.1:8001' + param: + - 'maxconn 501' + - check + - name: web02 + listen: '127.0.0.1:8002' + param: + - 'maxconn 502' + - check + - name: web03 + listen: '127.0.0.1:8003' + param: + - 'maxconn 503' + - check +``` + #### Memcached (frontend / backend) ```yaml diff --git a/defaults/main.yml b/defaults/main.yml index 40ee85bc..20a7bfa0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,7 +11,8 @@ haproxy_global_log: level: notice haproxy_global_chroot: /var/lib/haproxy haproxy_global_stats: - socket: "{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}" + sockets: + - listen: "{{ '/run/haproxy/admin.sock' if ansible_distribution_version | version_compare('12.04', '>=') else '/var/run/haproxy/admin.sock' }}" timeout: 30s haproxy_global_user: haproxy haproxy_global_group: haproxy 
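Review bot: The default `sockets` entry in defaults/main.yml carries no `param`, so the rendered `stats socket /run/haproxy/admin.sock` has neither a `mode` nor a `level` and the socket's file permissions and command level are whatever HAProxy applies by default for this install. The README example in the same patch shows `mode 660`, `level admin` and `process N` for the multi-process case, which makes the unparameterised default look like an oversight rather than a choice. Either ship a conservative default such as `param: ['mode 660']` alongside the `listen` entry, or add a comment in defaults/main.yml, `# mode/level are intentionally left to HAProxy's defaults; see README for an admin-level example`, so the operator knows the socket is not locked down by the role.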
diff --git a/templates/etc/haproxy/global.cfg.j2 b/templates/etc/haproxy/global.cfg.j2 index 20e76ea3..78a84aec 100644 --- a/templates/etc/haproxy/global.cfg.j2 +++ b/templates/etc/haproxy/global.cfg.j2 @@ -13,12 +13,10 @@ {% endif %} {% if haproxy_global_stats != false %} -{% if haproxy_global_stats.socket is defined %} - stats socket {{ haproxy_global_stats.socket }} -{% endif -%} -{% if haproxy_global_stats.bind_process is defined %} - stats bind-process {{ haproxy_global_stats.bind_process | join(' ') }} -{% endif -%} +{% for socket in haproxy_global_stats.sockets | default([]) %} + stats socket {{ socket.listen }}{% for param in socket.param | default([]) %} {{ param }}{% endfor %} + +{% endfor %} {% if haproxy_global_stats.timeout is defined %} stats timeout {{ haproxy_global_stats.timeout }} {% endif -%} From d9ebca9187f7210f114683a1042f9de47469dbef Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 27 Nov 2015 16:06:13 +0100 Subject: [PATCH 6/6] Improved documentation [ci skip] --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index c3165f8a..d6326b55 100644 --- a/README.md +++ b/README.md @@ -170,13 +170,13 @@ None - name: http description: Front-end for all HTTP traffic bind: - - listen: '0.0.0.0:80' + - listen: "{{ ansible_eth0['ipv4']['address'] }}:80" mode: http default_backend: webservers - name: https description: Front-end for all HTTPS traffic bind: - - listen: '0.0.0.0:443' + - listen: "{{ ansible_eth0['ipv4']['address'] }}:443" param: - ssl - 'crt star-example1-com.pem' 
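Review bot: `{% for socket in haproxy_global_stats.sockets | default([]) %}` makes the rename from `socket` to `sockets` fail silently: a host that still overrides `haproxy_global_stats` with the old `socket:` key, the structure this same file accepted before this patch, now renders a global section with no `stats socket` line at all and nothing reports it. Since `haproxy_global_stats != false` already gates the block, drop the `default([])` so Ansible reports the missing key, or add an `assert` task checking `haproxy_global_stats.sockets is defined` whenever stats are enabled. The removed `stats bind-process` directive is superseded by per-socket `process N` params as the README example shows; a one-line comment above the loop, `{# per-socket process/mode/level belong in socket.param #}`, would record that this was intentional.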
@@ -201,18 +201,18 @@ None param: 'X-Forwarded-Proto https' cond: 'if { ssl_fc }' server: - - name: web01 - listen: '127.0.0.1:8001' + - name: web-01 + listen: "{{ ansible_lo['ipv4']['address'] }}:8001" param: - 'maxconn 501' - check - - name: web02 - listen: '127.0.0.1:8002' + - name: web-02 + listen: "{{ ansible_lo['ipv4']['address'] }}:8002" param: - 'maxconn 502' - check - - name: web03 - listen: '127.0.0.1:8003' + - name: web-03 + listen: "{{ ansible_lo['ipv4']['address'] }}:8003" param: - 'maxconn 503' - check @@ -327,18 +327,18 @@ None param: 'X-Forwarded-Proto https' cond: 'if { ssl_fc }' server: - - name: web01 - listen: '127.0.0.1:8001' + - name: web-01 + listen: "{{ ansible_lo['ipv4']['address'] }}:8001" param: - 'maxconn 501' - check - - name: web02 - listen: '127.0.0.1:8002' + - name: web-02 + listen: "{{ ansible_lo['ipv4']['address'] }}:8002" param: - 'maxconn 502' - check - - name: web03 - listen: '127.0.0.1:8003' + - name: web-03 + listen: "{{ ansible_lo['ipv4']['address'] }}:8003" param: - 'maxconn 503' - check