forked from saltstack-formulas/haproxy-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
221 lines (208 loc) · 5.92 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
#
# Example pillar configuration
#
haproxy:
# use lookup section to override 'map.jinja' values
#lookup:
#user: 'custom-user'
#group: 'custom-group'
# new setting to override configuration file path
#config_file: /etc/haproxy/haproxy.cfg
enabled: True
overwrite: True # Overwrite an existing config file if present (default behaviour unless set to false)
# old setting to override configuration file path, kept for compatibility
#config_file_path: /etc/haproxy/haproxy.cfg
global:
log:
- 127.0.0.1 local2
- 127.0.0.1 local1 notice
# Option log-tag parameter, sets the tag field in the syslog header
log-tag: haproxy
# Optional log-send-hostname parameter, sets the hostname field in the syslog header
log-send-hostname: localhost
stats:
enable: True
socketpath: /var/lib/haproxy/stats
mode: 660
level: admin
# Optional extra bind parameter, for example to set the owner/group on the socket file
extra: user haproxy group haproxy
ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"
user: haproxy
group: haproxy
chroot:
enable: True
path: /var/lib/haproxy
daemon: True
userlists:
userlist1:
users:
john: insecure-password doe
sam: insecure-password frodo
# groups:
# admins: users john sam
# guests: users jekyll hyde jane
defaults:
log: global
mode: http
retries: 3
options:
- httplog
- dontlognull
- forwardfor
- http-server-close
logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r"
timeouts:
- http-request 10s
- queue 1m
- connect 10s
- client 1m
- server 1m
- http-keep-alive 10s
- check 10s
stats:
- enable
- uri: '/admin?stats'
- realm: 'Haproxy\ Statistics'
- auth: 'admin1:AdMiN123'
errorfiles:
400: /etc/haproxy/errors/400.http
403: /etc/haproxy/errors/403.http
408: /etc/haproxy/errors/408.http
500: /etc/haproxy/errors/500.http
502: /etc/haproxy/errors/502.http
503: /etc/haproxy/errors/503.http
504: /etc/haproxy/errors/504.http
{# Suported by HAProxy 1.6 #}
resolvers:
local_dns:
options:
- nameserver resolvconf 127.0.0.1:53
- resolve_retries 3
- timeout retry 1s
- hold valid 10s
listens:
stats:
bind:
- "0.0.0.0:8998"
mode: http
stats:
enable: True
uri: "/admin?stats"
refresh: "20s"
myservice:
bind:
- "*:8888"
options:
- forwardfor
- http-server-close
defaultserver:
slowstart: 60s
maxconn: 256
maxqueue: 128
weight: 100
servers:
web1:
host: web1.example.com
port: 80
check: check
web2:
host: web2.example.com
port: 18888
check: check
web3:
host: web3.example.com
frontends:
frontend1:
name: www-http
bind: "*:80"
redirects:
- scheme https if !{ ssl_fc }
reqadds:
- "X-Forwarded-Proto:\\ http"
default_backend: www-backend
# www-https:
# bind: "*:443 ssl crt /etc/ssl/private/certificate-chain-and-key-combined.pem"
# logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version:%sslv\\ ssl_cipher:%sslc"
# reqadds:
# - "X-Forwarded-Proto:\\ https"
# default_backend: www-backend
# acls:
# - url_static path_beg -i /static /images /javascript /stylesheets
# - url_static path_end -i .jpg .gif .png .css .js
# use_backends:
# - static-backend if url_static
# extra: "rspadd Strict-Transport-Security:\ max-age=15768000"
# some-services:
# bind:
# - "*:8080"
# - "*:8088"
# default_backend: api-backend
backends:
backend1:
name: www-backend
balance: roundrobin
redirects:
- scheme https if !{ ssl_fc }
extra: "reqidel ^X-Forwarded-For:"
servers:
server1:
name: server1-its-name
host: 192.168.1.213
port: 80
check: check
static-backend:
balance: roundrobin
redirects:
- scheme https if !{ ssl_fc }
options:
- http-server-close
- httpclose
- forwardfor except 127.0.0.0/8
- httplog
cookie: "pm insert indirect"
stats:
enable: True
uri: /url/to/stats
realm: LoadBalancer
auth: "user:password"
servers:
some-server:
host: 123.156.189.111
port: 8080
check: check
another-server:
host: 123.156.189.112
api-backend:
options:
- http-server-close
- forwardfor
servers:
apiserver1:
host: apiserver1.example.com
port: 80
check: check
server2:
name: apiserver2
host: apiserver2.example.com
port: 80
check: check
extra: resolvers local_dns resolve-prefer ipv4
another_www:
mode: tcp
balance: source
sticktable: "type binary len 32 size 30k expire 30m"
acls:
- clienthello req_ssl_hello_type 1
- serverhello rep_ssl_hello_type 2
tcprequests:
- "inspect-delay 5s"
- "content accept if clienthello"
tcpresponses:
- "content accept if serverhello"
stickons:
- "payload_lv(43,1) if clienthello"
reqreps:
- '^([^\ :]*)\ /static/(.*) \1\ \2'
options: "ssl-hello-chk"