X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ftemplates%2Fsnapshot%2Fhaproxy.cfg.erb;fp=modules%2Froles%2Ftemplates%2Fsnapshot%2Fhaproxy.cfg.erb;h=79879bdd03b9e5ec685ea5827cc54c6219b079b0;hb=76ca91bce24ecbcbcc4e62a37aa06fd0fb9f96c7;hp=0000000000000000000000000000000000000000;hpb=46cee04ab06b23ab6e9e4baba655cf470d10cfc4;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/templates/snapshot/haproxy.cfg.erb b/modules/roles/templates/snapshot/haproxy.cfg.erb
new file mode 100644
index 000000000..79879bdd0
--- /dev/null
+++ b/modules/roles/templates/snapshot/haproxy.cfg.erb
@@ -0,0 +1,64 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats socket /run/haproxy/user.sock mode 660 level user group munin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ nbproc 2
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+
+ maxconn 8192
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+#frontend front
+# bind :::80 v4v6 tfo
+# redirect scheme https code 301 if !{ ssl_fc }
+
+frontend front_ssl
+ bind :::443 v4v6 tfo ssl crt /etc/ssl/private/snapshot.debian.org.key-certchain
+
+ default_backend backend
+
+ option http-keep-alive
+ #option redispatch
+
+backend backend
+ # a http backend
+ mode http
+ option http-keep-alive
+
+ timeout http-keep-alive 15s
+
+ server varnish 127.0.0.1:6081
+
+ http-response set-header Strict-Transport-Security "max-age=15768000; preload"
+ #http-response del-header Server
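Review bot: `ssl-default-bind-options no-sslv3` in the global section disables only SSLv3, so the HTTPS frontend still negotiates TLS 1.0 and 1.1, and the cipher list on the line above keeps the 3DES suites (`ECDH+3DES:DH+3DES:RSA+3DES`) enabled. Unless old clients are a known requirement for this service, the option line should read `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` and the `3DES` entries should be dropped from the list (or `:!3DES` appended), with the comment pointing at the hynek article updated to say the list was trimmed locally. The HSTS header in the backend section carries the `preload` token with `max-age=15768000` and no `includeSubDomains`; browser preload lists require `includeSubDomains` and, presumably, a longer max-age, so either complete the directive or drop `preload` until submission is intended. The file is an ERB template with no ERB expressions, so a one-line comment at the top such as `# managed by puppet; all values are static for now` would make that deliberate.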