Try to put haproxy on snapshot hosts
authorPeter Palfrader <peter@palfrader.org>
Wed, 30 May 2018 08:24:46 +0000 (10:24 +0200)
committerPeter Palfrader <peter@palfrader.org>
Wed, 30 May 2018 08:24:46 +0000 (10:24 +0200)
modules/roles/manifests/snapshot_web.pp
modules/roles/templates/snapshot/haproxy.cfg.erb [new file with mode: 0644]

index 3067981..ee9ab94 100644 (file)
@@ -8,10 +8,6 @@ class roles::snapshot_web {
                ensure => 'installed',
        })
 
-       ssl::service { 'snapshot.debian.org':
-               notify  => Exec['service apache2 reload'],
-               key => true,
-       }
        apache2::site { '020-snapshot.debian.org':
                site   => 'snapshot.debian.org',
                content => template('roles/snapshot/snapshot.debian.org.conf.erb')
@@ -33,6 +29,8 @@ class roles::snapshot_web {
                }
        }
 
+       # varnish cache
+       ###############
        @ferm::rule { 'dsa-snapshot-varnish-v4':
                rule  => '&SERVICE(tcp, 6081)',
        }
@@ -51,6 +49,7 @@ class roles::snapshot_web {
                content => template('roles/snapshot/snapshot.debian.org.vcl.erb'),
        }
 
+       # the ipv6 port 80 is owned by varnish
        file { '/etc/apache2/ports.conf':
                content  => @("EOF"),
                        Listen 0.0.0.0:80
@@ -59,4 +58,17 @@ class roles::snapshot_web {
                require => Package['apache2'],
                notify  => Service['apache2'],
        }
+
+       # haproxy ssl termination
+       #########################
+       include haproxy
+       file { '/etc/haproxy/haproxy.cfg':
+               content => template('roles/snapshot/haproxy.cfg.erb'),
+               require => Package['haproxy'],
+               notify  => Service['haproxy'],
+       }
+       ssl::service { 'snapshot.debian.org':
+               notify  => Service['haproxy'],
+               key => true,
+       }
 }
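Review bot: The rendered haproxy.cfg binds `:::443` with `crt /etc/ssl/private/snapshot.debian.org.key-certchain`, yet nothing orders `ssl::service { 'snapshot.debian.org': }` ahead of `File['/etc/haproxy/haproxy.cfg']` or `Service['haproxy']`, and it is declared after both; on a fresh host the first agent run can therefore restart haproxy before the key-certchain exists and leave it down until the next run. Add `require => Ssl::Service['snapshot.debian.org'],` to the file resource (or `before => Service['haproxy']` on the ssl::service) so the dependency is explicit rather than incidental. Separately, this hunk adds no ferm rule for tcp/443; if the Apache TLS path relied on a rule declared elsewhere, confirm it still applies now that haproxy owns the listener. `roles::snapshot_web` starts outside the hunk.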
diff --git a/modules/roles/templates/snapshot/haproxy.cfg.erb b/modules/roles/templates/snapshot/haproxy.cfg.erb
new file mode 100644 (file)
index 0000000..5534a4e
--- /dev/null
@@ -0,0 +1,64 @@
+global
+       log /dev/log    local0
+       log /dev/log    local1 notice
+       chroot /var/lib/haproxy
+       stats socket /run/haproxy/admin.sock mode 660 level admin
+       stats socket /run/haproxy/user.sock mode 660 level user group munin
+       stats timeout 30s
+       user haproxy
+       group haproxy
+       daemon
+       nbproc  2
+
+       # Default SSL material locations
+       ca-base /etc/ssl/certs
+       crt-base /etc/ssl/private
+
+       # Default ciphers to use on SSL-enabled listening sockets.
+       # For more information, see ciphers(1SSL). This list is from:
+       #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+       ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+       ssl-default-bind-options no-sslv3
+
+       maxconn 8192
+
+defaults
+       log     global
+       mode    http
+       option  httplog
+       option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+       errorfile 400 /etc/haproxy/errors/400.http
+       errorfile 403 /etc/haproxy/errors/403.http
+       errorfile 408 /etc/haproxy/errors/408.http
+       errorfile 500 /etc/haproxy/errors/500.http
+       errorfile 502 /etc/haproxy/errors/502.http
+       errorfile 503 /etc/haproxy/errors/503.http
+       errorfile 504 /etc/haproxy/errors/504.http
+
+
+#frontend front
+#      bind :::80 v4v6 tfo
+#      redirect scheme https code 301 if !{ ssl_fc }
+
+frontend front_ssl
+       bind :::443 v4v6 tfo ssl crt /etc/ssl/private/snapshot.debian.org.key-certchain
+
+       default_backend backend
+
+       option http-keep-alive
+       #option redispatch
+
+backend backend
+       # a http backend
+       mode http
+       option http-keep-alive
+
+       timeout http-keep-alive 15s
+
+       server varnish 127.0.0.1:6081
+
+       #http-response set-header Strict-Transport-Security "max-age=15768000; preload"
+       #http-response del-header Server
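Review bot: The `ssl-default-bind-ciphers` list still offers 3DES (`ECDH+3DES:DH+3DES:RSA+3DES`, i.e. Sweet32-affected suites) and static-RSA suites with no forward secrecy, and `ssl-default-bind-options no-sslv3` alone leaves TLS 1.0 and 1.1 negotiable. Trimming the list to the DH/ECDH AES entries and adding `no-tlsv10 no-tlsv11` (or `ssl-min-ver TLSv1.2` if the installed HAProxy is 1.8 or newer) is the usual fix, weighed against whatever old apt clients snapshot.debian.org must still serve. `defaults` also sets no `timeout http-request`, so a client can hold a slot for the full 50 s `timeout client` without ever completing a request header. The frontend passes nothing to varnish about the original client address or scheme; `option forwardfor` plus an `X-Forwarded-Proto` header would fix that, with the caveat that this role appears to open tcp/6081 in ferm, so varnish/apache must trust those headers only when the peer is 127.0.0.1. The HSTS and `del-header Server` lines are left commented out; enabling at least HSTS once the haproxy path is confirmed working is worth a follow-up.
```conf
global
	# … unchanged: logging, chroot, stats sockets, user/group, nbproc, ca-base/crt-base …
	# drop 3DES (Sweet32) and the non-PFS static-RSA suites
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS
	# no-sslv3 alone still allows TLS 1.0/1.1; use ssl-min-ver TLSv1.2 on HAProxy >= 1.8
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
	# … unchanged: maxconn …

defaults
	# … unchanged: log, mode, option httplog/dontlognull …
	# bound how long a client may take to send a complete request header (slowloris)
	timeout http-request 10s
	# … unchanged: connect/client/server timeouts, errorfiles …

frontend front_ssl
	bind :::443 v4v6 tfo ssl crt /etc/ssl/private/snapshot.debian.org.key-certchain
	# tell varnish/apache who the client is and that TLS was terminated here;
	# they must trust these headers only from 127.0.0.1 since tcp/6081 is reachable via ferm
	option forwardfor
	http-request set-header X-Forwarded-Proto https
	default_backend backend
	# … unchanged: keep-alive …
```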