From 8d38f75440f0a903a4e2630b076a8d090a59b47e Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Wed, 30 May 2018 10:24:46 +0200 Subject: [PATCH] Try to put haproxy on snapshot hosts --- modules/roles/manifests/snapshot_web.pp | 20 ++++-- .../roles/templates/snapshot/haproxy.cfg.erb | 64 +++++++++++++++++++ 2 files changed, 80 insertions(+), 4 deletions(-) create mode 100644 modules/roles/templates/snapshot/haproxy.cfg.erb diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp index 306798191..ee9ab949f 100644 --- a/modules/roles/manifests/snapshot_web.pp +++ b/modules/roles/manifests/snapshot_web.pp @@ -8,10 +8,6 @@ class roles::snapshot_web { ensure => 'installed', }) - ssl::service { 'snapshot.debian.org': - notify => Exec['service apache2 reload'], - key => true, - } apache2::site { '020-snapshot.debian.org': site => 'snapshot.debian.org', content => template('roles/snapshot/snapshot.debian.org.conf.erb') @@ -33,6 +29,8 @@ class roles::snapshot_web { } } + # varnish cache + ############### @ferm::rule { 'dsa-snapshot-varnish-v4': rule => '&SERVICE(tcp, 6081)', } @@ -51,6 +49,7 @@ class roles::snapshot_web { content => template('roles/snapshot/snapshot.debian.org.vcl.erb'), } + # the ipv6 port 80 is owned by varnish file { '/etc/apache2/ports.conf': content => @("EOF"), Listen 0.0.0.0:80 @@ -59,4 +58,17 @@ class roles::snapshot_web { require => Package['apache2'], notify => Service['apache2'], } + + # haproxy ssl termination + ######################### + include haproxy + file { '/etc/haproxy/haproxy.cfg': + content => template('roles/snapshot/haproxy.cfg.erb'), + require => Package['haproxy'], + notify => Service['haproxy'], + } + ssl::service { 'snapshot.debian.org': + notify => Service['haproxy'], + key => true, + } } diff --git a/modules/roles/templates/snapshot/haproxy.cfg.erb b/modules/roles/templates/snapshot/haproxy.cfg.erb new file mode 100644 index 000000000..5534a4ee0 --- /dev/null 
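Review bot: The new `file { '/etc/haproxy/haproxy.cfg' }` resource in the last hunk (-59,4 +58,17) has no configuration check before it notifies the service, so a bad template render takes TLS termination down on the next Puppet run; add `validate_cmd => '/usr/sbin/haproxy -c -f %',` next to `content`. The accompanying template binds the certificate as `/etc/ssl/private/snapshot.debian.org.key-certchain`, which I assume `ssl::service` with `key => true` produces — worth confirming, since haproxy refuses to start without that file, and `ssl::service` now notifies only `Service['haproxy']`, so apache no longer reloads on certificate rotation. With haproxy taking :443, whether apache still binds 443 is decided by `ports.conf` lines outside this hunk; check for a port conflict there. The enclosing class `roles::snapshot_web` begins before the first hunk.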
+++ b/modules/roles/templates/snapshot/haproxy.cfg.erb
@@ -0,0 +1,64 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats socket /run/haproxy/user.sock mode 660 level user group munin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ nbproc 2
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+
+ maxconn 8192
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+#frontend front
+# bind :::80 v4v6 tfo
+# redirect scheme https code 301 if !{ ssl_fc }
+
+frontend front_ssl
+ bind :::443 v4v6 tfo ssl crt /etc/ssl/private/snapshot.debian.org.key-certchain
+
+ default_backend backend
+
+ option http-keep-alive
+ #option redispatch
+
+backend backend
+ # a http backend
+ mode http
+ option http-keep-alive
+
+ timeout http-keep-alive 15s
+
+ server varnish 127.0.0.1:6081
+
+ #http-response set-header Strict-Transport-Security "max-age=15768000; preload"
+ #http-response del-header Server
--
2.20.1
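Review bot: `frontend front_ssl` hands requests to `server varnish 127.0.0.1:6081` without `option forwardfor` or an `X-Forwarded-Proto` header, so varnish and apache behind it see every client as 127.0.0.1 and cannot tell TLS requests from plain ones, which breaks access logging, any per-client limiting and scheme-aware redirects downstream; add `option forwardfor` and `http-request set-header X-Forwarded-Proto https` to the frontend, and have the upstream vhost trust those headers only from this hop. `ssl-default-bind-options no-sslv3` still leaves TLS 1.0 and 1.1 enabled and the cipher list keeps 3DES and non-ephemeral RSA suites; `no-sslv3 no-tlsv10 no-tlsv11` and dropping the `3DES` and `RSA+` entries would be the usual baseline if client compatibility allows. The HSTS and `del-header Server` lines ship commented out, so neither is applied — either enable them or remove the dead lines so the template reflects what runs. Since `frontend front` is also commented out, port 80 stays with varnish and there is no http-to-https redirect at this layer; if that is intended, a comment saying so would help the next reader.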