Created
March 17, 2017 14:22
-
-
Save antaflos/52af693bbb65595939accf2898baae22 to your computer and use it in GitHub Desktop.
Reverse proxy Puppet frontend with HAProxy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This file managed by Puppet | |
| global | |
| chroot /var/lib/haproxy | |
| daemon | |
| group haproxy | |
| log 127.0.0.1 local1 info | |
| log-send-hostname | |
| maxconn 4096 | |
| stats socket /var/lib/haproxy/admin.sock mode 660 level admin | |
| stats socket /var/lib/haproxy/user.sock mode 666 level user | |
| stats timeout 30s | |
| tune.ssl.default-dh-param 2048 | |
| user haproxy | |
| defaults | |
| default-server init-addr last,libc,none | |
| log global | |
| mode http | |
| option redispatch | |
| option abortonclose | |
| option dontlognull | |
| option httplog | |
| option http-server-close | |
| option forwardfor except 127.0.0.1 | |
| option logasap | |
| retries 3 | |
| timeout http-request 10s | |
| timeout queue 1m | |
| timeout connect 5s | |
| timeout client 1m | |
| timeout server 1m | |
| frontend ft_puppet | |
| bind 0.0.0.0:8140 ssl crt /etc/ssl/certs/puppet-frontend.example.com_bundle.crt.pem ca-file /etc/puppetlabs/puppet/ssl/certs/ca.pem crl-file /etc/puppetlabs/puppet/ssl/crl.pem verify optional no-sslv3 no-tls-tickets force-tlsv12 ciphers AES128+EECDH:AES128+EDH | |
| mode http | |
| acl is_ca_request path_beg /puppet-ca/v1/ | |
| capture request header X-Forwarded-For len 50 | |
| default_backend bk_puppet | |
| http-request set-header X-Client-Verify SUCCESS if { ssl_c_verify 0 } | |
| http-request set-header X-Client-Verify NONE if ! { ssl_c_used } | |
| http-request set-header X-Client-Verify FAILED:expired if { ssl_c_verify 10 } | |
| http-request set-header X-Client-Verify FAILED:revoked if { ssl_c_verify 23 } | |
| http-request set-header X-Client-DN %{+Q}[ssl_c_s_dn] | |
| http-request set-header X-Client-Cert -----BEGIN\ CERTIFICATE-----%%0A%[ssl_c_der,base64]%%0A-----END\ CERTIFICATE----- if { ssl_c_used } | |
| use_backend bk_puppet_ca if is_ca_request | |
| backend bk_puppet | |
| mode http | |
| balance source | |
| http-request deny unless { ssl_c_verify 0 } | |
| option httpchk GET /puppet/v3/status/no_such_key?environment=production HTTP/1.1\r\nHost:\ localhost\r\nAccept:\ */*\r\nUser-Agent:\ HAProxy | |
| server puppet01 puppet01.example.com:18140 check inter 30s rise 2 fall 2 | |
| server puppet02 puppet02.example.com:18140 check inter 30s rise 2 fall 2 | |
| backend bk_puppet_ca | |
| mode http | |
| option httpchk GET /puppet/v3/status/no_such_key?environment=production HTTP/1.1\r\nHost:\ localhost\r\nAccept:\ */*\r\nUser-Agent:\ HAProxy | |
| server puppetca puppetca.example.com:18140 check inter 30s rise 2 fall 2 | |
| listen stats | |
| bind 0.0.0.0:8000 | |
| stats enable | |
| stats hide-version | |
| stats realm Haproxy\ Statistics | |
| stats uri / | |
| stats auth stats:changeme | |
| stats admin if TRUE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment