initial commit for ansible haproxy role

roles/haproxy/templates/domains.txt

@@ -0,0 +1,3 @@
+{% for domain in haproxy_backends %}
+{{ domain }}
+{% endfor %}

roles/haproxy/templates/haproxy.cfg

@@ -0,0 +1,109 @@
+global
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy_admin.sock mode 660 level admin expose-fd listeners
+    stats timeout 30s 
+    user haproxy
+    group haproxy
+    daemon
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20
+    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers AES128+ECDHE:AES256+ECDHE
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets 
+
+
+defaults
+    log     global
+    mode    http
+
+    option  httplog
+    option  dontlognull
+
+    option  tcp-smart-connect
+    option  tcp-smart-accept
+
+    # use kernel splice system call to lower latency
+    option  splice-auto
+
+    option  forwardfor
+    # option  forceclose
+    option  socket-stats
+
+    timeout http-request 20s 
+    timeout connect       5s
+    timeout client       50s
+    timeout server       50s
+
+    timeout check 800
+
+    errorfile 400 /etc/haproxy/errorfiles/400.http
+    errorfile 403 /etc/haproxy/errorfiles/403.http
+    errorfile 408 /etc/haproxy/errorfiles/408.http
+    errorfile 500 /etc/haproxy/errorfiles/500.http
+    errorfile 502 /etc/haproxy/errorfiles/502.http
+    errorfile 503 /etc/haproxy/errorfiles/503.http
+    errorfile 504 /etc/haproxy/errorfiles/504.http
+
+
+frontend http
+    bind *:80  name http
+    bind *:443 name https ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1 npn h2,http/1.1
+
+    compression algo gzip
+    compression type text/html text/plain text/javascript application/javascript application/xml text/css
+
+    # HSTS (31536000 seconds = 1 year)
+    http-response set-header Strict-Transport-Security       max-age=31536000
+    http-response set-header X-Content-Type-Options          nosniff
+
+    # set protocoll headers to  https - works only if all https redirects happens in HAProxy
+    http-request set-header  HTTP_X_FORWARDED_PROTO         https
+    http-request set-header  X-Forwarded-Proto              https
+
+
+    # force https for known domains
+    acl hostname_has_backend hdr(Host),lower,map(/etc/haproxy/hostname2backend.map) -m found
+    http-request redirect scheme https code 301                                if !{ ssl_fc } hostname_has_backend
+
+    # Let's encrypt
+    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+    use_backend bk_letsencrypt                                                 if letsencrypt-acl
+
+    # stats backend
+    acl stats-acl  path_beg /haproxy
+    use_backend bk_stats                                                       if stats-acl
+
+    # routing for known domains
+    use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)]   if hostname_has_backend
+
+
+backend bk_letsencrypt
+    server letsencrypt 127.0.0.1:8888
+
+
+{% for backend in haproxy_backends %}
+backend bk_{{ backend }}
+{% if haproxy_backends[backend]["httpchk"] is defined %}
+        option httpchk {{ haproxy_backends[backend]["httpchk"] }}
+{% endif %}
+
+{% for server_def in haproxy_backends[backend]["server_defs"] %}
+        server {{ server_def }}
+{% endfor %}
+
+
+{% endfor %}
+backend bk_stats
+    # statistics backend
+    stats uri /
+    stats enable
+    stats show-node
+    stats refresh 30s
+

roles/haproxy/templates/hostname2backend.map

@@ -0,0 +1,3 @@
+{% for domain in haproxy_backends %}
+    {{- domain }}            {{ domain }}
+{% endfor %}