package template
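// HAProxyTemplate is the HAProxy configuration rendered by voyager. It is a
// Jinja-style template ({% %} tags, {{ }} substitutions); the filters it uses
// (integer, header_name, host_name) and the rendering engine live elsewhere.
//
// Context values read by the template: SSLCert, TimeoutDefaults, DNSResolvers,
// Stats, StatsPort, StatsUserName, StatsPassWord, DefaultBackend, Sticky,
// HttpsService, HttpService, TCPService and AcceptProxy.
//
// Security-relevant behaviour of the rendered config:
//
//   - The global cipher list and DH parameter are emitted only when SSLCert is
//     set. TCP services with a SecretName also bind with "ssl"; if SSLCert is
//     not set in that case the bind falls back to HAProxy's built-in cipher
//     defaults — confirm against the caller that populates the context.
//   - The https and TLS-terminating tcp binds disable SSLv3 and TLS 1.0 and
//     TLS session tickets; TLS 1.1 is still accepted. Certificates are loaded
//     from /etc/ssl/private/haproxy/.
//   - The https frontend adds an HSTS header (max-age=15768000, ~6 months) and
//     rewrites Set-Cookie responses to carry the Secure attribute.
//   - When StatsUserName is set, the stats listener embeds
//     StatsUserName:StatsPassWord in clear text in the rendered file, so the
//     generated config must be treated as credential-bearing. The stats socket
//     at /tmp/haproxy is declared without mode or level restrictions.
//   - reqrep, rsprep and rspadd are legacy rewrite directives; they were
//     removed in HAProxy 2.1, so this template targets older releases.
//
// Fix: the default-backend section previously tested svc.Backends.BackendRules
// inside the DefaultBackend endpoint loop, where svc is not bound (it is only
// bound inside the per-service loops). It now tests DefaultBackend.BackendRules,
// matching the sibling sections.
const HAProxyTemplate = `# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
global
daemon
stats socket /tmp/haproxy
server-state-file global
server-state-base /var/state/haproxy/
maxconn 4000
# log using a syslog socket
log /dev/log local0 info
log /dev/log local0 notice
{% if SSLCert %}
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
{% endif %}
defaults
log global
option http-server-close
# Disable logging of null connections (haproxy connections like checks).
# This avoids excessive logs from haproxy internals.
option dontlognull
# Timeout values
{% for key, value in TimeoutDefaults %}
timeout {{ key }} {{ value }}
{% endfor %}
# default traffic mode is http
# mode is overwritten in case of tcp services
mode http
{% for name, resolver in DNSResolvers %}
resolvers {{ name }}
{% for ns in resolver.nameserver %}
nameserver dns{{ forloop.Counter }} {{ ns }}
{% endfor %}
{% if resolver.retries|integer %}
resolve_retries {{ resolver.retries|integer }}
{% endif %}
{% for event, time in resolver.timeout %}
timeout {{ event }} {{ time }}
{% endfor %}
{% for status, period in resolver.hold %}
hold {{ status }} {{ period }}
{% endfor %}
{% endfor %}
{% if Stats %}
listen stats
bind *:{{ StatsPort|integer }}
mode http
stats enable
stats realm Haproxy\ Statistics
stats uri /
{% if StatsUserName %}stats auth {{ StatsUserName }}:{{ StatsPassWord }}{% endif %}
{% endif %}
{% if DefaultBackend %}
# default backend
backend default-backend
{% if Sticky %}cookie SERVERID insert indirect nocache{% endif %}
{% for rule in DefaultBackend.BackendRules %}
{{ rule }}
{% endfor %}
{% for rule in DefaultBackend.RewriteRules %}
reqrep {{ rule }}
{% endfor %}
{% for rule in DefaultBackend.HeaderRules %}
acl ___header_x_{{ forloop.Counter }}_exists req.hdr({{ rule|header_name }}) -m found
http-request add-header {{ rule }} unless ___header_x_{{ forloop.Counter }}_exists
{% endfor %}
{% for e in DefaultBackend.Endpoints %}
{% if e.ExternalName %}
{% if e.UseDNSResolver %}
server {{ e.Name }} {{ e.ExternalName }}:{{ e.Port }} {% if e.DNSResolver %} {% if e.CheckHealth %} check {% endif %} resolvers {{ e.DNSResolver }} resolve-prefer ipv4 {% endif %}
{% elif not DefaultBackend.BackendRules %}
acl https ssl_fc
http-request redirect location https://{{e.ExternalName}}:{{ e.Port }} code 301 if https
http-request redirect location http://{{e.ExternalName}}:{{ e.Port }} code 301 unless https
{% endif %}
{% else %}
server {{ e.Name }} {{ e.IP }}:{{ e.Port }} {% if e.Weight %}weight {{ e.Weight|integer }} {% endif %} {% if Sticky %}cookie {{ e.Name }} {% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% if HttpsService %}
# https service
frontend https-frontend
bind *:443 {% if AcceptProxy %}accept-proxy{% endif %} ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/ alpn http/1.1
# Mark all cookies as secure
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure
# Add the HSTS header with a 6 month max-age
rspadd Strict-Transport-Security:\ max-age=15768000
mode http
option httplog
option forwardfor
{% for svc in HttpsService %}
{% set both = 0 %}
{% if svc.AclMatch %}acl url_acl_{{ svc.Name }} path_beg {{ svc.AclMatch }} {% set both = both + 1 %}{% endif %}
{% if svc.Host %}acl host_acl_{{ svc.Name }} {{ svc.Host|host_name }} {% set both = both + 1 %}{% endif %}
use_backend https-{{ svc.Name }} {% if both != 0 %}if {% endif %}{% if svc.AclMatch %}url_acl_{{ svc.Name }}{% endif %} {% if svc.Host %}host_acl_{{ svc.Name }}{% endif %}
{% endfor %}
{% if DefaultBackend %}default_backend default-backend{% endif %}
{% endif %}
{% for svc in HttpsService %}
backend https-{{ svc.Name }}
{% if Sticky %}cookie SERVERID insert indirect nocache{% endif %}
{% for rule in svc.Backends.BackendRules %}
{{ rule }}
{% endfor %}
{% for rule in svc.Backends.RewriteRules %}
reqrep {{ rule }}
{% endfor %}
{% for rule in svc.Backends.HeaderRules %}
acl ___header_x_{{ forloop.Counter }}_exists req.hdr({{ rule|header_name }}) -m found
http-request add-header {{ rule }} unless ___header_x_{{ forloop.Counter }}_exists
{% endfor %}
{% for e in svc.Backends.Endpoints %}
{% if e.ExternalName %}
{% if e.UseDNSResolver %}
server {{ e.Name }} {{ e.ExternalName }}:{{ e.Port }} {% if e.DNSResolver %} {% if e.CheckHealth %} check {% endif %} resolvers {{ e.DNSResolver }} resolve-prefer ipv4 {% endif %}
{% elif not svc.Backends.BackendRules %}
http-request redirect location https://{{e.ExternalName}}:{{ e.Port }} code 301
{% endif %}
{% else %}
server {{ e.Name }} {{ e.IP }}:{{ e.Port }} {% if e.Weight %}weight {{ e.Weight|integer }} {% endif %} {% if Sticky %} cookie {{ e.Name }} {% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% if HttpService %}
# http services.
frontend http-frontend
bind *:80 {% if AcceptProxy %}accept-proxy{% endif %}
mode http
option httplog
option forwardfor
{% for svc in HttpService %}
{% set both = 0 %}
{% if svc.AclMatch %}acl url_acl_{{ svc.Name }} path_beg {{ svc.AclMatch }} {% set both = both + 1 %}{% endif %}
{% if svc.Host %}acl host_acl_{{ svc.Name }} {{ svc.Host|host_name }} {% set both = both + 1 %}{% endif %}
use_backend http-{{ svc.Name }} {% if both != 0 %}if {% endif %}{% if svc.AclMatch %}url_acl_{{ svc.Name }}{% endif %} {% if svc.Host %}host_acl_{{ svc.Name }}{% endif %}
{% endfor %}
{% if DefaultBackend %}default_backend default-backend{% endif %}
{% endif %}
{% for svc in HttpService %}
backend http-{{ svc.Name }}
{% if Sticky %}cookie SERVERID insert indirect nocache{% endif %}
{% for rule in svc.Backends.BackendRules %}
{{ rule }}
{% endfor %}
{% for rule in svc.Backends.RewriteRules %}
reqrep {{ rule }}
{% endfor %}
{% for rule in svc.Backends.HeaderRules %}
acl ___header_x_{{ forloop.Counter }}_exists req.hdr({{ rule|header_name }}) -m found
http-request add-header {{ rule }} unless ___header_x_{{ forloop.Counter }}_exists
{% endfor %}
{% for e in svc.Backends.Endpoints %}
{% if e.ExternalName %}
{% if e.UseDNSResolver %}
server {{ e.Name }} {{ e.ExternalName }}:{{ e.Port }} {% if e.DNSResolver %} {% if e.CheckHealth %} check {% endif %} resolvers {{ e.DNSResolver }} resolve-prefer ipv4 {% endif %}
{% elif not svc.Backends.BackendRules %}
http-request redirect location http://{{e.ExternalName}}:{{ e.Port }} code 301
{% endif %}
{% else %}
server {{ e.Name }} {{ e.IP }}:{{ e.Port }} {% if e.Weight %}weight {{ e.Weight|integer }} {% endif %} {% if Sticky %}cookie {{ e.Name }} {% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% if TCPService %}
# tcp service
{% for svc in TCPService %}
frontend tcp-frontend-key-{{ svc.Port }}
bind *:{{ svc.Port }} {% if AcceptProxy %}accept-proxy{% endif %} {% if svc.SecretName %}ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/{{ svc.SecretName }}.pem{% endif %} {%if svc.ALPNOptions %} {{svc.ALPNOptions}}{% endif %}
mode tcp
default_backend tcp-{{ svc.Name }}
{% endfor %}
{% endif %}
{% for svc in TCPService %}
backend tcp-{{ svc.Name }}
mode tcp
{% for rule in svc.Backends.BackendRules %}
{{ rule }}
{% endfor %}
{% if Sticky %}
stick-table type ip size 100k expire 30m
stick on src
{% endif %}
{% for e in svc.Backends.Endpoints %}
{% if e.ExternalName %}
server {{ e.Name }} {{ e.ExternalName }}:{{ e.Port }} {% if e.DNSResolver %} {% if e.CheckHealth %} check {% endif %} resolvers {{ e.DNSResolver }} resolve-prefer ipv4 {% endif %}
{% else %}
server {{ e.Name }} {{ e.IP }}:{{ e.Port }} {% if e.Weight %}weight {{ e.Weight|integer }} {% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% if !HttpService and !HttpsService and DefaultBackend %}
frontend http-frontend
bind *:80 {% if AcceptProxy %}accept-proxy{% endif %}
mode http
option forwardfor
default_backend default-backend
{% endif %}`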