Ansible role to install and configure HAProxy.
Building and improving this Ansible role have been sponsored by my current and previous employers like Cloudpunks GmbH and Proact Deutschland GmbH.
- Requirements
- Default Variables
- haproxy_acls
- haproxy_backends
- haproxy_blocks
- haproxy_client_timeout
- haproxy_config
- haproxy_connect_timeout
- haproxy_content_type_options
- haproxy_default_backend
- haproxy_enable_maintenance
- haproxy_enable_security_headers
- haproxy_error_list
- haproxy_error_pages
- haproxy_expect_ct
- haproxy_exporter_binding
- haproxy_frame_options
- haproxy_frontends
- haproxy_global_maxconn
- haproxy_http_logging
- haproxy_incoming
- haproxy_incoming_binding
- haproxy_keyring
- haproxy_letsencrypt_backend
- haproxy_log_address
- haproxy_log_extra
- haproxy_log_facility
- haproxy_maintenance_backend
- haproxy_maintenance_filter
- haproxy_peers
- haproxy_queue_timeout
- haproxy_referer_policy
- haproxy_retry_on
- haproxy_server_timeout
- haproxy_skip_configuration
- haproxy_ssl_ciphers
- haproxy_ssl_ciphersuites
- haproxy_ssl_options
- haproxy_sslredirect_filter
- haproxy_tcp_logging
- haproxy_tunnel_timeout
- haproxy_userlists
- haproxy_version
- haproxy_xss_protection
- haprxy_http_reuse
- Discovered Tags
- Dependencies
- License
- Author
- Minimum Ansible version:
2.10
List of acl file definitions
haproxy_acls:
- name: private
whitelist:
- 10.10.0.0/20haproxy_acls:
- name: office
whitelist:
- 192.168.1.1/24
- 10.0.0.0/20
- name: remote
whitelist:
- 10.1.0.0/24
- name: ancient
state: absentList of backends
haproxy_backends: []haproxy_backends:
- name: backend1
content: |
mode tcp
server backend1 localhost:1337
- name: backend2
settings:
- mode http
options:
- tcp-smart-connect
defaults:
- tfo
- check
smart_connect: True
retry_on:
- conn-failure
- empty-response
- response-timeout
csp: True
servers:
- server1:8080
- server2:8080
- server3:8080List of combined frontend and backends
haproxy_blocks: []haproxy_blocks:
- name: foobar
frontends: |
bind 0.0.0.0:8080
log global
mode tcp
use_backend foobar
backends: |
log global
mode tcp
server foobar-01 foobar.example.com:8080 check
- name: barfoo
frontends:
- name: barfoo1
content: |
...
- name: barfoo2
content: |
...
- name: barfoo3
content: |
...
backends:
- name: backend1
content: |
...
- name: backend2
content: |
...
- name: backend3
content: |
...haproxy_client_timeout: 600sRaw configuration for the HAProxy
haproxy_config:haproxy_config: |
global
log /dev/log local0
chroot /var/lib/haproxy
...
defaults
log global
mode http
...
frontend incoming
bind 0.0.0.0:80
bind 0.0.0.0:443 alpn h2,http/1.1,http/1.0 ssl crt /etc/haproxy/ssl/
...Global default tunnel timeout
haproxy_connect_timeout: 600sX-Content-Type-Options header if security headers are enabled
haproxy_content_type_options: nosniffDefault fallback backend
haproxy_default_backend: fallbackEnable or disable the maintenance backend
haproxy_enable_maintenance: falseEnable general security headers
haproxy_enable_security_headers: trueList of supported error pages
haproxy_error_list:
- 400
- 403
- 405
- 408
- 429
- 500
- 502
- 503
- 504Path to error page files
haproxy_error_pages: errorsExpect-CT header if security headers are enabled
haproxy_expect_ct: max-age=0Address to bind the Prometheus exporter
haproxy_exporter_binding: 0.0.0.0X-Frame-Options header if security headers are enabled
haproxy_frame_options: SAMEORIGINList of frontends
haproxy_frontends: []haproxy_frontends:
- name: frontend1
content: |
bind 0.0.0.0:1337
mode tcp
use_backend backend1
- name: frontend2
content: |
bind 0.0.0.0:1338
mode tcp
use_backend backend2Globally defined max connections
haproxy_global_maxconn: 32000Logging format for HTTP frontends
haproxy_http_logging: '{"host":"%H","ident":"haproxy","pid":%pid,"timestamp":"%Tl","haproxy":{"conn":{"act":%ac,"fe":%fc,"be":%bc,"srv":%sc},"queue":{"backend":%bq,"srv":%sq},"time":{"tq":%Tq,"tw":%Tw,"tc":%Tc,"tr":%Tr,"tt":%Tt},"termination_state":"%tsc","retries":%rc,"network":{"client_ip":"%ci","client_port":%cp,"frontend_ip":"%fi","frontend_port":%fp},"ssl":{"version":"%sslv","ciphers":"%sslc"},"request":{"method":"%HM","uri":"%HP","protocol":"%HV","header":{"host":"%[capture.req.hdr(0),json(utf8s)]","referer":"%[capture.req.hdr(1),json(utf8s)]"}},"name":{"backend":"%b","frontend":"%ft","server":"%s"},"response":{"status_code":%ST,"location":"%[capture.res.hdr(0),json(utf8s)]"},"bytes":{"uploaded":%U,"read":%B}}}'Configuration for the incoming frontend
haproxy_incoming:haproxy_incoming: |
acl domain1-host req.hdr(host) -m dom -i example.com
use_backend domain1 if domain1-hostAddress to bind the incoming frontend
haproxy_incoming_binding: 0.0.0.0Path for the repository keyring
haproxy_keyring: /usr/share/keyrings/haproxy-archive-keyring.gpgDefault letsencrypt backend
haproxy_letsencrypt_backend: '{{ haproxy_default_backend }}'Address to log into
haproxy_log_address: /dev/logExtra options for global log definiton
haproxy_log_extra:Facility to log
haproxy_log_facility: local0Backend used for maintenance mode
haproxy_maintenance_backend: maintenanceFilter to apply skip maintenance mode
haproxy_maintenance_filter: '!private-network'List of clustering peers
haproxy_peers: []haproxy_peers:
- name: haproxy-01
address: 192.168.1.2
- name: haproxy-02
address: 192.168.1.3haproxy_queue_timeout: 600sReferrer-Policy header if security headers are enabled
haproxy_referer_policy: no-referrer-when-downgradeList of default retry-on options for backends
haproxy_retry_on:
- conn-failure
- empty-response
- response-timeouthaproxy_server_timeout: 600sSkip the configuration and don't touch it
haproxy_skip_configuration: falseList of ciphers used for SSL connections
haproxy_ssl_ciphers:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384List of ciphersuites used for SSL connections
haproxy_ssl_ciphersuites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256List of options used for SSL connections
haproxy_ssl_options:
- no-sslv3
- no-tlsv10
- no-tlsv11
- no-tls-ticketsFilter to apply an redirect to HTTPS
haproxy_sslredirect_filter: http !letsencryptLogging format for TCP frontends
haproxy_tcp_logging: '{"host":"%H","ident":"haproxy","pid":%pid,"timestamp":"%Tl","haproxy":{"conn":{"act":%ac,"fe":%fc,"be":%bc,"srv":%sc},"queue":{"backend":%bq,"srv":%sq},"time":{"tw":%Tw,"tc":%Tc,"tt":%Tt},"termination_state":"%tsc","retries":%rc,"network":{"client_ip":"%ci","client_port":%cp,"frontend_ip":"%fi","frontend_port":%fp},"name":{"backend":"%b","frontend":"%ft","server":"%s"},"bytes":{"uploaded":%U,"read":%B}}}'haproxy_tunnel_timeout: 600sList of userlist definitions
haproxy_userlists: []haproxy_userlists:
- name: example
users:
- username: username1
password: $6$To5YrYYRjY/.utPQ$hPTAoVJrf5heTtFBFDJIJz58X15fNQ5MD0qqkt4.MSHjyqyyE8cNoZRqr7qBLh/h/VgdcNQiHCd6VvB8av70t0
- username: username2
password: $6$kZ/4XMtsx$2v4XFur04PG3iWnBKSJMm03.TqYachWUrfsMTayVFhtOZ7y8LO7GubBZK4P7.TQhwUjYeZ3UpmC0VO5V8JLfi/
- username: username3
password: $6$.1t20Tfh8pocL2$0YX7s.Yrze6Vge1XI.Fs.FvegmqZSkg2sdFXjFi271LNwOC1lRtf.F46PIOIYmsVfjpEu86scRNpY/MqA/tE0/Version of the PPA repo to use
haproxy_version: 2.0X-XSS-Protection header if security headers are enabled
haproxy_xss_protection: 1; mode=blockDeclare how idle HTTP connections may be shared between requests
haprxy_http_reuse: alwayshaproxy
- [community.crypto](https://github.com/ansible-collections/community.crypto
Apache-2.0