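#
# Example pillar configuration for the haproxy formula.
#
# Everything below is rendered verbatim into haproxy.cfg, so values are
# HAProxy syntax, not YAML semantics: quote anything containing ': ', ' #',
# '*', '{' or a backslash escape that HAProxy itself must see.
#
# Credentials in this file (userlist passwords, stats auth) are examples
# only.  They end up in clear text in haproxy.cfg; keep real ones in an
# encrypted pillar source rather than in a plain pillar file.
#
---
haproxy:
  # use lookup section to override 'map.jinja' values
  # lookup:
  #   user: 'custom-user'
  #   group: 'custom-group'
  #   # new setting to override configuration file path
  #   config_file: /etc/haproxy/haproxy.cfg
  enabled: true
  # Overwrite an existing config file if present
  # (default behaviour unless set to false)
  overwrite: true
  # old setting to override configuration file path, kept for compatibility
  # config_file_path: /etc/haproxy/haproxy.cfg
  global:
    log:
      - 127.0.0.1 local2
      - 127.0.0.1 local1 notice
    # Option log-tag parameter, sets the tag field in the syslog header
    log-tag: haproxy
    # Optional log-send-hostname parameter, sets the hostname field in the syslog header
    log-send-hostname: localhost
    # stats sockets
    # NOTE: a socket with 'level: admin' allows runtime changes (disabling
    # servers, changing weights, ...), so its mode/group decide who can
    # reconfigure the proxy.  Modes are kept as strings so a future leading
    # zero ("0600") is not silently read as an octal integer by YAML.
    stats:
      /run/haproxy/stats-ro:
        # the defaults
        level: user
        mode: "600"
        user: haproxy
        group: haproxy
      /run/haproxy/stats-rw:
        # custom example: every member of 'sysadmins' gets admin level
        level: admin
        mode: "660"
        group: sysadmins
    # TLS defaults for 'bind ... ssl' lines.  Only AEAD/SHA-2 ECDHE suites,
    # SSLv3/TLS1.0/TLS1.1 disabled.  On HAProxy >= 1.8 'ssl-min-ver TLSv1.2'
    # expresses the same minimum more robustly than the no-tlsvXX flags.
    # yamllint disable-line rule:line-length
    ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
    ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"
    # drop privileges after binding, and chroot the worker
    user: haproxy
    group: haproxy
    chroot:
      enable: true
      path: /var/lib/haproxy
    daemon: true
  userlists:
    userlist1:
      users:
        # 'insecure-password' stores the clear-text password in haproxy.cfg.
        # For real deployments use 'password <hash>' with a crypt(3) hash
        # (e.g. generated by 'mkpasswd -m sha-512').
        john: insecure-password doe
        sam: insecure-password frodo
  defaults:
    log: global
    mode: http
    retries: 3
    options:
      - httplog
      - dontlognull
      - forwardfor
      - http-server-close
    # yamllint disable-line rule:line-length
    logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r"
    timeouts:
      # 'http-request' bounds how long a client may take to send its
      # headers, which limits slow-header (Slowloris-style) connections
      - http-request 10s
      - queue 1m
      - connect 10s
      - client 1m
      - server 1m
      - http-keep-alive 10s
      - check 10s
    # NOTE: 'stats enable' in 'defaults' is inherited by every http-mode
    # proxy declared below, so this URI and credential are served on all of
    # them.  Prefer enabling stats only in a dedicated listen section.
    # 'stats auth' is always clear text in haproxy.cfg.
    stats:
      - enable
      - uri: '/admin?stats'
      - realm: 'Haproxy\ Statistics'
      - auth: 'admin1:AdMiN123'
    errorfiles:
      400: /etc/haproxy/errors/400.http
      403: /etc/haproxy/errors/403.http
      408: /etc/haproxy/errors/408.http
      500: /etc/haproxy/errors/500.http
      502: /etc/haproxy/errors/502.http
      503: /etc/haproxy/errors/503.http
      504: /etc/haproxy/errors/504.http
  resolvers:
    local_dns:
      options:
        - nameserver resolvconf 127.0.0.1:53
        - resolve_retries 3
        - timeout retry 1s
        - hold valid 10s
  listens:
    stats:
      # Bound on every interface; the only protection is the 'stats auth'
      # inherited from 'defaults'.  Restrict the bind address (or add an
      # ACL) if the stats page should not be reachable from the outside.
      bind:
        - "0.0.0.0:8998"
      mode: http
      options:
        - httpchk
      httpcheck: disable-on-404
      stats:
        enable: true
        uri: "/admin?stats"
        refresh: "20s"
    myservice:
      bind:
        - "*:8888"
      options:
        - forwardfor
        - http-server-close
        - httpchk
      defaultserver:
        slowstart: 60s
        maxconn: 256
        maxqueue: 128
        weight: 100
      httpchecks:
        - send-state
        - expect status 200
      servers:
        web1:
          host: web1.example.com
          port: 80
          check: check
        web2:
          host: web2.example.com
          port: 18888
          check: check
        web3:
          host: web3.example.com
    redis:
      # Exposes the Redis master on every interface without any
      # authentication of its own; restrict the bind or firewall the port.
      bind:
        - '*:6379'
      balance: roundrobin
      defaultserver:
        fall: 3
      options:
        - tcp-check
      # The '\r\n' escapes (and the '\ ' in 'info\ replication') must reach
      # haproxy.cfg literally; plain YAML scalars keep backslashes as-is.
      # Without them Redis never answers +PONG and every server fails the
      # check.
      tcpchecks:
        - send PING\r\n
        - expect string +PONG
        - send info\ replication\r\n
        - expect string role:master
        - send QUIT\r\n
        - expect string +OK
      servers:
        server1:
          host: server1
          port: 6379
          check: check
          extra: port 6379 inter 1s
        server2:
          host: server2
          port: 6379
          check: check
          extra: port 6379 inter 1s backup
  frontends:
    frontend1:
      name: www-http
      bind: "*:80"
      redirects:
        - scheme https if !{ ssl_fc }
      # 'reqadd' is removed in HAProxy 2.1; on 2.x use
      # 'http-request set-header X-Forwarded-Proto http' via 'extra'.
      # The double backslash is YAML escaping for the single '\ ' HAProxy
      # needs to keep the space inside one argument.
      reqadds:
        - "X-Forwarded-Proto:\\ http"
      default_backend: www-backend
    # www-https:
    #   bind: "*:443 ssl crt /etc/ssl/private/certificate-chain-and-key-combined.pem"
    #   # yamllint disable-line rule:line-length
    #   logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version:%sslv\\ ssl_cipher:%sslc"
    #   reqadds:
    #     - "X-Forwarded-Proto:\\ https"
    #   default_backend: www-backend
    #   acls:
    #     - url_static path_beg -i /static /images /javascript /stylesheets
    #     - url_static path_end -i .jpg .gif .png .css .js
    #   use_backends:
    #     - static-backend if url_static
    #   # '\\ ' as in the reqadds above: a single '\ ' inside double quotes is
    #   # a YAML escape for a plain space, which leaves HAProxy with a stray
    #   # 'max-age=...' token and a config parse error.  'rspadd' is removed
    #   # in HAProxy 2.1; use 'http-response set-header' there.
    #   extra: "rspadd Strict-Transport-Security:\\ max-age=15768000"
    # some-services:
    #   bind:
    #     - "*:8080"
    #     - "*:8088"
    #   default_backend: api-backend
  backends:
    backend1:
      name: www-backend
      balance: roundrobin
      redirects:
        - scheme https if !{ ssl_fc }
      # Strips any client-supplied X-Forwarded-For so the servers only see
      # the value added by 'option forwardfor'.  'reqidel' is removed in
      # HAProxy 2.1; the equivalent is 'http-request del-header X-Forwarded-For'.
      extra: "reqidel ^X-Forwarded-For:"
      servers:
        server1:
          name: server1-its-name
          host: 192.168.1.213
          port: 80
          check: check
    static-backend:
      balance: roundrobin
      redirects:
        - scheme https if !{ ssl_fc }
      options:
        - http-server-close
        - httpclose
        - forwardfor except 127.0.0.0/8
        - httplog
      # Persistence cookie.  When the site is served over TLS consider
      # appending 'httponly secure' so the cookie is not readable by
      # scripts or sent in clear.
      cookie: "pm insert indirect"
      # A second stats page with its own clear-text credential; see the
      # note on 'defaults.stats' above.
      stats:
        enable: true
        uri: /url/to/stats
        realm: LoadBalancer
        auth: "user:password"
      servers:
        some-server:
          host: 123.156.189.111
          port: 8080
          check: check
        another-server:
          host: 123.156.189.112
    api-backend:
      options:
        - http-server-close
        - forwardfor
      servers:
        apiserver1:
          host: apiserver1.example.com
          port: 80
          check: check
        server2:
          name: apiserver2
          host: apiserver2.example.com
          port: 80
          check: check
          extra: resolvers local_dns resolve-prefer ipv4
    another_www:
      # TLS pass-through in tcp mode: the ClientHello is inspected (not
      # terminated) and clients are stuck to a server by TLS session id.
      mode: tcp
      balance: source
      sticktable: "type binary len 32 size 30k expire 30m"
      acls:
        - clienthello req_ssl_hello_type 1
        - serverhello rep_ssl_hello_type 2
      tcprequests:
        - "inspect-delay 5s"
        - "content accept if clienthello"
      tcpresponses:
        - "content accept if serverhello"
      stickons:
        - "payload_lv(43,1) if clienthello"
      # 'reqrep' does not apply in tcp mode and is removed in HAProxy 2.1
      # (use 'http-request replace-path' in an http-mode proxy instead).
      reqreps:
        - '^([^\ :]*)\ /static/(.*) \1\ \2'
      options: "ssl-hello-chk"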