haproxy-external.jinja.cfg

global
    log /dev/log    local0
    #log /dev/log   local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin-external.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.0.1k&hsts=yes&profile=modern
    # set default parameters to the modern configuration
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    ssl-default-bind-options no-sslv3

defaults
    log	global
    mode	http
    option	httplog
    option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

{%- if "http" in services.group_by_tagvalue("smartstack:protocol:") -%}
    {%- set http_services = services.group_by_tagvalue("smartstack:protocol:")["http"] -%}
{%- endif -%}
{%- if "sni" in  services.group_by_tagvalue("smartstack:protocol:") -%}
    {%- set sni_services = services.group_by_tagvalue("smartstack:protocol:")["sni"] -%}
{%- endif -%}
{%- if "https" in services.group_by_tagvalue("smartstack:protocol:") -%}
    {%- set https_services = services.group_by_tagvalue("smartstack:protocol:")["https"] -%}
{%- endif -%}
{%- set use_sni_dispatch = sni_services is defined and sni_services and https_services is defined and https_services -%}

{#- first let's handle all port 80 http services. We also redirect SSL services to HTTPS, if
    they have the right tags -#}
{% if http_services is defined or "https-redirect" in https_services.tagvalue_set("smartstack:") %}
frontend http-routing
    bind {{localip}}:80
    reqadd X-Forwarded-Proto:\ http
    {% if http_services is defined %}
        {% for svcname, svclist in http_services.group_by("name").items() -%}
            {% for hostname in svclist.tagvalue_set("smartstack:hostname:") -%}
                acl host_{{svcname}} hdr(Host) -i {{hostname}}
            {% endfor %}
            {% for option in svclist.tagvalue_set("haproxy:frontend:option:") -%}
                option {{option}}
            {% endfor %}
            {% for timeout in group.tagvalue_set("haproxy:frontend:timeout:") %}
                timeout {{timeout.split(':', 1)[0]}} {{timeout.split(':', 1)[1]}}
            {% endfor %}
            use_backend backend-http-{{svcname}} if host_{{svcname}}
        {% endfor -%}
    {% endif %}
    {% for svcname, svclist in https_services.group_by("name").items() -%}
        {% for hostname in svclist.tagvalue_set("smartstack:hostname:") -%}
            {% if "https-redirect" in svclist.tagvalue_set("smartstack:") -%}
                acl host_{{hostname}}_httpsredir hdr(Host) -i {{hostname}}
                redirect prefix https://{{hostname}} code 301 if host_{{hostname}}_httpsredir
            {%- endif -%}
        {% endfor %}
    {% endfor -%}
{% endif -%}

{#- If we have SNI based services, the routing will go like this:
        ingress -> SNI routing -> local port https routing
                     |                |
                     +-> servers      +-> servers

    This routing might become a performance problem at some point since SSL termination passes
    through two frontends in this configuration. When that happens, split the loadbalancer in two,
    where one routes SNI and one routes SSL terminated connections. -#}
{% if sni_services is defined and sni_services %}
frontend sni-routing
    bind {{localip}}:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    mode tcp
    {% for name, svc in sni_services.group_by("name").items() -%}
        {% for hostname in svc.tagvalue_set("smartstack:hostname:") -%}
            acl host_{{name}} req.ssl_sni {{hostname}}
        {% endfor %}
        use_backend backend-sni-{{name}} if host_{{name}}
    {% endfor %}

    {%- if https_services is defined and https_services -%}
        # dispatch to https SSL termination
        {% for name, svc in https_services.group_by("name").items() -%}
            {% for hostname in svc.tagvalue_set("smartstack:hostname:") -%}
                acl sslterminate_dispatch req.ssl_sni {{hostname}}
            {% endfor %}
        {% endfor %}
        use_backend ssl-termination-dispatch if sslterminate_dispatch
    {%- endif %}
{% endif -%}

{% if use_sni_dispatch -%}
backend ssl-termination-dispatch
    mode tcp
    server dispatch localhost:10443
{%- endif %}

{% if https_services is defined and https_services %}
frontend https-routing
    bind {% if use_sni_dispatch %}localhost:10443{% else %}{{localip}}:443{% endif %} ssl {% if maincert is defined %}crt {{maincert}}{% endif %}{% for cert in https_services.tagvalue_set("crt") %} crt {{cert}}{% endfor %}
    reqadd X-Forwarded-Proto:\ https
    {% for name, svc in https_services.group_by("name").items() %}
        {% for hostname in svc.tagvalue_set("smartstack:hostname:") %}
            acl host_{{name}} hdr(host) -i {{hostname}}
        {% endfor %}
        {% for option in svc.tagvalue_set("haproxy:frontend:option:") %}
            option {{option}}
        {% endfor %}
        use_backend backend-https-{{name}} if host_{{name}}
    {% endfor %}
{% endif %}

{% for prot, servicegroup in services.group_by_tagvalue("smartstack:protocol:").items() %}
    {% for name, svc in servicegroup.group_by("name").items() %}
backend backend-{{prot}}-{{name}}
        {% for backend in svc %}
            server {{name}}-{{prot}}-srv{{loop.index}} {{backend.ip}}:{{backend.port}} check
        {% endfor %}
        mode {% if prot == "sni" %}tcp{% else %}http{% endif %}
        {% for option in svc.tagvalue_set("haproxy:backend:option:") %}
            option {{option}}
        {% endfor %}
        {% if svc[0].tagvalue("haproxy:backend:timeout:") %}
            timeout {{timeout.split(':', 1)[0]}} {{timeout.split(':', 1)[1]}}
        {% endif %}
        {% if prot.startswith("http") and not svc[0].tagvalue("haproxy:no-forward-for") %}
            option forwardfor
        {% endif %}
    {% endfor %}
{% endfor %}