From c5fe4a66aafa91a809c17fe26e8b13e89999bf77 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 12 Jun 2018 21:49:03 -0500
Subject: [PATCH] roles/dch-proxy: Deploy reverse HTTP/HTTPS proxy

The *dch-proxy* role sets up HAProxy to provide a revers proxy for all public-facing web services on the Pyrocufflink network. It uses the TLS Server Name Indication (SNI) extension to determine the proper backend server based on the name requested by the client.

For now, only Gitea is configured; the name *git.pyrocufflink.blue* is proxied to *git0.pyrocufflink.blue*. All other names are proxied to Myala.
---
 roles/dch-proxy/meta/main.yml | 2 ++
 roles/dch-proxy/tasks/main.yml | 20 +++++++++++++++++++
 .../templates/backend-gitea.haproxy.cfg.j2 | 7 +++++++
 .../templates/backend-myala.haproxy.cfg.j2 | 7 +++++++
 .../templates/frontend-main.haproxy.cfg.j2 | 17 ++++++++++++++++
 5 files changed, 53 insertions(+)
 create mode 100644 roles/dch-proxy/meta/main.yml
 create mode 100644 roles/dch-proxy/tasks/main.yml
 create mode 100644 roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
 create mode 100644 roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
 create mode 100644 roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
diff --git a/roles/dch-proxy/meta/main.yml b/roles/dch-proxy/meta/main.yml
new file mode 100644
index 0000000..7259f30
--- /dev/null
+++ b/roles/dch-proxy/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- haproxy
diff --git a/roles/dch-proxy/tasks/main.yml b/roles/dch-proxy/tasks/main.yml
new file mode 100644
index 0000000..5d0987f
--- /dev/null
+++ b/roles/dch-proxy/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: ensure main haproxy frontend is configured
+ template:
+ src=frontend-main.haproxy.cfg.j2
+ dest=/etc/haproxy/50-frontend-main.cfg
+ mode=0644
+ notify: reload haproxy
+
+- name: ensure default haproxy backend is configured
+ template:
+ src=backend-myala.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-myala.cfg
+ mode=0644
+ notify: reload haproxy
+
+- name: ensure gitea haproxy backend is configured
+ template:
+ src=backend-gitea.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-gitea.cfg
+ mode=0644
+ notify: reload haproxy
diff --git a/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
new file mode 100644
index 0000000..acf02f9
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
@@ -0,0 +1,7 @@
+backend gitea
+ server gitea git0.pyrocufflink.blue:80 check
+
+
+backend gitea-tls
+ mode tcp
+ server gitea git0.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
new file mode 100644
index 0000000..5379f47
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
@@ -0,0 +1,7 @@
+backend myala
+ server myala myala.pyrocufflink.jazz:80 check
+
+
+backend myala-tls
+ mode tcp
+ server myala myala.pyrocufflink.jazz:443 check
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
new file mode 100644
index 0000000..8ed785f
--- /dev/null
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
@@ -0,0 +1,17 @@
+frontend main
+ bind :::80
+
+ use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+ default_backend myala
+
+
+frontend main-tls
+ bind :::443
+ mode tcp
+ option tcplog
+
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+
+ use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.blue }
+ default_backend myala-tls
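Review bot: The three template tasks write config fragments into /etc/haproxy and notify `reload haproxy` with no syntax check in between, so a bad render reaches the running proxy and the reload fails with nothing to roll back to. Because the configuration is assembled from several fragments, a per-file `validate:` on the template task cannot parse a fragment on its own; the practical check is a whole-directory parse before the reload, e.g. a task after the three templates: `- name: validate haproxy configuration`, `  command: haproxy -c -f /etc/haproxy`, `  changed_when: false`. This presumes the haproxy role starts the daemon with the directory as its config source; the `reload haproxy` handler is defined in that dependency role, outside this diff, so confirm there.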
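Review bot: `backend gitea` forwards plaintext HTTP to git0 without `option forwardfor`, so Gitea sees every request as originating from the proxy's own address and its access logs and any IP-based rate limiting or ban logic lose the real client. Add `option forwardfor` under `backend gitea`, and configure Gitea to trust X-Forwarded-For only from this proxy. For `backend gitea-tls` the TLS passthrough means the client address can only be preserved with the PROXY protocol (`send-proxy-v2` on the server line), which requires Gitea's HTTPS listener to expect it, so that is a separate, coordinated change. The file is a .j2 template but contains no Jinja expressions; the backend hostname could be a role variable so the other environments do not need a template copy.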
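Review bot: `backend myala` is the catch-all for every Host header and SNI value that is not git.pyrocufflink.blue, including requests by bare IP address and unknown names, so whether unknown vhosts are rejected or silently served by Myala's first vhost now depends entirely on Myala's own configuration, which is not visible here; a comment on the backend recording that expectation would help, e.g. `# default backend: receives all unmatched Host/SNI values, Myala must reject unknown vhosts`. As with the gitea backend, the plaintext `backend myala` has no `option forwardfor`, so Myala's logs will show the proxy address for all HTTP clients; add `option forwardfor` under `backend myala`.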
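Review bot: In `frontend main-tls`, a connection that has not presented a TLS ClientHello when the 5s inspect-delay expires is not rejected — the default action on expiry is accept, so non-TLS or garbage traffic on port 443 is held for five seconds and then handed to myala-tls. Add `tcp-request content reject` immediately after the `tcp-request content accept if { req_ssl_hello_type 1 }` line so only ClientHellos are routed. `bind :::80` and `bind :::443` depend on the kernel's bindv6only setting to also accept IPv4; `bind :::80 v4v6` and `bind :::443 v4v6` make that explicit. In `frontend main`, `hdr(host)` is an exact string match and will not match a `Host: git.pyrocufflink.blue:80` sent by some clients, so such requests fall through to myala; `hdr_dom(host) -i git.pyrocufflink.blue` tolerates the port suffix. The port-80 frontend proxies cleartext with no `http-request redirect scheme https`, so any HTTPS redirect must come from the backends, which this diff does not show.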