diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..20513dc --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,11 @@ +--- +haproxy_ssl_certs_dir: /etc/haproxy/ssl/certs +haproxy_ssl_self_dir: /etc/haproxy/ssl/self +haproxy_ssl_self_signed_subj: '/C=FR/ST=France/L=Marseille/O={{ inventory_hostname }}' +haproxy_ssl_self_signed_days: 3650 +haproxy_ssl_self_signed_domains: + - '{{ inventory_hostname }}' + +haproxy_accept_warnings: yes + +haproxy_bind_ip: '*' diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..5b344ae --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: haproxy restart + systemd_service: + name: haproxy + state: restarted + +- name: haproxy reload + systemd_service: + name: haproxy + state: reloaded diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..c334925 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,9 @@ +--- +galaxy_info: + author: Ludovic Cartier + description: install & configure haproxy + company: brainsys + license: MIT + min_ansible_version: 2.8 + issue_tracker_url: https://git.brainsys.io/ansible-roles/haproxy/issues + github_branch: main diff --git a/tasks/configure.yml b/tasks/configure.yml new file mode 100644 index 0000000..b9fe4b6 --- /dev/null +++ b/tasks/configure.yml @@ -0,0 +1,34 @@ +--- +- name: haproxy | ensure certs directory + file: + path: '{{ item }}' + state: directory + mode: '0755' + owner: root + group: root + with_items: + - '/etc/haproxy/ssl/certs' + - '/etc/haproxy/ssl/self' + +- name: haproxy | create default self-signed certificate + shell: | + openssl req -newkey rsa:2048 -nodes -sha256 -x509 -subj "{{ haproxy_ssl_self_signed_subj }}/CN={{ item }}" -days {{ haproxy_ssl_self_signed_days }} -keyout "{{ item }}.key" -out "{{ item }}.crt" -extensions v3_ca + cat {{ item }}.crt {{ item }}.key >> {{ haproxy_ssl_certs_dir }}/{{ item }}.pem + chmod 0600 {{ item }}.crt {{ item }}.key {{ haproxy_ssl_certs_dir }}/{{ item }}.pem + args: + chdir: '{{ haproxy_ssl_self_dir }}' + creates: '{{ haproxy_ssl_certs_dir }}/{{ item }}.pem' + with_items: '{{ haproxy_ssl_self_signed_domains }}' + notify: + - haproxy restarted + +- name: haproxy | copy configuration file + template: + src: haproxy.cfg.j2 + dest: '/etc/haproxy/haproxy.cfg' + owner: root + group: root + mode: '0440' + validate: 'haproxy -f %s -c {% if haproxy_accept_warnings %}-q{% endif %}' + notify: + - haproxy reloaded diff --git a/tasks/install.yml b/tasks/install.yml new file mode 100644 index 0000000..7ec380f --- /dev/null +++ b/tasks/install.yml @@ -0,0 +1,7 @@ +--- +- name: haproxy | installation + apt: + name: haproxy + state: present + default_release: {{ ansible_distribution_release }}-backports + diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..dc4c819 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,10 @@ +--- +- name: haproxy | requirements + include_tasks: requirements.yml + +- name: haproxy | installation + include_tasks: install.yml + +- name: haproxy | configuration + include_tasks: configure.yml + diff --git a/tasks/requirements.yml b/tasks/requirements.yml new file mode 100644 index 0000000..c560c01 --- /dev/null +++ b/tasks/requirements.yml @@ -0,0 +1,11 @@ +--- +- name: haproxy | add backports repository + apt_repository: + repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main + state: present + filename: "{{ ansible_distribution_release }}-backports" + +- name: haproxy | update apt cache + apt: + update_cache: yes + cache_valid_time: 86400 diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 new file mode 100644 index 0000000..087eaf6 --- /dev/null +++ b/templates/haproxy.cfg.j2 @@ -0,0 +1,186 @@ +# {{ ansible_managed }} + +########## +# Global # +########## + +global + ca-base /etc/ssl/certs + chroot /var/lib/haproxy + crt-base /etc/ssl/private + log /dev/log local0 info + log /dev/log local1 notice + log-tag haproxy + maxconn 20000 + pidfile /var/run/haproxy.pid + spread-checks 8 + + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + + ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-HA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + + ssl-server-verify none + + stats socket /var/lib/haproxy/stats mode 600 level admin + + tune.bufsize 65536 + tune.maxrewrite 32768 + tune.ssl.cachesize 100000 + tune.ssl.default-dh-param 2048 + tune.ssl.lifetime 600 + tune.ssl.maxrecord 1460 + +############ +# Defaults # +############ + +defaults 000-main + compression algo gzip + compression type text/html text/plain text/xml text/css text/javascript application/javascript application/json text/json image/svg+xml + log global + mode http + + option httplog + option http-server-close + option dontlognull + option forwardfor + option redispatch + + retries 3 + + stats realm Haproxy\ Statistics + stats show-desc Haproxy\ Statistics + stats show-node {{ ansible_hostname }} + stats uri /haproxy-stats + stats refresh 5s + stats hide-version + stats show-legends + + timeout http-request 60s + timeout queue 60s + timeout connect 60s + timeout client 60s + timeout server 60s + timeout check 10s + +############ +# Userlist # +############ + +userlist prod + group ADMIN + user brainsys password $6$whKvhQcRLecqnNlC$CZS.p3EHfJDmC9H6KDeLkwOddLOPvPuEUDsaR3iLGbXU3eJ9kKcGDfq.Y59qgX2Q10x2Q2QuJ0lAcs0T2eAfa. groups ADMIN + +############# +# Frontends # +############# + +frontend stats + bind *:8404 + option httpclose + stats enable + stats uri /stats + stats refresh 10s + http-request use-service prometheus-exporter if { path /metrics } + +frontend prd_frontend1 + bind {{ haproxy_bind_ip }}:80 + bind {{ haproxy_bind_ip }}:443 ssl crt /etc/haproxy/ssl/certs + + mode http + option http-server-close + option forwardfor + log-format %ci\ -\ [%Tl]\ %{+Q}r\ %ST\ %B\ %{+Q}hrl\ ---\ %{+Q}[var(txn.SCHEME)]\ %{+Q}[var(txn.COUNTRY)]\ %b\ %s\ %{+Q}hsl\ %Tq/%Tw/%Tc/%Tr/%Tt + + ## acl ## + acl has_DEBUG always_false + acl has_SCHEME_HTTPS ssl_fc + acl has_BYPASS_MAINTENANCE always_false + acl has_MAINTENANCE always_false + acl has_BYPASS_CACHE hdr_sub(X-Requested-With) XMLHttpRequest + acl has_BYPASS_CACHE method POST + acl has_AUTHORIZATION always_false + acl has_HEADER_X_FORWARDED_FOR hdr(X-Forwarded-For) -m found + acl has_HEADER_CF_CONNECTING_IP hdr(CF-Connecting-IP) -m found + acl has_HEADER_CF_TRUE_CLIENT_IP hdr(True-Client-IP) -m found # was cf_hdr_found + acl to_RESTRICTED_AREA path_beg -i /haproxy-stats + acl to_ACME_CHALLENGE path_beg /.well-known/acme-challenge/ + acl is_auth_ok http_auth(prod) + acl is_HAPROXY_STATS path_beg -i /haproxy + acl is_localhost hdr(host) -i localhost + acl is_POST method POST + acl is_DELETE method DELETE + acl disable_AUTH_to_RESTRICTED_AREA always_false + acl disable_REDIRECT_TO_HTTPS always_false + acl disable_REDIRECT_TO_HTTPS hdr(host) -i localhost {{ ansible_hostname }} + acl disable_REDIRECT_TO_HTTPS path_beg -i /.well-known/acme-challenge/ + + + ## capture ## + capture request header X-Forwarded-For len 64 + capture request header CF-Connecting-IP len 64 + capture request header Referer len 64 + capture request header User-Agent len 512 + capture request header Host len 128 + capture response header Content-Length len 10 + capture response header X-Cache len 4 + capture response header X-Cache-Hits len 8 + capture response header Cache-Control len 64 + capture response header X-UA-Device len 8 + + ## http-response ## + http-response add-header Strict-Transport-Security max-age=15768000 + http-response add-header Referrer-Policy no-referrer-when-downgrade + http-response del-header Server if !has_DEBUG + http-response del-header X-Generator if !has_DEBUG + http-response del-header X-Apache-Server-ID if !has_DEBUG + http-response del-header X-Vhost-ID if !has_DEBUG + http-response del-header x-url if !has_DEBUG + http-response del-header X-UA-Device if !has_DEBUG + http-response del-header X-Cache-Hits if !has_DEBUG + http-response del-header X-Powered-By if !has_DEBUG + http-response del-header X-Served-By if !has_DEBUG + http-response del-header X-Varnish-Ip if !has_DEBUG + http-response del-header X-Varnish-Port if !has_DEBUG + http-response del-header via if !has_DEBUG + http-response set-header X-XSS-Protection "1; mode=block" + http-response set-header X-Content-Type-Options nosniff + http-response del-header content-security-policy-report-only + # no follow / no index !!! + http-response set-header X-Robots-Tag "noindex, nofollow" + + ## http-request ## + http-request set-src hdr_ip(CF-Connecting-IP) if has_HEADER_CF_CONNECTING_IP + http-request set-src hdr_ip(X-Forwarded-For) if has_HEADER_X_FORWARDED_FOR + http-request set-src hdr(True-Client-IP) if has_HEADER_CF_TRUE_CLIENT_IP + http-request set-header X-Client-IP %[src] + http-request set-header X-Forwarded-For %[src] + http-request set-header X-Forwarded-Proto https if has_SCHEME_HTTPS + http-request set-header X-Forwarded-Port 443 if has_SCHEME_HTTPS + http-request set-header X-Forwarded-Port 80 if !has_SCHEME_HTTPS + http-request set-var(txn.SCHEME) hdr(X-Forwarded-Proto) + http-request set-var(txn.host) hdr(Host) + http-request set-var(txn.path) path + http-request redirect code 301 scheme https if !has_SCHEME_HTTPS !disable_REDIRECT_TO_HTTPS + http-request del-header authorization if to_RESTRICTED_AREA has_AUTHORIZATION + http-request del-header user-agent if { hdr(user-agent) -i HAPROXY-LB-Check VARNISH-LB-Check } + http-request del-header Authorization if is_auth_ok + http-request deny if to_RESTRICTED_AREA !has_AUTHORIZATION + http-request deny if is_HAPROXY_STATS !is_localhost + http-request auth realm "haproxy statistics - Limited access" if !is_auth_ok is_HAPROXY_STATS + http-request auth realm "You need a valid user and password to access this content. Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected" if to_RESTRICTED_AREA !has_AUTHORIZATION !disable_AUTH_to_RESTRICTED_AREA + ## end http-request ## + + ## use backends ## + default_backend prd_backend + +############ +# Backends # +############ +backend prd_backend + mode http + server nginx 127.0.0.1:80 check inter 3s