diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 4e88b9a..5019efe 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,33 +1,36 @@ --- - yum: name=haproxy state=present - name: rsyslog for haproxy lineinfile: dest: /etc/rsyslog.conf line: "{{ item }}" notify: restart rsyslogd with_items: - "$AllowedSender UDP, 127.0.0.1" - "local2.* /var/log/haproxy.log" - "*.info;mail.none;authpriv.none;cron.none;local2.none /var/log/messages" - "$ModLoad imudp" - "$UDPServerRun 514" - name: rsyslog for haproxy lineinfile: dest: /etc/rsyslog.conf line: "*.info;mail.none;authpriv.none;cron.none /var/log/messages" state: absent notify: restart rsyslogd - name: Configure the haproxy cnf file with hosts template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg notify: reload haproxy - name: Start the haproxy service service: name=haproxy state=started enabled=yes - name: Sorry page template: src=sorry.http dest=/etc/haproxy/sorry.http + +- name: Google webmaster verification file + template: src=google.http dest=/etc/haproxy/google.http
diff --git a/roles/haproxy/templates/google.http b/roles/haproxy/templates/google.http
new file mode 100644
index 0000000..1c7c792
--- /dev/null
+++ b/roles/haproxy/templates/google.http
@@ -0,0 +1,6 @@
+HTTP/1.0 200 Found
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+google-site-verification: {{ google_webmaster_file }}
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 28dd204..ca31af9 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
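Review bot: The new "Google webmaster verification file" task writes /etc/haproxy/google.http but has no `notify: reload haproxy`, unlike the haproxy.cfg task above it; haproxy reads `errorfile` contents at configuration load, so a changed verification token stays unserved until something else reloads the proxy. The task is also placed after "Start the haproxy service", so on a fresh host haproxy is started with a haproxy.cfg that already points `errorfile 503` at a file that does not exist yet, which I believe haproxy rejects as a fatal configuration error (the pre-existing "Sorry page" task has the same ordering problem). Move both template tasks above the service task and add the handler to the new one, e.g. `- name: Google webmaster verification file` / `  template: src=google.http dest=/etc/haproxy/google.http` / `  notify: reload haproxy`.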
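Review bot: The status line `HTTP/1.0 200 Found` combines the 200 status code with the reason phrase that belongs to 302; it should read `HTTP/1.0 200 OK`. Clients act on the numeric code, so the verification check itself is unaffected, but anyone reading access logs or a curl dump sees a contradictory response. Note also that the response carries no Content-Length and relies on `Connection: close` to delimit the body, which is fine for a file haproxy returns verbatim but should be kept in mind if the header block is ever edited.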
@@ -1,125 +1,131 @@ global log 127.0.0.1 local2 notice warning chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats level admin # SSL/TLS tune.ssl.default-dh-param 2048 ssl-default-bind-options no-sslv3 #ssl-default-bind-options no-tlsv10 ssl-default-bind-options no-tls-tickets ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK defaults mode http log global option dontlognull #option forceclose option redispatch retries 3 timeout connect 10s timeout client 1m timeout server 1m maxconn 3000 userlist admins user {{ monit_user }} insecure-password {{ monit_pass }} frontend public bind :::80 v4v6 #acl host_sub1 hdr(host) -i jenkins.{{ domain }} #use_backend ci if host_sub1 #redirect scheme https if !host_sub1 redirect scheme https frontend public_tls rspadd Strict-Transport-Security:\ max-age=15768000 bind :::443 v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem errorfile 503 /etc/haproxy/sorry.http acl host_sub1 hdr(host) -i jenkins.{{ domain }} + acl is_google path /{{ google_webmaster_file }} use_backend ci if host_sub1 + use_backend google if is_google default_backend app +backend google + mode http + errorfile 503 /etc/haproxy/google.http + backend app balance source hash-type consistent option http-server-close option forwardfor option httpchk HEAD /maniphest/ HTTP/1.1\r\nHost:\ {{ domain }} {% for host in groups['app'] %} server {{ 
hostvars[host]['host_name'] }} {{ host }}:80 check #send-proxy {% endfor %} backend ci balance static-rr {% for host in groups['ci'] %} server {{ hostvars[host]['host_name']}} {{ host }}:{{ jenkins_port }} check {% endfor %} frontend monit bind *:{{ monit_port }} ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem default_backend monitd acl auth_admin http_auth(admins) http-request allow if auth_admin http-request auth realm Restricted unless auth_admin http-request deny backend monitd {% for host in groups['monit'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:80 {% endfor %} frontend sshd mode tcp option tcplog option tcpka timeout client 1h bind :::{{ vcs_port }} v4v6 default_backend ssh backend ssh mode tcp balance source hash-type consistent timeout connect 500s timeout server 1h {% for host in groups['app'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }} {% endfor %} frontend mysqld mode tcp option tcplog bind {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}:3306 default_backend mysql backend mysql mode tcp balance static-rr option mysql-check user {{ mysql_lbs_user }} {% for host in groups['dbs'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:3306 check port 3306 {% if not loop.first %}backup{% endif %} {% endfor %} listen haproxy-monit bind :::{{ stats_port }} v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem stats enable stats refresh 5s stats show-legends stats uri / acl auth_admin http_auth(admins) stats http-request allow if auth_admin stats http-request auth realm Restricted unless auth_admin stats http-request deny stats admin if auth_admin diff --git a/vars/main.yml.example b/vars/main.yml.example index d003704..4342d44 100644 --- a/vars/main.yml.example +++ b/vars/main.yml.example 
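Review bot: The new `backend google` deliberately has no `server` line — every request routed to it ends up at the `errorfile 503`, which answers with the verification body and a 200 status — but nothing in the file says so, and the next reader will take an empty backend for a mistake; add above it `# no servers on purpose: the 503 errorfile answers every request with the verification body (HTTP 200)`. Two smaller points on the same lines: `use_backend ci if host_sub1` is evaluated before `use_backend google if is_google`, so the verification path is only reachable on the main domain and not on the jenkins host name, which appears to match the intent; and as I understand haproxy, errorfile responses are emitted as-is without passing through response rules, so this frontend's `rspadd Strict-Transport-Security` header is not added to them, harmless for the check but worth a comment. `google_webmaster_file` is also interpolated unquoted into `acl is_google path /{{ google_webmaster_file }}`, so a value containing whitespace would silently change the ACL; the variable is operator-supplied, so a note next to the acl line stating that constraint is enough.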
@@ -1,105 +1,106 @@ --- env: prod project_name: "c4science" ansible_ssh_user: "centos" proxy: no http_proxy: "" no_proxy: "localhost" proxy_url: "{{ http_proxy }}" user_pwd_root: "" user_pwd_centos: "" # OpenStack keypair_name: "" image_id: "" image_id_coreos: "" public_net: "" private_net: "" flavor_id_small: "" flavor_id_medium: "" flavor_id_large: "" flavor_id_small_backup: "" private_net_backup: "" image_id_backup: "" region_main: "" region_back: "" # Storage s3_access_key: "" s3_secret_key: "" s3_endpoint: "" s3_bucket: "" s3_region: "" # Lbs external_ip: 0.0.0.0 backup_ip: 0.0.0.0 ip_range: "10.0.0.0/16" jenkins_port: 8080 stats_port: 8082 monit_port: 8081 monit_user: admin monit_pass: rolling_reboot_proxy_host: "{{ external_ip }}" rolling_reboot_pause: 30 rolling_reboot_wait_delay: 20 # App developer_mode: false http_scheme: 'http://' domain: example.com file_domain: "{{ http_scheme }}static.{{ domain }}/" phabricator_path: /srv/www/facebook/ repositories_path: /var/repo/ phd_user: phabricator www_user: apache vcs_user: git vcs_port: 2222 jenkins_admin_user: admin jenkins_admin_pass: jenkins_phab_url: "{{ http_scheme }}{{ domain }}/" jenkins_phab_id: "PHID-" jenkins_phab_secret: "" jenkins_url: "{{ http_scheme }}jenkins.{{ domain }}/" shib_metadata_file: "metadata.xml" shib_metadata_provider: "http://example.com/{{ shib_metadata_file }}" phabricator_domains: - "{{ domain }}" - 'example.com' +google_webmaster_file: "googleXYZ.html" # Dbs mysql_app_user: "" mysql_app_pass: "" mysql_shib_user: "" mysql_shib_pass: "" mysql_shib_db: "shibboleth" mysql_lbs_user: "haproxy" mysql_cluster_name: "" mysql_host: "10.0.0.0/255.255.0.0" # SSH ssh_keys: - "ssh-rsa mysuperkey1" - "ssh-rsa mysuperkey2" # Swap swap_path: "/swapfile" dd_bs_size_mb: 32 swap_count: 128 swappiness: 10 vfs_cache_pressure: 50 # Email configure_postfix: true enable_postfix_domain_rewrite: true enable_postfix_relayhost: true postfix_rewrite_domain: "{{ domain }}" email_alias_phabricator: "" 
email_alias_postmaster: "" email_alias_admin: "" email_monitoring: ""