diff --git a/Vagrantfile b/Vagrantfile
index 9f65881d..55cf6ee6 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -11,7 +11,7 @@ SERVERS = [
 "docs",
 "downloads",
 {:name => "hg", :codename => "noble"},
- {:name => "loadbalancer", :ports => [20000, 20001, 20002, 20003, 20004, 20005, 20010, 20011]},
+ {:name => "loadbalancer", :codename => "noble", :ports => [20000, 20001, 20002, 20003, 20004, 20005, 20010, 20011]},
 "mail",
 "moin",
 "planet",
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
index 34e087b5..1c44478d 100644
--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
@@ -122,7 +122,6 @@ frontend main
 capture request header X-Forwarded-For len 64
 acl letsencrypt-well-known-acl path_beg /.well-known/acme-challenge/
- use_backend letsencrypt-well-known if letsencrypt-well-known-acl
 # Determine if this request has TLS on the client side or not.
 acl is_tls dst_port 19001
@@ -142,6 +141,8 @@ frontend main
 # Redirect all HTTP traffic to HTTPS
 redirect code 301 scheme https if !is_tls !letsencrypt-well-known-acl
+ use_backend letsencrypt-well-known if letsencrypt-well-known-acl
+
 # Dispatch to the redirect backend for any redirects we have, we're going
 # to do this here after the HTTP -> HTTPS redirect even though this will
 # result in an extra redirect because we want to give this domain a chance 
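Review bot: Moving `use_backend letsencrypt-well-known` below the `redirect` does not change evaluation order as far as I can tell: HAProxy processes `redirect` rules before `use_backend` rules wherever they sit in the frontend (newer releases warn when a `use_backend` precedes a `redirect`), and the ACME path is already exempted by `!letsencrypt-well-known-acl` on the redirect line. If silencing that warning is the intent, a one-line comment above the moved line, e.g. `# Kept after the redirect: HAProxy evaluates redirect rules first and warns if use_backend precedes them`, keeps the next reader from assuming the placement is load-bearing. The `frontend main` block continues outside the hunk.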
@@ -215,7 +216,25 @@ backend redirect
 {% for service, config in haproxy.services.items() %}
 backend {{ service }}
 {% if config.get("check") -%}
+ {% if grains["oscodename"] != "noble" -%}
 option httpchk {{ config.check }}
+ {%- else -%}
+ # Noble Config using the newer http-check syntax
+ # We need to split the check into parts to handle the extra things
+ # ...maybe there is a better way to do this?
+ {% set check_parts = config.check.split(' ', 2) -%}
+ {% set method = check_parts[0] -%}
+ {% set path = check_parts[1] -%}
+ {% if check_parts|length > 2 -%}
+ {% set extra = check_parts[2].split('\r\n') -%}
+ {% set version = extra[0] -%}
+ {% set headers = extra[1:] -%}
+ {% endif -%}
+ http-check send meth {{ method }} uri {{ path }} ver {{ version }}
+ {%- for header in headers %}
+ http-check send hdr {{ header.replace(':\\ ', ': ') }}
+ {%- endfor %}
+ {%- endif %}
 {%- endif %}
 # http://gnuterrypratchett.com/
@@ -249,7 +268,7 @@ listen {{ name }}
 {% endfor %}
 {{ "{{" }}range service "{{ config.service }}@{{ pillar.dc }}"}}
- {% raw %}server {{.Node}} {{.Address}}:{{.Port}} check{{end}}{% endraw %}{% if config.get("send_proxy", False) %} send-proxy{% endif %}
+ {% raw %}server {{.Node}} {{.Address}}:{{.Port}} check{% endraw %}{% if config.get("send_proxy", False) %} send-proxy{% endif %}{{ "{{end}}" }}
 {% endfor %}
diff --git a/salt/haproxy/init.sls b/salt/haproxy/init.sls
index 74a0942b..9d42bfd7 100644
--- a/salt/haproxy/init.sls
+++ b/salt/haproxy/init.sls
@@ -29,6 +29,7 @@ haproxy:
 - pkg: haproxy
 - cmd: consul-template
 - service: rsyslog
+ - file: /etc/haproxy/fastly_token
 - watch:
 - file: /etc/ssl/private/*.pem
 - file: /etc/haproxy/fastly_token
@@ -39,7 +40,7 @@ haproxy:
 file.managed:
 - contents_pillar: fastly:token
 - user: root
- - group: root
+ - group: ssl-cert
 - mode: "0640"
 - show_diff: False
 - require: 
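Review bot: The two escape forms in the noble branch look inconsistent: Jinja decodes the literal in `split('\r\n')` to a real CR LF, whereas `replace(':\\ ', ': ')` matches a literal backslash-space, so if the pillar `check` values carry the literal `\r\n` that `option httpchk` expects (which the backslash-space handling suggests), the split never fires and the whole tail lands in `ver {{ version }}` — confirm against the pillar and use `split('\\r\\n')` if so. When `check` has no third part, `version` and `headers` are never assigned yet are still rendered; initialise `{% set headers = [] -%}` before `{% if check_parts|length > 2 -%}` and guard the version with `{% if version is defined %} ver {{ version }}{% endif %}`, since Salt renders templates with strict undefined handling and would fail the whole render. Also `http-check send hdr` takes `<name> <value>`, so a header rendered as `Name: value` leaves the colon on the header name; replacing `':\\ '` with a plain space is what the directive expects. The `{% for service, config ... %}` loop and the `backend {{ service }}` block continue past the hunk.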
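Review bot: `- group: ssl-cert` with mode `0640` makes the Fastly token readable by every member of `ssl-cert`, not only the process that needs it, and the hunk does not say which reader motivates the change (presumably haproxy's service user, which the TLS keys under `/etc/ssl/private` already put in that group). A comment on that line such as `# readable by the haproxy user via ssl-cert, same group as the TLS keys in /etc/ssl/private` makes the widening deliberate and reviewable; a dedicated group is the alternative if other ssl-cert members should not see the token. The `require:` list of this state continues past the hunk.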
@@ -65,6 +66,11 @@ haproxy:
 - mode: "0644"
 - require:
 - pkg: consul-pkgs
+ - file: /etc/haproxy/our_domains
+ - file: /etc/haproxy/fastly_token
+ {% for name in salt["pillar.get"]("tls:certs", {}) %}
+ - file: /etc/ssl/private/{{ name }}.pem
+ {% endfor %}
 /etc/consul-template.d/haproxy.json:
@@ -74,12 +80,13 @@ haproxy:
 - context:
 source: /usr/share/consul-template/templates/haproxy.cfg
 destination: /etc/haproxy/haproxy.cfg
- command: service haproxy reload
+ command: systemctl reload-or-restart haproxy
 - user: root
 - group: root
 - mode: "0640"
 - require:
 - pkg: consul-pkgs
+ - pkg: haproxy
 /usr/local/bin/haproxy-ocsp:
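Review bot: `systemctl reload-or-restart haproxy` also starts the unit when it is inactive, so a consul-template render on a host where haproxy was deliberately stopped brings it back up, which the previous `service haproxy reload` would not do. If the intent is only to reload a running instance, `command: systemctl try-reload-or-restart haproxy` keeps that behaviour; if the restart-when-stopped effect is wanted, a short comment on the `command:` line saying so is worth adding. The `/etc/consul-template.d/haproxy.json` state's header is in the preceding hunk.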