From 854b8395ab8b0c6c26c15738d592e05f1e2d7bb8 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Tue, 30 Jul 2024 09:42:28 -0500
Subject: [PATCH 1/4] feat(loadbalancer): working on noble
---
 salt/haproxy/config/haproxy.cfg.jinja | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
index 34e087b5..c76dfdec 100644
--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
@@ -122,7 +122,6 @@ frontend main
 capture request header X-Forwarded-For len 64
 acl letsencrypt-well-known-acl path_beg /.well-known/acme-challenge/
- use_backend letsencrypt-well-known if letsencrypt-well-known-acl
 # Determine if this request has TLS on the client side or not.
 acl is_tls dst_port 19001
@@ -142,6 +141,8 @@ frontend main
 # Redirect all HTTP traffic to HTTPS
 redirect code 301 scheme https if !is_tls !letsencrypt-well-known-acl
+ use_backend letsencrypt-well-known if letsencrypt-well-known-acl
+
 # Dispatch to the redirect backend for any redirects we have, we're going
 # to do this here after the HTTP -> HTTPS redirect even though this will
 # result in an extra redirect because we want to give this domain a chance
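Review bot: Moving `use_backend letsencrypt-well-known if letsencrypt-well-known-acl` from above the `is_tls` ACL (removed in the -122 hunk) to below the `redirect code 301 scheme https if !is_tls !letsencrypt-well-known-acl` line (re-added here) most likely changes nothing at runtime: as far as I recall HAProxy evaluates all `redirect` rules before any `use_backend` rule regardless of their order in the frontend, so the ACME backend is selected identically either way — worth confirming against the HAProxy build shipped on noble. Plain-HTTP ACME challenges already escape the redirect through the `!letsencrypt-well-known-acl` exclusion, so if that was the motivation, a comment such as `# HTTP-01 challenges must stay on plain HTTP: the redirect above skips them, dispatch them here` would make the relocation self-explanatory. The `frontend main` section begins and ends outside both hunks.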
@@ -215,7 +216,25 @@ backend redirect
 {% for service, config in haproxy.services.items() %}
 backend {{ service }}
 {% if config.get("check") -%}
+ {% if grains["oscodename"] != "noble" -%}
 option httpchk {{ config.check }}
+ {%- else -%}
+ # Noble Config using the newer http-check syntax
+ # We need to split the check into parts to handle the extra things
+ # ...maybe there is a better way to do this?
+ {% set check_parts = config.check.split(' ', 2) -%}
+ {% set method = check_parts[0] -%}
+ {% set path = check_parts[1] -%}
+ {% if check_parts|length > 2 -%}
+ {% set extra = check_parts[2].split('\r\n') -%}
+ {% set version = extra[0] -%}
+ {% set headers = extra[1:] -%}
+ {% endif -%}
+ http-check send meth {{ method }} uri {{ path }} ver {{ version }}
+ {%- for header in headers %}
+ http-check send hdr {{ header.replace(':\\ ', ': ') }}
+ {%- endfor %}
+ {%- endif %}
 {%- endif %}
 # http://gnuterrypratchett.com/
From 5ea9534d5f85e9739559f9b60f4704f4519105a4 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Mon, 12 Aug 2024 13:12:22 -0500
Subject: [PATCH 2/4] chore(loadbalancer): rebase against main
---
 Vagrantfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Vagrantfile b/Vagrantfile
index 9f65881d..55cf6ee6 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -11,7 +11,7 @@ SERVERS = [
 "docs",
 "downloads",
 {:name => "hg", :codename => "noble"},
- {:name => "loadbalancer", :ports => [20000, 20001, 20002, 20003, 20004, 20005, 20010, 20011]},
+ {:name => "loadbalancer", :codename => "noble", :ports => [20000, 20001, 20002, 20003, 20004, 20005, 20010, 20011]},
 "mail",
 "moin",
 "planet",
From 98ccf0686c51865810763ddde74c495434b85677 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Mon, 12 Aug 2024 16:25:36 -0500
Subject: [PATCH 3/4] fix(loadbalancer): fix order for vagrant up, permissions to view token file
---
 salt/haproxy/init.sls | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
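Review bot: In the noble branch, `version` and `headers` are assigned only inside `{% if check_parts|length > 2 -%}`, so a pillar check with no version part (a constructed example: `GET /_health/`) renders `http-check send meth GET uri /_health/ ver ` with an empty `ver` argument, which HAProxy rejects at config parse as far as I can tell; set defaults before that `if`, e.g. `{% set version = "HTTP/1.1" -%}` and `{% set headers = [] -%}`. The header line also looks off: `http-check send ... hdr` takes the header name and its value as two separate words, so `{{ header.replace(':\\ ', ': ') }}` emits a name ending in a colon, whereas `{{ header.replace(':\\ ', ' ') }}` would yield `hdr <name> <value>`. The split delimiter is inconsistent with that same replacement: Jinja decodes `'\r\n'` to a real CR LF, while `':\\ '` matches the literal backslash escapes that an `option httpchk` string carries, so if the pillar values hold the literal `\r\n` (as the legacy branch implies) the split never matches and every header ends up inside `version`; `split('\\r\\n')` targets the literal form — verify against a real pillar value. The enclosing `{% for service, config in haproxy.services.items() %}` loop continues past the hunk.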
diff --git a/salt/haproxy/init.sls b/salt/haproxy/init.sls
index 74a0942b..1707a8a0 100644
--- a/salt/haproxy/init.sls
+++ b/salt/haproxy/init.sls
@@ -29,6 +29,7 @@ haproxy:
 - pkg: haproxy
 - cmd: consul-template
 - service: rsyslog
+ - file: /etc/haproxy/fastly_token
 - watch:
 - file: /etc/ssl/private/*.pem
 - file: /etc/haproxy/fastly_token
@@ -39,7 +40,7 @@ haproxy:
 file.managed:
 - contents_pillar: fastly:token
 - user: root
- - group: root
+ - group: ssl-cert
 - mode: "0640"
 - show_diff: False
 - require:
@@ -65,6 +66,8 @@ haproxy:
 - mode: "0644"
 - require:
 - pkg: consul-pkgs
+ - file: /etc/haproxy/our_domains
+ - file: /etc/haproxy/fastly_token
 /etc/consul-template.d/haproxy.json:
@@ -80,6 +83,7 @@ haproxy:
 - mode: "0640"
 - require:
 - pkg: consul-pkgs
+ - pkg: haproxy
 /usr/local/bin/haproxy-ocsp:
From d50808da7b61f4299e79b98ba4634480eeae65d7 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Tue, 13 Aug 2024 11:06:22 -0500
Subject: [PATCH 4/4] fix(loadbalancer): fix order for states, server proxy protocol issue
---
 salt/haproxy/config/haproxy.cfg.jinja | 2 +-
 salt/haproxy/init.sls | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
index c76dfdec..1c44478d 100644
--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
@@ -268,7 +268,7 @@ listen {{ name }}
 {% endfor %}
 {{ "{{" }}range service "{{ config.service }}@{{ pillar.dc }}"}}
- {% raw %}server {{.Node}} {{.Address}}:{{.Port}} check{{end}}{% endraw %}{% if config.get("send_proxy", False) %} send-proxy{% endif %}
+ {% raw %}server {{.Node}} {{.Address}}:{{.Port}} check{% endraw %}{% if config.get("send_proxy", False) %} send-proxy{% endif %}{{ "{{end}}" }}
 {% endfor %}
diff --git a/salt/haproxy/init.sls b/salt/haproxy/init.sls
index 1707a8a0..9d42bfd7 100644
--- a/salt/haproxy/init.sls
+++ b/salt/haproxy/init.sls
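Review bot: Changing the group of `/etc/haproxy/fastly_token` from `root` to `ssl-cert` with mode `0640` (the -39 hunk) makes the Fastly token readable by every account in `ssl-cert`, which on Debian/Ubuntu is the shared group for anything granted access to `/etc/ssl/private`, not just the haproxy process; if haproxy is the only intended reader, the package's own `haproxy` group, or a POSIX ACL granting that user alone, keeps the secret scoped to one service. The state should also require whatever creates the `ssl-cert` group on a fresh noble host (on Ubuntu the `ssl-cert` package), otherwise `file.managed` can fail before the group exists — its `require:` list starts at the hunk's last line and its entries are not visible here. A short comment such as `# haproxy reads the token through its ssl-cert group membership; do not widen further` would record why the group was widened, and note that the `haproxy` service state in the -29 hunk watches this file, so the group change itself triggers a reload on first apply.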
@@ -68,6 +68,9 @@ haproxy:
 - pkg: consul-pkgs
 - file: /etc/haproxy/our_domains
 - file: /etc/haproxy/fastly_token
+ {% for name in salt["pillar.get"]("tls:certs", {}) %}
+ - file: /etc/ssl/private/{{ name }}.pem
+ {% endfor %}
 /etc/consul-template.d/haproxy.json:
@@ -77,7 +80,7 @@ haproxy:
 - context:
 source: /usr/share/consul-template/templates/haproxy.cfg
 destination: /etc/haproxy/haproxy.cfg
- command: service haproxy reload
+ command: systemctl reload-or-restart haproxy
 - user: root
 - group: root
 - mode: "0640"
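Review bot: The new `{% for name in salt["pillar.get"]("tls:certs", {}) %}` loop expresses the certificate dependency differently from the `haproxy` service state earlier in this file, whose `watch:` list (visible in the -29 hunk of patch 3) uses the glob `- file: /etc/ssl/private/*.pem`; Salt accepts the same glob in `require:`, so `- file: /etc/ssl/private/*.pem` would keep the two lists consistent without a Jinja loop, unless the explicit form was needed because the glob proved unreliable here. Either way a one-line comment, e.g. `# every managed cert must exist before consul-template renders haproxy.cfg`, would make the ordering intent explicit for the next reader. The `require:` list, and the state it belongs to, start above the hunk.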
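Review bot: `command: systemctl reload-or-restart haproxy` silently degrades to a stop/start when the unit offers no reload action, and on a load balancer a restart drops every in-flight connection; the packaged haproxy unit does ship an `ExecReload`, so this is normally a graceful reload, but `command: systemctl reload haproxy` would make the unexpected case fail loudly rather than restart the proxy under traffic. The config that consul-template renders is handed straight to the service, so it is worth confirming that the unit's reload path validates `/etc/haproxy/haproxy.cfg` before signalling the running process (the Debian unit does, to my recollection); if it does not, `command: haproxy -c -q -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy` keeps a bad render from taking the balancer down. A comment on why `service haproxy reload` was replaced would also help, since the `service` wrapper still exists on noble; the `file.managed` state this belongs to starts above the hunk.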