diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
index d0048797..c42c9752 100644
--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
@@ -83,7 +83,14 @@ defaults
     errorfile 504 /etc/haproxy/errors/504.http
-listen tls:
+frontend main
+    # HTTP Binds
+    bind :20000
+    bind :20001 accept-proxy
+    bind 0.0.0.0:80
+    bind :::80
+
+    # HTTPS Binds
     # Advertise http/1.1 over NPN to enable TLS False Start
     bind :20003 ssl alpn h2,http/1.1 crt star.python.org.pem
     bind :20005 ssl alpn h2,http/1.1 crt star.pypa.io.pem
@@ -95,27 +102,6 @@ listen tls:
     bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
     bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
-    mode http
-
-    option httplog
-
-    # Capture the user agent in the log
-    capture request header User-Agent len 512
-    # Capture X-Forwarded-For in the log
-    capture request header X-Forwarded-For len 64
-
-    http-request set-header X-Client-IP %[src]
-
-    server default 127.0.0.1:19001
-
-
-frontend main
-    bind :20000
-    bind :20001 accept-proxy
-    bind 0.0.0.0:80
-    bind :::80
-    bind 127.0.0.1:19001 # This is our TLS socket.
-
     # Define a stick table for all services
     stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
     # Track all requests using a single counter
@@ -147,7 +133,7 @@ frontend main
     use_backend letsencrypt-well-known if letsencrypt-well-known-acl
     # Determine if this request has TLS on the client side or not.
-    acl is_tls dst_port 19001
+    acl is_tls ssl_fc
     acl our_domains hdr(host) -i -f /etc/haproxy/our_domains
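Review bot: The `bind :20001 accept-proxy` and `bind :20011 accept-proxy ssl ...` lines make HAProxy take `src` from the PROXY-protocol header sent by whatever peer reaches those ports, and nothing in the hunk limits which peers may connect; the stick-table tracking that follows in the next hunk presumably keys on `src`, so an unrestricted peer could supply arbitrary source addresses to it. If those ports are meant only for an upstream load balancer, that restriction belongs in the host firewall or cloud security group and should be stated next to the binds, e.g. `# accept-proxy: src is taken from the PROXY header, so only the upstream LB may reach these ports`. The `frontend main` section opened here continues past the end of the hunk.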
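Review bot: The `http-request set-header X-Client-IP %[src]` line and the two `capture request header` lines leave the config with the deleted `listen tls:` section, and no replacement is visible in the parts of `frontend main` shown here; the rest of that frontend is outside the hunk, so it may already carry equivalents. If it does not, any backend that reads `X-Client-IP` now receives whatever value the client sent instead of one HAProxy overwrote, and User-Agent / X-Forwarded-For disappear from the request log. Adding `http-request set-header X-Client-IP %[src]` and the two capture lines to `frontend main` restores the previous behaviour; `mode http` and `option httplog` may already be inherited from `defaults`, which is also outside the hunk.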
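Review bot: A plaintext request on the `accept-proxy` bind :20001 is classified as non-TLS by the new `acl is_tls ssl_fc` even if a hop in front of HAProxy terminated TLS, because ssl_fc only reports TLS that this HAProxy instance terminated itself; whether such a hop exists is not shown here, but if one does, the redirect logic keyed on is_tls (outside the hunk) would misclassify those requests. The comment above the ACL still describes the intent only generically; it would help to state what the ACL measures: `# TLS counts as "on" only when this HAProxy terminated it (ssl_fc); plaintext accept-proxy binds are treated as non-TLS.` The rest of frontend main, including where is_tls is consumed, is outside the hunk.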
diff --git a/salt/haproxy/config/nginx-http2.conf.jinja b/salt/haproxy/config/nginx-http2.conf.jinja
deleted file mode 100644
index eaa25f4c..00000000
--- a/salt/haproxy/config/nginx-http2.conf.jinja
+++ /dev/null
@@ -1,23 +0,0 @@
-upstream backend {
-    server 127.0.0.1:19001 max_fails=3 fail_timeout=15s;
-}
-
-server {
-    listen 127.0.0.1:19000 http2;
-
-    port_in_redirect off;
-    server_name_in_redirect off;
-
-    proxy_buffering off;
-
-    # nginx default is 1m which is too small for us.
-    client_max_body_size 20m;
-
-    location / {
-        proxy_pass http://backend;
-        proxy_http_version 1.1;
-        proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie X-Accel-Redirect X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset;
-        proxy_pass_header Server;
-        proxy_set_header Host $host;
-    }
-}
diff --git a/salt/haproxy/init.sls b/salt/haproxy/init.sls
index 0c5103a3..87062355 100644
--- a/salt/haproxy/init.sls
+++ b/salt/haproxy/init.sls
@@ -117,17 +117,6 @@ haproxy-ocsp:
 {% endif %}
-/etc/nginx/sites.d/http2.conf:
-  file.managed:
-    - source: salt://haproxy/config/nginx-http2.conf.jinja
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: "0644"
-    - require:
-      - file: /etc/nginx/sites.d/
-
-
 /etc/nginx/sites.d/redirect.conf:
   file.managed:
     - source: salt://haproxy/config/nginx-redirect.conf.jinja