remove separate tls listen for haproxy #543

Merged
merged 2 commits into from
Dec 18, 2024
32 changes: 9 additions & 23 deletions salt/haproxy/config/haproxy.cfg.jinja
Expand Up @@ -83,7 +83,14 @@ defaults
errorfile 504 /etc/haproxy/errors/504.http


listen tls:
frontend main
# HTTP Binds
bind :20000
bind :20001 accept-proxy
bind 0.0.0.0:80
bind :::80

# HTTPS Binds
# Advertise http/1.1 over NPN to enable TLS False Start
bind :20003 ssl alpn h2,http/1.1 crt star.python.org.pem
bind :20005 ssl alpn h2,http/1.1 crt star.pypa.io.pem
Expand All @@ -95,27 +102,6 @@ listen tls:
bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem

mode http

option httplog

# Capture the user agent in the log
capture request header User-Agent len 512
# Capture X-Forwarded-For in the log
capture request header X-Forwarded-For len 64

http-request set-header X-Client-IP %[src]

server default 127.0.0.1:19001


frontend main
bind :20000
bind :20001 accept-proxy
bind 0.0.0.0:80
bind :::80
bind 127.0.0.1:19001 # This is our TLS socket.

# Define a stick table for all services
stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
# Track all requests using a single counter
Expand Down Expand Up @@ -147,7 +133,7 @@ frontend main
use_backend letsencrypt-well-known if letsencrypt-well-known-acl

# Determine if this request has TLS on the client side or not.
acl is_tls dst_port 19001
acl is_tls ssl_fc

acl our_domains hdr(host) -i -f /etc/haproxy/our_domains

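Review bot: The removed `listen tls:` block was the only place in this diff that set `http-request set-header X-Client-IP %[src]` and captured User-Agent / X-Forwarded-For for the log, and the merged `frontend main` in the first hunk does not add any of them. Unless frontend main already does this further down (its body continues outside the hunk), anything downstream that reads X-Client-IP now receives whatever the client sent, whereas the old listener overwrote it before handing the connection to the frontend. Adding `http-request set-header X-Client-IP %[src]` together with the two `capture request header` lines to frontend main would preserve the previous behavior. The change to `acl is_tls ssl_fc` in the third hunk is the right replacement for the loopback-port heuristic now that TLS terminates in the same frontend, and it also means the src-keyed stick-table sees the real client address for TLS connections instead of 127.0.0.1.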
23 changes: 0 additions & 23 deletions salt/haproxy/config/nginx-http2.conf.jinja

This file was deleted.

11 changes: 0 additions & 11 deletions salt/haproxy/init.sls
Expand Up @@ -117,17 +117,6 @@ haproxy-ocsp:
{% endif %}


/etc/nginx/sites.d/http2.conf:
file.managed:
- source: salt://haproxy/config/nginx-http2.conf.jinja
- template: jinja
- user: root
- group: root
- mode: "0644"
- require:
- file: /etc/nginx/sites.d/


/etc/nginx/sites.d/redirect.conf:
file.managed:
- source: salt://haproxy/config/nginx-redirect.conf.jinja