OpenStack-Ansible HAProxy server¶
- Configuring HAProxy (optional)
- Making HAProxy highly-available
- Configuring keepalived ping checks
- Securing HAProxy communication with SSL certificates
- Using Certificates from LetsEncrypt
- Using Certificates from LetsEncrypt (legacy method)
- Configuring additional services
- Adding additional global VIP addresses
- Overriding the address haproxy will bind to
- Adding Access Control Lists to HAProxy front end
This Ansible role installs and configures the HAProxy load balancer, including optional TLS termination, the stats page, and Let's Encrypt certificate handling.
To clone or view the source code for this repository, visit the role repository for haproxy_server.
Default variables¶
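# Validate the TLS certificate of the server hatop is downloaded from.
# Only set this to false when an intercepting proxy re-signs TLS and its CA
# cannot be installed on the host: with validation off the download is open
# to on-path tampering, and only the sha256 in haproxy_hatop_download_checksum
# still protects the archive.
haproxy_hatop_download_validate_certs: true
# Install state for the distribution packages this role manages.
# Options are 'present' and 'latest'. 'latest' upgrades haproxy on every run;
# use 'present' when deployments must be reproducible and upgrades explicit.
haproxy_package_state: "latest"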
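## HAProxy health-check defaults
# Per HAProxy rise/fall/inter semantics: a backend is marked up after
# haproxy_rise consecutive successful checks and down after haproxy_fall
# failures; the interval is in milliseconds (12000 = 12s), so a dead backend
# takes roughly 36s to be taken out of rotation with these values.
haproxy_rise: 3
haproxy_fall: 3
haproxy_interval: 12000
## HAProxy stats page
# Disabled and bound to loopback by default, so the placeholder credentials
# below are not reachable from the network unless both settings are changed.
haproxy_stats_enabled: false
haproxy_stats_bind_address: 127.0.0.1
haproxy_stats_port: 1936
# SECURITY: override both values (ideally from Ansible Vault) before enabling
# the stats page or binding it to anything other than loopback; the shipped
# password is a well-known placeholder.
haproxy_username: admin
haproxy_stats_password: secrete
haproxy_stats_refresh_interval: 60
# Backup nodes default to an empty list so every service entry does not
# have to define them.
haproxy_backup_nodes: []
# Services to expose through haproxy; each entry is a 'service' mapping.
haproxy_service_configs: []
# Example:
#
# haproxy_service_configs:
#   - service:
#       haproxy_service_name: haproxy_all
#       haproxy_backend_nodes: "{{ groups['haproxy_all'][0] }}"
#       # haproxy_backup_nodes: "{{ groups['haproxy_all'][1:] }}"
#       haproxy_port: 80
#       haproxy_balance_type: http
#       haproxy_backend_options:
#         - "forwardfor"
#         - "httpchk"
#         - "httplog"
#       haproxy_backend_server_options:
#         - "inter 3000"  # a contrived example; many server options exist
#       # 'rule' values are HAProxy ACL syntax (e.g. src, path_beg)
#       haproxy_acls:
#         white_list:
#           rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
#           backend_name: "mybackend"
#       haproxy_frontend_acls:
#         letsencrypt-acl:
#           rule: "path_beg /.well-known/acme-challenge/"
#           backend_name: letsencrypt
# Database user for the Galera health check (presumably read by the role's
# check template; confirm there).
galera_monitoring_user: monitoring
# Allow haproxy to bind to addresses not currently present on the host.
# NOTE(review): presumably needed when a VIP floats between nodes — confirm
# against the role's sysctl handling.
haproxy_bind_on_non_local: false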
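## HAProxy TLS
# Terminate TLS on the external VIP; haproxy_ssl_all_vips presumably extends
# this to every VIP (confirm in the role templates).
haproxy_ssl: true
haproxy_ssl_all_vips: false
# Size in bits of the generated DH parameters used by the DH+ entries in the
# cipher list below; 2048 is the accepted minimum today.
haproxy_ssl_dh_param: 2048
# Regenerate the self-signed certificate instead of reusing an existing one.
haproxy_ssl_self_signed_regen: false
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
# Subject of the self-signed certificate; both the CN and the SAN are set to
# the external VIP address so clients validating by IP get a matching name.
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Cipher list. The trailing RSA+AESGCM:RSA+AES entries are static-RSA key
# exchange with no forward secrecy; set ssl_cipher_suite without them if
# forward secrecy is required for every connection.
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# force-tlsv12 restricts the bind to TLS 1.2 only (1.0/1.1 refused and, on
# HAProxy builds that have it, 1.3 not offered); use ssl-min-ver/ssl-max-ver
# instead where the HAProxy version supports them and TLS 1.3 is wanted.
haproxy_ssl_bind_options: "force-tlsv12"
# Enable Let's Encrypt certificate issuance.
haproxy_ssl_letsencrypt_enable: false
# Certbot install method: 'distro' installs it from the package manager,
# 'certbot-auto' downloads the script from haproxy_ssl_letsencrypt_download_url.
# Unlike the hatop download, no checksum variable is defined for that script
# and certbot-auto is the legacy method, so prefer 'distro' where available.
haproxy_ssl_letsencrypt_install_method: "certbot-auto"
haproxy_ssl_letsencrypt_certbot_auto_binary: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
# Port the certbot backend listens on for the ACME challenge traffic routed
# by the letsencrypt frontend ACL.
haproxy_ssl_letsencrypt_certbot_backend_port: 8888
haproxy_ssl_letsencrypt_pre_hook_timeout: 5
haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
# Replace with a monitored mailbox; this is the account contact address
# registered with Let's Encrypt.
haproxy_ssl_letsencrypt_email: "example@example.com"
haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
haproxy_ssl_letsencrypt_setup_extra_params: ""
# Renewal cron schedule: weekly at 00:00 on Sunday (weekday 0).
haproxy_ssl_letsencrypt_cron_minute: "0"
haproxy_ssl_letsencrypt_cron_hour: "0"
haproxy_ssl_letsencrypt_cron_weekday: "0"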
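# hatop archive URL and its sha256. The checksum pins the exact release so a
# replaced or altered tarball should fail the download instead of being
# installed. NOTE(review): GitHub-generated archives have changed bytes in
# the past; a checksum mismatch may mean re-pinning rather than tampering.
haproxy_hatop_download_url: "https://github.com/jhunt/hatop/archive/v0.8.0.tar.gz"
haproxy_hatop_download_checksum: "sha256:bcdab1664358ec83027957df11bbeb322df1a96d414a3ccc4e211532b82c4ad2"
# Install the hatop console.
haproxy_hatop_install: true
# Directory the archive is downloaded to before installation.
haproxy_hatop_download_path: "/opt/cache/files"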
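## HAProxy defaults section
# Number of retries after a failed connection attempt to a server.
haproxy_retries: "3"
# Maximum client-side inactivity time.
haproxy_client_timeout: "50s"
# Maximum time to wait for a connection attempt to a server to succeed.
haproxy_connect_timeout: "10s"
# Maximum time allowed to receive a complete HTTP request. Keep this short:
# it bounds how long a slow or idle client can hold a connection before the
# request is complete (slowloris-style connection exhaustion).
haproxy_http_request_timeout: "5s"
# Maximum server-side inactivity time.
haproxy_server_timeout: "50s"
# HTTP keep-alive mode. Persistent connections are disabled by default
# because they can race a server-side close against a newly sent request.
# NOTE(review): 'forceclose' was superseded by 'httpclose' in newer HAProxy
# releases — confirm the template maps it for the HAProxy version in use.
haproxy_keepalive_mode: 'forceclose'
## HAProxy tuning
# Global maximum number of concurrent connections.
haproxy_maxconn: 4096
# Only set these when necessary; the template carries the defaults.
#haproxy_tuning_params:
#  nbproc: 1
#  bufsize: 384000
#  chksize: 16384
#  comp_maxlevel: 1
#  http_maxhdr: 101
#  maxaccept: 64
#  ssl_cachesize: 20000
#  ssl_lifetime: 300
# Extra VIPs added to all services (plain and TLS respectively).
extra_lb_vip_addresses: []
extra_lb_tls_vip_addresses: []
# Address haproxy binds to for the external VIP (defaults to the VIP itself).
haproxy_bind_external_lb_vip_address: "{{ external_lb_vip_address }}"
# Address haproxy binds to for the internal VIP (defaults to the VIP itself).
haproxy_bind_internal_lb_vip_address: "{{ internal_lb_vip_address }}"
# Expose the host log socket inside haproxy's chroot so logging keeps working.
haproxy_log_socket: "/dev/log"
haproxy_log_mount_point: "/var/lib/haproxy/dev/log"
# Ansible group across which the self-signed certificate is distributed.
haproxy_ansible_group_name: haproxy_all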
Required variables¶
None are declared by the role itself, but the defaults reference `external_lb_vip_address` and `internal_lb_vip_address` (for the self-signed certificate subject and the VIP bind addresses) and `ansible_host`, so the two VIP variables must be provided by the inventory or playbook.
Dependencies¶
None.
Example playbook¶
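---
# Example play: install haproxy on the 'haproxy' group and expose one
# service. Indentation is significant; the original rendering had lost it.
- name: Install haproxy
  hosts: haproxy
  # 'remote_user' is the current spelling of the older 'user' keyword.
  remote_user: root
  roles:
    - role: "haproxy_server"
      tags:
        - "haproxy-server"
  vars:
    haproxy_service_configs:
      - service:
          haproxy_service_name: group_name
          # First host of the group is the active backend, the rest are backups.
          haproxy_backend_nodes: "{{ groups['group_name'][0] }}"
          haproxy_backup_nodes: "{{ groups['group_name'][1:] }}"
          haproxy_port: 80
          haproxy_balance_type: http
          haproxy_backend_options:
            - "forwardfor"
            - "httpchk"
            - "httplog"
          haproxy_backend_arguments:
            - 'http-check expect string OK'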