OpenStack-Ansible HAProxy server¶
- Configuring HAProxy (optional)
- Making HAProxy highly-available
- Configuring keepalived ping checks
- Securing HAProxy communication with SSL certificates
- Using Certificates from LetsEncrypt
- Using Certificates from LetsEncrypt (legacy method)
- Configuring additional services
- Adding additional global VIP addresses
- Overriding the address haproxy will bind to
- Adding Access Control Lists to HAProxy front end
- Adding prometheus metrics to haproxy
This Ansible role installs the HAProxy Load Balancer service.
To clone or view the source code for this repository, visit the role repository for haproxy_server.
Default variables¶
# Validate Certificates when downloading hatop. May be set to "no" when proxy server
# is intercepting the certificates.
haproxy_hatop_download_validate_certs: yes
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
haproxy_package_state: "latest"
## Haproxy Configuration
haproxy_rise: 3
haproxy_fall: 3
haproxy_interval: 12000
## Haproxy Stats
haproxy_stats_enabled: False
haproxy_stats_bind_address: 127.0.0.1
haproxy_stats_port: 1936
haproxy_username: admin
haproxy_stats_password: secrete
haproxy_stats_refresh_interval: 60
# Default haproxy backup nodes to empty list so this doesn't have to be
# defined for each service.
haproxy_backup_nodes: []
haproxy_service_configs: []
# Example:
# haproxy_service_configs:
# - service:
# haproxy_service_name: haproxy_all
# haproxy_backend_nodes: "{{ groups['haproxy_all'][0] }}"
# # haproxy_backup_nodes: "{{ groups['haproxy_all'][1:] }}"
# haproxy_port: 80
# haproxy_balance_type: http
# haproxy_backend_options:
# - "forwardfor"
# - "httpchk"
# - "httplog"
# haproxy_backend_server_options:
# - "inter 3000" # a contrived example, there are many server config options possible
# haproxy_acls:
# white_list:
# rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
# backend_name: "mybackend"
# haproxy_frontend_acls:
# letsencrypt-acl:
# rule: "path_beg /.well-known/acme-challenge/"
# backend_name: letsencrypt
# - service:
# # https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
# haproxy_service_name: prometheus-metrics
# haproxy_port: 8404
# haproxy_bind:
# - '127.0.0.1'
# haproxy_whitelist_networks: "{{ haproxy_whitelist_networks }}"
# haproxy_frontend_only: True
# haproxy_balance_type: "http"
# haproxy_frontend_raw:
# - 'http-request use-service prometheus-exporter if { path /metrics }'
# haproxy_service_enabled: True
galera_monitoring_user: monitoring
haproxy_bind_on_non_local: False
## haproxy SSL
haproxy_ssl: true
haproxy_ssl_all_vips: false
haproxy_ssl_dh_param: 2048
haproxy_ssl_self_signed_regen: no
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
haproxy_ssl_bind_options: "force-tlsv12"
# activate letsencrypt option
haproxy_ssl_letsencrypt_enable: false
# choose the certbot install method, 'distro' for a package manager repo, or downloaded with the certbot-auto script 'certbot-auto'
haproxy_ssl_letsencrypt_install_method: "certbot-auto"
haproxy_ssl_letsencrypt_certbot_auto_binary: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
haproxy_ssl_letsencrypt_certbot_backend_port: 8888
haproxy_ssl_letsencrypt_pre_hook_timeout: 5
haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
haproxy_ssl_letsencrypt_certbot_challenge: "http-01"
haproxy_ssl_letsencrypt_email: "example@example.com"
haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
haproxy_ssl_letsencrypt_setup_extra_params: ""
haproxy_ssl_letsencrypt_cron_minute: "0"
haproxy_ssl_letsencrypt_cron_hour: "0"
haproxy_ssl_letsencrypt_cron_weekday: "0"
haproxy_ssl_letsencrypt_acl:
letsencrypt-acl:
rule: "path_beg /.well-known/acme-challenge/"
backend_name: letsencrypt
# hatop extra package URL and checksum
haproxy_hatop_download_url: "https://github.com/jhunt/hatop/archive/v0.8.0.tar.gz"
haproxy_hatop_download_checksum: "sha256:bcdab1664358ec83027957df11bbeb322df1a96d414a3ccc4e211532b82c4ad2"
# Install hatop
haproxy_hatop_install: true
# The location where the extra packages are downloaded to
haproxy_hatop_download_path: "/opt/cache/files"
## haproxy default
# Set the number of retries to perform on a server after a connection failure
haproxy_retries: "3"
# Set the maximum inactivity time on the client side
haproxy_client_timeout: "50s"
# Set the maximum time to wait for a connection attempt to a server to succeed
haproxy_connect_timeout: "10s"
# Set the maximum allowed time to wait for a complete HTTP request
haproxy_http_request_timeout: "5s"
# Set the maximum inactivity time on the server side
haproxy_server_timeout: "50s"
# Set the HTTP keepalive mode to use
# Disable persistent connections by default because they can cause issues when the server side closes the connection
# at the same time a request is sent.
haproxy_keepalive_mode: 'forceclose'
## haproxy tuning params
haproxy_maxconn: 4096
# Parameters below should only be specified if necessary, defaults are programmed in the template
#haproxy_tuning_params:
# nbproc: 1
# bufsize: 384000
# chksize: 16384
# comp_maxlevel: 1
# http_maxhdr: 101
# maxaccept: 64
# ssl_cachesize: 20000
# ssl_lifetime: 300
# Add extra VIPs to all services
extra_lb_vip_addresses: []
# Add extra TLS VIPs to all services
extra_lb_tls_vip_addresses: []
# Option to override which address haproxy binds to for external vip.
haproxy_bind_external_lb_vip_address: "{{ external_lb_vip_address }}"
# Option to override which address haproxy binds to for internal vip.
haproxy_bind_internal_lb_vip_address: "{{ internal_lb_vip_address }}"
# Make the log socket available to the chrooted filesystem
haproxy_log_socket: "/dev/log"
haproxy_log_mount_point: "/var/lib/haproxy/dev/log"
# Ansible group name which should be used for distrtibuting self signed SSL Certificates
haproxy_ansible_group_name: haproxy_all
Required variables¶
None.
Dependencies¶
None.
Example playbook¶
---
- name: Install haproxy
hosts: haproxy
user: root
roles:
- { role: "haproxy_server", tags: [ "haproxy-server" ] }
vars:
haproxy_service_configs:
- service:
haproxy_service_name: group_name
haproxy_backend_nodes: "{{ groups['group_name'][0] }}"
haproxy_backup_nodes: "{{ groups['group_name'][1:] }}"
haproxy_port: 80
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk"
- "httplog"
haproxy_backend_arguments:
- 'http-check expect string OK'