Reverse proxy Puppet frontend with HAProxy
# This file is managed by Puppet; local edits will be overwritten on the next run
# Process-wide settings. HAProxy runs as haproxy:haproxy inside a chroot of
# /var/lib/haproxy, so the runtime sockets below are placed under that directory.
global
chroot /var/lib/haproxy
daemon
group haproxy
# Syslog over UDP to a local collector; log-send-hostname prefixes each line
# with this host's name so lines from several proxies can be told apart.
log 127.0.0.1 local1 info
log-send-hostname
maxconn 4096
# Admin-level runtime API (can disable servers, change weights, etc.):
# owner/group only, i.e. root and the haproxy group.
stats socket /var/lib/haproxy/admin.sock mode 660 level admin
# World-writable socket for monitoring tools; "level user" limits it to
# non-sensitive read-only commands, which is what makes mode 666 acceptable.
stats socket /var/lib/haproxy/user.sock mode 666 level user
stats timeout 30s
# DH parameter size used by the EDH cipher suites offered on ft_puppet.
tune.ssl.default-dh-param 2048
user haproxy
# Settings inherited by every frontend/backend/listen section below.
defaults
# Keep starting even when a backend hostname does not resolve at boot: reuse
# the last known address, then try libc, then start without an address.
default-server init-addr last,libc,none
log global
mode http
# On connection failure retry up to "retries" times and let the last attempt
# go to a different server than the one chosen by the balancing algorithm.
option redispatch
option abortonclose
option dontlognull
option httplog
option http-server-close
# Add an X-Forwarded-For header with the real client address (skipped for
# local connections). A client-supplied X-Forwarded-For is still forwarded
# alongside it, so backends must not treat that header as trustworthy input.
option forwardfor except 127.0.0.1
# Log once the server's response headers arrive instead of at the end of the
# transfer; the byte counter in the log is therefore incomplete for large bodies.
option logasap
retries 3
# Upper bound on the time a client may take to send complete request headers
# (limits slow-header style resource exhaustion).
timeout http-request 10s
timeout queue 1m
timeout connect 5s
timeout client 1m
timeout server 1m
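# Agent-facing listener on the standard Puppet port. TLS is terminated here
# with the proxy's own certificate; agent certificates are requested but not
# required ("verify optional") because agents that have not been signed yet
# must still reach the CA endpoints. Presented certificates are validated
# against the Puppet CA and its CRL.
# NOTE(review): crl-file is read when HAProxy starts or reloads, so a
# certificate revoked by the CA stays accepted here until the next reload --
# reload HAProxy whenever crl.pem changes.
frontend ft_puppet
bind 0.0.0.0:8140 ssl crt /etc/ssl/certs/puppet-frontend.example.com_bundle.crt.pem ca-file /etc/puppetlabs/puppet/ssl/certs/ca.pem crl-file /etc/puppetlabs/puppet/ssl/crl.pem verify optional no-sslv3 no-tls-tickets force-tlsv12 ciphers AES128+EECDH:AES128+EDH
mode http
acl is_ca_request path_beg /puppet-ca/v1/
capture request header X-Forwarded-For len 50
default_backend bk_puppet
# The backends identify the agent from these three headers, so a value supplied
# by the client must never reach them: drop them unconditionally first, then set
# them from the TLS session state. Every branch below assigns X-Client-Verify,
# so the header is proxy-controlled for every possible verify result.
http-request del-header X-Client-Verify
http-request del-header X-Client-DN
http-request del-header X-Client-Cert
# ssl_c_verify is 0 both for a validated certificate and when no certificate
# was presented at all, so ssl_c_used has to be part of the SUCCESS condition.
http-request set-header X-Client-Verify NONE unless { ssl_c_used }
http-request set-header X-Client-Verify SUCCESS if { ssl_c_used } { ssl_c_verify 0 }
# Generic failure first, then the two codes distinguished explicitly. With the
# bind options above a failed verification normally aborts the handshake (unless
# crt-ignore-err/ca-ignore-err is added later), so these are defence in depth.
http-request set-header X-Client-Verify FAILED if { ssl_c_used } ! { ssl_c_verify 0 }
http-request set-header X-Client-Verify FAILED:expired if { ssl_c_verify 10 }
http-request set-header X-Client-Verify FAILED:revoked if { ssl_c_verify 23 }
http-request set-header X-Client-DN %{+Q}[ssl_c_s_dn]
# PEM-wrapped DER with URL-encoded newlines (%%0A is a literal "%0A"), presumably
# the encoding the backend expects for its client-cert header; only set when a
# certificate was actually presented.
http-request set-header X-Client-Cert -----BEGIN\ CERTIFICATE-----%%0A%[ssl_c_der,base64]%%0A-----END\ CERTIFICATE----- if { ssl_c_used }
use_backend bk_puppet_ca if is_ca_request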
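# Compiler/agent API backend (every path except /puppet-ca/v1/). The servers are
# reached over plain HTTP on 18140 and trust X-Client-Verify/X-Client-Cert from
# this proxy, so that port must only be reachable from the proxy hosts.
backend bk_puppet
mode http
# Pin each agent to one compiler by source address.
balance source
# Require a presented AND validated agent certificate. ssl_c_verify on its own
# is also 0 when no certificate was sent, so without ssl_c_used this rule would
# let certificate-less clients through to the backend. Any endpoint that must be
# reachable without a certificate through this proxy has to be routed explicitly.
http-request deny unless { ssl_c_used } { ssl_c_verify 0 }
# Health probe against the status API; the explicit Host header is required
# because the probe is sent as HTTP/1.1.
option httpchk GET /puppet/v3/status/no_such_key?environment=production HTTP/1.1\r\nHost:\ localhost\r\nAccept:\ */*\r\nUser-Agent:\ HAProxy
server puppet01 puppet01.example.com:18140 check inter 30s rise 2 fall 2
server puppet02 puppet02.example.com:18140 check inter 30s rise 2 fall 2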
# CA backend for /puppet-ca/v1/ (CSR submission, certificate download, CRL).
# Deliberately no client-certificate deny here: a freshly installed agent has
# no certificate yet. Per-endpoint authorisation is left to the CA server,
# which sees X-Client-Verify/X-Client-DN as set in ft_puppet. As with
# bk_puppet the server speaks plain HTTP on 18140 and trusts those headers,
# so restrict that port to the proxy hosts.
backend bk_puppet_ca
mode http
# Same status probe as bk_puppet. NOTE(review): it exercises the non-CA API,
# so a failure limited to the CA endpoints presumably would not mark this
# server down.
option httpchk GET /puppet/v3/status/no_such_key?environment=production HTTP/1.1\r\nHost:\ localhost\r\nAccept:\ */*\r\nUser-Agent:\ HAProxy
server puppetca puppetca.example.com:18140 check inter 30s rise 2 fall 2
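# Plain-HTTP statistics page protected only by basic auth. Because the
# credential travels in the clear and "stats admin" allows enabling/disabling
# servers, admin actions are limited to local connections; firewall port 8000
# or move the bind to 127.0.0.1 unless remote read-only access is required.
listen stats
bind 0.0.0.0:8000
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
# NOTE(review): "changeme" is a placeholder. Since this file is rendered by
# Puppet, the credential must come from a secret source (e.g. encrypted Hiera)
# rather than being committed here.
stats auth stats:changeme
# Admin controls only from the proxy host itself, never from the network.
acl stats_local src 127.0.0.0/8
stats admin if stats_local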