mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-20 12:07:34 +08:00
4d82d65a9b
The proxies in the new fedora-isolated vlan are in rdu3 and have rdu3 domain in their hostname, but they aren't strictly in the rdu3 datacenter for purposes of access. They do not have acls to directly talk to backend applications from that vlan. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
319 lines
11 KiB
INI
319 lines
11 KiB
INI
global
|
|
log 127.0.0.1:514 local0 warning
|
|
maxconn 5000
|
|
chroot /var/lib/haproxy
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
stats socket /var/run/haproxy-stat user haproxy group nrpe mode 0664
|
|
stats socket /var/run/haproxy-admin level admin user root group root mode 0660
|
|
#debug
|
|
#quiet
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
option httpclose
|
|
option redispatch
|
|
retries 3
|
|
timeout connect 5s
|
|
timeout client 500s
|
|
timeout server 500s
|
|
errorfile 503 /etc/haproxy/503.http
|
|
|
|
frontend stats-frontend
|
|
bind 0.0.0.0:8080
|
|
default_backend stats-backend
|
|
|
|
backend stats-backend
|
|
balance hdr(appserver)
|
|
stats enable
|
|
stats uri /
|
|
|
|
{% if env == "production" and datacenter == 'rdu3' %}
|
|
frontend ocp-masters-kapi
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:6443
|
|
default_backend ocp-masters-backend-kapi
|
|
|
|
backend ocp-masters-backend-kapi
|
|
mode tcp
|
|
server ocp01.ocp.rdu3.fedoraproject.org ocp01.ocp.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
server ocp02.ocp.rdu3.fedoraproject.org ocp02.ocp.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
server ocp03.ocp.rdu3.fedoraproject.org ocp03.ocp.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
# temp bootstrap node
|
|
# server bootstrap.ocp.rdu3.fedoraproject.org bootstrap.ocp.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
|
|
frontend ocp-masters-machineconfig
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:22623
|
|
default_backend ocp-masters-backend-machineconfig
|
|
|
|
backend ocp-masters-backend-machineconfig
|
|
mode tcp
|
|
server ocp01.ocp.rdu3.fedoraproject.org ocp01.ocp.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
server ocp02.ocp.rdu3.fedoraproject.org ocp02.ocp.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
server ocp03.ocp.rdu3.fedoraproject.org ocp03.ocp.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
# temp bootstrap node
|
|
# server bootstrap.ocp.rdu3.fedoraproject.org bootstrap.ocp.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
{% endif %}
|
|
|
|
{% if env != "production" and datacenter == 'rdu3' %}
|
|
frontend ocp-masters-kapi
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:6443
|
|
default_backend ocp-masters-backend-kapi
|
|
|
|
backend ocp-masters-backend-kapi
|
|
mode tcp
|
|
server ocp01.ocp.stg.rdu3.fedoraproject.org ocp01.ocp.stg.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
server ocp02.ocp.stg.rdu3.fedoraproject.org ocp02.ocp.stg.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
server ocp03.ocp.stg.rdu3.fedoraproject.org ocp03.ocp.stg.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
# temp bootstrap node
|
|
server bootstrap.ocp.stg.rdu3.fedoraproject.org bootstrap.ocp.stg.rdu3.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
|
|
|
frontend ocp-masters-machineconfig
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:22623
|
|
default_backend ocp-masters-backend-machineconfig
|
|
|
|
backend ocp-masters-backend-machineconfig
|
|
mode tcp
|
|
server ocp01.ocp.stg.rdu3.fedoraproject.org ocp01.ocp.stg.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
server ocp02.ocp.stg.rdu3.fedoraproject.org ocp02.ocp.stg.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
server ocp03.ocp.stg.rdu3.fedoraproject.org ocp03.ocp.stg.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
# temp bootstrap node
|
|
server bootstrap.ocp.stg.rdu3.fedoraproject.org bootstrap.ocp.stg.rdu3.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
|
{% endif %}
|
|
frontend fp-wiki-frontend
|
|
bind 0.0.0.0:10001
|
|
default_backend fp-wiki-backend
|
|
|
|
backend fp-wiki-backend
|
|
balance hdr(appserver)
|
|
server wiki01 wiki01:80 check inter 15s rise 2 fall 5
|
|
{% if env == "production" %}
|
|
server wiki02 wiki02:80 check inter 15s rise 2 fall 5
|
|
{% endif %}
|
|
option httpchk GET /wiki/Main_Page
|
|
|
|
frontend mirror-lists-frontend
|
|
bind 0.0.0.0:10002
|
|
default_backend mirror-lists-backend
|
|
|
|
backend mirror-lists-backend
|
|
balance hdr(appserver)
|
|
timeout connect 30s
|
|
server mirrorlist-local1 127.0.0.1:18081 check inter 1s rise 2 fall 3 weight 100
|
|
server mirrorlist-local2 127.0.0.1:18082 check inter 1s rise 2 fall 3 weight 100
|
|
option httpchk GET /metalink?repo=epel-9&arch=x86_64
|
|
option allbackups
|
|
|
|
frontend freemedia-frontend
|
|
bind 0.0.0.0:10011
|
|
default_backend freemedia-backend
|
|
|
|
backend freemedia-backend
|
|
balance hdr(appserver)
|
|
server sundries01 sundries01:80 check inter 60s rise 2 fall 3
|
|
{% if env == "production" %}
|
|
server sundries02 sundries01:80 check inter 60s rise 2 fall 3
|
|
{% endif %}
|
|
option httpchk GET /freemedia/FreeMedia-form.html
|
|
|
|
# IMPORTANT: 10023-10026 will NOT work because of selinux policies
|
|
|
|
frontend geoip-city-frontend
|
|
bind 0.0.0.0:10029
|
|
default_backend geoip-city-backend
|
|
|
|
backend geoip-city-backend
|
|
balance hdr(appserver)
|
|
server sundries01 sundries01:80 check inter 30s rise 2 fall 3
|
|
{% if env == "production" %}
|
|
server sundries02 sundries02:80 check inter 30s rise 2 fall 3
|
|
{% endif %}
|
|
option httpchk GET /city?ip=18.0.0.1 HTTP/1.1
|
|
http-check send hdr Host haproxy
|
|
|
|
# IMPORTANT: 10031 will NOT work because of selinux policies
|
|
|
|
frontend oci-registry-frontend
|
|
bind 0.0.0.0:10048
|
|
default_backend oci-registry-backend
|
|
|
|
backend oci-registry-backend
|
|
balance hdr(appserver)
|
|
server oci-registry01 oci-registry01:5000 check inter 10s rise 1 fall 2
|
|
{% if env == "production" %}
|
|
server oci-registry02 oci-registry02:5000 check inter 10s rise 1 fall 2
|
|
{% endif %}
|
|
retries 5
|
|
retry-on all-retryable-errors
|
|
|
|
frontend ipsilon-frontend
|
|
bind 0.0.0.0:10020
|
|
|
|
option http-buffer-request
|
|
# Define ipsilon OpenID only instance
|
|
acl path_openidc path_beg /openidc
|
|
acl path_openid path_beg /openid
|
|
acl is_openid_cookie req.cook(OPENID) true
|
|
{% if env == 'staging' %}
|
|
acl host_is_id_sub hdr(host) -m reg -i ^.+\.id\.stg\.fedoraproject\.org$
|
|
{% else %}
|
|
acl host_is_id_sub hdr(host) -m reg -i ^.+\.id\.fedoraproject\.org$
|
|
{% endif %}
|
|
|
|
use_backend ipsilon-backend if path_openidc
|
|
use_backend ipsilon-backend-openid if path_openid
|
|
use_backend ipsilon-backend-openid if is_openid_cookie
|
|
use_backend ipsilon-backend-openid if host_is_id_sub
|
|
|
|
default_backend ipsilon-backend
|
|
|
|
backend ipsilon-backend-openid
|
|
balance hdr(appserver)
|
|
cookie OPENID insert indirect nocache attr Max-Age=300
|
|
{% if env == "staging" %}
|
|
server ipsilon02 ipsilon02:80 cookie true check inter 10s rise 1 fall 3
|
|
{% else %}
|
|
server ipsilon03 ipsilon03:80 cookie true check inter 10s rise 1 fall 3
|
|
{% endif %}
|
|
option httpchk GET /
|
|
|
|
backend ipsilon-backend
|
|
balance hdr(appserver)
|
|
server ipsilon01 ipsilon01:80 check inter 10s rise 1 fall 3
|
|
http-response set-header x-xrds-location "https://id{{ env_suffix }}.fedoraproject.org/openid/XRDS"
|
|
{% if env == "production" %}
|
|
server ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 3
|
|
{% endif %}
|
|
option httpchk GET /
|
|
|
|
frontend ipa-frontend
|
|
bind 0.0.0.0:10053
|
|
default_backend ipa-backend
|
|
|
|
backend ipa-backend
|
|
balance hdr(appserver)
|
|
server ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
|
|
{% if env != "staging" %}
|
|
server ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
|
|
server ipa03 ipa03:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
|
|
{% endif %}
|
|
option httpchk GET /ipa/ui/
|
|
|
|
frontend krb5-frontend
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:1088
|
|
default_backend krb5-backend
|
|
|
|
backend krb5-backend
|
|
mode tcp
|
|
balance roundrobin
|
|
fullconn 16384
|
|
timeout queue 5000
|
|
timeout server 86400000
|
|
timeout connect 86400000
|
|
server ipa01 ipa01:88 weight 1 maxconn 16384
|
|
{% if env == "production" %}
|
|
server ipa02 ipa02:88 weight 1 maxconn 16384
|
|
server ipa03 ipa03:88 weight 1 maxconn 16384
|
|
{% endif %}
|
|
|
|
frontend oci-candidate-registry-frontend
|
|
bind 0.0.0.0:10054
|
|
default_backend oci-candidate-registry-backend
|
|
|
|
backend oci-candidate-registry-backend
|
|
balance hdr(appserver)
|
|
server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2
|
|
|
|
{% if datacenter == 'rdu3' %}
|
|
|
|
# Only enable this on rdu3 proxies
|
|
frontend src-frontend
|
|
bind 0.0.0.0:10057
|
|
default_backend src-backend
|
|
|
|
backend src-backend
|
|
balance hdr(appserver)
|
|
{% if env == "staging" or datacenter == 'rdu3' %}
|
|
server pkgs01 pkgs01:80 check inter 10s rise 1 fall 2
|
|
{% endif %}
|
|
option httpchk GET /
|
|
retries 5
|
|
retry-on all-retryable-errors
|
|
|
|
{% endif %}
|
|
# This is an endpoint using only ipa01. This is used for API access, since sessions
|
|
# are not synchronized.
|
|
frontend ipa01-frontend
|
|
bind 0.0.0.0:10061
|
|
default_backend ipa01-backend
|
|
|
|
backend ipa01-backend
|
|
balance hdr(appserver)
|
|
server ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
|
|
option httpchk GET /ipa/ui/
|
|
|
|
{% if env == "production" and datacenter == 'rdu3' %}
|
|
frontend kojipkgs-frontend
|
|
bind 0.0.0.0:10062
|
|
default_backend kojipkgs-backend
|
|
|
|
backend kojipkgs-backend
|
|
balance uri
|
|
server kojipkgs01.{{ datacenter }}.fedoraproject.org kojipkgs01.{{ datacenter }}.fedoraproject.org:80 check inter 30s rise 1 fall 3
|
|
server kojipkgs02.{{ datacenter }}.fedoraproject.org kojipkgs02.{{ datacenter }}.fedoraproject.org:80 check inter 30s rise 1 fall 3
|
|
option httpchk GET /
|
|
retries 5
|
|
retry-on all-retryable-errors
|
|
option redispatch 1
|
|
{% endif %}
|
|
|
|
{% if datacenter == "rdu3" %}
|
|
# These ports are for proxying rabbitmq (AMQP) protocol through.
|
|
# At this moment, internal- and public-rabbitmq both point to the exact same set of
|
|
# brokers on the backend, but the internal- is intended for applications we directly control.
|
|
# This allows us to move to a separate cluster for public access if that became necessary
|
|
# on just the infra side, with no need to ask users to change anything.
|
|
frontend internal-rabbitmq
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:15671
|
|
default_backend rabbitmq
|
|
|
|
frontend public-rabbitmq
|
|
mode tcp
|
|
option tcplog
|
|
bind 0.0.0.0:5671
|
|
default_backend rabbitmq
|
|
|
|
backend rabbitmq
|
|
mode tcp
|
|
balance roundrobin
|
|
fullconn 16384
|
|
server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384
|
|
server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384
|
|
server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384
|
|
{% endif %}
|
|
|
|
{% if datacenter == "rdu3" %}
|
|
frontend zabbix-frontend
|
|
bind 0.0.0.0:10068
|
|
default_backend zabbix-backend
|
|
|
|
backend zabbix-backend
|
|
balance hdr(appserver)
|
|
server zabbix01 zabbix01:80 check inter 10s rise 1 fall 2
|
|
{% endif %}
|