fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.conf
Kevin Fenzi 91ccdea73f proxies: Reach ocp4 cluster in prod over vpn instead of sending 421
I think I handled all the special cases here already.
We want to switch non iad2 proxies to reach the ocp4 cluster over its
vpn now that it has one. This should allow us to still keep ipv6
available for applications and not have to change dns for moving from
ocp3 cluster anymore. Will roll this out slowly to one proxy then
another, then the rest if it all looks ok.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-06-13 10:08:48 -07:00


{% if rewrite %}
# Optional redirect: a request for exactly the remote path (no trailing
# slash) gets a 301 to the same URI with "/" appended.
# The remotepath variable is rendered into the pattern unescaped, so any
# regex metacharacters in it are interpreted by mod_rewrite.
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
# Tell the backend that the client connection used HTTPS. "set" replaces
# any value the client sent for these headers, so the backend only sees
# the proxy's value. The value is a fixed "https".
# NOTE(review): this is only accurate if the including vhost serves TLS
# exclusively -- confirm at the include site.
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
# Strip the Expect request header before the request is proxied.
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
# Forward the client's Host header to the backend unchanged. The value is
# client-controlled, so the backend should not treat it as trusted input.
ProxyPreserveHost On
{% endif %}
{% if balancer_name is defined %}
# This application is served through an Apache balancer.
SSLProxyEngine On
{% if targettype is defined and targettype == "openshift" %}
# OpenShift backends: the backend certificate must chain to the CA file
# selected below (SSLProxyVerify require), but the name in the certificate
# is not compared with the member hostname (SSLProxyCheckPeerName Off).
# Any certificate issued by that CA is therefore accepted for any member,
# so the CA file should hold only the CA of the intended cluster.
SSLProxyVerify require
SSLProxyCheckPeerName Off
# CA file selection: ocp4 production and ocp4 staging each get their own
# file; every other combination falls through to os-master.pem.
{% if ocp4 and env == "production" %}
SSLProxyCACertificateFile "/etc/haproxy/ocp-prod.pem"
{% elif ocp4 and env == "staging" %}
SSLProxyCACertificateFile "/etc/haproxy/ocp-stg.pem"
{% else %}
SSLProxyCACertificateFile "/etc/haproxy/os-master.pem"
{% endif %}
{% endif %}
# NOTE(review): for target types other than openshift this template sets
# no SSLProxyVerify. Apache's default is "none", so https/wss members are
# not authenticated unless the including vhost configures verification.
#
# Separate balancer for WebSocket traffic. Members use wss:// unless the
# "http_not_https..." flag is set, in which case traffic to the backend
# is unencrypted ws://. A remote path other than "/" is appended to each
# member URL.
<Proxy "balancer://{{balancer_name}}-websocket">
{% for member in balancer_members %}
{% if http_not_https_yes_this_is_insecure_and_i_feel_bad %}
{% if remotepath is defined and remotepath != "/" %}
BalancerMember "ws://{{ member }}{{ remotepath }}"
{% else %}
BalancerMember "ws://{{ member }}"
{% endif %}
{% else %}
{% if remotepath is defined and remotepath != "/" %}
BalancerMember "wss://{{ member }}{{ remotepath }}"
{% else %}
BalancerMember "wss://{{ member }}"
{% endif %}
{% endif %}
{% endfor %}
</Proxy>
# Requests whose Upgrade header is "WebSocket" and whose Connection header
# contains "Upgrade" (both case-insensitive) are proxied ([P]) to the
# websocket balancer. When a remote path other than "/" is set, only URIs
# under that path match. Otherwise there is no path condition, and every
# upgrade request handled in this context is sent to this balancer.
# NOTE(review): the websocket members above already carry the remote path
# and the rule target appends the full request URI -- confirm the backend
# does not receive the prefix twice.
RewriteEngine on
RewriteCond %{HTTP:Upgrade} ^WebSocket$ [NC]
RewriteCond %{HTTP:Connection} Upgrade [NC]
{% if remotepath is defined and remotepath != "/" %}
RewriteCond %{REQUEST_URI} ^{{ remotepath }}/(.)*
{% endif %}
RewriteRule .* "balancer://{{ balancer_name }}-websocket%{REQUEST_URI}" [P]
# Balancer for ordinary requests. Members use https:// unless the
# "http_not_https..." flag is set, which sends plain http to the backend.
<Proxy "balancer://{{balancer_name}}">
{% for member in balancer_members %}
{% if http_not_https_yes_this_is_insecure_and_i_feel_bad %}
BalancerMember "http://{{ member }}"
{% else %}
BalancerMember "https://{{ member }}"
{% endif %}
{% endfor %}
</Proxy>
# Map the local path onto the balancer. ProxyPassReverse rewrites
# redirect headers from the backend back to the local path.
ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
{% else %}
# This is an application that just goes to one url, not a balancer.
# The proxy URL, remote path and proxy options are rendered verbatim from
# role variables.
# NOTE(review): this branch sets neither SSLProxyEngine nor certificate
# verification; an https proxy URL depends on both being configured
# elsewhere -- confirm.
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% endif %}