Allow customisation of stick-tables for each service.
A new variable "haproxy_stick_table" is added which allows a custom stick-table to be supplied that is used as the default stick-table for all haproxy back-ends. In addition, the variable service.haproxy_stick_table can be defined for each service to allow a unique stick-table to be supplied for a particular service. The old default stick-table definition is removed as there was no use case defined for it in this role before. An example is added to defaults/main.yml to show how the custom stick-table can be used to rate-limit requests that generate 4xx responses, which commonly occur during vulnerability scanning or credential stuffing attacks. There are many other uses for stick-tables; consult the HAProxy documentation for details.

Change-Id: I50daba08c10f071157d6450ea2fa97df448f99ec
This commit is contained in:
parent
be9a66c280
commit
06e76706c7
@ -67,6 +67,10 @@ haproxy_service_configs: []
# letsencrypt-acl:
# rule: "path_beg /.well-known/acme-challenge/"
# backend_name: letsencrypt
# haproxy_stick_table:
# - "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
# - "http-request track-sc0 src"
# - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 10.0.0.0/8 } !{ src 172.16.0.0/12 } !{ src 192.168.0.0/16 }"
# - service:
# # https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
# haproxy_service_name: prometheus-metrics
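Review bot: The example lines under `# haproxy_stick_table:` carry no comment explaining their purpose, so a reader of defaults/main.yml cannot tell that the three lines rate-limit sources producing more than 20 4xx responses in a 10s window and that the `!{ src 10.0.0.0/8 } ...` clauses exempt RFC 1918 ranges; a one-line comment above the block (and a hint that the exempted ranges should be replaced with the operator's own monitoring and health-check sources) would make it usable. Also worth stating in that comment: the rule keys on `src` via `http-request track-sc0 src`, so if this load balancer sits behind another proxy or NAT, every client shares the upstream address and one noisy client will push the whole counter over the limit.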
@ -0,0 +1,13 @@
---
features:
- |
A new variable ``haproxy_stick_table`` can be defined to apply a
customised stick-table to all backends on the loadbalancer. In addition,
``haproxy_stick_table`` can be set in each service definition to have a
customised stick-table for a particular backend.
upgrade:
- |
A default stick-table was previously applied to all backends by default
but did not have any specific purpose. This is now removed, and the variable
``haproxy_stick_table`` should be used to supply a list of config lines
to be applied to each backend to control stick-table functionality.
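Review bot: The upgrade note should spell out the precedence rule the template implements and give operators a way back: state that a service-level ``haproxy_stick_table`` overrides the global one, and that anyone who relied on the old lines can restore them by setting ``haproxy_stick_table`` to the two entries ``stick store-request src`` and ``stick-table type ip size 256k expire 30m``. As written, "a default stick-table was previously applied ... This is now removed" tells the reader what changed but not how to keep existing behaviour across the upgrade.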
@ -94,8 +94,10 @@ backend {{ item.service.haproxy_service_name }}-back
timeout server {{ item.service.haproxy_timeout_server }}
{% endif %}
{% if (item.service.haproxy_stick_table_enabled | default(true) | bool) %}
stick store-request src
stick-table type ip size 256k expire 30m
{% set stick_table = item.service.haproxy_stick_table|default( haproxy_stick_table | default([])) %}
{% for entry in stick_table %}
{{ entry }}
{% endfor %}
{% endif %}
{% if request_option == "http" %}
option forwardfor
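Review bot: The `{% if (item.service.haproxy_stick_table_enabled | default(true) | bool) %}` guard now only wraps a loop over a list that defaults to empty, so it is either redundant or an undocumented opt-out; either drop it or mention it in the release note next to ``haproxy_stick_table``. Note also that `item.service.haproxy_stick_table|default( haproxy_stick_table | default([]))` already gives a cleaner opt-out, because Jinja's `default()` only substitutes for undefined values, so a service that sets `haproxy_stick_table: []` explicitly gets no stick-table lines even when the global variable is populated; that behaviour is worth a comment in the template and a sentence in the docs.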