openstack/openstack-ansible
Code Issues Proposed changes
426c49da6d
openstack-ansible/inventory/group_vars/horizon_all/haproxy_service.yml
Jonathan Rosser af8adb377e Remove extra slash character from horizon haproxy healthcheck url. 
This would end up as //auth/login and can cause the healthcheck to
fail.

Change-Id: I16b5ad1efa1831348c70f0c332b7ba674f9e40c3
2024-08-14 12:58:35 +00:00

50 lines
2.5 KiB
YAML
Raw Blame History

---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# special haproxy stick table for horizon
# returns 429 when more than 20 calls to /auth per 10 second window
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_horizon_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
horizon_webroot: "{{ (groups['skyline_all'] | default([])) | ternary('/horizon', '/') }}"
haproxy_horizon_service:
haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars
haproxy_service_name: horizon
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_backend_port: "{{ (horizon_backend_ssl | default(openstack_service_backend_ssl)) | ternary(443, 80) }}"
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_httpcheck_options:
- 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri {{ horizon_webroot.rstrip("/") }}/auth/login/'
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
haproxy_map_entries:
- name: base_regex
order: 98
#match any requests to the horizon backend
entries:
- "{{ horizon_webroot }} horizon-back"
horizon_haproxy_services:
- "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"
View Git Blame Copy Permalink