144 lines
7.2 KiB
YAML
144 lines
7.2 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
haproxy_bind_on_non_local: "{{ (groups.haproxy | length) > 1 }}"
|
|
haproxy_use_keepalived: "{{ (groups.haproxy | length) > 1 }}"
|
|
keepalived_selinux_compile_rules:
|
|
- keepalived_ping
|
|
- keepalived_haproxy_pid_file
|
|
|
|
haproxy_ssl_letsencrypt_enable: false
|
|
haproxy_ssl_letsencrypt_acl:
|
|
letsencrypt-acl:
|
|
rule: "path_beg /.well-known/acme-challenge/"
|
|
backend_name: letsencrypt
|
|
|
|
# Ensure that the package state matches the global setting
|
|
haproxy_package_state: "{{ package_state }}"
|
|
|
|
# Variables to set security headers used by browsers
|
|
haproxy_security_headers_max_age: 31536000
|
|
# Set CSP headers to report only for testing
|
|
haproxy_security_headers_csp_report_only: False
|
|
haproxy_security_headers_csp: >
|
|
http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
|
|
default-src 'self';
|
|
frame-ancestors 'self';
|
|
form-action 'self';
|
|
upgrade-insecure-requests;
|
|
style-src 'self' 'unsafe-inline';
|
|
script-src 'self' 'unsafe-inline' 'unsafe-eval';
|
|
child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
|
|
frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
|
|
connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }};
|
|
img-src 'self' data:;
|
|
worker-src blob:;
|
|
"
|
|
|
|
# To disable security headers set to []
|
|
haproxy_security_headers:
|
|
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""
|
|
- 'http-response set-header X-Content-Type-Options "nosniff"'
|
|
- 'http-response set-header Referrer-Policy "same-origin"'
|
|
- 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"'
|
|
|
|
haproxy_security_txt_service:
|
|
haproxy_backend_only: true
|
|
haproxy_service_name: security_txt
|
|
haproxy_backend_nodes: []
|
|
haproxy_balance_type: http
|
|
haproxy_service_enabled: "{{ haproxy_security_txt_content is truthy }}"
|
|
# https://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/
|
|
haproxy_backend_arguments:
|
|
- 'errorfile 503 /etc/haproxy/security.txt'
|
|
haproxy_map_entries:
|
|
- name: base_regex
|
|
entries:
|
|
- '.*/security.txt security_txt-back'
|
|
|
|
# haproxy 'base' frontend-only service that is used always deployed for port 80 redirect and 443
|
|
# this potentially supports horizon dashboard, security.txt and certbot
|
|
# plus any other user defined custom backend
|
|
haproxy_base_service:
|
|
haproxy_service_name: base
|
|
haproxy_frontend_only: true
|
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
|
haproxy_ssl_all_vips: true
|
|
haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"
|
|
haproxy_redirect_http_port: 80
|
|
haproxy_balance_type: http
|
|
haproxy_service_enabled: true
|
|
haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
|
|
haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
|
|
haproxy_frontend_raw: >-
|
|
{{
|
|
(haproxy_ssl | bool and haproxy_security_headers is defined) | ternary(
|
|
haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)] + [haproxy_skyline_csp | default('')],
|
|
[])
|
|
}}
|
|
haproxy_maps:
|
|
- 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'
|
|
haproxy_map_entries:
|
|
- name: base_regex
|
|
entries:
|
|
- "#Regular expression map file - this comment is defined in the base frontend config"
|
|
|
|
# Handles LetsEncrypt HTTP-01 challenge
|
|
haproxy_letsencrypt_service:
|
|
haproxy_service_name: letsencrypt
|
|
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
|
|
backend_rise: 1
|
|
backend_fall: 5
|
|
interval: 4000
|
|
haproxy_bind:
|
|
- 127.0.0.1
|
|
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
|
|
haproxy_balance_type: http
|
|
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
|
|
|
|
# RGW backend is defined here as it might be referring to an external ceph cluster via 'ceph_rgws'
|
|
haproxy_ceph_rgw_service:
|
|
haproxy_service_name: ceph-rgw
|
|
haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}"
|
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
|
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
|
|
haproxy_balance_alg: source
|
|
haproxy_port: "{{ radosgw_service_port | default(7980) }}"
|
|
haproxy_balance_type: http
|
|
haproxy_backend_httpcheck_options:
|
|
- send meth HEAD
|
|
- expect rstatus 200|405
|
|
# `openstack_service_backend_ssl` is not taken into account if ceph is installed independently.
|
|
haproxy_backend_ssl: "{{ ceph_rgw_backend_ssl | default((groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(openstack_service_backend_ssl, False)) }}"
|
|
haproxy_backend_ca: "{{ ceph_rgw_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
|
|
haproxy_accept_both_protocols: "{{ ceph_rgw_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
|
|
haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
|
|
|
|
haproxy_default_services:
|
|
- "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
|
|
- "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
|
|
- "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
|
|
- "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
|
|
|
|
# ensure correct facts are gathered in haproxy play
|
|
# to determine the network gateway to use in keepalived track script
|
|
deployment_extra_facts_filter:
|
|
- "ansible_processor_*"
|
|
- ansible_default_ipv4
|
|
deployment_extra_facts_subset:
|
|
- '!all'
|
|
- hardware
|
|
- network
|