2 # Copyright © 2018 Amdocs, Bell Canada, AT&T
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
20 # it is required else pod will not come up
25 #################################
26 # Default SSL material locations#
27 #################################
28 ca-base /etc/ssl/certs
29 crt-base /etc/ssl/private
31 # Default ciphers to use on SSL-enabled listening sockets.
32 # For more information, see ciphers(1SSL). This list is from:
33 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
34 # An alternative list with additional directives can be obtained from
35 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
36 tune.ssl.default-dh-param 2048
42 {{- if ( include "common.needTLS" .) }}
46 http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
47 default-server init-addr none
49 # errorfile 400 /etc/haproxy/errors/400.http
50 # errorfile 403 /etc/haproxy/errors/403.http
51 # errorfile 408 /etc/haproxy/errors/408.http
52 # errorfile 500 /etc/haproxy/errors/500.http
53 # errorfile 502 /etc/haproxy/errors/502.http
54 # errorfile 503 /etc/haproxy/errors/503.http
55 # errorfile 504 /etc/haproxy/errors/504.http
57 option http-server-close
58 option forwardfor except 127.0.0.1
65 timeout http-keep-alive 30000
69 http-request use-service prometheus-exporter if { path /metrics }
77 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
82 capture request header Host len 100
83 capture response header Host len 100
84 option log-separate-errors
86 http-request set-header X-Forwarded-Proto http
87 http-request set-header X-Forwarded-Proto http
88 http-request add-header X-Forwarded-Port 8080
90 #######################
91 #ACLS FOR PORT 8446####
92 #######################
94 acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
95 acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
96 acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
97 acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
98 acl is_named-query path_beg -i /aai/search/named-query
99 acl is_search-model path_beg -i /aai/search/model
100 use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
102 default_backend IST_Default_8447
104 {{- if ( include "common.needTLS" .) }}
107 bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
108 # log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
109 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
114 capture request header Host len 100
115 capture response header Host len 100
116 option log-separate-errors
119 http-request set-header X-Forwarded-Proto https
120 http-request add-header X-Forwarded-Port 8443
122 http-request set-header X-Forwarded-Proto https if { ssl_fc }
123 http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
124 http-request set-header X-AAI-SSL %[ssl_fc]
125 http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
126 http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
127 http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
128 http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
129 http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
130 http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
131 http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
132 http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
133 http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
134 http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
135 http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
136 http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
137 #######################################
138 ## Request blocking configuration ###
139 #######################################
140 {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
141 {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
148 #######################
149 #ACLS FOR PORT 8446####
150 #######################
152 acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
153 acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
154 acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
155 acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
156 acl is_named-query path_beg -i /aai/search/named-query
157 acl is_search-model path_beg -i /aai/search/model
158 use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
160 default_backend IST_Default_8447
162 #######################
163 #DEFAULT BACKEND 8447##
164 #######################
166 backend IST_Default_8447
168 stick-table type string len 100 size 200k expire 2m
170 http-request set-header X-Forwarded-Port %[src_port]
171 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
172 {{- if ( include "common.needTLS" .) }}
173 server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
175 server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
178 #######################
179 # BACKEND 8446#########
180 #######################
184 stick-table type string len 100 size 200k expire 2m
186 http-request set-header X-Forwarded-Port %[src_port]
187 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
188 {{- if ( include "common.needTLS" .) }}
189 server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
191 server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446