log /dev/log local0
stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
stats timeout 30s
+ # it is required else pod will not come up
+ maxconn 50000
+ user root
+ group root
daemon
#################################
# Default SSL material locations#
log global
mode http
option httplog
+{{- if ( include "common.needTLS" .) }}
option ssl-hello-chk
- option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
+{{- end }}
+ option httpchk
+ http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
default-server init-addr none
# option dontlognull
# errorfile 400 /etc/haproxy/errors/400.http
timeout server 480000
timeout http-keep-alive 30000
+frontend stats
+ bind *:8448
+ http-request use-service prometheus-exporter if { path /metrics }
+ stats enable
+ stats uri /stats
+ stats refresh 10s
+
+frontend IST_8080
+ mode http
+ bind 0.0.0.0:8080
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto http
+ http-request set-header X-Forwarded-Proto http
+ http-request add-header X-Forwarded-Port 8080
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
+
+ default_backend IST_Default_8447
+{{- if ( include "common.needTLS" .) }}
frontend IST_8443
mode http
- bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+ bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
capture response header Host len 100
option log-separate-errors
option forwardfor
+
+ http-request set-header X-Forwarded-Proto https
+ http-request add-header X-Forwarded-Port 8443
+
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
http-request set-header X-AAI-SSL %[ssl_fc]
http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
- reqadd X-Forwarded-Proto:\ https
- reqadd X-Forwarded-Port:\ 8443
+#######################################
+## Request blocking configuration ###
+#######################################
+ {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
+ {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
+ {{ $custom_config }}
+ {{- end }}
+ {{- end }}
+
+{{- end }}
#######################
#ACLS FOR PORT 8446####
default_backend IST_Default_8447
-
#######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
balance roundrobin
+ stick-table type string len 100 size 200k expire 2m
+ stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
- server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
-
+{{- if ( include "common.needTLS" .) }}
+ server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+{{- else }}
+ server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
+{{- end }}
#######################
# BACKEND 8446#########
backend IST_AAI_8446
balance roundrobin
+ stick-table type string len 100 size 200k expire 2m
+ stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
- server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
-
+{{- if ( include "common.needTLS" .) }}
+ server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+{{- else }}
+ server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
+{{- end }}