X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Faai%2Fresources%2Fconfig%2Fhaproxy%2Fhaproxy.cfg;h=a953a508bf20424f933d450cb67571f03d9e9461;hb=d12c16773174e0cdd1fcdd861c7b93ae05de1bc9;hp=1db4addb5a18516b2d82d1cd0ae648bb088f4539;hpb=11da9b758e5ae73020ad65ade87a2f2692852410;p=oom.git diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg index 1db4addb5a..a953a508bf 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +18,10 @@ global log /dev/log local0 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin stats timeout 30s + # it is required else pod will not come up + maxconn 50000 + user haproxy + group haproxy daemon ################################# # Default SSL material locations# @@ -35,10 +40,8 @@ defaults log global mode http option httplog -{{- if ( include "common.needTLS" .) }} - option ssl-hello-chk -{{- end }} - option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== + option httpchk + http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' default-server init-addr none # option dontlognull # errorfile 400 /etc/haproxy/errors/400.http @@ -59,6 +62,12 @@ defaults timeout server 480000 timeout http-keep-alive 30000 +frontend stats + bind *:8448 + http-request use-service prometheus-exporter if { path /metrics } + stats enable + stats uri /stats + stats refresh 10s frontend IST_8080 mode http @@ -73,8 +82,8 @@ frontend IST_8080 option log-separate-errors option forwardfor http-request set-header X-Forwarded-Proto http - reqadd X-Forwarded-Proto:\ http - reqadd X-Forwarded-Port:\ 8080 + http-request set-header X-Forwarded-Proto http + http-request add-header X-Forwarded-Port 8080 ####################### #ACLS FOR PORT 8446#### @@ -90,39 +99,6 @@ frontend IST_8080 default_backend IST_Default_8447 -{{- if ( include "common.needTLS" .) }} -frontend IST_8443 - mode http - bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem -# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" - option httplog - log global - option logasap - option forwardfor - capture request header Host len 100 - capture response header Host len 100 - option log-separate-errors - option forwardfor - http-request set-header X-Forwarded-Proto https if { ssl_fc } - http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } - http-request set-header X-AAI-SSL %[ssl_fc] - http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] - http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] - http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] - http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] - http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] - http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] - http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] - http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] - http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] - http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] - http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] - http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] - reqadd X-Forwarded-Proto:\ https - reqadd X-Forwarded-Port:\ 8443 -{{- end }} - ####################### #ACLS FOR PORT 8446#### ####################### @@ -143,13 +119,11 @@ frontend IST_8443 backend IST_Default_8447 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; -{{- if ( include "common.needTLS" .) }} - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none -{{- else }} - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 -{{- end }} + server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 ####################### # BACKEND 8446######### @@ -157,10 +131,8 @@ backend IST_Default_8447 backend IST_AAI_8446 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; -{{- if ( include "common.needTLS" .) }} - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none -{{- else }} - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 -{{- end }} + server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446