Merge "[DMAAP] DMaaP ServiceMesh compatibility"

[oom.git] / kubernetes / aai / resources / config / haproxy / haproxy.cfg

{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
global
        log /dev/log    local0
        stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
        stats timeout 30s
        daemon
        #################################
        # Default SSL material locations#
        #################################
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
{{- if ( include "common.needTLS" .) }}
        option  ssl-hello-chk
{{- end }}
        option  httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
        default-server init-addr none
#       option  dontlognull
#       errorfile 400 /etc/haproxy/errors/400.http
#       errorfile 403 /etc/haproxy/errors/403.http
#       errorfile 408 /etc/haproxy/errors/408.http
#       errorfile 500 /etc/haproxy/errors/500.http
#       errorfile 502 /etc/haproxy/errors/502.http
#       errorfile 503 /etc/haproxy/errors/503.http
#       errorfile 504 /etc/haproxy/errors/504.http

        option  http-server-close
        option forwardfor except 127.0.0.1
        retries 6
        option redispatch
        maxconn 50000
        timeout connect 50000
        timeout client  480000
        timeout server  480000
        timeout http-keep-alive 30000


frontend IST_8080
        mode http
        bind 0.0.0.0:8080
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
        option httplog
        log global
        option logasap
        option forwardfor
        capture request header  Host len 100
        capture response header Host len 100
        option log-separate-errors
        option forwardfor
        http-request set-header X-Forwarded-Proto http
        reqadd X-Forwarded-Proto:\ http
        reqadd X-Forwarded-Port:\ 8080

#######################
#ACLS FOR PORT 8446####
#######################

        acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
        acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
        acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
        acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
        acl is_named-query path_beg -i /aai/search/named-query
        acl is_search-model path_beg -i /aai/search/model
        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl

        default_backend IST_Default_8447

{{- if ( include "common.needTLS" .) }}
frontend IST_8443
        mode http
        bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
#       log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
        option httplog
        log global
        option logasap
        option forwardfor
        capture request header  Host len 100
        capture response header Host len 100
        option log-separate-errors
        option forwardfor
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
        http-request set-header X-AAI-SSL                       %[ssl_fc]
        http-request set-header X-AAI-SSL-Client-Verify         %[ssl_c_verify]
        http-request set-header X-AAI-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
        http-request set-header X-AAI-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-AAI-SSL-Issuer                %{+Q}[ssl_c_i_dn]
        http-request set-header X-AAI-SSL-Client-NotBefore      %{+Q}[ssl_c_notbefore]
        http-request set-header X-AAI-SSL-Client-NotAfter       %{+Q}[ssl_c_notafter]
        http-request set-header X-AAI-SSL-ClientCert-Base64   %{+Q}[ssl_c_der,base64]
        http-request set-header X-AAI-SSL-Client-OU             %{+Q}[ssl_c_s_dn(OU)]
        http-request set-header X-AAI-SSL-Client-L              %{+Q}[ssl_c_s_dn(L)]
        http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
        http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
        http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
#######################################
## Request blocking configuration ###
#######################################
        {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
        {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
        {{ $custom_config }}
        {{- end }}
        {{- end }}

        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 8443
{{- end }}

#######################
#ACLS FOR PORT 8446####
#######################

        acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
        acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
        acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
        acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
        acl is_named-query path_beg -i /aai/search/named-query
        acl is_search-model path_beg -i /aai/search/model
        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl

        default_backend IST_Default_8447

#######################
#DEFAULT BACKEND 8447##
#######################

backend IST_Default_8447
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
{{- if ( include "common.needTLS" .) }}
        server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
{{- else }}
        server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
{{- end }}

#######################
# BACKEND 8446#########
#######################

backend IST_AAI_8446
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
{{- if ( include "common.needTLS" .) }}
        server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
{{- else }}
        server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
{{- end }}