Archive abandoned project

This commit is contained in:
Benoit 2025-02-15 00:56:26 +09:00
parent bc8862d90b
commit 65be894048
501 changed files with 24305 additions and 0 deletions

25
esh_haproxy/.gitignore vendored Normal file

@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/

10
esh_haproxy/CHANGELOG.md Normal file

@ -0,0 +1,10 @@
# esh_haproxy CHANGELOG
This file is used to list changes made in each version of the esh_haproxy cookbook.
## 0.1.0
Initial release.
- change 0
- change 1
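Review bot: the generator placeholders `- change 0` / `- change 1` under `## 0.1.0` document nothing; replace them with a one-line summary of what the initial release actually ships (HAProxy install, the MaxMind country ACL generator and its systemd timer, the TLS defaults) or drop the bullets and keep only "Initial release."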

201
esh_haproxy/LICENSE Normal file

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

16
esh_haproxy/Policyfile.rb Normal file

@ -0,0 +1,16 @@
# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
#
# For more information on the Policyfile feature, visit
# https://docs.chef.io/policyfile/
# A name that describes what the system you're building with Chef does.
name 'esh_haproxy'
# Where to find external cookbooks:
default_source :supermarket
# run_list: chef-client will run these recipes in the order specified.
run_list 'esh_haproxy::default'
# Specify a custom source for a single cookbook:
cookbook 'esh_haproxy', path: '.'

4
esh_haproxy/README.md Normal file

@ -0,0 +1,4 @@
# esh_haproxy
TODO: Enter the cookbook description here.
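Review bot: the README is still the generator stub, but the `config` recipe depends on several attributes that an operator has to set before a converge can succeed: `node['esh']['haproxy']['config']['maxmind_key']`, `['hc_url']`, `['stats_password']`, `['acls']`, `['listen']` and `['backends']`. Document each one here (type, whether it is a secret, and an example), and state that the cookbook is Debian/Ubuntu only since it uses `apt_package` and the `ssl-cert` snakeoil files.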

115
esh_haproxy/chefignore Normal file

@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile


@ -0,0 +1,25 @@
# compliance
This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase.
Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/).
```plain
./compliance
├── inputs
├── profiles
└── waivers
```
Use the `chef generate` command from Chef Workstation to create content for these directories:
```sh
# Generate a Chef InSpec profile
chef generate profile PROFILE_NAME
# Generate a Chef InSpec waiver file
chef generate waiver WAIVER_NAME
# Generate a Chef InSpec input file
chef generate input INPUT_NAME
```


@ -0,0 +1,64 @@
#!/bin/bash
set -euo pipefail
LICENSE_KEY=${LICENSE_KEY:?LICENSE_KEY missing}
TMPDIR=$(mktemp -p /tmp -d haproxy_country.XXX)
curl --silent \
--output "$TMPDIR/geoip.zip" \
"https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=${LICENSE_KEY}&suffix=zip"
unzip -j "$TMPDIR/geoip.zip" -d "$TMPDIR" -x '*.txt'
cd "$TMPDIR"
# Create an array of country codes using the first column of
# GeoLite2-Country-Locations-en.csv as the indices and the fifth column as the
# values
# Use sed to skip the first line
declare -A country_codes
while IFS=',' read -r geoname_id _ _ _ country_iso_code _ _; do
country_codes[$geoname_id]=$country_iso_code
done < <(sed '1d' GeoLite2-Country-Locations-en.csv)
# Process the blocks file, replacing country identifiers with the corresponding
# country codes
# Use sed to skip the first line
while IFS=',' read -r network geoname_id registered_country_geoname_id _ _ _; do
# If geoname_id is not present, use registered_country_geoname_id as a substitute
# Or if registered_country_geoname_id is not present, use whois
if [[ -z $geoname_id ]]; then
if [[ -n $registered_country_geoname_id ]]; then
geoname_id=$registered_country_geoname_id
else
country_code=$(whois -h whois.cymru.com "-v $network" | tail -n1 | awk -F'|' '{print $4}' | tr -d ' ')
# Convert country code to GeoLite country code
geo_country_code=$(grep "$country_code" GeoLite2-Country-Locations-en.csv | awk -F',' '{print $1}')
geoname_id=$geo_country_code
fi
fi
echo "$network" >> "${country_codes[$geoname_id]}.txt"
done < <(sed '1d' GeoLite2-Country-Blocks-IPv4.csv)
while IFS=',' read -r network geoname_id registered_country_geoname_id _ _ _; do
# If geoname_id is not present, use registered_country_geoname_id as a substitute
# Or if registered_country_geoname_id is not present, use whois
if [[ -z $geoname_id ]]; then
if [[ -n $registered_country_geoname_id ]]; then
geoname_id=$registered_country_geoname_id
else
country_code=$(whois -h whois.cymru.com "-v $network" | tail -n1 | awk -F'|' '{print $4}' | tr -d ' ')
# Convert country code to GeoLite country code
geo_country_code=$(grep "$country_code" GeoLite2-Country-Locations-en.csv | awk -F',' '{print $1}')
geoname_id=$geo_country_code
fi
fi
echo "$network" >> "${country_codes[$geoname_id]}.txt"
done < <(sed '1d' GeoLite2-Country-Blocks-IPv6.csv)
rm -f /etc/haproxy/country/*.txt
cp ./*.txt /etc/haproxy/country/
systemctl reload haproxy
cd - > /dev/null
rm -rf "$TMPDIR"
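Review bot: `rm -f /etc/haproxy/country/*.txt` followed by `cp ./*.txt /etc/haproxy/country/` is not atomic and only produces files for country codes that actually occur in the blocks CSVs, while the haproxy.cfg template references a fixed list of `acl XX src -f /etc/haproxy/country/XX.txt` files, every one of which must exist for the config to load; touch the full set of expected files in `$TMPDIR` before copying (or copy into a staging directory and rename it into place), and run `haproxy -c -f /etc/haproxy/haproxy.cfg` before `systemctl reload haproxy` so a bad data set fails loudly instead of leaving HAProxy running on stale ACLs. The whois fallback is also fragile: `grep "$country_code" GeoLite2-Country-Locations-en.csv` is an unanchored substring match across every column, so a two-letter code can match continent codes or other rows and return several ids, after which `${country_codes[$geoname_id]}` has an invalid subscript (and under `set -u` any id missing from the map aborts the script); match the exact column instead, e.g. `awk -F',' -v cc="$country_code" '$5 == cc {print $1}'`. Two further points: the IPv4 and IPv6 loops are identical and should be one function taking the CSV name, and `license_key=${LICENSE_KEY}` in the curl URL is visible to every local user through `ps` for the duration of the download; feed the URL to curl as a config file on stdin (`curl -sS -K -` with a `url = "..."` line) so the key stays out of the argument list.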

31
esh_haproxy/kitchen.yml Normal file

@ -0,0 +1,31 @@
---
driver:
name: vagrant
## The forwarded_port port feature lets you connect to ports on the VM guest
## via localhost on the host.
## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
# network:
# - ["forwarded_port", {guest: 80, host: 8080}]
provisioner:
name: chef_zero
## product_name and product_version specifies a specific Chef product and version to install.
## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
# product_name: chef
# product_version: 17
verifier:
name: inspec
platforms:
- name: ubuntu-20.04
- name: centos-8
suites:
- name: default
verifier:
inspec_tests:
- test/integration/default
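Review bot: the `centos-8` platform cannot converge this cookbook: config.rb installs haproxy, whois and ssl-cert with `apt_package` and relies on the Debian `ssl-cert` snakeoil files under /etc/ssl, none of which exist on CentOS, and CentOS 8 itself reached end of life at the end of 2021. Drop that platform (or replace it with a Debian release) so the kitchen matrix only contains targets the cookbook supports.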

19
esh_haproxy/metadata.rb Normal file

@ -0,0 +1,19 @@
name 'esh_haproxy'
maintainer 'https://easyself.host'
maintainer_email 'esh@benpro.fr'
license 'Apache-2.0'
description 'Installs/Configures esh_haproxy'
version '0.1.0'
chef_version '>= 16.0'
# The `issues_url` points to the location where issues for this cookbook are
# tracked. A `View Issues` link will be displayed on this cookbook's page when
# uploaded to a Supermarket.
#
# issues_url 'https://github.com/<insert_org_here>/esh_haproxy/issues'
# The `source_url` points to the development repository for this cookbook. A
# `View Source` link will be displayed on this cookbook's page when uploaded to
# a Supermarket.
#
# source_url 'https://github.com/<insert_org_here>/esh_haproxy'
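Review bot: add `supports 'ubuntu'` and `supports 'debian'`: the recipes are apt-specific, and without `supports` neither the Supermarket page nor a reader of this file gets any hint that other platforms will fail. While here, either fill in or remove the commented `issues_url` / `source_url` placeholders, and make `description` say what the cookbook actually does (HAProxy with MaxMind country ACLs and a refresh timer) rather than the generated "Installs/Configures esh_haproxy".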


@ -0,0 +1,145 @@
#
# Cookbook:: esh_haproxy
# Recipe:: config
#
# Copyright:: 2022, https://easyself.host
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apt_package %w(haproxy whois)
directory "/etc/haproxy/country" do
owner 'root'
group 'root'
mode '0755'
action :create
end
cookbook_file '/usr/local/bin/haproxy_country' do
owner 'root'
group 'root'
mode '0755'
action :create
end
execute 'haproxy generate country acl' do
command '/usr/local/bin/haproxy_country'
environment ({ 'LICENSE_KEY' => node['esh']['haproxy']['config']['maxmind_key'] })
action :run
not_if { ::File.exist?('/etc/haproxy/country/JP.txt') }
end
remote_file '/etc/haproxy/dhparam' do
source 'https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem'
owner 'root'
group 'root'
mode '0444'
action :create
end
template '/etc/haproxy/haproxy.cfg' do
owner 'root'
group 'root'
mode '0444'
variables acls: node['esh']['haproxy']['config']['acls'],
listen: node['esh']['haproxy']['config']['listen'],
backends: node['esh']['haproxy']['config']['backends'],
stats_password: node['esh']['haproxy']['config']['stats_password']
action :create
end
systemd_unit 'haproxy_country_failure.service' do
content <<~EOU
[Unit]
Description=Notifies HC if haproxy country fail
[Service]
Type=simple
ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']}/fail
EOU
verify false
action [:create, :enable]
end
systemd_unit 'haproxy_country_success.service' do
content <<~EOU
[Unit]
Description=Notifies HC if haproxy country succeed
[Service]
Type=simple
ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']}
EOU
verify false
action [:create, :enable]
end
systemd_unit 'haproxy_country.service' do
content <<~EOU
[Unit]
Description=Update haproxy country IP range
OnFailure=haproxy_country_failure.service
OnSuccess=haproxy_country_success.service
[Service]
Type=simple
Environment="LICENSE_KEY=#{node['esh']['haproxy']['config']['maxmind_key']}"
ExecStartPre=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']}/start
ExecStart=/usr/local/bin/haproxy_country
EOU
verify false
action [:create, :enable]
end
systemd_unit 'haproxy_country.timer' do
content <<~EOU
[Unit]
Description=Run haproxy_country on Fridays, 12h random
[Timer]
OnCalendar=Fri 00:00
RandomizedDelaySec=12h
[Install]
WantedBy=timers.target
EOU
verify false
action [:create, :enable]
end
apt_package 'ssl-cert'
directory '/etc/haproxy/crt' do
owner 'root'
group 'root'
mode '0755'
action :create
end
execute 'add to haproxy default self-signed certificate' do
command <<~EOT
cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
/etc/ssl/private/ssl-cert-snakeoil.key \
> /etc/haproxy/crt/ssl-cert-snakeoil.pem
EOT
not_if { ::File.exist?('/etc/haproxy/crt/ssl-cert-snakeoil.pem') }
action :run
end
service 'haproxy' do
action :nothing
subscribes :reload, 'template[/etc/haproxy/haproxy.cfg]', :immediately
end
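Review bot: the `execute 'add to haproxy default self-signed certificate'` block writes the snakeoil private key into `/etc/haproxy/crt/ssl-cert-snakeoil.pem` with whatever mode the shell's umask yields (normally 0644), so a key that is 0640 root:ssl-cert under /etc/ssl/private becomes world-readable; prefix the command with `umask 077`, or build the bundle with a `file` resource (`mode '0600'`, `sensitive true`), and give `/etc/haproxy/crt` mode 0700, which is safe because HAProxy loads certificates as root before dropping privileges. The same applies to the other secrets rendered into files: `maxmind_key` lands in `haproxy_country.service` as `Environment="LICENSE_KEY=..."` (unit files are world-readable and the value is also exposed by `systemctl show`), and `stats_password` lands in `/etc/haproxy/haproxy.cfg` with `mode '0444'`; move the key to an `EnvironmentFile=` with mode 0600 and tighten the template to `mode '0640'`, `group 'haproxy'`, `sensitive true` so the password neither sits world-readable nor shows up in chef-client diff output. Two smaller points: `haproxy_country.timer` is created and enabled but never started, so the weekly refresh only begins after a reboot (use `action [:create, :enable, :start]`), and `OnSuccess=` requires systemd 249 or newer, which the ubuntu-20.04 platform in kitchen.yml does not ship, so the success ping to `hc_url` will never fire there. Finally, `remote_file '/etc/haproxy/dhparam'` fetches from a moving `master` branch with no `checksum`, and nothing in the template uses it (the global section sets no `ssl-dh-param-file` and the cipher lists are ECDHE-only), so either pin a checksum and wire it in or drop the resource.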


@ -0,0 +1,17 @@
#
# Cookbook:: esh_haproxy
# Recipe:: default
#
# Copyright:: 2022, https://easyself.host
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
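Review bot: this recipe is empty apart from the license header, yet Policyfile.rb's run_list is `esh_haproxy::default`, so a converge does nothing and the `config` recipe never runs. Add `include_recipe 'esh_haproxy::config'` here, or point the run_list at `esh_haproxy::config` directly.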


@ -0,0 +1,387 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# TLS config
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 1m
timeout server 1m
timeout http-keep-alive 2m
timeout queue 15s
timeout tunnel 4h # for websocket
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# The cache instance used by the frontend (256MB, 50MB max object, 1 hour max)
# May be consulted using "show cache" on the CLI socket
cache cache
total-max-size 256 # RAM cache size in megabytes
max-object-size 52428800 # max cacheable object size in bytes
max-age 3600 # max cache duration in seconds
process-vary on # handle the Vary header (otherwise don't cache)
# Frontends
frontend frontend_default
bind :80 name http
bind :::80 name httpv6 v6only
# Sadly we can't use strict-sni because of Let's Encrypt challenge on https
bind :443 name https ssl crt /etc/haproxy/crt alpn h2,http/1.1
bind :::443 name httpsv6 v6only ssl crt /etc/haproxy/crt alpn h2,http/1.1
option socket-stats # provide per-bind line stats
stats enable
stats auth admin:<%= @stats_password %>
stats admin if TRUE
stats uri /haproxy?stats
stats refresh 10s
# silently ignore connect probes and pre-connect without request
option http-ignore-probes
# pass client's IP address to the server and prevent against attempts
# to inject bad contents
http-request del-header x-forwarded-for
option forwardfor
# enable HTTP compression of text contents
compression algo deflate gzip
compression type text/ application/javascript application/xhtml+xml image/x-icon
# enable HTTP caching of any cacheable content
http-request cache-use cache
http-response cache-store cache
# Redirect to HTTPS
http-request redirect scheme https unless { ssl_fc }
# ACLs
# ACL for country blocks
acl AD src -f /etc/haproxy/country/AD.txt
acl AE src -f /etc/haproxy/country/AE.txt
acl AF src -f /etc/haproxy/country/AF.txt
acl AG src -f /etc/haproxy/country/AG.txt
acl AI src -f /etc/haproxy/country/AI.txt
acl AL src -f /etc/haproxy/country/AL.txt
acl AM src -f /etc/haproxy/country/AM.txt
acl AO src -f /etc/haproxy/country/AO.txt
acl AQ src -f /etc/haproxy/country/AQ.txt
acl AR src -f /etc/haproxy/country/AR.txt
acl AS src -f /etc/haproxy/country/AS.txt
acl AT src -f /etc/haproxy/country/AT.txt
acl AU src -f /etc/haproxy/country/AU.txt
acl AW src -f /etc/haproxy/country/AW.txt
acl AX src -f /etc/haproxy/country/AX.txt
acl AZ src -f /etc/haproxy/country/AZ.txt
acl BA src -f /etc/haproxy/country/BA.txt
acl BB src -f /etc/haproxy/country/BB.txt
acl BD src -f /etc/haproxy/country/BD.txt
acl BE src -f /etc/haproxy/country/BE.txt
acl BF src -f /etc/haproxy/country/BF.txt
acl BG src -f /etc/haproxy/country/BG.txt
acl BH src -f /etc/haproxy/country/BH.txt
acl BI src -f /etc/haproxy/country/BI.txt
acl BJ src -f /etc/haproxy/country/BJ.txt
acl BL src -f /etc/haproxy/country/BL.txt
acl BM src -f /etc/haproxy/country/BM.txt
acl BN src -f /etc/haproxy/country/BN.txt
acl BO src -f /etc/haproxy/country/BO.txt
acl BQ src -f /etc/haproxy/country/BQ.txt
acl BR src -f /etc/haproxy/country/BR.txt
acl BS src -f /etc/haproxy/country/BS.txt
acl BT src -f /etc/haproxy/country/BT.txt
acl BV src -f /etc/haproxy/country/BV.txt
acl BW src -f /etc/haproxy/country/BW.txt
acl BY src -f /etc/haproxy/country/BY.txt
acl BZ src -f /etc/haproxy/country/BZ.txt
acl CA src -f /etc/haproxy/country/CA.txt
acl CC src -f /etc/haproxy/country/CC.txt
acl CD src -f /etc/haproxy/country/CD.txt
acl CF src -f /etc/haproxy/country/CF.txt
acl CG src -f /etc/haproxy/country/CG.txt
acl CH src -f /etc/haproxy/country/CH.txt
acl CI src -f /etc/haproxy/country/CI.txt
acl CK src -f /etc/haproxy/country/CK.txt
acl CL src -f /etc/haproxy/country/CL.txt
acl CM src -f /etc/haproxy/country/CM.txt
acl CN src -f /etc/haproxy/country/CN.txt
acl CO src -f /etc/haproxy/country/CO.txt
acl CR src -f /etc/haproxy/country/CR.txt
acl CU src -f /etc/haproxy/country/CU.txt
acl CV src -f /etc/haproxy/country/CV.txt
acl CW src -f /etc/haproxy/country/CW.txt
acl CX src -f /etc/haproxy/country/CX.txt
acl CY src -f /etc/haproxy/country/CY.txt
acl CZ src -f /etc/haproxy/country/CZ.txt
acl DE src -f /etc/haproxy/country/DE.txt
acl DJ src -f /etc/haproxy/country/DJ.txt
acl DK src -f /etc/haproxy/country/DK.txt
acl DM src -f /etc/haproxy/country/DM.txt
acl DO src -f /etc/haproxy/country/DO.txt
acl DZ src -f /etc/haproxy/country/DZ.txt
acl EC src -f /etc/haproxy/country/EC.txt
acl EE src -f /etc/haproxy/country/EE.txt
acl EG src -f /etc/haproxy/country/EG.txt
acl EH src -f /etc/haproxy/country/EH.txt
acl ER src -f /etc/haproxy/country/ER.txt
acl ES src -f /etc/haproxy/country/ES.txt
acl ET src -f /etc/haproxy/country/ET.txt
acl FI src -f /etc/haproxy/country/FI.txt
acl FJ src -f /etc/haproxy/country/FJ.txt
acl FK src -f /etc/haproxy/country/FK.txt
acl FM src -f /etc/haproxy/country/FM.txt
acl FO src -f /etc/haproxy/country/FO.txt
acl FR src -f /etc/haproxy/country/FR.txt
acl GA src -f /etc/haproxy/country/GA.txt
acl GB src -f /etc/haproxy/country/GB.txt
acl GD src -f /etc/haproxy/country/GD.txt
acl GE src -f /etc/haproxy/country/GE.txt
acl GF src -f /etc/haproxy/country/GF.txt
acl GG src -f /etc/haproxy/country/GG.txt
acl GH src -f /etc/haproxy/country/GH.txt
acl GI src -f /etc/haproxy/country/GI.txt
acl GL src -f /etc/haproxy/country/GL.txt
acl GM src -f /etc/haproxy/country/GM.txt
acl GN src -f /etc/haproxy/country/GN.txt
acl GP src -f /etc/haproxy/country/GP.txt
acl GQ src -f /etc/haproxy/country/GQ.txt
acl GR src -f /etc/haproxy/country/GR.txt
acl GS src -f /etc/haproxy/country/GS.txt
acl GT src -f /etc/haproxy/country/GT.txt
acl GU src -f /etc/haproxy/country/GU.txt
acl GW src -f /etc/haproxy/country/GW.txt
acl GY src -f /etc/haproxy/country/GY.txt
acl HK src -f /etc/haproxy/country/HK.txt
acl HM src -f /etc/haproxy/country/HM.txt
acl HN src -f /etc/haproxy/country/HN.txt
acl HR src -f /etc/haproxy/country/HR.txt
acl HT src -f /etc/haproxy/country/HT.txt
acl HU src -f /etc/haproxy/country/HU.txt
acl ID src -f /etc/haproxy/country/ID.txt
acl IE src -f /etc/haproxy/country/IE.txt
acl IL src -f /etc/haproxy/country/IL.txt
acl IM src -f /etc/haproxy/country/IM.txt
acl IN src -f /etc/haproxy/country/IN.txt
acl IO src -f /etc/haproxy/country/IO.txt
acl IQ src -f /etc/haproxy/country/IQ.txt
acl IR src -f /etc/haproxy/country/IR.txt
acl IS src -f /etc/haproxy/country/IS.txt
acl IT src -f /etc/haproxy/country/IT.txt
acl JE src -f /etc/haproxy/country/JE.txt
acl JM src -f /etc/haproxy/country/JM.txt
acl JO src -f /etc/haproxy/country/JO.txt
acl JP src -f /etc/haproxy/country/JP.txt
acl KE src -f /etc/haproxy/country/KE.txt
acl KG src -f /etc/haproxy/country/KG.txt
acl KH src -f /etc/haproxy/country/KH.txt
acl KI src -f /etc/haproxy/country/KI.txt
acl KM src -f /etc/haproxy/country/KM.txt
acl KN src -f /etc/haproxy/country/KN.txt
acl KP src -f /etc/haproxy/country/KP.txt
acl KR src -f /etc/haproxy/country/KR.txt
acl KW src -f /etc/haproxy/country/KW.txt
acl KY src -f /etc/haproxy/country/KY.txt
acl KZ src -f /etc/haproxy/country/KZ.txt
acl LA src -f /etc/haproxy/country/LA.txt
acl LB src -f /etc/haproxy/country/LB.txt
acl LC src -f /etc/haproxy/country/LC.txt
acl LI src -f /etc/haproxy/country/LI.txt
acl LK src -f /etc/haproxy/country/LK.txt
acl LR src -f /etc/haproxy/country/LR.txt
acl LS src -f /etc/haproxy/country/LS.txt
acl LT src -f /etc/haproxy/country/LT.txt
acl LU src -f /etc/haproxy/country/LU.txt
acl LV src -f /etc/haproxy/country/LV.txt
acl LY src -f /etc/haproxy/country/LY.txt
acl MA src -f /etc/haproxy/country/MA.txt
acl MC src -f /etc/haproxy/country/MC.txt
acl MD src -f /etc/haproxy/country/MD.txt
acl ME src -f /etc/haproxy/country/ME.txt
acl MF src -f /etc/haproxy/country/MF.txt
acl MG src -f /etc/haproxy/country/MG.txt
acl MH src -f /etc/haproxy/country/MH.txt
acl MK src -f /etc/haproxy/country/MK.txt
acl ML src -f /etc/haproxy/country/ML.txt
acl MM src -f /etc/haproxy/country/MM.txt
acl MN src -f /etc/haproxy/country/MN.txt
acl MO src -f /etc/haproxy/country/MO.txt
acl MP src -f /etc/haproxy/country/MP.txt
acl MQ src -f /etc/haproxy/country/MQ.txt
acl MR src -f /etc/haproxy/country/MR.txt
acl MS src -f /etc/haproxy/country/MS.txt
acl MT src -f /etc/haproxy/country/MT.txt
acl MU src -f /etc/haproxy/country/MU.txt
acl MV src -f /etc/haproxy/country/MV.txt
acl MW src -f /etc/haproxy/country/MW.txt
acl MX src -f /etc/haproxy/country/MX.txt
acl MY src -f /etc/haproxy/country/MY.txt
acl MZ src -f /etc/haproxy/country/MZ.txt
acl NA src -f /etc/haproxy/country/NA.txt
acl NC src -f /etc/haproxy/country/NC.txt
acl NE src -f /etc/haproxy/country/NE.txt
acl NF src -f /etc/haproxy/country/NF.txt
acl NG src -f /etc/haproxy/country/NG.txt
acl NI src -f /etc/haproxy/country/NI.txt
acl NL src -f /etc/haproxy/country/NL.txt
acl NO src -f /etc/haproxy/country/NO.txt
acl NP src -f /etc/haproxy/country/NP.txt
acl NR src -f /etc/haproxy/country/NR.txt
acl NU src -f /etc/haproxy/country/NU.txt
acl NZ src -f /etc/haproxy/country/NZ.txt
acl OM src -f /etc/haproxy/country/OM.txt
acl PA src -f /etc/haproxy/country/PA.txt
acl PE src -f /etc/haproxy/country/PE.txt
acl PF src -f /etc/haproxy/country/PF.txt
acl PG src -f /etc/haproxy/country/PG.txt
acl PH src -f /etc/haproxy/country/PH.txt
acl PK src -f /etc/haproxy/country/PK.txt
acl PL src -f /etc/haproxy/country/PL.txt
acl PM src -f /etc/haproxy/country/PM.txt
acl PN src -f /etc/haproxy/country/PN.txt
acl PR src -f /etc/haproxy/country/PR.txt
acl PS src -f /etc/haproxy/country/PS.txt
acl PT src -f /etc/haproxy/country/PT.txt
acl PW src -f /etc/haproxy/country/PW.txt
acl PY src -f /etc/haproxy/country/PY.txt
acl QA src -f /etc/haproxy/country/QA.txt
acl RE src -f /etc/haproxy/country/RE.txt
acl RO src -f /etc/haproxy/country/RO.txt
acl RS src -f /etc/haproxy/country/RS.txt
acl RU src -f /etc/haproxy/country/RU.txt
acl RW src -f /etc/haproxy/country/RW.txt
acl SA src -f /etc/haproxy/country/SA.txt
acl SB src -f /etc/haproxy/country/SB.txt
acl SC src -f /etc/haproxy/country/SC.txt
acl SD src -f /etc/haproxy/country/SD.txt
acl SE src -f /etc/haproxy/country/SE.txt
acl SG src -f /etc/haproxy/country/SG.txt
acl SH src -f /etc/haproxy/country/SH.txt
acl SI src -f /etc/haproxy/country/SI.txt
acl SJ src -f /etc/haproxy/country/SJ.txt
acl SK src -f /etc/haproxy/country/SK.txt
acl SL src -f /etc/haproxy/country/SL.txt
acl SM src -f /etc/haproxy/country/SM.txt
acl SN src -f /etc/haproxy/country/SN.txt
acl SO src -f /etc/haproxy/country/SO.txt
acl SR src -f /etc/haproxy/country/SR.txt
acl SS src -f /etc/haproxy/country/SS.txt
acl ST src -f /etc/haproxy/country/ST.txt
acl SV src -f /etc/haproxy/country/SV.txt
acl SX src -f /etc/haproxy/country/SX.txt
acl SY src -f /etc/haproxy/country/SY.txt
acl SZ src -f /etc/haproxy/country/SZ.txt
acl TC src -f /etc/haproxy/country/TC.txt
acl TD src -f /etc/haproxy/country/TD.txt
acl TF src -f /etc/haproxy/country/TF.txt
acl TG src -f /etc/haproxy/country/TG.txt
acl TH src -f /etc/haproxy/country/TH.txt
acl TJ src -f /etc/haproxy/country/TJ.txt
acl TK src -f /etc/haproxy/country/TK.txt
acl TL src -f /etc/haproxy/country/TL.txt
acl TM src -f /etc/haproxy/country/TM.txt
acl TN src -f /etc/haproxy/country/TN.txt
acl TO src -f /etc/haproxy/country/TO.txt
acl TR src -f /etc/haproxy/country/TR.txt
acl TT src -f /etc/haproxy/country/TT.txt
acl TV src -f /etc/haproxy/country/TV.txt
acl TW src -f /etc/haproxy/country/TW.txt
acl TZ src -f /etc/haproxy/country/TZ.txt
acl UA src -f /etc/haproxy/country/UA.txt
acl UG src -f /etc/haproxy/country/UG.txt
acl UM src -f /etc/haproxy/country/UM.txt
acl US src -f /etc/haproxy/country/US.txt
acl UY src -f /etc/haproxy/country/UY.txt
acl UZ src -f /etc/haproxy/country/UZ.txt
acl VA src -f /etc/haproxy/country/VA.txt
acl VC src -f /etc/haproxy/country/VC.txt
acl VE src -f /etc/haproxy/country/VE.txt
acl VG src -f /etc/haproxy/country/VG.txt
acl VI src -f /etc/haproxy/country/VI.txt
acl VN src -f /etc/haproxy/country/VN.txt
acl VU src -f /etc/haproxy/country/VU.txt
acl WF src -f /etc/haproxy/country/WF.txt
acl WS src -f /etc/haproxy/country/WS.txt
acl XK src -f /etc/haproxy/country/XK.txt
acl YE src -f /etc/haproxy/country/YE.txt
acl YT src -f /etc/haproxy/country/YT.txt
acl ZA src -f /etc/haproxy/country/ZA.txt
acl ZM src -f /etc/haproxy/country/ZM.txt
acl ZW src -f /etc/haproxy/country/ZW.txt
# Redirect www to non-www domains
http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
acl letsencrypt path_beg /.well-known/acme-challenge/
<% @acls.each do |acl_name, params| %>
<% params['hosts'].each do |host| %>
acl <%= acl_name %> hdr(host) -i <%= host %>
<% end %>
<% params['denies'].each do |deny| %>
http-request deny if <%= acl_name %> <%= deny %>
<% end %>
<% end %>
use_backend letsencrypt if letsencrypt
<% @acls.each do |acl_name, params| %>
<% params['hosts'].each do |host| %>
use_backend <%= params['backend'] %> if <%= acl_name %>
<% break %>
<% end %>
<% end %>
default_backend default
# Listens (frontend and backend combined)
<% @listen.each do |frontend_name, params| %>
listen <%= frontend_name %>
bind :<%= params['bind'] %>
bind :::<%= params['bind'] %> v6only
<% if params['mode'] == 'tcp' %>
mode tcp
option tcplog
<% end %>
server <%= params['server'] %>
<% end %>
# Backends
backend default
tcp-request content reject
backend letsencrypt
server certbot 127.0.0.1:8899
<% @backends.each do |backend, server| %>
backend <%= backend %>
# set HSTS for one year after all responses
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# add some Security headers
http-response set-header X-Frame-Options "SAMEORIGIN"
http-response set-header X-Content-Type-Options "nosniff"
server <%= server %>
<% end %>
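Review bot: the generated vhost ACLs at `acl <%= acl_name %> hdr(host) -i <%= host %>` share one namespace with the two-letter country ACLs above them (`acl US src -f /etc/haproxy/country/US.txt` and so on), and HAProxy ORs together every `acl` line that carries the same name, so a key such as `US` or `DE` in the `acls` attribute silently becomes "any request from that country or for that host" in both the `http-request deny` and the `use_backend` rules. Prefix one of the two families in the template (for example `acl geo_<code> src -f ...` for the country lists, or `host_<%= acl_name %>` for the vhosts) or have the recipe reject colliding keys. Two smaller points in the same region: the `http-request deny if <%= acl_name %> <%= deny %>` rules are evaluated before `use_backend letsencrypt if letsencrypt`, so a geo-deny on a vhost also blocks ACME HTTP-01 validation for that vhost unless `!letsencrypt` is added to the deny condition; and the inner `params['hosts'].each` loop that ends in `<% break %>` exists only to emit a single `use_backend` per ACL, which reads more clearly as `<% next if params['hosts'].empty? %>` followed by one `use_backend` line. Last, `Strict-Transport-Security` with `includeSubDomains; preload` on every backend commits every subdomain of every served domain to HTTPS for a year and is effectively irreversible once a domain is submitted to the preload list; confirm that is intended rather than a copied default.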


@ -0,0 +1,16 @@
# Chef InSpec test for recipe esh_haproxy::default
# The Chef InSpec reference, with examples and extensive documentation, can be
# found at https://docs.chef.io/inspec/resources/
unless os.windows?
# This is an example test, replace with your own test.
describe user('root'), :skip do
it { should exist }
end
end
# This is an example test, replace it with your own test.
describe port(80), :skip do
it { should_not be_listening }
end
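Review bot: both tests in this file are the `chef generate` scaffold and are marked `:skip`, so `kitchen verify` passes without checking anything the cookbook does; `describe port(80), :skip do` / `it { should_not be_listening }` even asserts the opposite of what a converged HAProxy node should show. Replace them with checks on the recipe's real outcome, for example `describe service('haproxy') do it { should be_enabled } it { should be_running } end`, `describe port(80) do it { should be_listening } end`, and a `describe command('haproxy -c -f /etc/haproxy/haproxy.cfg')` whose `exit_status` should `eq 0` (assuming the template is rendered to the default `/etc/haproxy/haproxy.cfg`; the page only shows the `/etc/haproxy/country/` directory), so a rendered config that HAProxy rejects, such as one referencing a missing country list file, fails the test rather than only the service start.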