blob: 1266d4e1c00f8e910958cdee96ce0da595e37959 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
global
log /dev/log local0
stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
stats timeout 30s
# it is required else pod will not come up
maxconn 50000
user root
group root
daemon
#################################
# Default SSL material locations#
#################################
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option ssl-hello-chk
option httpchk
http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
default-server init-addr none
# option dontlognull
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http
# errorfile 500 /etc/haproxy/errors/500.http
# errorfile 502 /etc/haproxy/errors/502.http
# errorfile 503 /etc/haproxy/errors/503.http
# errorfile 504 /etc/haproxy/errors/504.http
option http-server-close
option forwardfor except 127.0.0.1
retries 6
option redispatch
maxconn 50000
timeout connect 50000
timeout client 480000
timeout server 480000
timeout http-keep-alive 30000
frontend stats
bind *:8448
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
frontend IST_8443
mode http
bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
log global
option logasap
option forwardfor
capture request header Host len 100
capture response header Host len 100
option log-separate-errors
option forwardfor
http-request set-header X-Forwarded-Proto https
http-request add-header X-Forwarded-Port 8443
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
http-request set-header X-AAI-SSL %[ssl_fc]
http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
#######################################
## Request blocking configuration ###
#######################################
{{- if eq $.Values.haproxy.requestBlocking.enabled true }}
{{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
{{ $custom_config }}
{{- end }}
{{- end }}
#######################
#ACLS FOR PORT 8446####
#######################
acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
acl is_named-query path_beg -i /aai/search/named-query
acl is_search-model path_beg -i /aai/search/model
use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
default_backend IST_Default_8447
#######################
#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
balance roundrobin
stick-table type string len 100 size 200k expire 2m
stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
#######################
# BACKEND 8446#########
#######################
backend IST_AAI_8446
balance roundrobin
stick-table type string len 100 size 200k expire 2m
stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
listen IST_AAI_STATS
mode http
bind *:8080
stats uri /stats
stats enable
stats refresh 30s
stats hide-version
stats auth admin:admin
stats show-legends
stats show-desc IST AAI APPLICATION NODES
stats admin if TRUE
|
