aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
blob: b05ffaeaf2bc665aec3709a5c0f8c87c4aa97a38 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
global
        log /dev/log    local0
        stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
        stats timeout 30s
        user root
        group root
        daemon
        #################################
        # Default SSL material locations#
        #################################
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
        option  ssl-hello-chk
        option  httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
        default-server init-addr none
#       option  dontlognull
#       errorfile 400 /etc/haproxy/errors/400.http
#       errorfile 403 /etc/haproxy/errors/403.http
#       errorfile 408 /etc/haproxy/errors/408.http
#       errorfile 500 /etc/haproxy/errors/500.http
#       errorfile 502 /etc/haproxy/errors/502.http
#       errorfile 503 /etc/haproxy/errors/503.http
#       errorfile 504 /etc/haproxy/errors/504.http

        option  http-server-close
        option forwardfor except 127.0.0.1
        retries 6
        option redispatch
        maxconn 50000
        timeout connect 50000
        timeout client  480000
        timeout server  480000
        timeout http-keep-alive 30000


frontend IST_8443
        mode http
        bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
#       log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
        option httplog
        log global
        option logasap
        option forwardfor
        capture request header  Host len 100
        capture response header Host len 100
        option log-separate-errors
        option forwardfor
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
        http-request set-header X-AAI-SSL                       %[ssl_fc]
        http-request set-header X-AAI-SSL-Client-Verify         %[ssl_c_verify]
        http-request set-header X-AAI-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
        http-request set-header X-AAI-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-AAI-SSL-Issuer                %{+Q}[ssl_c_i_dn]
        http-request set-header X-AAI-SSL-Client-NotBefore      %{+Q}[ssl_c_notbefore]
        http-request set-header X-AAI-SSL-Client-NotAfter       %{+Q}[ssl_c_notafter]
        http-request set-header X-AAI-SSL-ClientCert-Base64   %{+Q}[ssl_c_der,base64]
        http-request set-header X-AAI-SSL-Client-OU             %{+Q}[ssl_c_s_dn(OU)]
        http-request set-header X-AAI-SSL-Client-L              %{+Q}[ssl_c_s_dn(L)]
        http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
        http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
        http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 8443

#######################
#ACLS FOR PORT 8446####
#######################

        acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
        acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
        acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
        acl is_named-query path_beg -i /aai/search/named-query
        acl is_search-model path_beg -i /aai/search/model
        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model

        default_backend IST_Default_8447


#######################
#DEFAULT BACKEND 847###
#######################

backend IST_Default_8447
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none


#######################
# BACKEND 8446#########
#######################

backend IST_AAI_8446
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none

listen IST_AAI_STATS
        mode http
        bind *:8080
        stats uri /stats
        stats enable
        stats refresh 30s
        stats hide-version
        stats auth admin:admin
        stats show-legends
        stats show-desc IST AAI APPLICATION NODES
        stats admin if TRUE