blob: 1accff993551d02f5eff431f31898b28ce5c19bf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
global
log /dev/log local0
stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
stats timeout 30s
daemon
#################################
# Default SSL material locations#
#################################
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
{{- if ( include "common.needTLS" .) }}
option ssl-hello-chk
{{- end }}
option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
default-server init-addr none
# option dontlognull
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http
# errorfile 500 /etc/haproxy/errors/500.http
# errorfile 502 /etc/haproxy/errors/502.http
# errorfile 503 /etc/haproxy/errors/503.http
# errorfile 504 /etc/haproxy/errors/504.http
option http-server-close
option forwardfor except 127.0.0.1
retries 6
option redispatch
maxconn 50000
timeout connect 50000
timeout client 480000
timeout server 480000
timeout http-keep-alive 30000
frontend IST_8080
mode http
bind 0.0.0.0:8080
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
log global
option logasap
option forwardfor
capture request header Host len 100
capture response header Host len 100
option log-separate-errors
option forwardfor
http-request set-header X-Forwarded-Proto http
reqadd X-Forwarded-Proto:\ http
reqadd X-Forwarded-Port:\ 8080
#######################
#ACLS FOR PORT 8446####
#######################
acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
acl is_named-query path_beg -i /aai/search/named-query
acl is_search-model path_beg -i /aai/search/model
use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
default_backend IST_Default_8447
{{- if ( include "common.needTLS" .) }}
frontend IST_8443
mode http
bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
log global
option logasap
option forwardfor
capture request header Host len 100
capture response header Host len 100
option log-separate-errors
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
http-request set-header X-AAI-SSL %[ssl_fc]
http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
#######################################
## Request blocking configuration ###
#######################################
{{- if eq $.Values.haproxy.requestBlocking.enabled true }}
{{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
{{ $custom_config }}
{{- end }}
{{- end }}
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 8443
{{- end }}
#######################
#ACLS FOR PORT 8446####
#######################
acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
acl is_named-query path_beg -i /aai/search/named-query
acl is_search-model path_beg -i /aai/search/model
use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
default_backend IST_Default_8447
#######################
#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
{{- if ( include "common.needTLS" .) }}
server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
{{- else }}
server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
{{- end }}
#######################
# BACKEND 8446#########
#######################
backend IST_AAI_8446
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
{{- if ( include "common.needTLS" .) }}
server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
{{- else }}
server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
{{- end }}
|
