Add SNI support as requested in #1
This commit is contained in:
parent
276cff4373
commit
02fdf86327
4 changed files with 58 additions and 7 deletions
|
@ -9,14 +9,18 @@ haproxy_http:
|
|||
addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
|
||||
- host: 'cloud.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::5'
|
||||
- host: 'dev.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::9'
|
||||
|
||||
haproxy_https:
|
||||
haproxy_sni:
|
||||
- host: 'ccchb.de'
|
||||
addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
|
||||
- host: 'www.ccchb.de'
|
||||
addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
|
||||
- host: 'cloud.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::5'
|
||||
- host: 'dev.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::9'
|
||||
|
||||
bhyve_ipv4: 10.0.0.0
|
||||
bhyve_ipv6: 2a01:4f8:150:926f::4
|
||||
|
|
|
@ -122,8 +122,9 @@
|
|||
- defaults.cfg
|
||||
- global.cfg
|
||||
- http.cfg
|
||||
- sni.cfg
|
||||
|
||||
- name: Config HAProxy HTTP backends
|
||||
- name: Configure HAProxy HTTP backends
|
||||
template:
|
||||
dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
|
||||
src: http_host.cfg.j2
|
||||
|
@ -134,6 +135,31 @@
|
|||
- Reload HAProxy
|
||||
with_items: '{{ haproxy_http }}'
|
||||
|
||||
- name: Configure HAProxy SNI backends
|
||||
template:
|
||||
dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
|
||||
src: sni_host.cfg.j2
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: 0444
|
||||
notify:
|
||||
- Reload HAProxy
|
||||
with_items: '{{ haproxy_sni }}'
|
||||
|
||||
- name: Make sure the HTTP map exists
|
||||
command: env touch /usr/local/etc/haproxy/http.map
|
||||
args:
|
||||
creates: /usr/local/etc/haproxy/http.map
|
||||
notify:
|
||||
- Reload HAProxy
|
||||
|
||||
- name: Make sure the SNI map exists
|
||||
command: env touch /usr/local/etc/haproxy/sni.map
|
||||
args:
|
||||
creates: /usr/local/etc/haproxy/sni.map
|
||||
notify:
|
||||
- Reload HAProxy
|
||||
|
||||
- name: Enable HAProxy HTTP backends
|
||||
lineinfile:
|
||||
path: /usr/local/etc/haproxy/http.map
|
||||
|
@ -143,13 +169,14 @@
|
|||
- Reload HAProxy
|
||||
with_items: '{{ haproxy_http }}'
|
||||
|
||||
- name: Make sure the http map exists
|
||||
command: env touch /usr/local/etc/haproxy/http.map
|
||||
args:
|
||||
creates:
|
||||
/usr/local/etc/haproxy/http.map
|
||||
- name: Enable HAProxy SNI backends
|
||||
lineinfile:
|
||||
path: /usr/local/etc/haproxy/sni.map
|
||||
regex: '^{{ item.host }} '
|
||||
line: '{{ item.host }} sni_{{ item.host }}'
|
||||
notify:
|
||||
- Reload HAProxy
|
||||
with_items: '{{ haproxy_sni }}'
|
||||
|
||||
- name: Flush handlers
|
||||
meta: flush_handlers
|
||||
|
|
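Review bot: `mode: 0444` in the "Configure HAProxy SNI backends" task is an unquoted octal literal; a YAML 1.1 loader turns it into the integer 292, which still yields 0o444 here only because 0444 octal is 292, while the same form silently breaks for modes written without a leading zero, so write it as `mode: '0444'` (the "Configure HAProxy HTTP backends" task that begins before the second hunk presumably uses the same form). In "Enable HAProxy SNI backends", `item.host` is interpolated unescaped into `regex: '^{{ item.host }} '`; a dot in a hostname is a harmless wildcard for this anchored pattern, but `regex: '^{{ item.host | regex_escape }} '` makes the match exact at no cost. The two map files are created by `env touch` with whatever umask the play runs under, unlike the templated configs which get explicit `owner`/`group`/`mode`; a follow-up `file` task setting those on http.map and sni.map would keep the two kinds of files consistent. The task at the tail of the second hunk ("Enable HAProxy HTTP backends") continues past it, and the task at its head begins before it.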
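--- /dev/null
+++ b/roles/haproxy/templates/sni.cfg.j2
@@ -0,0 +1,9 @@
+frontend sni
+log global
+mode tcp
+tcp-request inspect-delay 5s
+tcp-request content accept if { req_ssl_hello_type 1 }
+
+bind ${BIND_V4}:443
+bind ${BIND_V6}:443
+use_backend %[req_ssl_sni,lower,map(/usr/local/etc/haproxy/sni.map)]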
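Review bot: When `tcp-request inspect-delay 5s` expires without a ClientHello, a connection that never matched `tcp-request content accept if { req_ssl_hello_type 1 }` is, as far as I read HAProxy's content-inspection rules, accepted by default rather than dropped, so a non-TLS client occupies a slot for five seconds and is then handed to `use_backend` with an empty SNI. Adding `tcp-request content reject if !{ req_ssl_hello_type 1 }` directly after the accept line closes such connections as soon as the delay expires. There is no `default_backend`, so a name absent from sni.map presumably results in the connection being closed; that is the right fail-closed behaviour, but it deserves a comment above the `use_backend` line such as `# no default_backend on purpose: SNI names not in sni.map are closed, never routed`. The file also lacks the `# {{ ansible_managed }}` header that sni_host.cfg.j2 in this commit carries.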
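--- /dev/null
+++ b/roles/haproxy/templates/sni_host.cfg.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+backend sni_{{ item.host }}
+mode tcp
+acl clienthello req_ssl_hello_type 1
+acl serverhello rep_ssl_hello_type 2
+tcp-request inspect-delay 5s
+tcp-request content accept if clienthello
+tcp-response content accept if serverhello
+option ssl-hello-chk
+server {{ item.host }} {{ item.addr }}:{{ item.port | default("443") }} check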
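Review bot: `tcp-response content accept if serverhello` (with `acl serverhello rep_ssl_hello_type 2`) is evaluated without a `tcp-response inspect-delay`, so if I read HAProxy's content-inspection rules correctly the ACL is tested against whatever response bytes happen to be present at that instant, and because an unmatched rule falls through to accept anyway the pair enforces nothing. Either drop the two response lines (`option ssl-hello-chk` already verifies at health-check time that the server answers with a ServerHello) or make the check real with `tcp-response inspect-delay 5s` followed by `tcp-response content reject if !serverhello`. The `tcp-request inspect-delay 5s` / `tcp-request content accept if clienthello` pair in this backend likewise only repeats what the `sni` frontend evaluated before selecting the backend, and accepts by default when it does not match. The `item.addr` values added to the vars file are bare IPv6 literals, so the rendered server line ends in `…:926f::5:443`; HAProxy presumably splits on the last colon, but writing `[{{ item.addr }}]:{{ item.port | default("443") }}` removes the ambiguity if bracketed literals are accepted by the HAProxy version deployed here.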