openstack/openstack-ansible
Code Issues Proposed changes
b250e3b028
openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
Dmitriy Rabotyagov f4be49b6fe Replace deprecated httpchk with send 
We have replaced httpchk in previous patch [1] while missing to cover
RGW with the change.

[1] https://review.opendev.org/c/openstack/openstack-ansible/+/887285

Change-Id: If642af90f433c3ed02eee5a556d4eaffa3f50a22
2023-10-26 12:09:31 +02:00

129 lines
6.9 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_bind_on_non_local: "{{ (groups.haproxy | length) > 1 }}"
haproxy_use_keepalived: "{{ (groups.haproxy | length) > 1 }}"
keepalived_selinux_compile_rules:
- keepalived_ping
- keepalived_haproxy_pid_file
haproxy_ssl_letsencrypt_enable: false
haproxy_ssl_letsencrypt_acl:
letsencrypt-acl:
rule: "path_beg /.well-known/acme-challenge/"
backend_name: letsencrypt
# Ensure that the package state matches the global setting
haproxy_package_state: "{{ package_state }}"
# Variables to set security headers used by browsers
haproxy_security_headers_max_age: 31536000
# Set CSP headers to report only for testing
haproxy_security_headers_csp_report_only: False
haproxy_security_headers_csp: >
http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
default-src 'self';
frame-ancestors 'self';
form-action 'self';
upgrade-insecure-requests;
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }};
img-src 'self' data:;
worker-src blob:;
"
# To disable security headers set to []
haproxy_security_headers:
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""
- 'http-response set-header X-Content-Type-Options "nosniff"'
- 'http-response set-header Referrer-Policy "same-origin"'
- 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"'
haproxy_security_txt_service:
haproxy_backend_only: true
haproxy_service_name: security_txt
haproxy_backend_nodes: []
haproxy_balance_type: http
haproxy_service_enabled: "{{ haproxy_security_txt_content is truthy }}"
# https://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/
haproxy_backend_arguments:
- 'errorfile 503 /etc/haproxy/security.txt'
haproxy_map_entries:
- name: base_regex
entries:
- '.*/security.txt security_txt-back'
# haproxy 'base' frontend-only service that is used always deployed for port 80 redirect and 443
# this potentially supports horizon dashboard, security.txt and certbot
# plus any other user defined custom backend
haproxy_base_service:
haproxy_service_name: base
haproxy_frontend_only: true
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: true
haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"
haproxy_redirect_http_port: 80
haproxy_balance_type: http
haproxy_service_enabled: true
haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}"
haproxy_maps:
- 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'
haproxy_map_entries:
- name: base_regex
entries:
- "#Regular expression map file - this comment is defined in the base frontend config"
# Handles LetsEncrypt HTTP-01 challenge
haproxy_letsencrypt_service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1
backend_fall: 5
interval: 4000
haproxy_bind:
- 127.0.0.1
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
haproxy_balance_type: http
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
# RGW backend is defined here as it might be referring to an external ceph cluster via 'ceph_rgws'
haproxy_ceph_rgw_service:
haproxy_service_name: ceph-rgw
haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: "{{ radosgw_service_port | default(7980) }}"
haproxy_balance_type: http
haproxy_backend_httpcheck_options:
- send meth HEAD
- expect rstatus 200|405
# `openstack_service_backend_ssl` is not taken into account if ceph is installed independently.
haproxy_backend_ssl: "{{ ceph_rgw_backend_ssl | default((groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(openstack_service_backend_ssl, False)) }}"
haproxy_backend_ca: "{{ ceph_rgw_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_accept_both_protocols: "{{ ceph_rgw_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
haproxy_default_services:
- "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
- "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
- "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
- "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
View Git Blame Copy Permalink