roles/dch-proxy: Deploy reverse HTTP/HTTPS proxy

The *dch-proxy* role sets up HAProxy to provide a revers proxy for all public-facing web services on the Pyrocufflink network. It uses the TLS Server Name Indication (SNI) extension to determine the proper backend server based on the name requested by the client. For now, only Gitea is configured; the name *git.pyrocufflink.blue* is proxied to *git0.pyrocufflink.blue*. All other names are proxied to Myala.
2018-06-12 21:49:03 -05:00 · 2018-06-12 21:49:03 -05:00 · c5fe4a66aa
parent 235468a71c
commit c5fe4a66aa
5 changed files with 53 additions and 0 deletions
--- a/roles/dch-proxy/meta/main.yml
+++ b/roles/dch-proxy/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+- haproxy
--- a/roles/dch-proxy/tasks/main.yml
+++ b/roles/dch-proxy/tasks/main.yml
@ -0,0 +1,20 @@
+- name: ensure main haproxy frontend is configured
+  template:
+    src=frontend-main.haproxy.cfg.j2
+    dest=/etc/haproxy/50-frontend-main.cfg
+    mode=0644
+  notify: reload haproxy
+
+- name: ensure default haproxy backend is configured
+  template:
+    src=backend-myala.haproxy.cfg.j2
+    dest=/etc/haproxy/70-backend-myala.cfg
+    mode=0644
+  notify: reload haproxy
+
+- name: ensure gitea haproxy backend is configured
+  template:
+    src=backend-gitea.haproxy.cfg.j2
+    dest=/etc/haproxy/70-backend-gitea.cfg
+    mode=0644
+  notify: reload haproxy
--- a/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
@ -0,0 +1,7 @@
+backend gitea
+    server gitea git0.pyrocufflink.blue:80 check
+
+
+backend gitea-tls
+    mode tcp
+    server gitea git0.pyrocufflink.blue:443 check
--- a/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
@ -0,0 +1,7 @@
+backend myala
+    server myala myala.pyrocufflink.jazz:80 check
+
+
+backend myala-tls
+    mode tcp
+    server myala myala.pyrocufflink.jazz:443 check
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
@ -0,0 +1,17 @@
+frontend main
+    bind :::80
+
+    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+    default_backend myala
+
+
+frontend main-tls
+    bind :::443
+    mode tcp
+    option tcplog
+
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.blue }
+    default_backend myala-tls