ISTI-ansible-roles
/
ansible-role-docker-swarm
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

haproxy.cfg: add support for tcp services.

This commit is contained in:
Andrea Dell'Amico 2022-02-02 16:54:32 +01:00
parent 1922304172
commit 5fe2f1f535
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
1 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
templates/haproxy.cfg.j2
View File

@ -106,7 +106,7 @@ frontend http
{% if docker_swarm_expose_api_via_haproxy %}
frontend docker_ft
{% if docker_swarm_haproxy_plain_http_api: %}
{% if docker_swarm_haproxy_plain_http_api %}
bind :{{ docker_swarm_haproxy_swarm_port }} {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
{% else %}
bind :{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
@ -115,9 +115,11 @@ frontend docker_ft
mode http
acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
# acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
# http-request deny if swarm_api !swarm_api_allowed_nets
http-request deny if swarm_api !swarm_api_allowed_nets
# The following variables must be set in the haproxy docker file
# http-request deny unless METH_GET || { env(POST) -m bool }
# http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
# http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
@ -155,6 +157,20 @@ frontend shinyproxy_metrics
default_backend shinyproxy_metrics_bck
{% endif %}
{% for srv in docker_swarm_haproxy_additional_services %}
{% if srv.mode is defined and srv.mode == 'tcp' %}
frontend {{ srv.acl_name }}
bind: {{ srv.service_port }}
mode {{ srv.mode }}
{% if srv.allowed_networks is defined %}
acl {{ srv.acl_name }}_nets src {% for net in srv.allowed_networks %} {{ net }}{% endfor %}
tcp-request connection reject if {{ srv.acl_name }} !{{ srv.acl_name }}_nets
{% endif %}
use_backend {{ srv.acl_name }}_bck
{% endif %}
{% endfor %}
#
# Backends
#
@ -183,6 +199,12 @@ backend portainer_bck
{% for srv in docker_swarm_haproxy_additional_services %}
backend {{ srv.acl_name }}_bck
{% if srv.mode is defined and srv.mode == 'tcp' %}
mode tcp
balance {{ srv.balance_type | default('roundrobin') }}
server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.stack_name }}_{{ srv.service_name }}:{{ srv.service_port }} resolvers docker init-addr libc,none
{% else %}
mode http
option httpchk
balance {{ srv.balance_type | default('roundrobin') }}
@ -201,3 +223,5 @@ backend {{ srv.acl_name }}_bck
{% endif %}
server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.stack_name }}_{{ srv.service_name }}:{{ srv.service_port }} {{ srv.backend_options | default('') }} {% if srv.http_check_enabled is defined and srv.http_check_enabled %}check {{ srv.check_options | default('') }}{% endif %} resolvers docker init-addr libc,none
{% endfor %}
{% endif %}