| {{/* |
| # Copyright © 2018 Amdocs, Bell Canada, AT&T |
| # Modifications Copyright © 2023 Nordix Foundation |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| */}} |
| global |
| log /dev/log local0 |
| stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin |
| stats timeout 30s |
| # it is required else pod will not come up |
| maxconn 50000 |
| user haproxy |
| group haproxy |
| daemon |
| ################################# |
| # Default SSL material locations# |
| ################################# |
| ca-base /etc/ssl/certs |
| crt-base /etc/ssl/private |
| |
| # Default ciphers to use on SSL-enabled listening sockets. |
| # For more information, see ciphers(1SSL). This list is from: |
| # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| # An alternative list with additional directives can be obtained from |
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| tune.ssl.default-dh-param 2048 |
| |
| defaults |
| log global |
| mode http |
| option httplog |
| option ssl-hello-chk |
| option httpchk |
| http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' |
| default-server init-addr none |
| # option dontlognull |
| # errorfile 400 /etc/haproxy/errors/400.http |
| # errorfile 403 /etc/haproxy/errors/403.http |
| # errorfile 408 /etc/haproxy/errors/408.http |
| # errorfile 500 /etc/haproxy/errors/500.http |
| # errorfile 502 /etc/haproxy/errors/502.http |
| # errorfile 503 /etc/haproxy/errors/503.http |
| # errorfile 504 /etc/haproxy/errors/504.http |
| |
| option http-server-close |
| option forwardfor except 127.0.0.1 |
| retries 6 |
| option redispatch |
| maxconn 50000 |
| timeout connect 50000 |
| timeout client 480000 |
| timeout server 480000 |
| timeout http-keep-alive 30000 |
| |
| frontend stats |
| bind *:8448 |
| http-request use-service prometheus-exporter if { path /metrics } |
| stats enable |
| stats uri /stats |
| stats refresh 10s |
| |
| frontend IST_8443 |
| mode http |
| bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem |
| # log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r |
| log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" |
| option httplog |
| log global |
| option logasap |
| option forwardfor |
| capture request header Host len 100 |
| capture response header Host len 100 |
| option log-separate-errors |
| option forwardfor |
| |
| http-request set-header X-Forwarded-Proto https |
| http-request add-header X-Forwarded-Port 8443 |
| |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } |
| http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } |
| http-request set-header X-AAI-SSL %[ssl_fc] |
| http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] |
| http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] |
| http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] |
| http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] |
| http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] |
| http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] |
| http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] |
| http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] |
| http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] |
| http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] |
| http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] |
| http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] |
| ####################################### |
| ## Request blocking configuration ### |
| ####################################### |
| {{- if eq $.Values.haproxy.requestBlocking.enabled true }} |
| {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }} |
| {{ $custom_config }} |
| {{- end }} |
| {{- end }} |
| |
| ####################### |
| #ACLS FOR PORT 8446#### |
| ####################### |
| |
| acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ |
| acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ |
| acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ |
| acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ |
| acl is_named-query path_beg -i /aai/search/named-query |
| acl is_search-model path_beg -i /aai/search/model |
| use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl |
| |
| default_backend IST_Default_8447 |
| |
| |
| ####################### |
| #DEFAULT BACKEND 8447## |
| ####################### |
| |
| backend IST_Default_8447 |
| balance roundrobin |
| stick-table type string len 100 size 200k expire 2m |
| stick on path |
| http-request set-header X-Forwarded-Port %[src_port] |
| http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; |
| server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none |
| |
| |
| ####################### |
| # BACKEND 8446######### |
| ####################### |
| |
| backend IST_AAI_8446 |
| balance roundrobin |
| stick-table type string len 100 size 200k expire 2m |
| stick on path |
| http-request set-header X-Forwarded-Port %[src_port] |
| http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; |
| server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none |
| |
| listen IST_AAI_STATS |
| mode http |
| bind *:8080 |
| stats uri /stats |
| stats enable |
| stats refresh 30s |
| stats hide-version |
| stats auth admin:admin |
| stats show-legends |
| stats show-desc IST AAI APPLICATION NODES |
| stats admin if TRUE |