Sylvain Desbureaux | 7007041 | 2020-11-09 21:58:48 +0100 | [diff] [blame] | 1 | # Copyright © 2018 Amdocs, Bell Canada, AT&T |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
| 15 | global |
| 16 | log /dev/log local0 |
| 17 | stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin |
| 18 | stats timeout 30s |
| 19 | user root |
| 20 | group root |
| 21 | daemon |
| 22 | ################################# |
| 23 | # Default SSL material locations# |
| 24 | ################################# |
| 25 | ca-base /etc/ssl/certs |
| 26 | crt-base /etc/ssl/private |
| 27 | |
| 28 | # Default ciphers to use on SSL-enabled listening sockets. |
| 29 | # For more information, see ciphers(1SSL). This list is from: |
| 30 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 31 | # An alternative list with additional directives can be obtained from |
| 32 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 33 | tune.ssl.default-dh-param 2048 |
| 34 | |
| 35 | defaults |
| 36 | log global |
| 37 | mode http |
| 38 | option httplog |
| 39 | option ssl-hello-chk |
| 40 | option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== |
| 41 | default-server init-addr none |
| 42 | # option dontlognull |
| 43 | # errorfile 400 /etc/haproxy/errors/400.http |
| 44 | # errorfile 403 /etc/haproxy/errors/403.http |
| 45 | # errorfile 408 /etc/haproxy/errors/408.http |
| 46 | # errorfile 500 /etc/haproxy/errors/500.http |
| 47 | # errorfile 502 /etc/haproxy/errors/502.http |
| 48 | # errorfile 503 /etc/haproxy/errors/503.http |
| 49 | # errorfile 504 /etc/haproxy/errors/504.http |
| 50 | |
| 51 | option http-server-close |
| 52 | option forwardfor except 127.0.0.1 |
| 53 | retries 6 |
| 54 | option redispatch |
| 55 | maxconn 50000 |
| 56 | timeout connect 50000 |
| 57 | timeout client 480000 |
| 58 | timeout server 480000 |
| 59 | timeout http-keep-alive 30000 |
| 60 | |
| 61 | |
| 62 | frontend IST_8443 |
| 63 | mode http |
| 64 | bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem |
| 65 | # log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r |
| 66 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" |
| 67 | option httplog |
| 68 | log global |
| 69 | option logasap |
| 70 | option forwardfor |
| 71 | capture request header Host len 100 |
| 72 | capture response header Host len 100 |
| 73 | option log-separate-errors |
| 74 | option forwardfor |
| 75 | http-request set-header X-Forwarded-Proto https if { ssl_fc } |
| 76 | http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } |
| 77 | http-request set-header X-AAI-SSL %[ssl_fc] |
| 78 | http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] |
| 79 | http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] |
| 80 | http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] |
| 81 | http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] |
| 82 | http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] |
| 83 | http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] |
| 84 | http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] |
| 85 | http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] |
| 86 | http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] |
| 87 | http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] |
| 88 | http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] |
| 89 | http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] |
| 90 | reqadd X-Forwarded-Proto:\ https |
| 91 | reqadd X-Forwarded-Port:\ 8443 |
| 92 | |
| 93 | ####################### |
| 94 | #ACLS FOR PORT 8446#### |
| 95 | ####################### |
| 96 | |
| 97 | acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ |
| 98 | acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ |
| 99 | acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ |
| 100 | acl is_named-query path_beg -i /aai/search/named-query |
| 101 | acl is_search-model path_beg -i /aai/search/model |
| 102 | use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model |
| 103 | |
| 104 | default_backend IST_Default_8447 |
| 105 | |
| 106 | |
| 107 | ####################### |
| 108 | #DEFAULT BACKEND 847### |
| 109 | ####################### |
| 110 | |
| 111 | backend IST_Default_8447 |
| 112 | balance roundrobin |
| 113 | http-request set-header X-Forwarded-Port %[src_port] |
| 114 | http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; |
| 115 | server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none |
| 116 | |
| 117 | |
| 118 | ####################### |
| 119 | # BACKEND 8446######### |
| 120 | ####################### |
| 121 | |
| 122 | backend IST_AAI_8446 |
| 123 | balance roundrobin |
| 124 | http-request set-header X-Forwarded-Port %[src_port] |
| 125 | http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; |
| 126 | server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none |
| 127 | |
| 128 | listen IST_AAI_STATS |
| 129 | mode http |
| 130 | bind *:8080 |
| 131 | stats uri /stats |
| 132 | stats enable |
| 133 | stats refresh 30s |
| 134 | stats hide-version |
| 135 | stats auth admin:admin |
| 136 | stats show-legends |
| 137 | stats show-desc IST AAI APPLICATION NODES |
| 138 | stats admin if TRUE |