blob: 6e7acef17f56a2ec52783083730a05e29d7e1b85 [file] [log] [blame]
Sylvain Desbureaux47eb4d22020-12-10 12:15:27 +01001{{/*
Sylvain Desbureaux70070412020-11-09 21:58:48 +01002# Copyright © 2018 Amdocs, Bell Canada, AT&T
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
Sylvain Desbureaux47eb4d22020-12-10 12:15:27 +010015*/}}
Sylvain Desbureaux70070412020-11-09 21:58:48 +010016global
17 log /dev/log local0
18 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
19 stats timeout 30s
20 user root
21 group root
22 daemon
23 #################################
24 # Default SSL material locations#
25 #################################
26 ca-base /etc/ssl/certs
27 crt-base /etc/ssl/private
28
29 # Default ciphers to use on SSL-enabled listening sockets.
30 # For more information, see ciphers(1SSL). This list is from:
31 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
32 # An alternative list with additional directives can be obtained from
33 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
34 tune.ssl.default-dh-param 2048
35
36defaults
37 log global
38 mode http
39 option httplog
40 option ssl-hello-chk
41 option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
42 default-server init-addr none
43# option dontlognull
44# errorfile 400 /etc/haproxy/errors/400.http
45# errorfile 403 /etc/haproxy/errors/403.http
46# errorfile 408 /etc/haproxy/errors/408.http
47# errorfile 500 /etc/haproxy/errors/500.http
48# errorfile 502 /etc/haproxy/errors/502.http
49# errorfile 503 /etc/haproxy/errors/503.http
50# errorfile 504 /etc/haproxy/errors/504.http
51
52 option http-server-close
53 option forwardfor except 127.0.0.1
54 retries 6
55 option redispatch
56 maxconn 50000
57 timeout connect 50000
58 timeout client 480000
59 timeout server 480000
60 timeout http-keep-alive 30000
61
62
63frontend IST_8443
64 mode http
Sylvain Desbureaux87f49af2020-12-15 11:56:51 +010065 bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
Sylvain Desbureaux70070412020-11-09 21:58:48 +010066# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
67 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
68 option httplog
69 log global
70 option logasap
71 option forwardfor
72 capture request header Host len 100
73 capture response header Host len 100
74 option log-separate-errors
75 option forwardfor
76 http-request set-header X-Forwarded-Proto https if { ssl_fc }
77 http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
78 http-request set-header X-AAI-SSL %[ssl_fc]
79 http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
80 http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
81 http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
82 http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
83 http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
84 http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
85 http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
86 http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
87 http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
88 http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
89 http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
90 http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
Suresh Charanc1aa7582022-01-31 06:25:37 -050091#######################################
92## Request blocking configuration ###
93#######################################
94 {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
95 {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
96 {{ $custom_config }}
97 {{- end }}
98 {{- end }}
99
Sylvain Desbureaux70070412020-11-09 21:58:48 +0100100 reqadd X-Forwarded-Proto:\ https
101 reqadd X-Forwarded-Port:\ 8443
102
103#######################
104#ACLS FOR PORT 8446####
105#######################
106
107 acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
108 acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
109 acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
110 acl is_named-query path_beg -i /aai/search/named-query
111 acl is_search-model path_beg -i /aai/search/model
112 use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
113
114 default_backend IST_Default_8447
115
116
117#######################
osk1146127fd7d82021-06-18 00:51:17 +0200118#DEFAULT BACKEND 8447##
Sylvain Desbureaux70070412020-11-09 21:58:48 +0100119#######################
120
121backend IST_Default_8447
122 balance roundrobin
123 http-request set-header X-Forwarded-Port %[src_port]
124 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
125 server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
126
127
128#######################
129# BACKEND 8446#########
130#######################
131
132backend IST_AAI_8446
133 balance roundrobin
134 http-request set-header X-Forwarded-Port %[src_port]
135 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
136 server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
137
138listen IST_AAI_STATS
139 mode http
140 bind *:8080
141 stats uri /stats
142 stats enable
143 stats refresh 30s
144 stats hide-version
145 stats auth admin:admin
146 stats show-legends
147 stats show-desc IST AAI APPLICATION NODES
148 stats admin if TRUE