diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9e6d869
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+.claude/
+*.retry
+*.pyc
+__pycache__/
+.vagrant/
+*.log
+.DS_Store
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..46a6978
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,102 @@ +# Changelog + +## v1.0.0 + +Modernize for current platforms and haproxy versions: + +- Drop CentOS 6 and 7 support +- Add Amazon Linux 2023, AlmaLinux 9 and 10 support +- Support haproxy 2.8 (alma9) and 3.0 (al2023, alma10) +- Update Ansible syntax to 2.10+ (FQCN, dnf module, loop) +- Add TLSv1.3 ciphersuite support +- Replace deprecated reqadd with http_request_rules +- Replace external haproxy_exporter with native Prometheus exporter (`haproxy_prometheus_enabled`, `haproxy_prometheus_port`) + +## v0.5.0 + +Support haproxy_exporter for Prometheus + +## v0.4.0 + +- Move Graylog logging to UDP +- Correct issues with Graylog logging + +## v0.3.0 + +Support custom server options for backends + +## v0.2.0 + +- Fixes for haproxy RPM +- Support Graylog exports via syslog + +## v0.1.3 + +Support https redirect on frontends + +## v0.1.2 + +Remove deprecation warnings + +## v0.1.1 + +Syntax fixes. + +## v0.1.0 + +- Added a veryhigh tls level +- Updated medium cipher lists to remove weak ciphers +- Refactored all cipher lists to use a more modern, dynamic string +- Added support for two vars to override the cipher list or tls protocols regardless of the tls level + - haproxy_ciphers + - haproxy_ssllist +- Update rsyslog configuration file to remove the stop verb in favor of the ~ action for wider compatibility + +## v0.0.11 + +Made the medium cipher set more strict than the low cipher set. Previously, they were +the same. + +## v0.0.10 + +Add rsyslog support. Because rsyslog does not listen on UDP by default, at the moment this will set the listener +and then redirect logs to /var/log/haproxy. In the future, we may want to make the listener be optional. + +## v0.0.9 + +Reconfigure SSL settings to use one of low,med,high, defaulting to low. 
+ +Removed vars: +- haproxy_enable_strict_tls +- haproxy_enable_reallystrict_tls + +Added vars: +- haproxy_tls_level + +## v0.0.8 + +Added more stringent SSL settings + +## v0.0.7 + +Fixed ACL enforcement issue + +## v0.0.6 + +Fixed "check" command when cookie validation isn't enabled + +## v0.0.5 + +Added support for back-end mode + +## v0.0.3 + +Added support for generic frontend block rules defined as a list + +## v0.0.2 + +Substantial changes to add additional capabilities from other projects. May not be compatible with previous version. + +## v0.0.1 + +Initial Commit - working version diff --git a/README.md b/README.md index 95416bf..41479bc 100644 --- a/README.md +++ b/README.md @@ -6,10 +6,43 @@ Ansible Role for HAProxy. Requirements ------------ -This role require Ansible 2.0 or higher. +This role requires Ansible 2.10 or higher. -This role was designed for CentOS 6.x or CentOS 7.x +This role supports: +- Amazon Linux 2023 (haproxy 3.0) +- AlmaLinux 9 (haproxy 2.8) +- AlmaLinux 10 (haproxy 3.0) Role Variables -------------- +See `defaults/main.yml` for available variables. + +Breaking Changes +---------------- + +### v1.0.0 + +- Dropped CentOS 6 and 7 support +- Replaced `yum` module with `ansible.builtin.dnf` +- The `reqadd` frontend option has been removed (deprecated in haproxy 2.1+). Use `http_request_rules` instead: + + Before: + ```yaml + haproxy_frontends: + - name: web + reqadd: + - "X-Forwarded-Proto:\\ https" + ``` + + After: + ```yaml + haproxy_frontends: + - name: web + http_request_rules: + - "add-header X-Forwarded-Proto https" + ``` + +- TLS configuration now includes TLSv1.3 ciphersuites (`ssl-default-bind-ciphersuites`) +- TLS options use `ssl-min-ver` syntax instead of `no-tlsv1x` flags +- Replaced external haproxy_exporter with native Prometheus exporter (`haproxy_prometheus_enabled`, `haproxy_prometheus_port`) diff --git a/VERSION.md b/VERSION.md deleted file mode 100644 index 030a735..0000000 --- a/VERSION.md +++ /dev/null 
@@ -1,61 +0,0 @@ - -v0.1.1 ---------------------------- -Syntax fixes. - -v0.1.0 ---------------------------- -Added a veryhigh tls level -Updated medium cipher lists to remove weak ciphers -Refactored all cipher lists to use a more modern, dynamic string per https://medium.com/@davetempleton/tls-configuration-cipher-suites-and-protocols-a01ee7005778 -Added support for two vars to override the cipher list or tls protocols regardless of the tls level - - haproxy_ciphers - - haproxy_ssllist -Update rsyslog configuration file to remove the stop verb in favor of the ~ action for wider compatibility - -v0.0.11 ---------------------------- -Made the medium cipher set more strict than the low cipher set. Previously, they were -the same. - -v0.0.10 ---------------------------- -Add rsyslog support. Because rsyslog does not listen on UDP By default, at the moment this will set the listener -and then redirect logs to /var/log/haproxy. In the future, we may want to make the listener be optional. - -v0.0.9 ---------------------------- -Reconfigure SSL settings to use one of low,med,high, defaulting to low. -This release removed the following vars: - - haproxy_enable_strict_tls - - haproxy_enable_reallystrict_tls -This release added the following var: - - haproxy_tls_level - -v0.0.8 ---------------------------- -Added more stringent SSL settings - -v0.0.7 ---------------------------- -Fixed ACL enforcement issue - -v0.0.6 ---------------------------- -Fixed "check" command when cookie validation isn't enabled - -v0.0.5 ---------------------------- -Added support for back-end mode - -v0.0.3 ---------------------------- -Added support for generic frontend block rules defined as a list - -v0.0.2 ---------------------------- -Substantial changes to add additional capabilities from other projects. May not be compatible with previous version. - -v0.0.1 ---------------------------- -Initial Commit - working version 
diff --git a/defaults/main.yml b/defaults/main.yml index 66eed8a..a75a1e2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,7 +12,6 @@ haproxy_listen_port: 80 haproxy_socket_options: - # TLS levels derived from https://medium.com/@davetempleton/tls-configuration-cipher-suites-and-protocols-a01ee7005778 # low is super-compatible but enables weaker ciphers to support IE8/XP. Should be avoided, particularly with SNI # med is conservative, widely compatible, and secure. meets BOD18-01 @@ -23,6 +22,7 @@ haproxy_socket_options: # specific cipher / ssl lists can be provided using the following undefined vars: # # haproxy_ciphers +# haproxy_ciphersuites (TLSv1.3) # haproxy_ssllist # haproxy_tls_level: 'med' @@ -31,14 +31,10 @@ haproxy_ssl_certs: [] # Configure rsyslog udp logging and redirect logs to /var/log/haproxy haproxy_enable_syslog: false -haproxy_use_graylog_json_logging: false -haproxy_graylog_server: -haproxy_graylog_server_port: - -# Prometheus exporter support for haproxy v1.8 -haproxy_external_exporter_enabled: false -haproxy_exporter_download_url: https://github.com/prometheus/haproxy_exporter/releases/download/v0.12.0/haproxy_exporter-0.12.0.linux-amd64.tar.gz -haproxy_exporter_listen_port: 9101 -haproxy_exporter_stats_user: admin -haproxy_exporter_stats_password: password -haproxy_exporter_scrape_uri: "http://{{ haproxy_exporter_stats_user }}:{{ haproxy_exporter_stats_password }}@localhost:1936/haproxy?stats;csv" +haproxy_use_json_logging: false +haproxy_log_forward_server: +haproxy_log_forward_server_port: + +# Native Prometheus exporter (haproxy 2.x+) +haproxy_prometheus_enabled: false +haproxy_prometheus_port: 8405 diff --git a/handlers/main.yml b/handlers/main.yml index ea271cf..0b6d16d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
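Review bot: `haproxy_log_forward_server` and `haproxy_log_forward_server_port` get null defaults, but nothing in the role validates them, so enabling `haproxy_use_json_logging` without setting both likely renders the rsyslog `omfwd` action with an empty or literal `None` target instead of failing the play. I'd document the requirement next to the defaults, `# Required when haproxy_use_json_logging is true`, and back it with an `ansible.builtin.assert` task in tasks/main.yml. The `haproxy_prometheus_port` default also deserves a caveat, since the template binds the exporter on every interface with no authentication: `# Exporter binds *:<port> with no auth; firewall it or set a loopback bind`. Exposing a bind-address variable (for example `haproxy_prometheus_bind: 127.0.0.1`) would give a safe default instead of relying on the operator to read that comment.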
@@ -1,14 +1,15 @@ --- -# handlers for the haproxy role - name: restart haproxy - service: name=haproxy state=restarted + ansible.builtin.service: + name: haproxy + state: restarted - name: reload haproxy - service: name=haproxy state=reloaded + ansible.builtin.service: + name: haproxy + state: reloaded - name: restart rsyslog-haproxy - service: name=rsyslog state=restarted - -- name: reload systemd - systemd: - daemon_reload: yes + ansible.builtin.service: + name: rsyslog + state: restarted diff --git a/meta/main.yml b/meta/main.yml index 0cc9a36..3950100 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,10 +5,13 @@ galaxy_info: description: Ansible Role for HAProxy company: Rhythmic Technologies, Inc. license: Proprietary - min_ansible_version: 2.0 + min_ansible_version: "2.10" platforms: - - name: CentOS + - name: Amazon versions: - - "6" - - "7" + - "2023" + - name: EL + versions: + - "9" + - "10" dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index b90f6bd..ff55dbc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,98 +1,69 @@ --- -- name: ensure the haproxy packages are installed - yum: name="{{ haproxy_packages | default([]) }}" state=present +- name: Ensure the haproxy packages are installed + ansible.builtin.dnf: + name: "{{ haproxy_packages | default([]) }}" + state: present tags: ['haproxy'] -- name: ensure ssl certificates are in place - copy: +- name: Ensure ssl certificates are in place + ansible.builtin.copy: content: "{{ item.cert }}\n{{ item.key }}\n{{ item.chain }}" dest: "/etc/pki/tls/private/{{ item.name }}.pem" owner: root group: root - mode: 0640 - with_items: "{{ haproxy_ssl_certs }}" + mode: "0640" + loop: "{{ haproxy_ssl_certs }}" tags: ['haproxy', 'certificates'] -- name: ensure the haproxy config is in place - template: +- name: Ensure the haproxy config is in place + ansible.builtin.template: src: etc.haproxy.haproxy.cfg.j2 dest: /etc/haproxy/haproxy.cfg owner: root group: root - mode: 0640 + mode: "0640" notify: restart haproxy tags: ['haproxy'] -- name: ensure the haproxy rsyslog config is in place - template: - src: "EL{{ ansible_distribution_major_version}}.etc.rsyslog.d.49-haproxy.conf.j2" +- name: Ensure the haproxy rsyslog config is in place + ansible.builtin.template: + src: etc.rsyslog.d.49-haproxy.conf.j2 dest: /etc/rsyslog.d/49-haproxy.conf owner: root group: root - mode: 0640 + mode: "0640" when: haproxy_enable_syslog notify: restart rsyslog-haproxy tags: ['haproxy'] -- name: ensure user agent block files are in place - template: +- name: Ensure user agent block files are in place + ansible.builtin.template: src: etc.haproxy.ua-abuser.lst.j2 dest: /etc/haproxy/{{ item.name }}-ua-abuser.lst owner: root group: root - mode: 0640 + mode: "0640" notify: reload haproxy - when: item.block_user_agent|default(false) - with_items: "{{ haproxy_frontends }}" + when: item.block_user_agent | default(false) + loop: "{{ haproxy_frontends }}" tags: ['haproxy'] -- name: ensure ip address block files are in place - template: +- name: Ensure ip address 
block files are in place + ansible.builtin.template: src: etc.haproxy.ip-abuser.lst.j2 dest: /etc/haproxy/{{ item.name }}-ip-abuser.lst owner: root group: root - mode: 0640 + mode: "0640" notify: reload haproxy - when: item.block_ip_address|default(false) - with_items: "{{ haproxy_frontends }}" + when: item.block_ip_address | default(false) + loop: "{{ haproxy_frontends }}" tags: ['haproxy'] -- name: ensure haproxy is running and enabled - service: name=haproxy state=started enabled=true - tags: ['haproxy'] - -- name: unpack haproxy_exporter - unarchive: - src: "{{ haproxy_exporter_download_url }}" - dest: /usr/local/bin - mode: 0755 - owner: root - group: root - remote_src: yes - extra_opts: - - '--strip-components=1' - - '*/haproxy_exporter' - creates: /usr/local/bin/haproxy_exporter - when: haproxy_external_exporter_enabled - tags: ['haproxy'] - -- name: place haproxy_exporter unit file - template: - src: etc.systemd.system.haproxy_exporter.service.j2 - dest: /etc/systemd/system/haproxy_exporter.service - owner: root - group: root - mode: 0644 - notify: reload systemd - when: haproxy_external_exporter_enabled - tags: ['haproxy'] - -- name: enable haproxy_exporter service - service: - name: haproxy_exporter - enabled: true +- name: Ensure haproxy is running and enabled + ansible.builtin.service: + name: haproxy state: started - when: haproxy_external_exporter_enabled + enabled: true tags: ['haproxy'] - \ No newline at end of file + diff --git a/templates/EL6.etc.rsyslog.d.49-haproxy.conf.j2 b/templates/EL6.etc.rsyslog.d.49-haproxy.conf.j2 deleted file mode 100644 index 8643feb..0000000 --- a/templates/EL6.etc.rsyslog.d.49-haproxy.conf.j2 +++ /dev/null 
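Review bot: The `Ensure ssl certificates are in place` task puts `item.key` into `content:` with no `no_log: true`, so a run with `--diff` or `-vvv` prints the private key to the console and to whatever collects Ansible output; add `no_log: true` to that task. The same task has no `notify:`, which means a rotated certificate in `haproxy_ssl_certs` lands on disk but haproxy keeps serving the old one until some other change restarts it; `notify: reload haproxy` closes that gap. Separately, `name: "{{ haproxy_packages | default([]) }}"` either errors inside dnf or installs nothing when the variable is undefined, and the role then carries on to template a config for a package that is not there; presumably `haproxy_packages` is set per platform elsewhere in the role, but an `assert` that it is non-empty would fail loudly rather than late.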
@@ -1,18 +0,0 @@ -# {{ ansible_managed }} -$ModLoad imudp -$UDPServerAddress 127.0.0.1 -$UDPServerRun 514 - -$template HAProxy,"%TIMESTAMP% %syslogseverity-text:::UPPERCASE%: %msg%\n" -$template HAProxyAccess,"%msg%\n" - -{% if haproxy_use_graylog_json_logging %} -$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\$" -local2.=info -/var/log/haproxy/access.log;HAProxy -local2.=info @{{ haproxy_graylog_server|trim }}:{{ haproxy_graylog_server_port }};GRAYLOGRFC5424 ~ -{% else %} -local2.=info /var/log/haproxy/access.log;HAProxyAccess -{% endif %} -local2.error /var/log/haproxy/error.log;HAProxy -local2.=notice;local2.=warning /var/log/haproxy/status.log -& ~ \ No newline at end of file diff --git a/templates/etc.haproxy.haproxy.cfg.j2 b/templates/etc.haproxy.haproxy.cfg.j2 index 9f069a0..6b96368 100644 --- a/templates/etc.haproxy.haproxy.cfg.j2 +++ b/templates/etc.haproxy.haproxy.cfg.j2 
@@ -15,19 +15,24 @@ global {% if haproxy_tls_level == 'veryhigh' %} {% set haproxy_default_ciphers = "ECDHE+AES:@STRENGTH" %} -{% set haproxy_default_ssllist = "no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets" %} +{% set haproxy_default_ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" %} +{% set haproxy_default_ssllist = "ssl-min-ver TLSv1.2 no-tls-tickets" %} {% elif haproxy_tls_level == 'high' %} {% set haproxy_default_ciphers = "EECDH+AES:@STRENGTH:+AES256" %} -{% set haproxy_default_ssllist = "no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets" %} +{% set haproxy_default_ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256" %} +{% set haproxy_default_ssllist = "ssl-min-ver TLSv1.2 no-tls-tickets" %} {% elif haproxy_tls_level == 'med' %} {% set haproxy_default_ciphers = "EECDH+AES:@STRENGTH:+AES256" %} -{% set haproxy_default_ssllist = "no-sslv3 no-tlsv10" %} +{% set haproxy_default_ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256" %} +{% set haproxy_default_ssllist = "ssl-min-ver TLSv1.2" %} {% elif haproxy_tls_level == 'low' %} -{% set haproxy_default_ciphers = "EECDH+AES:DHE+AES:@STRENGTH:+AES256:kRSA+3DES" %} -{% set haproxy_default_ssllist = "no-sslv3" %} +{% set haproxy_default_ciphers = "EECDH+AES:DHE+AES:@STRENGTH:+AES256" %} +{% set haproxy_default_ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256" %} +{% set haproxy_default_ssllist = "ssl-min-ver TLSv1.0" %} {% endif %} ssl-default-bind-ciphers {{ haproxy_ciphers | default(haproxy_default_ciphers) }} + ssl-default-bind-ciphersuites {{ haproxy_ciphersuites | default(haproxy_default_ciphersuites) }} ssl-default-bind-options {{ haproxy_ssllist | default(haproxy_default_ssllist) }} tune.ssl.default-dh-param 4096 
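Review bot: The `low` level now sets `ssl-min-ver TLSv1.0`, but the platforms this release targets (AL2023, EL9/EL10) ship haproxy against OpenSSL 3.x, where TLS 1.0 and 1.1 are refused at the default security level as far as I know, so this setting probably does not deliver the legacy compatibility it implies while still reading as if TLS 1.0 is permitted. Either document that in the template, `{# low: TLS 1.0/1.1 are blocked by the OpenSSL 3 default seclevel on the supported platforms; effective floor is TLS 1.2 unless @SECLEVEL is lowered in haproxy_ciphers #}`, or raise the floor to `ssl-min-ver TLSv1.2` and drop the pretence. Worth a note too that `low` and `med` still omit `no-tls-tickets`, so session-ticket keys are not rotated unless `tune.ssl.ticket-keys` or a key file is configured outside this template; that is pre-existing, but the rewritten option strings are the natural place to say so. Consider whether `veryhigh` should use `ssl-min-ver TLSv1.3` now that ciphersuites are set explicitly; I would hedge that on the clients you still need to support.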
@@ -38,7 +43,7 @@ global defaults mode http log global -{% if haproxy_use_graylog_json_logging %} +{% if haproxy_use_json_logging %} log-format {"haproxy_clientIP":"%ci","haproxy_clientPort":"%cp","haproxy_dateTime":"%t","haproxy_frontendNameTransport":"%ft","haproxy_backend":"%b","haproxy_serverName":"%s","haproxy_Tw":"%Tw","haproxy_Tc":"%Tc","haproxy_Tt":"%Tt","haproxy_bytesRead":"%B","haproxy_terminationState":"%ts","haproxy_actconn":%ac,"haproxy_FrontendCurrentConn":%fc,"haproxy_backendCurrentConn":%bc,"haproxy_serverConcurrentConn":%sc,"haproxy_retries":%rc,"haproxy_srvQueue":%sq,"haproxy_backendQueue":%bq,"haproxy_backendSourceIP":"%bi","haproxy_backendSourcePort":"%bp","haproxy_statusCode":"%ST","haproxy_serverIP":"%si","haproxy_serverPort":"%sp","haproxy_frontendIP":"%fi","haproxy_frontendPort":"%fp","haproxy_capturedRequestHeaders":"%hr","haproxy_httpRequest":"%r"} {% else %} option httplog 
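Review bot: The JSON `log-format` guarded by the renamed `haproxy_use_json_logging` flag embeds `%r` and `%hr` as bare strings, so a request line or captured header containing `"` or `\` produces a malformed record or lets a client inject fields into the log document that a SIEM parses as trusted. HAProxy's log-format flags can quote and escape these fields, for example `"haproxy_httpRequest":%{+Q}r` and `"haproxy_capturedRequestHeaders":%{+Q}hr` (check that `+Q` escapes embedded quotes on the 2.8/3.0 builds in use, and on 3.0 the json typecast is the cleaner option). The same applies to `%ft`, `%b` and `%s` if any frontend or server name can come from less-trusted inventory data, though those are operator-controlled here. Not introduced by this commit, but the flag rework is the right moment to fix the format it enables.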
@@ -57,87 +62,96 @@ defaults timeout check 10s maxconn 3000 +{% if haproxy_prometheus_enabled %} +# PROMETHEUS METRICS +frontend prometheus + bind *:{{ haproxy_prometheus_port }} + http-request use-service prometheus-exporter if { path /metrics } + stats enable + stats uri /stats +{% endif %} + # HAPROXY FRONTENDS {% for frontend in haproxy_frontends %} # Front End: {{ frontend.name }} frontend {{ frontend.name }} bind {{ frontend.bind }} -{% if frontend.redirect_ssl|default(false) %} +{% if frontend.redirect_ssl | default(false) %} redirect scheme https if !{ ssl_fc } {% endif %} -{% if frontend.mode|default(false) %} +{% if frontend.mode | default(false) %} mode {{ frontend.mode }} {% endif %} -{% if frontend.log|default(false) %} +{% if frontend.log | default(false) %} log {{ frontend.log }} {% endif %} -{% if frontend.options|default(false) %} +{% if frontend.options | default(false) %} {% for option in frontend.options %} option {{ option }} {% endfor %} {% endif %} # Timeouts -{% if frontend.timeout_client_fin|default(false) %} +{% if frontend.timeout_client_fin | default(false) %} timeout client-fin {{ frontend.timeout_client_fin }} {% endif %} -{% if frontend.block_user_agent|default(false) or frontend.block_ip_address|default(false) %} +{% if frontend.block_user_agent | default(false) or frontend.block_ip_address | default(false) %} tcp-request inspect-delay 1s {% endif %} -{% if frontend.reqadd|default(false) %} +{% if frontend.http_request_rules | default(false) %} - # Headers -{% for reqadd in frontend.reqadd %} - reqadd {{ reqadd }} + # HTTP Request Rules +{% for rule in frontend.http_request_rules %} + http-request {{ rule }} {% endfor %} -{% endif %}{# if frontend.reqadd|default(false) -#} +{% endif %} -{% if frontend.acls|default(false) %} +{% if frontend.acls | default(false) %} # ACLs {% for acl in frontend.acls %} acl {{ acl.name }} {{ acl.policy }} {% endfor %} {% endif %} -{% if frontend.block_user_agent|default(false) or 
frontend.block_ip_address|default(false) %} +{% if frontend.block_user_agent | default(false) or frontend.block_ip_address | default(false) %} # Blocking related ACLs -{% if frontend.block_user_agent|default(false) %} +{% if frontend.block_user_agent | default(false) %} acl abuser hdr_reg(User-Agent) -i -f /etc/haproxy/{{ frontend.name }}-ua-abuser.lst {% endif %} -{% if frontend.block_ip_address|default(false) %} +{% if frontend.block_ip_address | default(false) %} acl abuser src -f /etc/haproxy/{{ frontend.name }}-ip-abuser.lst {% endif %} -{% endif %}{# if frontend.block_user_agent|default(false) or frontend.block_ip_address|default(false) -#} -{% if frontend.block_rules|default(false) %} +{% endif %} +{% if frontend.block_rules | default(false) %} # Block Rules {% for rule in frontend.block_rules %} {{ rule }} {% endfor %} {% endif %} -{% if frontend.block_user_agent|default(false) or frontend.block_ip_address|default(false) %} +{% if frontend.block_user_agent | default(false) or frontend.block_ip_address | default(false) %} tcp-request content reject if abuser {% endif %} -{% if frontend.use_backend|default(false) %} +{% if frontend.use_backend | default(false) %} # Backend Routing {% for use_backend in frontend.use_backend %} use_backend {{ use_backend }} {% endfor %} -{% endif %}{# if frontend.use_backend|default(false) #} -{% if frontend.default_backend|default(false) %} +{% endif %} +{% if frontend.default_backend | default(false) %} # Default backend default_backend {{ frontend.default_backend }} -{% endif %}{# if frontend.default_backend|default(false) #} -{% if frontend.other_directives|default(false) %} +{% endif %} +{% if frontend.other_directives | default(false) %} # Other directives -{% for directive in frontend.other_directives|default([]) %} +{% for directive in frontend.other_directives | default([]) %} {{ directive }} {% endfor %} {% endif %} 
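Review bot: The new `frontend prometheus` does `bind *:{{ haproxy_prometheus_port }}` and turns on `stats enable` / `stats uri /stats` with no `stats auth` and no source ACL, so when the flag is on anyone who can reach the host reads backend names, server addresses and connection counts, and `/stats` also exposes the admin-capable stats page if `stats admin` is ever added later. Bind it to a loopback or private address by default and gate it, e.g. `bind 127.0.0.1:{{ haproxy_prometheus_port }}` plus `http-request deny unless { src 127.0.0.0/8 }` or a `stats auth` line fed from a vaulted variable. A second issue in the same hunk: the `# HTTP Request Rules` block is rendered before `# ACLs`, and haproxy resolves named ACLs in parse order as far as I recall, so any `http-request ... if <acl>` rule that references an ACL from `frontend.acls` fails the config check; moving the `http_request_rules` loop below the ACL loop avoids that. The old `reqadd` block sat in the same spot but rarely carried conditions, which is why this did not bite before.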
@@ -147,51 +161,51 @@ frontend {{ frontend.name }} {% for backend in haproxy_backends %} # Back End: {{ backend.name }} backend {{ backend.name }} -{% if backend.redirect_ssl|default(false) %} +{% if backend.redirect_ssl | default(false) %} redirect scheme https if !{ ssl_fc } {% endif %} - balance {{ backend.balance|default('roundrobin') }} -{% if backend.cookie|default(false) %} + balance {{ backend.balance | default('roundrobin') }} +{% if backend.cookie | default(false) %} cookie {{ backend.cookie }} {% endif %} -{% if backend.mode|default(false) %} +{% if backend.mode | default(false) %} mode {{ backend.mode }} {% endif %} -{% if backend.timeout_tunnel|default(false) %} +{% if backend.timeout_tunnel | default(false) %} timeout tunnel {{ backend.timeout_tunnel }} {% endif %} -{% if backend.timeout_server|default(false) %} +{% if backend.timeout_server | default(false) %} timeout server {{ backend.timeout_server }} {% endif %} -{% for header in backend.headers|default([]) %} +{% for header in backend.headers | default([]) %} http-request set-header {{ header }} {% endfor %} -{% for directive in backend.other_directives|default([]) %} +{% for directive in backend.other_directives | default([]) %} {{ directive }} {% endfor %} -{% if backend.groups|default(false) %} +{% if backend.groups | default(false) %} # Servers (dynamically determined) {% for group in backend.groups %} {% for host in groups[group.group] %} -{% if group.check_cookie|default(false) %} - server {{ hostvars[groups[group.group][loop.index0]]['ansible_nodename'] }} {{ hostvars[groups[group.group][loop.index0]]['ansible_eth0']['ipv4']['address'] }}:{{ group.port }} check cookie {{ hostvars[groups[group.group][loop.index0]]['ansible_eth0']['ipv4']['address']|hash('sha1') }} {{ group.server_options | default([]) | join(" ") }} +{% if group.check_cookie | default(false) %} + server {{ hostvars[groups[group.group][loop.index0]]['ansible_nodename'] }} {{ 
hostvars[groups[group.group][loop.index0]]['ansible_eth0']['ipv4']['address'] }}:{{ group.port }} check cookie {{ hostvars[groups[group.group][loop.index0]]['ansible_eth0']['ipv4']['address'] | hash('sha1') }} {{ group.server_options | default([]) | join(" ") }} {% else %} server {{ hostvars[groups[group.group][loop.index0]]['ansible_nodename'] }} {{ hostvars[groups[group.group][loop.index0]]['ansible_eth0']['ipv4']['address'] }}:{{ group.port }} check {{ group.server_options | default([]) | join(" ") }} {% endif %} {% endfor %} {% endfor %} -{% endif %}{# if backend.groups|default(false) -#} +{% endif %} -{% if backend.manual_servers|default(false) %} +{% if backend.manual_servers | default(false) %} # Servers (explicitly defined) {% for server in backend.manual_servers.servers %} -{% if backend.manual_servers.check_cookie|default(false) %} - server {{ server }} {{ server }}:{{ backend.manual_servers.port }} check cookie {{ server|hash('sha1') }} {{ backend.manual_servers.server_options | default([]) | join(" ") }} +{% if backend.manual_servers.check_cookie | default(false) %} + server {{ server }} {{ server }}:{{ backend.manual_servers.port }} check cookie {{ server | hash('sha1') }} {{ backend.manual_servers.server_options | default([]) | join(" ") }} {% else %} server {{ server }} {{ server }}:{{ backend.manual_servers.port }} check {{ backend.manual_servers.server_options | default([]) | join(" ") }} {% endif %} {% endfor %} -{% endif %}{#if backend.manual_servers|default(false) #} +{% endif %} {% endfor %} diff --git a/templates/EL7.etc.rsyslog.d.49-haproxy.conf.j2 b/templates/etc.rsyslog.d.49-haproxy.conf.j2 similarity index 80% rename from templates/EL7.etc.rsyslog.d.49-haproxy.conf.j2 rename to templates/etc.rsyslog.d.49-haproxy.conf.j2 index 9349f44..c8db077 100644 --- a/templates/EL7.etc.rsyslog.d.49-haproxy.conf.j2 +++ b/templates/etc.rsyslog.d.49-haproxy.conf.j2 
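Review bot: The dynamic server lines still hard-code `ansible_eth0` for the backend address; on AL2023 and EL9/EL10 with predictable interface naming that fact may simply not exist (I have not confirmed it for every instance type), and the template then fails at render time. `ansible_default_ipv4.address`, or a `group.address_fact` override, is the more portable source, and since the loop already binds `host`, `hostvars[host]` replaces the repeated `hostvars[groups[group.group][loop.index0]]` lookup, e.g. `server {{ hostvars[host]['ansible_nodename'] }} {{ hostvars[host]['ansible_default_ipv4']['address'] }}:{{ group.port }} check ...`. Also pre-existing but worth a comment: the stickiness cookie is `sha1` of the backend IP, and SHA-1 over the RFC 1918 space is brute-forceable in seconds, so the cookie discloses backend addresses to clients; hashing with a per-deployment secret (`(server ~ haproxy_cookie_salt) | hash('sha256')`) or using the server name keeps the same stickiness without the leak. The enclosing `backend` block continues past the hunk's last line.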
@@ -10,8 +10,8 @@ $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% % if $programname startswith 'haproxy' then { if $syslogseverity == 6 then action(type="omfile" file="/var/log/haproxy/access.log" template="HAProxyAccess") -{% if haproxy_use_graylog_json_logging %} - action(type="omfwd" target="{{ haproxy_graylog_server|trim }}" port="{{ haproxy_graylog_server_port }}" protocol="udp" template="GRAYLOGRFC5424") +{% if haproxy_use_json_logging %} + action(type="omfwd" target="{{ haproxy_log_forward_server | trim }}" port="{{ haproxy_log_forward_server_port }}" protocol="udp" template="GRAYLOGRFC5424") {% endif %} stop if $syslogseverity <= 3 then diff --git a/templates/etc.systemd.system.haproxy_exporter.service.j2 b/templates/etc.systemd.system.haproxy_exporter.service.j2 deleted file mode 100644 index d2b56c9..0000000 --- a/templates/etc.systemd.system.haproxy_exporter.service.j2 +++ /dev/null @@ -1,23 +0,0 @@ -# {{ ansible_managed }} -[Unit] -Description=Prometheus HAProxy Node Exporter -Wants=network-online.target -After=network-online.target - -[Service] -Type=simple -User=haproxy -Group=haproxy -ExecReload=/bin/kill -HUP $MAINPID -ExecStart=/usr/local/bin/haproxy_exporter \ - --haproxy.pid-file=/var/run/haproxy.pid \ - --haproxy.timeout=20s \ - --web.telemetry-path=/metrics \ - --web.listen-address=0.0.0.0:{{ haproxy_exporter_listen_port }} \ - --haproxy.scrape-uri={{ haproxy_exporter_scrape_uri }} - -SyslogIdentifier=haproxy_exporter -Restart=always - -[Install] -WantedBy=multi-user.target