feat!: modernize for haproxy 2.8/3.0 and current platforms

.gitignore

@@ -0,0 +1,7 @@
+.claude/
+*.retry
+*.pyc
+__pycache__/
+.vagrant/
+*.log
+.DS_Store

CHANGELOG.md

@@ -0,0 +1,102 @@
+# Changelog
+
+## v1.0.0
+
+Modernize for current platforms and haproxy versions:
+
+- Drop CentOS 6 and 7 support
+- Add Amazon Linux 2023, AlmaLinux 9 and 10 support
+- Support haproxy 2.8 (alma9) and 3.0 (al2023, alma10)
+- Update Ansible syntax to 2.10+ (FQCN, dnf module, loop)
+- Add TLSv1.3 ciphersuite support
+- Replace deprecated reqadd with http_request_rules
+- Replace external haproxy_exporter with native Prometheus exporter (`haproxy_prometheus_enabled`, `haproxy_prometheus_port`)
+
+## v0.5.0
+
+Support haproxy_exporter for Prometheus
+
+## v0.4.0
+
+- Move Graylog logging to UDP
+- Correct issues with Graylog logging
+
+## v0.3.0
+
+Support custom server options for backends
+
+## v0.2.0
+
+- Fixes for haproxy RPM
+- Support Graylog exports via syslog
+
+## v0.1.3
+
+Support https redirect on frontends
+
+## v0.1.2
+
+Remove deprecation warnings
+
+## v0.1.1
+
+Syntax fixes.
+
+## v0.1.0
+
+- Added a veryhigh tls level
+- Updated medium cipher lists to remove weak ciphers
+- Refactored all cipher lists to use a more modern, dynamic string
+- Added support for two vars to override the cipher list or tls protocols regardless of the tls level
+  - haproxy_ciphers
+  - haproxy_ssllist
+- Update rsyslog configuration file to remove the stop verb in favor of the ~ action for wider compatibility
+
+## v0.0.11
+
+Made the medium cipher set more strict than the low cipher set. Previously, they were
+the same.
+
+## v0.0.10
+
+Add rsyslog support. Because rsyslog does not listen on UDP by default, at the moment this will set the listener
+and then redirect logs to /var/log/haproxy. In the future, we may want to make the listener be optional.
+
+## v0.0.9
+
+Reconfigure SSL settings to use one of low,med,high, defaulting to low.
+
+Removed vars:
+- haproxy_enable_strict_tls
+- haproxy_enable_reallystrict_tls
+
+Added vars:
+- haproxy_tls_level
+
+## v0.0.8
+
+Added more stringent SSL settings
+
+## v0.0.7
+
+Fixed ACL enforcement issue
+
+## v0.0.6
+
+Fixed "check" command when cookie validation isn't enabled
+
+## v0.0.5
+
+Added support for back-end mode
+
+## v0.0.3
+
+Added support for generic frontend block rules defined as a list
+
+## v0.0.2
+
+Substantial changes to add additional capabilities from other projects. May not be compatible with previous version.
+
+## v0.0.1
+
+Initial Commit - working version

README.md

@@ -6,10 +6,43 @@ Ansible Role for HAProxy.
 Requirements
 ------------
 
-This role require Ansible 2.0 or higher.
+This role requires Ansible 2.10 or higher.
 
-This role was designed for CentOS 6.x or CentOS 7.x
+This role supports:
+- Amazon Linux 2023 (haproxy 3.0)
+- AlmaLinux 9 (haproxy 2.8)
+- AlmaLinux 10 (haproxy 3.0)
 
 Role Variables
 --------------
 
+See `defaults/main.yml` for available variables.
+
+Breaking Changes
+----------------
+
+### v1.0.0
+
+- Dropped CentOS 6 and 7 support
+- Replaced `yum` module with `ansible.builtin.dnf`
+- The `reqadd` frontend option has been removed (deprecated in haproxy 2.1+). Use `http_request_rules` instead:
+
+  Before:
+  ```yaml
+  haproxy_frontends:
+    - name: web
+      reqadd:
+        - "X-Forwarded-Proto:\\ https"
+  ```
+
+  After:
+  ```yaml
+  haproxy_frontends:
+    - name: web
+      http_request_rules:
+        - "add-header X-Forwarded-Proto https"
+  ```
+
+- TLS configuration now includes TLSv1.3 ciphersuites (`ssl-default-bind-ciphersuites`)
+- TLS options use `ssl-min-ver` syntax instead of `no-tlsv1x` flags
+- Replaced external haproxy_exporter with native Prometheus exporter (`haproxy_prometheus_enabled`, `haproxy_prometheus_port`)

defaults/main.yml

@@ -12,7 +12,6 @@ haproxy_listen_port: 80
 
 haproxy_socket_options:
 
-
 # TLS levels derived from https://medium.com/@davetempleton/tls-configuration-cipher-suites-and-protocols-a01ee7005778
 # low is super-compatible but enables weaker ciphers to support IE8/XP. Should be avoided, particularly with SNI
 # med is conservative, widely compatible, and secure. meets BOD18-01
@@ -23,6 +22,7 @@ haproxy_socket_options:
 # specific cipher / ssl lists can be provided using the following undefined vars:
 #
 # haproxy_ciphers
+# haproxy_ciphersuites (TLSv1.3)
 # haproxy_ssllist
 #
 haproxy_tls_level: 'med'
@@ -31,14 +31,10 @@ haproxy_ssl_certs: []
 
 # Configure rsyslog udp logging and redirect logs to /var/log/haproxy
 haproxy_enable_syslog: false
-haproxy_use_graylog_json_logging: false
-haproxy_graylog_server:
-haproxy_graylog_server_port:
-
-# Prometheus exporter support for haproxy v1.8
-haproxy_external_exporter_enabled: false
-haproxy_exporter_download_url: https://github.com/prometheus/haproxy_exporter/releases/download/v0.12.0/haproxy_exporter-0.12.0.linux-amd64.tar.gz
-haproxy_exporter_listen_port: 9101
-haproxy_exporter_stats_user: admin
-haproxy_exporter_stats_password: password
-haproxy_exporter_scrape_uri: "http://{{ haproxy_exporter_stats_user }}:{{ haproxy_exporter_stats_password }}@localhost:1936/haproxy?stats;csv"
+haproxy_use_json_logging: false
+haproxy_log_forward_server:
+haproxy_log_forward_server_port:
+
+# Native Prometheus exporter (haproxy 2.x+)
+haproxy_prometheus_enabled: false
+haproxy_prometheus_port: 8405

handlers/main.yml

@@ -1,14 +1,15 @@
 ---
-# handlers for the haproxy role
 - name: restart haproxy
-  service: name=haproxy state=restarted
+  ansible.builtin.service:
+    name: haproxy
+    state: restarted
 
 - name: reload haproxy
-  service: name=haproxy state=reloaded
+  ansible.builtin.service:
+    name: haproxy
+    state: reloaded
 
 - name: restart rsyslog-haproxy
-  service: name=rsyslog state=restarted
-
-- name: reload systemd
-  systemd:
-    daemon_reload: yes
+  ansible.builtin.service:
+    name: rsyslog
+    state: restarted

meta/main.yml

@@ -5,10 +5,13 @@ galaxy_info:
   description: Ansible Role for HAProxy
   company: Rhythmic Technologies, Inc.
   license: Proprietary
-  min_ansible_version: 2.0
+  min_ansible_version: "2.10"
   platforms:
-    - name: CentOS
+    - name: Amazon
       versions:
-        - "6"
-        - "7"
+        - "2023"
+    - name: EL
+      versions:
+        - "9"
+        - "10"
 dependencies: []