forked from ISTI-ansible-roles/ansible-roles
b382db3b25
library/roles/haproxy/files: Fix to the acme scripts, the certificate path has become /etc/pki/haproxy/haproxy.pem. library/roles/openldap-server/tasks/openldap_initializazion.yml: Fix the certificates initialization. library/roles/ubuntu-deb-general/tasks/pki-basics.yml: Create a self signed certificate while waiting the letsencrypt one. |
||
---|---|---|
.. | ||
defaults | ||
files | ||
handlers | ||
tasks | ||
README |
README
# # The user of this role will need to write a haproxy.cfg template and install it with a dedicated task. Something like - name: Configure haproxy template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg owner=root group=haproxy mode=0440 notify: Reload haproxy tags: [ 'haproxy', 'haproxy_conf' ] # # Very complex setup that involves varnish. Taken here: # https://alohalb.wordpress.com/2012/08/25/haproxy-varnish-and-the-single-hostname-website/ # For a ssl setup, check here: # http://seanmcgary.com/posts/using-sslhttps-with-haproxy # https://alohalb.wordpress.com/haproxy/haproxy-and-ssl/ # https://alohalb.wordpress.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/ # http://blog.haproxy.com/2015/05/06/haproxys-load-balancing-algorithm-for-static-content-delivery-with-varnish/ # http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/ # https://serversforhackers.com/using-ssl-certificates-with-haproxy # # Session management workarounds: # http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/ # http://serverfault.com/questions/439445/haproxy-my-sessions-are-sort-of-sticky # # Hints to protect from DDOS or too many legitimate requests # http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy # When letsencrypt is enabled, the haproxy configurazion file needs to contain not only the https configuration, but also something like: frontend http bind 80 acl letsencrypt-request path_beg -i /.well-known/acme-challenge/ use_backend letsencrypt if letsencrypt-request backend letsencrypt mode http server letsencrypt 127.0.0.1:9999 Where 9999 is the port where the letsencrypt standalone client will listen to.