ansible-roles/library/roles/haproxy
Andrea Dell'Amico 48b75eabe4 haproxy letsencrypt hook: Fix the path to the certificates. 2020-05-15 19:01:25 +02:00
..
defaults split library/roles 2019-05-15 00:37:24 +02:00
files split library/roles 2019-05-15 00:37:24 +02:00
handlers split library/roles 2019-05-15 00:37:24 +02:00
tasks nagios_isti_plugdir renamed into nagios_local_plugdir. 2019-05-31 17:45:44 +02:00
templates haproxy letsencrypt hook: Fix the path to the certificates. 2020-05-15 19:01:25 +02:00
README split library/roles 2019-05-15 00:37:24 +02:00

README

#
# The user of this role will need to write a haproxy.cfg template and install it with a dedicated task. Something like

- name: Configure haproxy
  template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg owner=root group=haproxy mode=0440
  notify: Reload haproxy
  tags: [ 'haproxy', 'haproxy_conf' ]
  
#
# Very complex setup that involves varnish. Taken here:
# https://alohalb.wordpress.com/2012/08/25/haproxy-varnish-and-the-single-hostname-website/
# For a ssl setup, check here:
# http://seanmcgary.com/posts/using-sslhttps-with-haproxy
# https://alohalb.wordpress.com/haproxy/haproxy-and-ssl/
# https://alohalb.wordpress.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
# http://blog.haproxy.com/2015/05/06/haproxys-load-balancing-algorithm-for-static-content-delivery-with-varnish/
# http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
# https://serversforhackers.com/using-ssl-certificates-with-haproxy
#
# Session management workarounds:
# http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
# http://serverfault.com/questions/439445/haproxy-my-sessions-are-sort-of-sticky
#
# Hints to protect from DDOS or too many legitimate requests
# http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy
#

When letsencrypt is enabled, the haproxy configurazion file needs to
contain not only the https configuration, but also something like:

frontend http
         bind 80
         acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
         use_backend letsencrypt if letsencrypt-request

backend letsencrypt
        mode http
        server letsencrypt 127.0.0.1:9999

Where 9999 is the port where the letsencrypt standalone client will listen to.