ansible-roles/haproxy
Andrea Dell'Amico e9392f9586 haproxy: the default and running version is now 1.8. No http/2 support though, the ubuntu 14.04 openssl version is too old. 2017-12-28 19:04:11 +01:00
defaults haproxy: the default and running version is now 1.8. No http/2 support though, the ubuntu 14.04 openssl version is too old. 2017-12-28 19:04:11 +01:00
files haproxy: Run the OCSP stapling script after a certificate has been renewed. See https://support.d4science.org/issues/10008 2017-10-30 15:41:33 +01:00
handlers library/roles/haproxy: reload rsyslog after having installed haproxy. A new rsyslog directive is installed and a reload is needed to activate it. 2015-12-11 16:43:53 +01:00
tasks haproxy: add a task that increases the dimension of the conntrack table. 2017-12-19 18:01:51 +01:00
templates haproxy-letsencrypt-acme.sh: Fix the logging commands. 2017-10-30 15:41:33 +01:00
README library/roles/letsencrypt-acmetool-client/defaults/main.yml: Fix the hooks path 2016-04-14 19:31:02 +02:00

README

#
# The user of this role will need to write a haproxy.cfg template and install it with a dedicated task. Something like:

- name: Configure haproxy
  template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg owner=root group=haproxy mode=0440
  notify: Reload haproxy
  tags: [ 'haproxy', 'haproxy_conf' ]
  
#
# Very complex setup that involves varnish. Taken from here:
# https://alohalb.wordpress.com/2012/08/25/haproxy-varnish-and-the-single-hostname-website/
# For an SSL setup, check here:
# http://seanmcgary.com/posts/using-sslhttps-with-haproxy
# https://alohalb.wordpress.com/haproxy/haproxy-and-ssl/
# https://alohalb.wordpress.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
# http://blog.haproxy.com/2015/05/06/haproxys-load-balancing-algorithm-for-static-content-delivery-with-varnish/
# http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
# https://serversforhackers.com/using-ssl-certificates-with-haproxy
#
# Session management workarounds:
# http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
# http://serverfault.com/questions/439445/haproxy-my-sessions-are-sort-of-sticky
#
# Hints to protect from DDoS or too many legitimate requests:
# http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy
#

When letsencrypt is enabled, the haproxy configuration file needs to
contain not only the https configuration, but also something like:

frontend http
         bind :80
         acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
         use_backend letsencrypt if letsencrypt-request

backend letsencrypt
        mode http
        server letsencrypt 127.0.0.1:9999

Here 9999 is the port on which the letsencrypt standalone client listens.
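
A pre-deployment check for the routing described above, as an added example that is not part of this role: it reads a rendered haproxy.cfg and reports when no frontend sends the ACME challenge path to a backend, or when that backend's server is not a loopback address. The function names and the sample input are constructed for illustration, only named ACLs with "use_backend ... if <acl>" are recognised, and the loopback requirement is an assumption based on the 127.0.0.1:9999 server line.

```python
import ipaddress

ACME_PREFIX = "/.well-known/acme-challenge/"
# Constructed sample input mirroring the README snippet (not a full haproxy.cfg).
SAMPLE_CFG = """
frontend http
    bind :80
    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    use_backend letsencrypt if letsencrypt-request
backend letsencrypt
    mode http
    server letsencrypt 127.0.0.1:9999
"""

def parse_sections(cfg_text):
    """Map (section kind, section name) to the tokenized lines inside that section."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # naive comment stripping
        if tokens and tokens[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = sections.setdefault((tokens[0], " ".join(tokens[1:2])), [])
        elif tokens and current is not None:
            current.append(tokens)
    return sections

def check_acme_routing(cfg_text):
    """Return a list of problems; an empty list means the routing is as expected."""
    sections, problems, targets = parse_sections(cfg_text), [], set()
    for lines in (v for (kind, _), v in sections.items() if kind == "frontend"):
        acls = {t[1] for t in lines if t[0] == "acl" and "path_beg" in t and ACME_PREFIX in t}
        targets |= {t[1] for t in lines if t[0] == "use_backend"
                    and len(t) == 4 and t[2] == "if" and t[3] in acls}
    if not targets:
        problems.append("no frontend routes the ACME challenge path to a backend")
    for name in sorted(targets):
        servers = [t for t in sections.get(("backend", name), []) if t[0] == "server" and len(t) > 2]
        if not servers:
            problems.append("backend %s has no server line" % name)
        for t in servers:
            host = t[2].rsplit(":", 1)[0].strip("[]")
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:  # hostnames are not resolved, so they count as non-loopback
                loopback = False
            if not loopback:
                problems.append("backend %s server %s is not on loopback" % (name, t[2]))
    return problems

if __name__ == "__main__":
    print(check_acme_routing(SAMPLE_CFG) or "ACME routing OK")
```

This complements, and does not replace, a syntax check of the rendered file with haproxy itself.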