ansible/roles/haproxy/templates/haproxy.cfg

# this config needs haproxy-1.1.28 or haproxy-1.2.1

global
    log 127.0.0.1   local0 warning
    # Set this to 4096 + 16384
    # 16384 for the fedmsg gateway and 4096 for everybody else.
    maxconn 20480
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy-stat user haproxy group nrpe mode 0664
    stats socket /var/run/haproxy-admin level admin user root group root mode 0660
    #debug
    #quiet

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  httpclose
    option  redispatch
    retries 3
    maxconn 5000
    timeout connect 5s
    timeout client 500s
    timeout server 500s
    errorfile 503 /etc/haproxy/503.http

frontend stats-frontend
    bind 0.0.0.0:8080
    default_backend stats-backend

backend stats-backend
    balance hdr(appserver)
    stats enable
    stats uri /

{% if env == "production" and 'iad2' in inventory_hostname  %}
frontend ocp-masters-kapi
    mode tcp
    bind 0.0.0.0:6443
    default_backend ocp-masters-backend-kapi

backend ocp-masters-backend-kapi
    mode tcp
    server  ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server  ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server  ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
# temp bootstrap node
#    server  bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check

frontend ocp-masters-machineconfig
    mode tcp
    bind 0.0.0.0:22623
    default_backend ocp-masters-backend-machineconfig

backend ocp-masters-backend-machineconfig
    mode tcp
    server  ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server  ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server  ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
# temp bootstrap node
#    server  bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
{% endif %}

{% if env != "production" and 'iad2' in inventory_hostname  %}
frontend ocp-masters-kapi
    mode tcp
    bind 0.0.0.0:6443
    default_backend ocp-masters-backend-kapi

backend ocp-masters-backend-kapi
    mode tcp
    server  ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server  ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server  ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
# temp bootstrap node
#    server  bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check

frontend ocp-masters-machineconfig
    mode tcp
    bind 0.0.0.0:22623
    default_backend ocp-masters-backend-machineconfig

backend ocp-masters-backend-machineconfig
    mode tcp
    server  ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server  ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server  ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
# temp bootstrap node
#    server  bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
{% endif %}

frontend fp-wiki-frontend
    bind 0.0.0.0:10001
    default_backend fp-wiki-backend

backend fp-wiki-backend
    balance hdr(appserver)
    server  wiki01 wiki01:80 check inter 15s rise 2 fall 5
{% if env == "production" %}
    server  wiki02 wiki02:80 check inter 15s rise 2 fall 5
{% endif %}
    option  httpchk GET /wiki/Main_Page

frontend mirror-lists-frontend
    bind 0.0.0.0:10002
    default_backend mirror-lists-backend

backend mirror-lists-backend
    balance hdr(appserver)
    timeout connect 30s
    server  mirrorlist-local1 127.0.0.1:18081 check inter 1s rise 2 fall 3 weight 100
    server  mirrorlist-local2 127.0.0.1:18082 check inter 1s rise 2 fall 3 weight 100
    option  httpchk GET /metalink?repo=epel-7&arch=x86_64
    option  allbackups

frontend mirrormanager-frontend
    bind 0.0.0.0:10008
    default_backend mirrormanager-backend

backend mirrormanager-backend
    balance hdr(appserver)
    server  mm-frontend01 mm-frontend01:80 check inter 60s rise 2 fall 3
    option  httpchk GET /mirrormanager/static/mirrormanager2.css

frontend freemedia-frontend
    bind 0.0.0.0:10011
    default_backend freemedia-backend

backend freemedia-backend
    balance hdr(appserver)
    server  sundries01 sundries01:80 check inter 60s rise 2 fall 3
{% if env == "production" %}
    server  sundries02 sundries01:80 check inter 60s rise 2 fall 3
{% endif %}
    option  httpchk GET /freemedia/FreeMedia-form.html

#frontend packages-frontend
#    bind 0.0.0.0:10016
#    default_backend packages-backend
#
#backend packages-backend
#    balance hdr(appserver)
#    server  packages03 packages03:80 check inter 5s rise 2 fall 3
#{% if env == "production" %}
#    server  packages04 packages04:80 check inter 5s rise 2 fall 3
#{% endif %}
#    option  httpchk GET /packages/_heartbeat

frontend blockerbugs-frontend
    bind 0.0.0.0:10022
    default_backend blockerbugs-backend

backend blockerbugs-backend
    balance hdr(appserver)
    server  blockerbugs01 blockerbugs01:80 check inter 10s rise 1 fall 2
    option httpchk GET /blockerbugs

# IMPORTANT: 10023-10026 will NOT work because of selinux policies

frontend geoip-city-frontend
    bind 0.0.0.0:10029
    default_backend geoip-city-backend

backend geoip-city-backend
    balance hdr(appserver)
    server  sundries01 sundries01:80 check inter 30s rise 2 fall 3
{% if env == "production" %}
    server  sundries02 sundries02:80 check inter 30s rise 2 fall 3
{% endif %}
    option  httpchk GET /city?ip=18.0.0.1

# IMPORTANT: 10031 will NOT work because of selinux policies

frontend badges-frontend
    bind 0.0.0.0:10032
    default_backend badges-backend

backend badges-backend
    balance hdr(appserver)
    server  badges-web01 badges-web01:80 check inter 10s rise 1 fall 2
    option httpchk GET /heartbeat

frontend nuancier-frontend
    bind 0.0.0.0:10035
    default_backend nuancier-backend

backend nuancier-backend
    balance hdr(appserver)
    server  nuancier01 nuancier01:80 check inter 10s rise 1 fall 2
    server  nuancier02 nuancier02:80 check inter 10s rise 1 fall 2
    option  httpchk GET /nuancier/

frontend notifs-web-frontend
    bind 0.0.0.0:10036
    default_backend notifs-web-backend

backend notifs-web-backend
    balance hdr(appserver)
    server  notifs-web01 notifs-web01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
#    server  notifs-web02 notifs-web02:80 check inter 10s rise 1 fall 2
{% endif %}
    option  httpchk GET /notifications/_heartbeat

frontend github2fedmsg-frontend
    bind 0.0.0.0:10037
    default_backend github2fedmsg-backend

backend github2fedmsg-backend
    balance hdr(appserver)
    server  github2fedmsg01 github2fedmsg01:80 check inter 10s rise 1 fall 2
    option  httpchk GET /github2fedmsg/

frontend kerneltest-frontend
    bind 0.0.0.0:10038
    default_backend kerneltest-backend

backend kerneltest-backend
    balance hdr(appserver)
    server  kerneltest01 kerneltest01:80 check inter 10s rise 1 fall 2
    option httpchk GET /kerneltest

{% if env == "production" %}
frontend openqa-frontend
    bind 0.0.0.0:10044
    default_backend openqa-backend

backend openqa-backend
    balance hdr(appserver)
    server  openqa01 openqa01:80 check inter 10s rise 1 fall 2
    option  httpchk GET /api/v1/job_groups/1
{% endif %}

frontend pdc-frontend
    bind 0.0.0.0:10045
    default_backend pdc-backend

backend pdc-backend
    balance hdr(appserver)

{% if env != "staging" %}
    # Set session persistence with a cookie.
    # https://jdennis.fedorapeople.org/doc/rhsso-tripleo-federation/html/rhsso-tripleo-federation.html#step-18-use-proxy-persistence-for-keystone-on-each-controller
    cookie SERVERID insert indirect nocache
{% endif %}

    server  pdc-web01 pdc-web01:80 check inter 10s rise 1 fall 2 cookie pdc-web01
{% if env != "staging" %}
    server  pdc-web02 pdc-web02:80 check inter 10s rise 1 fall 2 cookie pdc-web02
{% endif %}

    option  httpchk GET /rest_api/v1/
    timeout server 3600000
    timeout connect 3600000

frontend osbs-frontend
    bind 0.0.0.0:10047
    default_backend osbs-backend

backend osbs-backend
    balance hdr(appserver)
    server osbs-master01 osbs-master01:8443 check inter 10s rise 1 fall 2 check ssl verify none

frontend oci-registry-frontend
    bind 0.0.0.0:10048
    default_backend oci-registry-backend

backend oci-registry-backend
    balance hdr(appserver)
    server oci-registry01 oci-registry01:5000 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server oci-registry02 oci-registry02:5000 check inter 10s rise 1 fall 2
{% endif %}

{% if env == "staging" %}

frontend pps-frontend
    bind 0.0.0.0:10051
    default_backend pps-backend

backend pps-backend
    balance hdr(appserver)
    server  mdapi01 mdapi01:80 check inter 10s rise 1 fall 2
    option  httpchk GET /pps

{% endif %}

frontend ipsilon-frontend
    bind 0.0.0.0:10020
    default_backend ipsilon-backend

backend ipsilon-backend
    balance hdr(appserver)
    server  ipsilon01 ipsilon01:80 check inter 10s rise 1 fall 3
{% if env == "production" %}
    server  ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 3
{% endif %}
    option httpchk GET /

frontend ipa-frontend
    bind 0.0.0.0:10053
    default_backend ipa-backend

backend ipa-backend
    balance hdr(appserver)
    server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
{% if env != "staging" %}
    server  ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
    server  ipa03 ipa03:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
{% endif %}
    option  httpchk GET /ipa/ui/

frontend krb5-frontend
    mode tcp
    bind 0.0.0.0:1088
    default_backend krb5-backend

backend krb5-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  ipa01 ipa01:88 weight 1 maxconn 16384
{% if env == "production" %}
    server  ipa02 ipa02:88 weight 1 maxconn 16384
    server  ipa03 ipa03:88 weight 1 maxconn 16384
{% endif %}

frontend oci-candidate-registry-frontend
    bind 0.0.0.0:10054
    default_backend oci-candidate-registry-backend

backend oci-candidate-registry-backend
    balance hdr(appserver)
    server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2

{% if 'iad2' in inventory_hostname %}

# Only enable this on iad2 proxies
frontend src-frontend
    bind 0.0.0.0:10057
    default_backend src-backend

backend src-backend
    balance hdr(appserver)
{% if env == "staging" %}
    server pkgs01 pkgs01:80 check inter 10s rise 1 fall 2
{% elif datacenter == 'iad2' %}
    server pkgs01 pkgs01:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /

{% endif %}
# This is an endpoint using only ipa01. This is used for API access, since sessions
# are not synchronized.
frontend ipa01-frontend
    bind 0.0.0.0:10061
    default_backend ipa01-backend

backend ipa01-backend
    balance hdr(appserver)
    server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
    option  httpchk GET /ipa/ui/

{% if env == "production" and 'iad2' in inventory_hostname %}
frontend kojipkgs-frontend
    bind 0.0.0.0:10062
    default_backend kojipkgs-backend

backend kojipkgs-backend
    balance uri
    server kojipkgs01.{{ datacenter }}.fedoraproject.org kojipkgs01.{{ datacenter }}.fedoraproject.org:80 check inter 10s rise 1 fall 2
    server kojipkgs02.{{ datacenter }}.fedoraproject.org kojipkgs02.{{ datacenter }}.fedoraproject.org:80 check inter 10s rise 1 fall 2
    option httpchk GET /
{% endif %}

frontend mbs-frontend
    bind 0.0.0.0:10063
    default_backend mbs-backend

backend mbs-backend
    balance hdr(appserver)
    server  mbs-frontend01 mbs-frontend01:80 check inter 20s rise 2 fall 3
{% if env == "production" %}
    server  mbs-frontend02 mbs-frontend02:80 check inter 20s rise 2 fall 3
{% endif %}
    option  httpchk GET /module-build-service/1/component-builds/

frontend odcs-frontend
    bind 0.0.0.0:10066
    default_backend odcs-backend

backend odcs-backend
    balance hdr(appserver)
    server  odcs-frontend01 odcs-frontend01:80 check inter 20s rise 2 fall 3
    option  httpchk GET /api/1/composes/

{% if datacenter == "iad2" %}
# These ports are for proxying rabbitmq (AMQP) protocol through.
# At this moment, internal- and public-rabbitmq both point to the exact same set of
#  brokers on the backend, but the internal- is intended for applications we directly control.
# This allows us to move to a separate cluster for public access if that became necessary
#  on just the infra side, with no need to ask users to change anything.
frontend internal-rabbitmq
    mode tcp
    bind 0.0.0.0:15671
    default_backend rabbitmq

frontend public-rabbitmq
    mode tcp
    bind 0.0.0.0:5671
    default_backend rabbitmq

backend rabbitmq
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384
    server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384
    server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384
{% endif %}

# Apache doesn't handle the initial connection here like the other proxy
# entries.  This proxy also doesn't use the http mode like the others.
# stunnel should be sitting on port 9939 (public) and redirecting
# connections from there to here, port 9938.  This then proxies to the
# fedmsg-hub's websocket server on busgateway01, port 9919.
frontend fedmsg-websockets-frontend
    mode tcp
    bind 0.0.0.0:9938
    default_backend fedmsg-websockets-backend

backend fedmsg-websockets-backend
    mode tcp
    option  tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  busgateway01 busgateway01:9919 weight 1 maxconn 16384

# This, unlike the websockets entry just above, is listening directly to the
# outside world with no stunnel inbetween.
# Simply redirect tcp connections to a local fedmsg-gateway slave.  It should be
# forwarding messages from the master gateway on busgateway01.
frontend fedmsg-raw-zmq-outbound-frontend
    mode tcp
    bind 0.0.0.0:9940
    default_backend fedmsg-raw-zmq-outbound-backend

backend fedmsg-raw-zmq-outbound-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  localhost 127.0.0.1:9942 weight 1 maxconn 16384

# While the above fedmsg-raw-zmq-outbound forwards incoming connections to an
# instance of the "fedmsg-gateway" daemon (which pushes internal messages out),
# this entry forwards incoming connections to a secondary instance of the
# "fedmsg-relay" daemon (which pushes messages *onto* the internal bus).  We
# have a primary instance of fedmsg-relay running on app01 for most internal
# use.  Here we forward to a secondary one on busgateway01.
frontend fedmsg-raw-zmq-inbound-frontend
    mode tcp
    bind 0.0.0.0:9941
    default_backend fedmsg-raw-zmq-inbound-backend

backend fedmsg-raw-zmq-inbound-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  busgateway01 busgateway01:9941 weight 1 maxconn 16384

{% if env == "staging" %}
frontend zabbix-frontend
    bind 0.0.0.0:10068
    default_backend zabbix-backend

backend zabbix-backend
    balance hdr(appserver)
    server  zabbix01 zabbix01:80 check inter 10s rise 1 fall 2
#    option  httpchk GET /
#    http-check expect status 200,401,302
{% endif %}