ansible/roles/haproxy/templates/haproxy.cfg

# this config needs haproxy-1.1.28 or haproxy-1.2.1

global
    log 127.0.0.1   local0 warning
    # Set this to 4096 + 16384
    # 16384 for the fedmsg gateway and 4096 for everybody else.
    maxconn 20480
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy-stat user haproxy group nrpe mode 0664
    stats socket /var/run/haproxy-admin level admin user root group root mode 0660
    #debug
    #quiet

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  httpclose
    option  redispatch
    retries 3
    maxconn 5000
    timeout connect 5s
    timeout client 500s
    timeout server 500s
    errorfile 503 /etc/haproxy/503.http

frontend stats-frontend
    bind 0.0.0.0:8080
    default_backend stats-backend

backend stats-backend
    balance hdr(appserver)
    stats enable
    stats uri /

frontend fp-wiki-frontend
    bind 0.0.0.0:10001
    default_backend fp-wiki-backend

backend fp-wiki-backend
    balance hdr(appserver)
    server  wiki01 wiki01:80 check inter 15s rise 2 fall 5
{% if env == "production" %}
    server  wiki02 wiki02:80 check inter 15s rise 2 fall 5
{% endif %}
    option  httpchk GET /wiki/Main_Page

frontend mirror-lists-frontend
    bind 0.0.0.0:10002
    default_backend mirror-lists-backend

backend mirror-lists-backend
    balance hdr(appserver)
    timeout connect 30s
    server  mirrorlist-local1 127.0.0.1:18081 check inter 1s rise 2 fall 3 weight 100
    server  mirrorlist-local2 127.0.0.1:18082 check inter 1s rise 2 fall 3 weight 100
{% if datacenter == 'phx2' %}
    server  mirrorlist-local3 127.0.0.1:18083 check inter 1s rise 2 fall 3 weight 100
{% endif %}
    option  httpchk GET /metalink?repo=epel-7&arch=x86_64
    option  allbackups

frontend fas-frontend
    bind 0.0.0.0:10004
    default_backend fas-backend

backend fas-backend
    # These values are set extremely low so any issues are recovered from very
    # quickly.  Setting these higher will cause odd behavior in apps that
    # depend on fas (like bodhi, etc)
    balance hdr(appserver)
    server  fas01 fas01:80 check inter 5s rise 1 fall 2
{% if env == "production" %}
    server  fas02 fas02:80 check inter 5s rise 1 fall 2
    server  fas03 fas03:80 check inter 5s rise 1 fall 2
{% endif %}
    option  httpchk GET /accounts/

frontend voting-frontend
    bind 0.0.0.0:10007
    default_backend voting-backend

backend voting-backend
    balance hdr(appserver)
    server  elections01 elections01:80 check inter 10s rise 2 fall 4
{% if env == "production" %}
    server  elections02 elections02:80 check inter 10s rise 2 fall 4
{% endif %}
    option  httpchk GET /voting/

frontend mirrormanager-frontend
    bind 0.0.0.0:10008
    default_backend mirrormanager-backend

backend mirrormanager-backend
    balance hdr(appserver)
    server  mm-frontend01 mm-frontend01:80 check inter 60s rise 2 fall 3
{% if env == "production" %}
    server  mm-frontend02 mm-frontend02:80 check inter 60s rise 2 fall 3
{% endif %}
    option  httpchk GET /mirrormanager/static/mirrormanager2.css

frontend freemedia-frontend
    bind 0.0.0.0:10011
    default_backend freemedia-backend

backend freemedia-backend
    balance hdr(appserver)
    server  sundries01 sundries01:80 check inter 60s rise 2 fall 3
{% if env == "production" %}
    server  sundries02 sundries01:80 check inter 60s rise 2 fall 3
{% endif %}
    option  httpchk GET /freemedia/FreeMedia-form.html

frontend packages-frontend
    bind 0.0.0.0:10016
    default_backend packages-backend

backend packages-backend
    balance hdr(appserver)
    server  packages03 packages03:80 check inter 5s rise 2 fall 3
{% if env == "production" %}
    server  packages04 packages04:80 check inter 5s rise 2 fall 3
{% endif %}
    option  httpchk GET /packages/_heartbeat

frontend totpcgiprovision-frontend
    bind 0.0.0.0:10019
    default_backend totpcgiprovision-backend

backend totpcgiprovision-backend
    balance hdr(appserver)
    http-check expect status 401
    server  fas01 fas01:8444 check inter 5s rise 1 fall 2
{% if env == "production" %}
    server  fas02 fas02:8444 check inter 5s rise 1 fall 2
    server  fas03 fas03:8444 check inter 5s rise 1 fall 2
{% endif %}
    option httpchk GET /index.cgi

frontend ipsilon-frontend
    bind 0.0.0.0:10020
    default_backend ipsilon-backend

backend ipsilon-backend
    balance hdr(appserver)
    server  ipsilon01 ipsilon01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server  ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /

frontend blockerbugs-frontend
    bind 0.0.0.0:10022
    default_backend blockerbugs-backend

backend blockerbugs-backend
    balance hdr(appserver)
    server  blockerbugs01 blockerbugs01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server  blockerbugs02 blockerbugs02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /blockerbugs

frontend fedocal-frontend
    bind 0.0.0.0:10023
    default_backend fedocal-backend

backend fedocal-backend
    balance hdr(appserver)
    server  fedocal01 fedocal01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server  fedocal02 fedocal02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /calendar

frontend hubs-frontend
    bind 0.0.0.0:10068
    default_backend hubs-backend

backend hubs-backend
    balance hdr(appserver)
{% if env != "production" %}
    server  hubs01 hubs01:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /

# IMPORTANT: 10023-10026 will NOT work because of selinux policies

frontend datagrepper-frontend
    bind 0.0.0.0:10028
    default_backend datagrepper-backend

backend datagrepper-backend
    balance hdr(appserver)
    server  datagrepper01 datagrepper01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server  datagrepper02 datagrepper02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /datagrepper/reference/

frontend geoip-city-frontend
    bind 0.0.0.0:10029
    default_backend geoip-city-backend

backend geoip-city-backend
    balance hdr(appserver)
    server  sundries01 sundries01:80 check inter 30s rise 2 fall 3
{% if env == "production" %}
    server  sundries02 sundries02:80 check inter 30s rise 2 fall 3
{% endif %}
    option  httpchk GET /city?ip=18.0.0.1

# IMPORTANT: 10031 will NOT work because of selinux policies

frontend badges-frontend
    bind 0.0.0.0:10032
    default_backend badges-backend

backend badges-backend
    balance hdr(appserver)
    server  badges-web01 badges-web01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server  badges-web02 badges-web02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /heartbeat

frontend nuancier-frontend
    bind 0.0.0.0:10035
    default_backend nuancier-backend

backend nuancier-backend
    balance hdr(appserver)
    server  nuancier01 nuancier01:80 check inter 10s rise 1 fall 2
    server  nuancier02 nuancier02:80 check inter 10s rise 1 fall 2
    option  httpchk GET /nuancier/

frontend notifs-web-frontend
    bind 0.0.0.0:10036
    default_backend notifs-web-backend

backend notifs-web-backend
    balance hdr(appserver)
    server  notifs-web01 notifs-web01:80 check inter 10s rise 1 fall 2
    server  notifs-web02 notifs-web02:80 check inter 10s rise 1 fall 2
    option  httpchk GET /notifications/_heartbeat

frontend github2fedmsg-frontend
    bind 0.0.0.0:10037
    default_backend github2fedmsg-backend

backend github2fedmsg-backend
    balance hdr(appserver)
    server  github2fedmsg01 github2fedmsg01:80 check inter 10s rise 1 fall 2
    option  httpchk GET /github2fedmsg/

frontend kerneltest-frontend
    bind 0.0.0.0:10038
    default_backend kerneltest-backend

backend kerneltest-backend
    balance hdr(appserver)
    server  kerneltest01 kerneltest01:80 check inter 10s rise 1 fall 2
    option httpchk GET /kerneltest

frontend koschei-frontend
    bind 0.0.0.0:10040
    default_backend koschei-backend

backend koschei-backend
    balance hdr(appserver)
    server  koschei-web01 koschei-web01:80 check inter 10s rise 1 fall 2
    server  koschei-web02 koschei-web02:80 check inter 10s rise 1 fall 2
    option  httpchk GET /koschei/

frontend autocloud-frontend
    bind 0.0.0.0:10041
    default_backend autocloud-backend

backend autocloud-backend
    balance hdr(appserver)
    server  autocloud-web01 autocloud-web01:80 check inter 10s rise 1 fall 2
    server  autocloud-web02 autocloud-web02:80 check inter 10s rise 1 fall 2
    option  httpchk GET /autocloud/

frontend mdapi-frontend
    bind 0.0.0.0:10043
    default_backend mdapi-backend

backend mdapi-backend
    balance hdr(appserver)
    server  mdapi01 mdapi01:8080 check inter 10s rise 1 fall 2
    option  httpchk GET /mdapi

frontend openqa-frontend
    bind 0.0.0.0:10044
    default_backend openqa-backend

backend openqa-backend
    balance hdr(appserver)
{% if env == "production" %}
    server  openqa01 openqa01:80 check inter 10s rise 1 fall 2
{% else %}
    server  openqa-stg01.qa.fedoraproject.org openqa-stg01.qa.fedoraproject.org:80 check inter 10s rise 1 fall 2
{% endif %}
    option  httpchk GET /api/v1/job_groups/1

frontend pdc-frontend
    bind 0.0.0.0:10045
    default_backend pdc-backend

backend pdc-backend
    balance hdr(appserver)

{% if env != "staging" %}
    # Set session persistence with a cookie.
    # https://jdennis.fedorapeople.org/doc/rhsso-tripleo-federation/html/rhsso-tripleo-federation.html#step-18-use-proxy-persistence-for-keystone-on-each-controller
    cookie SERVERID insert indirect nocache
{% endif %}

    server  pdc-web01 pdc-web01:80 check inter 10s rise 1 fall 2 cookie pdc-web01
{% if env != "staging" %}
    server  pdc-web02 pdc-web02:80 check inter 10s rise 1 fall 2 cookie pdc-web02
{% endif %}

    option  httpchk GET /rest_api/v1/
    timeout server 3600000
    timeout connect 3600000

frontend zanata2fedmsg-frontend
    bind 0.0.0.0:10046
    default_backend zanata2fedmsg-backend

backend zanata2fedmsg-backend
    balance hdr(appserver)
    server  zanata2fedmsg01 zanata2fedmsg01:80 check inter 10s rise 1 fall 2

frontend osbs-frontend
    bind 0.0.0.0:10047
    default_backend osbs-backend

backend osbs-backend
    balance hdr(appserver)
    server osbs-master01 osbs-master01:8443 check inter 10s rise 1 fall 2 check ssl verify none

frontend oci-registry-frontend
    bind 0.0.0.0:10048
    default_backend oci-registry-backend

backend oci-registry-backend
    balance hdr(appserver)
    server oci-registry01 oci-registry01:5000 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server oci-registry02 oci-registry02:5000 check inter 10s rise 1 fall 2
{% endif %}

{% if env == "staging" %}

frontend retrace-frontend
    bind 0.0.0.0:10049
    default_backend retrace-backend

backend retrace-backend
    balance hdr(appserver)
    server retrace02.qa.fedoraproject.org retrace02.qa.fedoraproject.org:80 check inter 10s rise 1 fall 2

{% endif %}
{% if env == "staging" %}

frontend faf-frontend
    bind 0.0.0.0:10050
    default_backend faf-backend

backend faf-backend
    balance hdr(appserver)
    server faf01 faf01:80 check inter 10s rise 1 fall 2

{% endif %}
{% if env == "staging" %}

frontend pps-frontend
    bind 0.0.0.0:10051
    default_backend pps-backend

backend pps-backend
    balance hdr(appserver)
    server  mdapi01 mdapi01:80 check inter 10s rise 1 fall 2
    option  httpchk GET /pps

{% endif %}

frontend ipa-frontend
    bind 0.0.0.0:10053
    default_backend ipa-backend

backend ipa-backend
    balance hdr(appserver)
    server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
{% if env != "staging" %}
    server  ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
{% endif %}
    option  httpchk GET /ipa/ui/

frontend krb5-frontend
    mode tcp
    bind 0.0.0.0:1088
    default_backend krb5-backend

backend krb5-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  ipa01 ipa01:88 weight 1 maxconn 16384
{% if env == "production" %}
    # server  ipa02 ipa02:88 weight 1 maxconn 16384
{% endif %}

frontend oci-candidate-registry-frontend
    bind 0.0.0.0:10054
    default_backend oci-candidate-registry-backend

backend oci-candidate-registry-backend
    balance hdr(appserver)
    server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2

frontend modernpaste-frontend
    bind 0.0.0.0:10055
    default_backend modernpaste-backend

backend modernpaste-backend
    balance hdr(appserver)
    server modernpaste01 modernpaste01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server modernpaste02 modernpaste02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /

{% if 'phx2' in inventory_hostname %}

frontend koji-frontend
    bind 0.0.0.0:10056
    default_backend koji-backend

backend koji-backend
    # This needs to be massive due to koji's completeBuild with texlive (https://pagure.io/koji/issue/259)
    timeout server 3h
    balance hdr(appserver)
    server koji01 koji01:80 check inter 10s rise 1 fall 2
    option httpchk GET /

# Only enable this on phx2 proxies
frontend src-frontend
    bind 0.0.0.0:10057
    default_backend src-backend

backend src-backend
    balance hdr(appserver)
{% if env == "staging" %}
    server pkgs01 pkgs01:80 check inter 10s rise 1 fall 2
{% else %}
    server pkgs02 pkgs02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /

{% endif %}

{% if env == "production" and 'phx2' in inventory_hostname %}
frontend ppckoji-frontend
    bind 0.0.0.0:10058
    default_backend ppckoji-backend

backend ppckoji-backend
    balance hdr(appserver)
    server ppc-koji01.ppc.fedoraproject.org ppc-koji01.ppc.fedoraproject.org:80 check inter 10s rise 1 fall 2
    option httpchk GET /

frontend s390koji-frontend
    bind 0.0.0.0:10059
    default_backend s390koji-backend

backend s390koji-backend
    balance hdr(appserver)
    server s390-koji01.s390.fedoraproject.org s390-koji01.s390.fedoraproject.org:80 check inter 10s rise 1 fall 2
    option httpchk GET /

frontend armkoji-frontend
    bind 0.0.0.0:10060
    default_backend armkoji-backend

backend armkoji-backend
    balance hdr(appserver)
    server arm-koji01.qa.fedoraproject.org arm-koji01.qa.fedoraproject.org:80 check inter 10s rise 1 fall 2
    option httpchk GET /

{% endif %}
# This is an endpoint using only ipa01. This is used for API access, since sessions
# are not synchronized.
frontend ipa01-frontend
    bind 0.0.0.0:10061
    default_backend ipa01-backend

backend ipa01-backend
    balance hdr(appserver)
    server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
    option  httpchk GET /ipa/ui/

{% if env == "production" and 'phx2' in inventory_hostname %}
frontend kojipkgs-frontend
    bind 0.0.0.0:10062
    default_backend kojipkgs-backend

backend kojipkgs-backend
    balance hdr(appserver)
    server kojipkgs01.phx2.fedoraproject.org kojipkgs01.phx2.fedoraproject.org:80 check inter 10s rise 1 fall 2
    server kojipkgs02.phx2.fedoraproject.org kojipkgs02.phx2.fedoraproject.org:80 check inter 10s rise 1 fall 2
    option httpchk GET /
{% endif %}

frontend mbs-frontend
    bind 0.0.0.0:10063
    default_backend mbs-backend

backend mbs-backend
    balance hdr(appserver)
    server  mbs-frontend01 mbs-frontend01:80 check inter 20s rise 2 fall 3
    server  mbs-frontend02 mbs-frontend02:80 check inter 20s rise 2 fall 3
    option  httpchk GET /module-build-service/1/component-builds/

frontend odcs-frontend
    bind 0.0.0.0:10066
    default_backend odcs-backend

backend odcs-backend
    balance hdr(appserver)
    server  odcs-frontend01 odcs-frontend01:80 check inter 20s rise 2 fall 3
    option  httpchk GET /api/1/composes/

frontend freshmaker-frontend
    bind 0.0.0.0:10067
    default_backend freshmaker-backend

backend freshmaker-backend
    balance hdr(appserver)
    server  freshmaker-frontend01 freshmaker-frontend01:80 check inter 20s rise 2 fall 3
    option  httpchk GET /api/1/builds/

{% if env == "staging" %}
frontend copr-frontend
    bind 0.0.0.0:10070
    default_backend copr-backend

backend copr-backend
    balance hdr(appserver)
    cookie SERVERID insert indirect nocache
    server  copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 cookie copr-frontend01
    server  copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 cookie copr-frontend02
    option  httpchk GET /api_3/
{% endif %}

# Apache doesn't handle the initial connection here like the other proxy
# entries.  This proxy also doesn't use the http mode like the others.
# stunnel should be sitting on port 9939 (public) and redirecting
# connections from there to here, port 9938.  This then proxies to the
# fedmsg-hub's websocket server on busgateway01, port 9919.
frontend fedmsg-websockets-frontend
    mode tcp
    bind 0.0.0.0:9938
    default_backend fedmsg-websockets-backend

backend fedmsg-websockets-backend
    mode tcp
    option  tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  busgateway01 busgateway01:9919 weight 1 maxconn 16384

# This, unlike the websockets entry just above, is listening directly to the
# outside world with no stunnel inbetween.
# Simply redirect tcp connections to a local fedmsg-gateway slave.  It should be
# forwarding messages from the master gateway on busgateway01.
frontend fedmsg-raw-zmq-outbound-frontend
    mode tcp
    bind 0.0.0.0:9940
    default_backend fedmsg-raw-zmq-outbound-backend

backend fedmsg-raw-zmq-outbound-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  localhost 127.0.0.1:9942 weight 1 maxconn 16384

# While the above fedmsg-raw-zmq-outbound forwards incoming connections to an
# instance of the "fedmsg-gateway" daemon (which pushes internal messages out),
# this entry forwards incoming connections to a secondary instance of the
# "fedmsg-relay" daemon (which pushes messages *onto* the internal bus).  We
# have a primary instance of fedmsg-relay running on app01 for most internal
# use.  Here we forward to a secondary one on busgateway01.
frontend fedmsg-raw-zmq-inbound-frontend
    mode tcp
    bind 0.0.0.0:9941
    default_backend fedmsg-raw-zmq-inbound-backend

backend fedmsg-raw-zmq-inbound-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server  busgateway01 busgateway01:9941 weight 1 maxconn 16384