This fixes ticket 10521. Basically we want to just open the api. It requires auth to do anything and other openshift instances have it available, so it hopefully shouldn't expose us to too much risk. With ocp3 the api was part of the normal port/web flow, but with ocp4 it's a separate port. This also adds new workers to haproxy. I can drop that part if it's controversial, but it should be fine I would think. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
# this config needs haproxy-1.1.28 or haproxy-1.2.1
|
|
|
|
# Process-wide settings: logging, connection ceiling, chroot/privilege drop and
# the two runtime (stats) sockets.
global
    # Warnings and above go to syslog on localhost, facility local0.
    log 127.0.0.1 local0 warning
    # Set this to 4096 + 16384
    # 16384 for the fedmsg gateway and 4096 for everybody else.
    maxconn 20480
    # Chroot into /var/lib/haproxy and run as the unprivileged haproxy user/group.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Monitoring socket, owned haproxy:nrpe with mode 0664. No `level` is given,
    # so HAProxy's default level (operator) applies.
    # NOTE(review): if the nrpe checks only read counters, `level user` would be
    # the least-privileged setting - confirm what the checks actually issue.
    stats socket /var/run/haproxy-stat user haproxy group nrpe mode 0664
    # Admin-level socket (can change server state at runtime); root:root, 0660.
    stats socket /var/run/haproxy-admin level admin user root group root mode 0660
    #debug
    #quiet
|
|
|
|
# Defaults inherited by every frontend/backend below unless a section overrides them.
defaults
    log global
    # HTTP mode unless a section sets `mode tcp` itself.
    mode http
    option httplog
    # Connections that never send data are not logged.
    # NOTE(review): on listeners reachable from untrusted networks this also
    # hides port scans and probes from the logs - confirm that is acceptable.
    option dontlognull
    option httpclose
    # On connection failure retry up to 3 times and allow a different server.
    option redispatch
    retries 3
    maxconn 5000
    timeout connect 5s
    # NOTE(review): idle client/server connections are held for 500s; together
    # with maxconn this decides how many stalled connections the proxy will
    # carry. Confirm the value is sized for the slowest legitimate request.
    timeout client 500s
    timeout server 500s
    errorfile 503 /etc/haproxy/503.http
|
|
|
|
# Built-in statistics page, served at / on port 8080.
# NOTE(review): no `stats auth` or ACL is set in this section and the listener
# binds every interface, so access control rests on whatever filtering sits in
# front of port 8080 - confirm. The page lists backend and server names with
# their health state.
frontend stats-frontend
    bind 0.0.0.0:8080
    default_backend stats-backend

backend stats-backend
    # No servers are defined here; the backend only serves the stats page.
    balance hdr(appserver)
    stats enable
    stats uri /
|
|
|
|
{% if env == "production" and 'iad2' in inventory_hostname %}
# OpenShift (production) pass-through, rendered only on production proxies whose
# inventory hostname contains iad2. Both listeners are `mode tcp`: HAProxy
# relays the raw stream, so it cannot filter by path or client identity here;
# authentication is left entirely to the service behind each port.

# Kubernetes API, port 6443.
# NOTE(review): `check` without further options is a TCP connect test only; it
# does not distinguish a ready API server from one that merely accepts
# connections - confirm that is sufficient.
frontend ocp-masters-kapi
    mode tcp
    bind 0.0.0.0:6443
    default_backend ocp-masters-backend-kapi

backend ocp-masters-backend-kapi
    mode tcp
    # NOTE(review): six hosts are listed under a "masters" backend. Any that are
    # workers rather than control-plane nodes presumably do not listen on 6443
    # and would just stay marked down by the check - confirm the list.
    server ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    # temp bootstrap node
    # server bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check

# Machine config endpoint, port 22623.
# NOTE(review): this listener binds every interface exactly like the API
# listener, but it hands provisioning configuration to machines joining the
# cluster and is normally meant for cluster hosts only. Confirm that firewall
# rules keep 22623 unreachable from outside even where 6443 is opened.
frontend ocp-masters-machineconfig
    mode tcp
    bind 0.0.0.0:22623
    default_backend ocp-masters-backend-machineconfig

backend ocp-masters-backend-machineconfig
    mode tcp
    server ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    # temp bootstrap node
    # server bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
{% endif %}
|
|
|
|
{% if env != "production" and 'iad2' in inventory_hostname %}
# OpenShift (non-production, stg hosts) pass-through, rendered on iad2 proxies
# outside production. Both listeners are `mode tcp`, so HAProxy relays the raw
# stream and applies no path- or identity-based filtering of its own.

# Kubernetes API, port 6443. `check` is a TCP connect test only.
frontend ocp-masters-kapi
    mode tcp
    bind 0.0.0.0:6443
    default_backend ocp-masters-backend-kapi

backend ocp-masters-backend-kapi
    mode tcp
    server ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    server ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
    # temp bootstrap node
    # server bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check

# Machine config endpoint, port 22623.
# NOTE(review): bound on every interface like the API listener, although it
# serves provisioning configuration to joining machines and is normally meant
# for cluster hosts only - confirm 22623 is filtered from outside.
frontend ocp-masters-machineconfig
    mode tcp
    bind 0.0.0.0:22623
    default_backend ocp-masters-backend-machineconfig

backend ocp-masters-backend-machineconfig
    mode tcp
    server ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    server ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
    # temp bootstrap node
    # server bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
{% endif %}
|
|
|
|
# Wiki: HTTP listener on 10001, health-checked with GET /wiki/Main_Page.
# NOTE(review): the listener binds every interface. A comment further down this
# file says Apache handles the initial connection for entries like this one, so
# presumably only the local Apache needs to reach the port - confirm it is not
# reachable from outside.
frontend fp-wiki-frontend
    bind 0.0.0.0:10001
    default_backend fp-wiki-backend

backend fp-wiki-backend
    # Server is chosen by hashing the `appserver` request header; requests
    # without that header fall back to round-robin.
    balance hdr(appserver)
    # Check every 15s; 2 passes mark the server up, 5 failures mark it down.
    server wiki01 wiki01:80 check inter 15s rise 2 fall 5
{% if env == "production" %}
    server wiki02 wiki02:80 check inter 15s rise 2 fall 5
{% endif %}
    option httpchk GET /wiki/Main_Page
|
|
|
|
# Mirror list: HTTP listener on 10002 in front of two processes on this host
# (127.0.0.1:18081 and 127.0.0.1:18082).
frontend mirror-lists-frontend
    bind 0.0.0.0:10002
    default_backend mirror-lists-backend

backend mirror-lists-backend
    balance hdr(appserver)
    # Overrides the 5s connect timeout from the defaults section.
    timeout connect 30s
    # Checked every second; 2 passes mark up, 3 failures mark down.
    server mirrorlist-local1 127.0.0.1:18081 check inter 1s rise 2 fall 3 weight 100
    server mirrorlist-local2 127.0.0.1:18082 check inter 1s rise 2 fall 3 weight 100
    option httpchk GET /metalink?repo=epel-7&arch=x86_64
    # NOTE(review): `allbackups` only affects servers flagged `backup`; none
    # are flagged in this backend, so the option looks like a leftover - confirm.
    option allbackups
|
|
|
|
# MirrorManager: HTTP listener on 10008 with a single backend server,
# health-checked once a minute against a static CSS file.
frontend mirrormanager-frontend
    bind 0.0.0.0:10008
    default_backend mirrormanager-backend

backend mirrormanager-backend
    balance hdr(appserver)
    server mm-frontend01 mm-frontend01:80 check inter 60s rise 2 fall 3
    option httpchk GET /mirrormanager/static/mirrormanager2.css
|
|
|
|
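# Freemedia: HTTP listener on 10011, health-checked with
# GET /freemedia/FreeMedia-form.html.
frontend freemedia-frontend
    bind 0.0.0.0:10011
    default_backend freemedia-backend

backend freemedia-backend
    balance hdr(appserver)
    server sundries01 sundries01:80 check inter 60s rise 2 fall 3
{% if env == "production" %}
    # The second entry must target sundries02 itself (as geoip-city-backend
    # does). Pointing both entries at sundries01 gives no redundancy while the
    # stats page still reports two healthy servers.
    server sundries02 sundries02:80 check inter 60s rise 2 fall 3
{% endif %}
    option httpchk GET /freemedia/FreeMedia-form.html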
|
|
|
|
#frontend packages-frontend
|
|
# bind 0.0.0.0:10016
|
|
# default_backend packages-backend
|
|
#
|
|
#backend packages-backend
|
|
# balance hdr(appserver)
|
|
# server packages03 packages03:80 check inter 5s rise 2 fall 3
|
|
#{% if env == "production" %}
|
|
# server packages04 packages04:80 check inter 5s rise 2 fall 3
|
|
#{% endif %}
|
|
# option httpchk GET /packages/_heartbeat
|
|
|
|
# Blockerbugs: HTTP listener on 10022 with a single backend server.
frontend blockerbugs-frontend
    bind 0.0.0.0:10022
    default_backend blockerbugs-backend

backend blockerbugs-backend
    balance hdr(appserver)
    # Check every 10s; 1 pass marks up, 2 failures mark down.
    server blockerbugs01 blockerbugs01:80 check inter 10s rise 1 fall 2
    option httpchk GET /blockerbugs
|
|
|
|
# IMPORTANT: 10023-10026 will NOT work because of selinux policies
|
|
|
|
# GeoIP city lookup: HTTP listener on 10029; the health check performs a real
# lookup (GET /city?ip=18.0.0.1).
frontend geoip-city-frontend
    bind 0.0.0.0:10029
    default_backend geoip-city-backend

backend geoip-city-backend
    balance hdr(appserver)
    server sundries01 sundries01:80 check inter 30s rise 2 fall 3
{% if env == "production" %}
    server sundries02 sundries02:80 check inter 30s rise 2 fall 3
{% endif %}
    option httpchk GET /city?ip=18.0.0.1
|
|
|
|
# IMPORTANT: 10031 will NOT work because of selinux policies
|
|
|
|
# Badges: HTTP listener on 10032 with a single backend server, health-checked
# with GET /heartbeat.
frontend badges-frontend
    bind 0.0.0.0:10032
    default_backend badges-backend

backend badges-backend
    balance hdr(appserver)
    server badges-web01 badges-web01:80 check inter 10s rise 1 fall 2
    option httpchk GET /heartbeat
|
|
|
|
# Nuancier: HTTP listener on 10035 with two backend servers in every
# environment (no production-only conditional here).
frontend nuancier-frontend
    bind 0.0.0.0:10035
    default_backend nuancier-backend

backend nuancier-backend
    balance hdr(appserver)
    server nuancier01 nuancier01:80 check inter 10s rise 1 fall 2
    server nuancier02 nuancier02:80 check inter 10s rise 1 fall 2
    option httpchk GET /nuancier/
|
|
|
|
# Notifications web UI: HTTP listener on 10036, health-checked with
# GET /notifications/_heartbeat.
frontend notifs-web-frontend
    bind 0.0.0.0:10036
    default_backend notifs-web-backend

backend notifs-web-backend
    balance hdr(appserver)
    server notifs-web01 notifs-web01:80 check inter 10s rise 1 fall 2
{% if env == "production" %}
    # The production-only second server is commented out, so this conditional
    # currently renders nothing but a comment.
#    server notifs-web02 notifs-web02:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /notifications/_heartbeat
|
|
|
|
# github2fedmsg: HTTP listener on 10037 with a single backend server.
frontend github2fedmsg-frontend
    bind 0.0.0.0:10037
    default_backend github2fedmsg-backend

backend github2fedmsg-backend
    balance hdr(appserver)
    server github2fedmsg01 github2fedmsg01:80 check inter 10s rise 1 fall 2
    option httpchk GET /github2fedmsg/
|
|
|
|
# Kerneltest: HTTP listener on 10038 with a single backend server.
frontend kerneltest-frontend
    bind 0.0.0.0:10038
    default_backend kerneltest-backend

backend kerneltest-backend
    balance hdr(appserver)
    server kerneltest01 kerneltest01:80 check inter 10s rise 1 fall 2
    option httpchk GET /kerneltest
|
|
|
|
{% if env == "production" %}
# openQA: production-only HTTP listener on 10044. The health check calls an
# API endpoint (GET /api/v1/job_groups/1) rather than a static page.
frontend openqa-frontend
    bind 0.0.0.0:10044
    default_backend openqa-backend

backend openqa-backend
    balance hdr(appserver)
    server openqa01 openqa01:80 check inter 10s rise 1 fall 2
    option httpchk GET /api/v1/job_groups/1
{% endif %}
|
|
|
|
# PDC: HTTP listener on 10045, health-checked with GET /rest_api/v1/.
frontend pdc-frontend
    bind 0.0.0.0:10045
    default_backend pdc-backend

backend pdc-backend
    balance hdr(appserver)

{% if env != "staging" %}
    # Set session persistence with a cookie.
    # https://jdennis.fedorapeople.org/doc/rhsso-tripleo-federation/html/rhsso-tripleo-federation.html#step-18-use-proxy-persistence-for-keystone-on-each-controller
    # NOTE(review): the SERVERID cookie is inserted without the `secure` or
    # `httponly` keywords, and its value is the per-server `cookie` string
    # below, i.e. the backend host name is visible to clients - confirm both
    # are acceptable.
    cookie SERVERID insert indirect nocache
{% endif %}

    server pdc-web01 pdc-web01:80 check inter 10s rise 1 fall 2 cookie pdc-web01
{% if env != "staging" %}
    server pdc-web02 pdc-web02:80 check inter 10s rise 1 fall 2 cookie pdc-web02
{% endif %}

    option httpchk GET /rest_api/v1/
    # Unit-less timeouts are milliseconds: both values are one hour.
    # NOTE(review): a one-hour *connect* timeout means a server that never
    # answers the TCP handshake can hold a request for an hour before retry or
    # redispatch applies - presumably only `timeout server` was meant to be
    # this long; confirm.
    timeout server 3600000
    timeout connect 3600000
|
|
|
|
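# OSBS: HTTP listener on 10047; HAProxy opens a TLS connection to
# osbs-master01:8443 for each request.
frontend osbs-frontend
    bind 0.0.0.0:10047
    default_backend osbs-backend

backend osbs-backend
    balance hdr(appserver)
    # NOTE(review): `verify none` encrypts the hop but accepts any certificate,
    # so the proxy cannot tell the real osbs-master01 from another host
    # answering on that address. The ipa backends in this file use
    # `verify required ca-file ...`; doing the same here needs the CA that
    # signed the OSBS certificate.
    # No `option httpchk` is set, so the health check is connection-level only.
    # The `check` keyword was listed twice on this line; once is enough.
    server osbs-master01 osbs-master01:8443 check inter 10s rise 1 fall 2 ssl verify none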
|
|
|
|
# OCI registry: HTTP listener on 10048 forwarding to port 5000 on the registry
# hosts. No `option httpchk` is set, so `check` is a TCP connect test only.
frontend oci-registry-frontend
    bind 0.0.0.0:10048
    default_backend oci-registry-backend

backend oci-registry-backend
    balance hdr(appserver)
    server oci-registry01 oci-registry01:5000 check inter 10s rise 1 fall 2
{% if env == "production" %}
    server oci-registry02 oci-registry02:5000 check inter 10s rise 1 fall 2
{% endif %}
|
|
|
|
{% if env == "staging" %}

# pps: staging-only HTTP listener on 10051. The backend server is mdapi01.
frontend pps-frontend
    bind 0.0.0.0:10051
    default_backend pps-backend

backend pps-backend
    balance hdr(appserver)
    server mdapi01 mdapi01:80 check inter 10s rise 1 fall 2
    option httpchk GET /pps

{% endif %}
|
|
|
|
# Ipsilon: HTTP listener on 10020; backend traffic goes to port 80 in clear
# text. Health check is GET /.
frontend ipsilon-frontend
    bind 0.0.0.0:10020
    default_backend ipsilon-backend

backend ipsilon-backend
    balance hdr(appserver)
    # Check every 10s; 1 pass marks up, 3 failures mark down.
    server ipsilon01 ipsilon01:80 check inter 10s rise 1 fall 3
{% if env == "production" %}
    server ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 3
{% endif %}
    option httpchk GET /
|
|
|
|
# IPA web UI/API: HTTP listener on 10053; HAProxy connects to the IPA servers
# over TLS on 443 and verifies their certificate against /etc/haproxy/ipa.pem.
frontend ipa-frontend
    bind 0.0.0.0:10053
    default_backend ipa-backend

backend ipa-backend
    balance hdr(appserver)
    # `verify required` makes the connection fail if the server certificate
    # does not chain to the CA file.
    server ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
{% if env != "staging" %}
    # `backup`: these only receive traffic when ipa01 is down.
    server ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
    server ipa03 ipa03:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem backup
{% endif %}
    option httpchk GET /ipa/ui/
|
|
|
|
# Kerberos: TCP listener on 1088 relayed to port 88 on the IPA servers.
frontend krb5-frontend
    mode tcp
    bind 0.0.0.0:1088
    default_backend krb5-backend

backend krb5-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    # Unit-less timeouts are milliseconds: queue 5s, server and connect 24h.
    # NOTE(review): a 24-hour *connect* timeout lets an unreachable server hold
    # a client connection for a day before retry/redispatch applies - confirm
    # this was intended and not copied from `timeout server`.
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    # NOTE(review): the servers carry no `check`, so round-robin keeps sending
    # new connections to a server that is down - confirm.
    server ipa01 ipa01:88 weight 1 maxconn 16384
{% if env == "production" %}
    server ipa02 ipa02:88 weight 1 maxconn 16384
    server ipa03 ipa03:88 weight 1 maxconn 16384
{% endif %}
|
|
|
|
# OCI candidate registry: HTTP listener on 10054 forwarding to port 5000.
# No `option httpchk` is set, so `check` is a TCP connect test only.
frontend oci-candidate-registry-frontend
    bind 0.0.0.0:10054
    default_backend oci-candidate-registry-backend

backend oci-candidate-registry-backend
    balance hdr(appserver)
    server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2
|
|
|
|
{% if 'iad2' in inventory_hostname %}

# Only enable this on iad2 proxies
# src: HTTP listener on 10057 forwarding to pkgs01, health-checked with GET /.
frontend src-frontend
    bind 0.0.0.0:10057
    default_backend src-backend

backend src-backend
    balance hdr(appserver)
    # NOTE(review): both branches render the same server line. The only effect
    # of the conditional is that a non-staging host whose datacenter is not
    # iad2 gets a backend with no server at all - confirm that is intended.
{% if env == "staging" %}
    server pkgs01 pkgs01:80 check inter 10s rise 1 fall 2
{% elif datacenter == 'iad2' %}
    server pkgs01 pkgs01:80 check inter 10s rise 1 fall 2
{% endif %}
    option httpchk GET /

{% endif %}
|
|
# This is an endpoint using only ipa01. This is used for API access, since sessions
# are not synchronized.
# HTTP listener on 10061; the single backend connection uses TLS with the
# server certificate verified against /etc/haproxy/ipa.pem.
frontend ipa01-frontend
    bind 0.0.0.0:10061
    default_backend ipa01-backend

backend ipa01-backend
    balance hdr(appserver)
    server ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
    option httpchk GET /ipa/ui/
|
|
|
|
{% if env == "production" and 'iad2' in inventory_hostname %}
# kojipkgs: production/iad2-only HTTP listener on 10062. Server host names are
# built from the `datacenter` template variable.
frontend kojipkgs-frontend
    bind 0.0.0.0:10062
    default_backend kojipkgs-backend

backend kojipkgs-backend
    # Unlike most backends in this file, the server is chosen by hashing the
    # request URI rather than the `appserver` header.
    balance uri
    server kojipkgs01.{{ datacenter }}.fedoraproject.org kojipkgs01.{{ datacenter }}.fedoraproject.org:80 check inter 10s rise 1 fall 2
    server kojipkgs02.{{ datacenter }}.fedoraproject.org kojipkgs02.{{ datacenter }}.fedoraproject.org:80 check inter 10s rise 1 fall 2
    option httpchk GET /
{% endif %}
|
|
|
|
# MBS: HTTP listener on 10063. The health check calls an API listing endpoint
# (GET /module-build-service/1/component-builds/) every 20s.
frontend mbs-frontend
    bind 0.0.0.0:10063
    default_backend mbs-backend

backend mbs-backend
    balance hdr(appserver)
    server mbs-frontend01 mbs-frontend01:80 check inter 20s rise 2 fall 3
{% if env == "production" %}
    server mbs-frontend02 mbs-frontend02:80 check inter 20s rise 2 fall 3
{% endif %}
    option httpchk GET /module-build-service/1/component-builds/
|
|
|
|
# ODCS: HTTP listener on 10066 with a single backend server, health-checked
# with GET /api/1/composes/ every 20s.
frontend odcs-frontend
    bind 0.0.0.0:10066
    default_backend odcs-backend

backend odcs-backend
    balance hdr(appserver)
    server odcs-frontend01 odcs-frontend01:80 check inter 20s rise 2 fall 3
    option httpchk GET /api/1/composes/
|
|
|
|
{% if datacenter == "iad2" %}
# These ports are for proxying rabbitmq (AMQP) protocol through.
# At this moment, internal- and public-rabbitmq both point to the exact same set of
# brokers on the backend, but the internal- is intended for applications we directly control.
# This allows us to move to a separate cluster for public access if that became necessary
# on just the infra side, with no need to ask users to change anything.
#
# NOTE(review): both frontends bind every interface and share one backend, so
# nothing in this file separates "internal" from "public" callers. Any
# difference in who may reach 15671 versus 5671 has to come from firewall rules
# outside this file - confirm they exist.
frontend internal-rabbitmq
    mode tcp
    bind 0.0.0.0:15671
    default_backend rabbitmq

frontend public-rabbitmq
    mode tcp
    bind 0.0.0.0:5671
    default_backend rabbitmq

backend rabbitmq
    # TCP pass-through to port 5671 on the brokers; HAProxy does not terminate
    # or inspect the stream.
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    # NOTE(review): no `check` on these servers, so a broker that is down still
    # receives its share of new connections - confirm.
    server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384
    server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384
    server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384
{% endif %}
|
|
|
|
# Apache doesn't handle the initial connection here like the other proxy
# entries. This proxy also doesn't use the http mode like the others.
# stunnel should be sitting on port 9939 (public) and redirecting
# connections from there to here, port 9938. This then proxies to the
# fedmsg-hub's websocket server on busgateway01, port 9919.
#
# NOTE(review): the listener binds every interface, so the port that is meant
# to sit behind stunnel is itself reachable wherever the firewall allows it.
# If stunnel runs on this same host, binding 127.0.0.1 would make the intent
# explicit - confirm where stunnel runs before changing it.
frontend fedmsg-websockets-frontend
    mode tcp
    bind 0.0.0.0:9938
    default_backend fedmsg-websockets-backend

backend fedmsg-websockets-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    # Unit-less timeouts are milliseconds: queue 5s, server and connect 24h.
    # The long server timeout suits long-lived websocket connections.
    # NOTE(review): the 24-hour *connect* timeout looks unintended - confirm.
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server busgateway01 busgateway01:9919 weight 1 maxconn 16384
|
|
|
|
# This, unlike the websockets entry just above, is listening directly to the
# outside world with no stunnel inbetween.
# Simply redirect tcp connections to a local fedmsg-gateway slave. It should be
# forwarding messages from the master gateway on busgateway01.
frontend fedmsg-raw-zmq-outbound-frontend
    mode tcp
    bind 0.0.0.0:9940
    default_backend fedmsg-raw-zmq-outbound-backend

backend fedmsg-raw-zmq-outbound-backend
    mode tcp
    option tcplog
    balance roundrobin
    # Up to 16384 concurrent connections; this is the allowance the global
    # maxconn comment reserves for the fedmsg gateway.
    maxconn 16384
    # Unit-less timeouts are milliseconds: queue 5s, server and connect 24h.
    # NOTE(review): on an Internet-facing listener each idle connection can be
    # held for a day, so connection slots are the resource an abusive client
    # would exhaust - confirm rate or source limiting exists upstream.
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    # The only server is a process on this host, port 9942.
    server localhost 127.0.0.1:9942 weight 1 maxconn 16384
|
|
|
|
# While the above fedmsg-raw-zmq-outbound forwards incoming connections to an
# instance of the "fedmsg-gateway" daemon (which pushes internal messages out),
# this entry forwards incoming connections to a secondary instance of the
# "fedmsg-relay" daemon (which pushes messages *onto* the internal bus). We
# have a primary instance of fedmsg-relay running on app01 for most internal
# use. Here we forward to a secondary one on busgateway01.
#
# NOTE(review): this is the write path onto the internal bus and the listener
# binds every interface with no source restriction in this file. Confirm which
# networks can reach 9941 and that the relay or its consumers validate what
# arrives.
frontend fedmsg-raw-zmq-inbound-frontend
    mode tcp
    bind 0.0.0.0:9941
    default_backend fedmsg-raw-zmq-inbound-backend

backend fedmsg-raw-zmq-inbound-backend
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 16384
    # Unit-less timeouts are milliseconds: queue 5s, server and connect 24h.
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server busgateway01 busgateway01:9941 weight 1 maxconn 16384
|
|
|
|
{% if env == "staging" %}
# Zabbix: staging-only HTTP listener on 10068. The HTTP health check is
# commented out, so `check` is a TCP connect test only.
frontend zabbix-frontend
    bind 0.0.0.0:10068
    default_backend zabbix-backend

backend zabbix-backend
    balance hdr(appserver)
    server zabbix01 zabbix01:80 check inter 10s rise 1 fall 2
#    option httpchk GET /
#    http-check expect status 200,401,302
{% endif %}
|