2022-09-14 08:47:49 +02:00
|
|
|
{ stdenv
|
|
|
|
, pkgs
|
|
|
|
, lib
|
|
|
|
, utils
|
|
|
|
}:
|
|
|
|
{ configDir ? "/etc/haproxy"
|
|
|
|
, configFile ? "haproxy.cfg"
|
2022-10-09 08:52:41 +02:00
|
|
|
, frontends ? []
|
2022-09-14 08:47:49 +02:00
|
|
|
, backends ? []
|
|
|
|
, certPath
|
|
|
|
, user ? "haproxy"
|
|
|
|
, group ? "haproxy"
|
|
|
|
|
|
|
|
, statsEnable ? false
|
|
|
|
, statsPort ? 8404
|
|
|
|
, statsUri ? "/stats"
|
|
|
|
, statsRefresh ? "10s"
|
|
|
|
, prometheusStatsUri ? null
|
|
|
|
}:
|
|
|
|
|
2022-10-26 07:02:51 +02:00
|
|
|
with builtins;
|
|
|
|
with lib.strings;
|
2022-09-14 08:47:49 +02:00
|
|
|
let
|
|
|
|
|
|
|
|
stats = if statsEnable then "" else ''
|
|
|
|
frontend stats
|
2022-10-26 07:02:51 +02:00
|
|
|
bind localhost:${toString statsPort}
|
2022-09-14 08:47:49 +02:00
|
|
|
mode http
|
|
|
|
stats enable
|
|
|
|
# stats hide-version
|
|
|
|
stats uri ${statsUri}
|
|
|
|
stats refresh ${statsRefresh}
|
|
|
|
'' + (if prometheusStatsUri == null then "" else ''
|
|
|
|
http-request use-service prometheus-exporter if { path ${prometheusStatsUri} }
|
|
|
|
'');
|
|
|
|
|
|
|
|
indent = spaces: content:
|
2022-10-26 07:02:51 +02:00
|
|
|
concatMapStrings
|
2022-09-14 08:47:49 +02:00
|
|
|
(x: spaces + x + "\n")
|
2022-10-26 07:02:51 +02:00
|
|
|
(splitString "\n" content);
|
2022-09-14 08:47:49 +02:00
|
|
|
|
2022-10-26 07:02:51 +02:00
|
|
|
frontends_str = concatMapStrings (acl: indent " " acl) frontends;
|
|
|
|
backends_str = concatStringsSep "\n" backends;
|
2022-09-14 08:47:49 +02:00
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
utils.mkConfigFile {
|
|
|
|
name = configFile;
|
|
|
|
dir = configDir;
|
|
|
|
content = ''
|
|
|
|
global
|
|
|
|
# Load the plugin handling Let's Encrypt request
|
|
|
|
# lua-load /etc/haproxy/plugins/haproxy-acme-validation-plugin-0.1.1/acme-http01-webroot.lua
|
|
|
|
|
|
|
|
# Silence a warning issued by haproxy. Using 2048
|
|
|
|
# instead of the default 1024 makes the connection stronger.
|
|
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
|
|
|
|
maxconn 20000
|
|
|
|
|
|
|
|
user ${user}
|
|
|
|
group ${group}
|
|
|
|
|
|
|
|
log /dev/log local0 info
|
2022-09-29 08:34:14 +02:00
|
|
|
|
|
|
|
# Include ssl cipher in log output.
|
|
|
|
# tune.ssl.capture-cipherlist-size 800
|
2022-09-14 08:47:49 +02:00
|
|
|
|
|
|
|
defaults
|
|
|
|
log global
|
|
|
|
option httplog
|
|
|
|
|
|
|
|
timeout connect 10s
|
|
|
|
timeout client 15s
|
|
|
|
timeout server 30s
|
|
|
|
timeout queue 100s
|
|
|
|
|
|
|
|
frontend http-to-https
|
|
|
|
mode http
|
|
|
|
bind *:80
|
|
|
|
redirect scheme https code 301 if !{ ssl_fc }
|
|
|
|
|
|
|
|
${stats}
|
|
|
|
|
|
|
|
frontend https
|
|
|
|
mode http
|
|
|
|
|
2022-09-29 08:34:14 +02:00
|
|
|
# log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslv %sslc %[ssl_fc_cipherlist_str]"
|
|
|
|
|
2022-09-14 08:47:49 +02:00
|
|
|
bind *:443 ssl crt ${certPath}
|
|
|
|
http-request set-header X-Forwarded-Port %[dst_port]
|
|
|
|
http-request set-header X-Forwarded-For %[src]
|
|
|
|
http-request add-header X-Forwarded-Proto https
|
|
|
|
http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
|
|
|
|
|
2022-10-09 08:52:41 +02:00
|
|
|
${frontends_str}
|
2022-09-14 08:47:49 +02:00
|
|
|
|
|
|
|
${backends_str}
|
|
|
|
'';
|
|
|
|
}
|