From afd602cc178090d224ab73698eb19cdd5fe23420 Mon Sep 17 00:00:00 2001
From: admin <garrysmod57@bk.ru>
Date: Mon, 6 Apr 2026 03:50:09 +0000
Subject: [PATCH] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=B8=D1=82?=
 =?UTF-8?q?=D1=8C=20playbook3=5Fhaproxy.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 playbook3_haproxy.yml | 70 +++++++++++--------------------------------
 1 file changed, 18 insertions(+), 52 deletions(-)

diff --git a/playbook3_haproxy.yml b/playbook3_haproxy.yml
index 00fa849..7a0547a 100644
--- a/playbook3_haproxy.yml
+++ b/playbook3_haproxy.yml
@@ -1,5 +1,5 @@
 ---
-- name: Configure HAProxy Load Balancer
+- name: Configure HAProxy Load Balancer (ALT Linux)
   hosts: proxy
   become: true
   vars:
@@ -8,19 +8,18 @@
     backend_port: 443
     stats_port: 9000
     stats_uri: "/haproxy_stats"
-    stats_realm: "HAProxy Statistics"
     stats_user: "admin"
     stats_password: "haproxy_secure_pass"
     ssl_cert_path: "/etc/haproxy/ssl/www.au.team.pem"
     server_name: "www.au.team"
 
   tasks:
-    - name: Install HAProxy package
-      ansible.builtin.apt:
+    - name: Install HAProxy package (ALT Linux)
+      ansible.builtin.package:
         name: haproxy
         state: present
-        update_cache: true
-      tags: haproxy
+      tags:
+        - haproxy
 
     - name: Create SSL directory for HAProxy
       ansible.builtin.file:
@@ -29,18 +28,20 @@
         mode: '0755'
         owner: root
         group: root
-      tags: ssl
+      tags:
+        - ssl
 
-    - name: Generate combined PEM certificate for HAProxy
+    - name: Copy SSL certificate to HAProxy (from web server)
       ansible.builtin.shell: |
         cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > {{ ssl_cert_path }}
         chmod 600 {{ ssl_cert_path }}
       args:
         creates: "{{ ssl_cert_path }}"
-      tags: ssl
+      tags:
+        - ssl
 
-    - name: Configure HAProxy with SSL termination and roundrobin
-      ansible.builtin.template:
+    - name: Configure HAProxy with SSL termination
+      ansible.builtin.copy:
         content: |
           global
             log /dev/log local0
@@ -51,9 +52,6 @@
             user haproxy
             group haproxy
             daemon
-            ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
-            ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-            ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
           defaults
             log     global
@@ -63,74 +61,42 @@
             timeout connect 5000
             timeout client  50000
             timeout server  50000
-            errorfile 400 /etc/haproxy/errors/400.http
-            errorfile 403 /etc/haproxy/errors/403.http
-            errorfile 408 /etc/haproxy/errors/408.http
-            errorfile 500 /etc/haproxy/errors/500.http
-            errorfile 502 /etc/haproxy/errors/502.http
-            errorfile 503 /etc/haproxy/errors/503.http
-            errorfile 504 /etc/haproxy/errors/504.http
 
-          # Frontend: HTTPS with SNI support
           frontend https_front
-            bind {{ vip_address }}:443 ssl crt {{ ssl_cert_path }} alpn h2,http/1.1
+            bind {{ vip_address }}:443 ssl crt {{ ssl_cert_path }}
             bind {{ vip_address }}:80
             server_name {{ server_name }}
-            
-            # HTTP to HTTPS redirect
             http-request redirect scheme https unless { ssl_fc }
-            
-            # HSTS header
-            http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
-            
-            # ACL for stats
-            acl is_stats path_beg {{ stats_uri }}
-            use_backend stats_backend if is_stats
-            
             default_backend web_backend
 
-          # Backend: Web servers with roundrobin
           backend web_backend
             balance roundrobin
             option httpchk GET / HTTP/1.1\r\nHost:\ {{ server_name }}
-            http-check expect status 200
             {% for server in backend_servers %}
             server {{ server }} {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} check ssl verify none
             {% endfor %}
 
-          # Stats backend
           backend stats_backend
             stats enable
             stats uri {{ stats_uri }}
-            stats realm {{ stats_realm }}
             stats auth {{ stats_user }}:{{ stats_password }}
-            stats admin if TRUE
         dest: /etc/haproxy/haproxy.cfg
         mode: '0644'
         backup: true
-        validate: "haproxy -c -f %s"
       notify: Reload haproxy
-      tags: haproxy
-
-    - name: Add www.au.team to /etc/hosts for local resolution
-      ansible.builtin.lineinfile:
-        path: /etc/hosts
-        regexp: '^127\.0\.1\.1\s+www\.au\.team'
-        line: "127.0.1.1 {{ server_name }}"
-        state: present
-      tags: dns
+      tags:
+        - haproxy
 
     - name: Enable and start HAProxy service
       ansible.builtin.systemd:
         name: haproxy
         enabled: true
         state: started
-        daemon_reload: true
-      tags: haproxy
+      tags:
+        - haproxy
 
   handlers:
     - name: Reload haproxy
       ansible.builtin.systemd:
         name: haproxy
-        state: reloaded
-        daemon_reload: true
\ No newline at end of file
+        state: reloaded
\ No newline at end of file