Обновить playbook3_haproxy.yml

2026-04-06 04:14:45 +00:00
parent cac365d915
commit b81aac98d7


@@ -1,5 +1,5 @@
---
- name: Configure HAProxy Load Balancer (ALT Linux)
- name: Configure Nginx Load Balancer (ALT Linux)
hosts: proxy
become: true
vars:
@@ -7,23 +7,28 @@
backend_servers: "{{ groups['server'] }}"
backend_port: 443
stats_port: 9000
stats_uri: "/haproxy_stats"
stats_user: "admin"
stats_password: "haproxy_secure_pass"
ssl_cert_path: "/etc/haproxy/ssl/www.au.team.pem"
server_name: "www.au.team"
ssl_cert_path: "/etc/nginx/ssl/www.au.team.crt"
ssl_key_path: "/etc/nginx/ssl/www.au.team.key"
tasks:
- name: Install HAProxy package (ALT Linux)
- name: Update package cache (ALT Linux)
ansible.builtin.command:
cmd: apt-rpm update
changed_when: false
tags:
- nginx
- name: Install Nginx package (ALT Linux)
ansible.builtin.package:
name: haproxy
name: nginx
state: present
tags:
- haproxy
- nginx
- name: Create SSL directory for HAProxy
- name: Create SSL directory for Nginx
ansible.builtin.file:
path: /etc/haproxy/ssl
path: /etc/nginx/ssl
state: directory
mode: '0755'
owner: root
@@ -31,72 +36,137 @@
tags:
- ssl
- name: Copy SSL certificate to HAProxy (from web server)
- name: Copy SSL certificate to Nginx (from web server)
ansible.builtin.shell: |
cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > {{ ssl_cert_path }}
chmod 600 {{ ssl_cert_path }}
cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > /etc/nginx/ssl/www.au.team.pem
chmod 600 /etc/nginx/ssl/www.au.team.pem
args:
creates: "{{ ssl_cert_path }}"
creates: /etc/nginx/ssl/www.au.team.pem
tags:
- ssl
- name: Configure HAProxy with SSL termination
- name: Create directories for Nginx config
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0755'
owner: root
group: root
loop:
- /etc/nginx/conf.d
- /etc/nginx/sites-available
- /etc/nginx/sites-enabled
tags:
- nginx
- name: Configure Nginx upstream for backend servers
ansible.builtin.copy:
content: |
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend https_front
bind {{ vip_address }}:443 ssl crt {{ ssl_cert_path }}
bind {{ vip_address }}:80
server_name {{ server_name }}
http-request redirect scheme https unless { ssl_fc }
default_backend web_backend
backend web_backend
balance roundrobin
option httpchk GET / HTTP/1.1\r\nHost:\ {{ server_name }}
{% for server in backend_servers %}
server {{ server }} {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} check ssl verify none
{% endfor %}
backend stats_backend
stats enable
stats uri {{ stats_uri }}
stats auth {{ stats_user }}:{{ stats_password }}
dest: /etc/haproxy/haproxy.cfg
upstream backend_servers {
balance roundrobin;
{% for server in backend_servers %}
server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s;
{% endfor %}
}
dest: /etc/nginx/conf.d/upstream.conf
mode: '0644'
backup: true
notify: Reload haproxy
notify: Reload nginx
tags:
- haproxy
- nginx
- name: Enable and start HAProxy service
- name: Configure Nginx vhost with SSL and load balancing
ansible.builtin.copy:
content: |
# HTTP server - redirect to HTTPS
server {
listen {{ vip_address }}:80;
listen [::]:80;
server_name {{ server_name }};
return 301 https://$host$request_uri;
}
# HTTPS server with load balancing
server {
listen {{ vip_address }}:443 ssl;
listen [::]:443 ssl;
server_name {{ server_name }};
ssl_certificate /etc/nginx/ssl/www.au.team.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Proxy to backend servers
location / {
proxy_pass https://backend_servers;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
proxy_connect_timeout 10s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
# HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# Stats server
server {
listen {{ vip_address }}:{{ stats_port }};
server_name {{ server_name }};
location / {
stub_status on;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
}
location /haproxy_stats {
return 200 "Nginx Stats\nActive connections: $connections_active\n";
add_header Content-Type text/plain;
}
}
dest: /etc/nginx/sites-available/www.au.team.conf
mode: '0644'
backup: true
notify: Reload nginx
tags:
- nginx
- name: Enable site configuration
ansible.builtin.file:
src: /etc/nginx/sites-available/www.au.team.conf
dest: /etc/nginx/sites-enabled/www.au.team.conf
state: link
notify: Reload nginx
tags:
- nginx
- name: Remove default Nginx site
ansible.builtin.file:
path: /etc/nginx/sites-enabled/default
state: absent
ignore_errors: true
tags:
- nginx
- name: Enable and start Nginx service
ansible.builtin.systemd:
name: haproxy
name: nginx
enabled: true
state: started
tags:
- haproxy
- nginx
handlers:
- name: Reload haproxy
- name: Reload nginx
ansible.builtin.systemd:
name: haproxy
name: nginx
state: reloaded
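Review bot: `balance roundrobin;` in the new upstream block is HAProxy syntax, not an nginx directive, so `nginx -t` will reject the generated `/etc/nginx/conf.d/upstream.conf` and the `Reload nginx` handler will fail; drop the line, since round-robin is nginx's default. The vhost also points `ssl_certificate` at a concatenated `/etc/nginx/ssl/www.au.team.pem` with no `ssl_certificate_key`, which nginx does not accept, while the new `ssl_cert_path`/`ssl_key_path` vars are defined but never used by any task; copying the cert and key as two files (key at mode 0600) and referencing both directives from the vars is sketched below. The hard-coded `stats_password` in vars is no longer referenced anywhere and should be removed rather than stay committed, and `proxy_ssl_verify off` carries the HAProxy `verify none` behaviour forward, so backend certificates are still not checked. Whether the target's `nginx.conf` includes `sites-enabled/*.conf` is not visible here, so the symlink task may need a matching include to take effect.
```yaml
- name: Copy SSL certificate and key to Nginx (from web server)
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    remote_src: true
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - src: /etc/angie/ssl/www.au.team.crt
      dest: "{{ ssl_cert_path }}"
      mode: '0644'
    - src: /etc/angie/ssl/www.au.team.key
      dest: "{{ ssl_key_path }}"
      mode: '0600'
  notify: Reload nginx
  tags:
    - ssl
# … unchanged: directory creation task …
- name: Configure Nginx upstream for backend servers
  ansible.builtin.copy:
    content: |
      upstream backend_servers {
      {% for server in backend_servers %}
        server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s;
      {% endfor %}
      }
# … unchanged: dest, mode, backup, notify, tags …
# … in the vhost content, the single ssl_certificate line becomes:
      ssl_certificate {{ ssl_cert_path }};
      ssl_certificate_key {{ ssl_key_path }};
```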