102 lines
2.8 KiB
YAML
102 lines
2.8 KiB
YAML
---
|
|
- name: Configure HAProxy Load Balancer (ALT Linux)
|
|
hosts: proxy
|
|
become: true
|
|
vars:
|
|
vip_address: "172.16.1.253"
|
|
backend_servers: "{{ groups['server'] }}"
|
|
backend_port: 443
|
|
stats_port: 9000
|
|
stats_uri: "/haproxy_stats"
|
|
stats_user: "admin"
|
|
stats_password: "haproxy_secure_pass"
|
|
ssl_cert_path: "/etc/haproxy/ssl/www.au.team.pem"
|
|
server_name: "www.au.team"
|
|
|
|
tasks:
|
|
- name: Install HAProxy package (ALT Linux)
|
|
ansible.builtin.package:
|
|
name: haproxy
|
|
state: present
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: Create SSL directory for HAProxy
|
|
ansible.builtin.file:
|
|
path: /etc/haproxy/ssl
|
|
state: directory
|
|
mode: '0755'
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- ssl
|
|
|
|
- name: Copy SSL certificate to HAProxy (from web server)
|
|
ansible.builtin.shell: |
|
|
cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > {{ ssl_cert_path }}
|
|
chmod 600 {{ ssl_cert_path }}
|
|
args:
|
|
creates: "{{ ssl_cert_path }}"
|
|
tags:
|
|
- ssl
|
|
|
|
- name: Configure HAProxy with SSL termination
|
|
ansible.builtin.copy:
|
|
content: |
|
|
global
|
|
log /dev/log local0
|
|
log /dev/log local1 notice
|
|
chroot /var/lib/haproxy
|
|
stats socket /run/haproxy/admin.sock mode 660 level admin
|
|
stats timeout 30s
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
timeout connect 5000
|
|
timeout client 50000
|
|
timeout server 50000
|
|
|
|
frontend https_front
|
|
bind {{ vip_address }}:443 ssl crt {{ ssl_cert_path }}
|
|
bind {{ vip_address }}:80
|
|
server_name {{ server_name }}
|
|
http-request redirect scheme https unless { ssl_fc }
|
|
default_backend web_backend
|
|
|
|
backend web_backend
|
|
balance roundrobin
|
|
option httpchk GET / HTTP/1.1\r\nHost:\ {{ server_name }}
|
|
{% for server in backend_servers %}
|
|
server {{ server }} {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} check ssl verify none
|
|
{% endfor %}
|
|
|
|
backend stats_backend
|
|
stats enable
|
|
stats uri {{ stats_uri }}
|
|
stats auth {{ stats_user }}:{{ stats_password }}
|
|
dest: /etc/haproxy/haproxy.cfg
|
|
mode: '0644'
|
|
backup: true
|
|
notify: Reload haproxy
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: Enable and start HAProxy service
|
|
ansible.builtin.systemd:
|
|
name: haproxy
|
|
enabled: true
|
|
state: started
|
|
tags:
|
|
- haproxy
|
|
|
|
handlers:
|
|
- name: Reload haproxy
|
|
ansible.builtin.systemd:
|
|
name: haproxy
|
|
state: reloaded |