all applications to be exposed on http or https frontends

itewk · itewk · commit 6845450de14a · 2018-01-20T17:23:21.000-05:00
diff --git a/README.md b/README.md
@@ -28,62 +28,77 @@ Information about the expected role parameters.
 ### haproxy_applications
 The `haproxy_applications` parameter is a list of hashes defining the applications to load balance. Each item in the list may contain the following parameters.
 
-| parameter             | required | default | choices     | comments 
-| --------------------- |:--------:|:-------:| ----------- |:-------- 
-| name                  | yes      |         |             | Name of the application. Used in defining frontend and backend servers. Should be descriptive as will show up in HAProxy stats. Must match `/a-zA-Z0-9-_/`
-| domain                | yes      |         |             | FQDN which will resolve to the HAProxy server(s) to then load balance the `servers`. Can either just be a simple FQDN or a regex statement to match a domain.
-| domain\_is\_regex     | no       | false   | true, false | `true` if the given `domain` is regex, `false` to treat as plane FQDN.
-| http\_redirect        | no       | false   | true, false | `true` to automatically redirect http to https, `false` not to redirect.
-| servers               | yes      |         |             | List of hashes defining servers to load balance.
+| parameter              | required | default | choices     | comments 
+| ---------------------- |:--------:|:-------:| ----------- |:-------- 
+| name                   | yes      |         |             | Name of the application. Used in defining frontend and backend servers. Should be descriptive as will show up in HAProxy stats. Must match `/a-zA-Z0-9-_/`
+| domain                 | yes      |         |             | FQDN which will resolve to the HAProxy server(s) to then load balance the `servers`. Can either just be a simple FQDN or a regex statement to match a domain.
+| domain\_is\_regex      | no       | false   | true, false | `true` if the given `domain` is regex, `false` to treat as plane FQDN.
+| expose_http            | no       | false   | true, false | `true` to expose this application on http, `false` to not expose on http.
+| expose_https           | no       | false   | true, false | `true` to expose this application on https, `false` to not expose on https.
+| redirect_http_to_https | no       | false   | true, false | `true` to automatically redirect http to https, `false` not to redirect.
+| servers                | yes      |         |             | List of hashes defining servers to load balance.
 
 #### servers
 Each element in the `haproxy_applications` list must contain a `servers` key which is a list of hashes defining the servers to load balance for the respective application. Each item in the list may contain the following parameters.
 
-| parameter | required | default | choices         | comments 
-| --------- |:--------:|:-------:| --------------- |:-------- 
-| name      | yes      |         |                 | Name used to reference the server. Will be displayed in the HAProxy stats. Must match `/a-zA-Z0-9-_/`
-| address   | yes      |         |                 | FQDN or IP of server to load balance.
-| port      | yes      |         |                 | Port of server at `address` to load balance.
+| parameter  | required | default | choices         | comments 
+| ---------- |:--------:|:-------:| --------------- |:-------- 
+| name       | yes      |         |                 | Name used to reference the server. Will be displayed in the HAProxy stats. Must match `/a-zA-Z0-9-_/`
+| address    | yes      |         |                 | FQDN or IP of server to load balance.
+| port_http  | no       | 80      |                 | Port of server at `address` to load balance when `expose_http` is `true`.
+| port_https | no       | 443     |                 | Port of server at `address` to load balance when `expose_https` is `true`.
 
 ## Example Playbooks
 
-### Load balance Ansible Tower and OpenShift Container Platform (OCP) with same HAProxy server(s)
-
+## Load balance Ansible Tower
     - name: HAProxy
       hosts: haproxy
       roles:
         - role: haproxy
           haproxy_applications:
             - name: ansible-tower
               domain: tower.example.com
-              http_redirect: true
+              expose_https: True
+              redirect_http_to_https: True
               servers:
                 - name: tower0002
                   address: tower0002.example.com
-                  port: 443
                 - name: tower0003
                   address: tower0003.example.com
-                  port: 443
                 - name: tower0004
                   address: tower0004.example.com
-                  port: 443
-            - name: ocp
+
+## Load balance OpenShift Container Platform (OCP) masters and routers
+    - name: HAProxy
+      hosts: haproxy
+      roles:
+        - role: haproxy
+          haproxy_applications:
+            - name: ocp-admin
               domain: ocp.example.com
-              http_redirect: true
+              expose_https: True
+              redirect_http_to_https: True
               servers:
-                - name: ocp0002
+                - name: ocp0002-master
                   address: ocp0002.example.com
-                  port: 443
-                - name: ocp0003
+                - name: ocp0003-master
                   address: ocp0003.example.com
-                  port: 443
-                - name: ocp0004
+                - name: ocp0004-master
                   address: ocp0004.example.com
-                  port: 443
-
-## License
+            - name: ocp-router
+              domain: .*.apps.example.com
+              domain_is_regex: True
+              expose_https: True
+              expose_http: True
+              redirect_http_to_https: False
+              servers:
+                - name: ocp0005-infra
+                  address: ocp0005.example.com
+                - name: ocp0006-infra
+                  address: ocp0006.example.com
+                - name: ocp0007-infra
+                  address: ocp0007.example.com
 
-Apache
 
 ## Author Information
 
diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -9,30 +9,40 @@
   tags:
     - haproxy-configure
 
-- name: HAProxy | Configure | Update http_redirect.map
+- name: HAProxy | Configure | Update redirect_http_to_https.map
   template:
-    src: templates/http_redirect.map.j2
-    dest: /etc/haproxy/http_redirect.map
+    src: templates/redirect_http_to_https.map.j2
+    dest: /etc/haproxy/redirect_http_to_https.map
     owner: haproxy
     group: haproxy
-  register: http_redirect_result
+  register: redirect_http_to_https_result
   tags:
     - haproxy-configure
 
-- name: HAProxy | Configure | Update be_tcp.map
+- name: HAProxy | Configure | Update expose_http.map
   template:
-    src: templates/be_tcp.map.j2
-    dest: /etc/haproxy/be_tcp.map
+    src: templates/expose_http.map.j2
+    dest: /etc/haproxy/expose_http.map
     owner: haproxy
     group: haproxy
-  register: be_tcp_result
+  register: expose_http_result
+  tags:
+    - haproxy-configure
+
+- name: HAProxy | Configure | Update expose_https.map
+  template:
+    src: templates/expose_https.map.j2
+    dest: /etc/haproxy/expose_https.map
+    owner: haproxy
+    group: haproxy
+  register: expose_https_result
   tags:
     - haproxy-configure
 
 - name: HAProxy | Configure | Restart Service
   service:
     name: haproxy
     state: restarted
-  when: haproxy_cfg_result.changed or http_redirect_result.changed or be_tcp_result.changed
+  when: haproxy_cfg_result.changed or redirect_http_to_https_result.changed or expose_http_result.changed or expose_https_result.changed
   tags:
     - haproxy-configure
diff --git a/templates/.haproxy.cfg.j2.swp b/templates/.haproxy.cfg.j2.swp
diff --git a/templates/expose_http.map.j2 b/templates/expose_http.map.j2
@@ -1,7 +1,9 @@
 {% for application in haproxy_applications %}
-{%   if application.domain_is_regex | default(false) %}
+{%   if application.expose_http | default(false) %}
+{%     if application.domain_is_regex | default(false) %}
 ^{{ application.domain }}(:[0-9]+)?(/.*)?$ {{application.name}}
-{%   else %}
+{%     else %}
 ^{{ application.domain | regex_escape() }}(:[0-9]+)?(/.*)?$ {{application.name}}
+{%     endif %}
 {%   endif %}
 {% endfor %}
diff --git a/templates/expose_https.map.j2 b/templates/expose_https.map.j2
@@ -0,0 +1,9 @@
+{% for application in haproxy_applications %}
+{%   if application.expose_https | default(false) %}
+{%     if application.domain_is_regex | default(false) %}
+^{{ application.domain }}(:[0-9]+)?(/.*)?$ {{application.name}}
+{%     else %}
+^{{ application.domain | regex_escape() }}(:[0-9]+)?(/.*)?$ {{application.name}}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
@@ -58,21 +58,49 @@ frontend public
   http-request set-header Host %[req.hdr(Host),lower]
 
   # check if we need to redirect/force using https.
-  acl secure_redirect base,map_reg(/etc/haproxy/http_redirect.map) -m found
+  acl secure_redirect base,map_reg(/etc/haproxy/redirect_http_to_https.map) -m found
   redirect scheme https if secure_redirect
 
+  # determine if should expose http
+  acl http_expose base,map_reg(/etc/haproxy/expose_http.map) -m found
+
+  # use http backend if not https redirect and expose http
+  use_backend be_http:%[base,map_reg(/etc/haproxy/expose_http.map) if !secure_redirect http_expose
+
 frontend public_ssl
   bind :443
   tcp-request inspect-delay 5s
   tcp-request content accept if { req_ssl_hello_type 1 }
+
+  # determine if the conneciton is SNI
   acl sni req.ssl_sni -m found
-  use_backend be_tcp:%[req.ssl_sni,lower,map_reg(/etc/haproxy/be_tcp.map)] if sni
 
+  # determien if should expose https
+  acl https_expose req.ssl_sni,lower,map_reg(/etc/haproxy/expose_https.map) -m found
+  
+  # use tcp backend if SNI connection and expose https
+  use_backend be_tcp:%[req.ssl_sni,lower,map_reg(/etc/haproxy/expose_https.map)] if sni https_expose
+
+# create TCP backends
 {% for application in haproxy_applications %}
+{%   if application.expose_https | default(false) %}
 backend be_tcp:{{ application.name }}
   balance source
   mode tcp
-  {% for server in application.servers %}
-  server {{ server.name }} {{ server.address }}:{{ server.port }} check
-  {% endfor %}
+{%     for server in application.servers %}
+  server {{ server.name }} {{ server.address }}:{{ server.port_https | default(443) }} check
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+
+# create HTTP backends
+{% for application in haproxy_applications %}
+{%   if application.expose_http | default(false) %}
+backend be_http:{{ application.name }}
+  balance source
+  mode http
+{%     for server in application.servers %}
+  server {{ server.name }} {{ server.address }}:{{ server.port_http | default(80) }} check
+{%     endfor %}
+{%   endif %}
 {% endfor %}
diff --git a/templates/http_redirect.map.j2 b/templates/http_redirect.map.j2
diff --git a/templates/redirect_http_to_https.map.j2 b/templates/redirect_http_to_https.map.j2
@@ -0,0 +1,9 @@
+{% for application in haproxy_applications %}
+{%   if application.redirect_http_to_https | default(false) %}
+{%     if application.domain_is_regex | default(false) %}
+^{{ application.domain }}(:[0-9]+)?(/.*)?$ {{application.name}}
+{%     else %}
+^{{ application.domain | regex_escape() }}(:[0-9]+)?(/.*)?$ {{application.name}}
+{%     endif %}
+{%   endif %}
+{% endfor %}
