hifis.haproxy

HAProxy Role

:warning: This project is archived! :warning:

This role has been migrated to our hifis.toolkit collection:

A role to set up HAProxy to be used as a load balancer in a high availability and scalability context.

Ubuntu 22.04 LTS
Ubuntu 20.04 LTS

This role is tested against the two latest LTS versions of HAProxy. Currently, this results in official support for the HAProxy release series:

2.6
2.4

Other versions are known to work as well but are not automatically tested.

Requirements

None.

Role Variables

Compulsory variables which are not set by default

Backend GitLab IP addresses

Specify a list of backends with name and IP address (Port is optional, defaults to 80):

haproxy_backends:
  - backend_name: 'backend_server_1'
    backend_ip: '192.168.33.10'
    backend_port: '80'

Frontend floating IP address

Specify the floating IP address of the frontend:

haproxy_frontend_ip: '192.168.33.100'

Compulsory variables which are set by default but need to be adapted

Number of processors used by HAProxy

Sets number of processors used by HAProxy:

haproxy_nbproc: '1'

Number of threads used by HAProxy

Sets number of threads used by HAProxy:

haproxy_nbthread: '2'

HAProxy CPU Map for Multithreading

Mapping threads to CPU cores:

haproxy_cpumap: 'auto:1/1-2 0-1'

Enable/disable stats

Variable to enable or disable the stats:

haproxy_stats_enable: 'enable'

Stats admin username

Variable to hold the stats admin username:

haproxy_stats_admin_user: 'admin'

Stats admin user password

Variable to hold the stats admin user password:

haproxy_stats_admin_user_password: 'changeme'

All other default variables

Path to the executable of HAProxy

Path variable pointing to the location of the HAProxy executable:

haproxy_executable_path: '/usr/sbin/haproxy'

HAProxy PPA version

Variable to pin the PPA version to a certain value:

haproxy_ppa_version: 'ppa:vbernat/haproxy-2.6'

HAProxy version

Variable to pin the HAProxy version to a certain value:

haproxy_version: '2.6.*'

HAProxy user

Variable to specify the HAProxy system user:

haproxy_user: 'haproxy'

HAProxy group

Variable to specify the HAProxy system group:

haproxy_group: 'haproxy'

HAProxy dependencies to be installed

List of HAProxy dependencies to be installed:

haproxy_dependencies:
  - 'software-properties-common'

HAProxy binary name

Name of the HAProxy binary:

haproxy_name: 'haproxy'

HAProxy configuration template

Provide the path to the HAProxy configuration template:

haproxy_config_template: 'haproxy.cfg.j2'

HAProxy configuration directory path

Give the path to the HAProxy configuration directory:

haproxy_conf_dir: '/etc/haproxy/'

HAProxy configuration file path

Give the path to the HAProxy configuration file:

haproxy_conf_file_path: "/etc/haproxy/haproxy.cfg"

HAProxy logging socket path

Give the path to the HAProxy logging socket:

haproxy_log_socket: '/dev/log'

HAProxy log level

Specify the log level of HAProxy. Possible values are: emerg, alert, crit, err, warning, notice, info, debug.

haproxy_log_level: 'info'

HAProxy socket file path

Give the path to the HAProxy socket file:

haproxy_socket: '/run/haproxy/admin.sock'

HAProxy self-signed SSL certificate creation

Whether to create a self-signed SSL certificate:

haproxy_create_self_signed_cert: true

Country Name for SSL certificate

Set country to be used for the SSL certificate:

haproxy_country_name: 'DE'

State name for SSL certificate

Set state to be used for the SSL certificate:

haproxy_state_or_province_name: 'Saxony'

Locality Name for SSL certificate

Set locality to be used for the SSL certificate:

haproxy_locality_name: 'Dresden'

Organization name for SSL certificate

Set organization to be used for the SSL certificate:

haproxy_organization_name: 'Helmholtz-Zentrum Dresden-Rossendorf (HZDR)'

Organization Unit Name for SSL certificate

Set organization unit to be used for the SSL certificate:

haproxy_organizational_unit_name: 'FWCC / Computational Science'

Email address for SSL certificate

Set email address to be used for the SSL certificate:

haproxy_email_address: '[email protected]'

Common Name for SSL certificate

Set common name to be used for the SSL certificate:

haproxy_common_name: 'Helmholtz Association'

HAProxy SSL directory path

Give the path to the HAProxy SSL directory:

haproxy_ssl_certificate_dir: '/etc/haproxy/ssl'

HAProxy Private Key file path

Give the path to the HAProxy Private Key file:

haproxy_ssl_certificate_key_file: "/etc/haproxy/ssl/haproxy.key"

HAProxy Certificate Signing Request file path

Give the path to the HAProxy Certificate Signing Request file:

haproxy_ssl_certificate_csr_file: '/etc/haproxy/ssl/haproxy.csr'

HAProxy Certificate file path

Give the path to the HAProxy Certificate file:

haproxy_ssl_certificate_crt_file: "/etc/haproxy/ssl/haproxy.crt"

HAProxy PKCS12 file path

Give the path to the HAProxy PKCS12 file:

haproxy_ssl_certificate_pkcs12_file: "/etc/haproxy/ssl/haproxy.p12"

HAProxy Certificate Chain file path

Give the path to the HAProxy Certificate Chain file:

haproxy_ssl_certificate_chain_file: "/etc/haproxy/ssl/haproxy.pem"

HAProxy Certificate Chain source file path

Give the path to the HAProxy Certificate Chain source file on the control node which will be copied to the remote host:

haproxy_ssl_cert_chain_src_file_path: "haproxy.pem"

Note: This variable is mandatory when haproxy_create_self_signed_cert is set to false. The file should be PEM formatted and include at least the public certificate and the private key.

HAProxy DH Parameter file path

Give the path to the DH Parameter file:

haproxy_ssl_dhparam_file: "/etc/haproxy/ssl/dhparam.pem"

HAProxy DH Parameter size

Size (in bits) of the generated DH-params:

haproxy_ssl_dhparam_size: 4096

Dependencies

None.

Note: This role is intended for use with, but not limited to, the hifis.keepalived role.

Example playbook

- hosts: loadbalancers
  roles:
    - role: hifis.haproxy
      vars:
        haproxy_frontend_ip: '192.168.33.100'
        haproxy_backends:
          - backend_name: 'backend_server_1'
            backend_ip: '192.168.33.10'
            backend_port: 80