From 02fdf86327a418e8aaec9c71ee6012aae115e647 Mon Sep 17 00:00:00 2001
From: genofire
Date: Sat, 3 Oct 2020 03:04:44 +0200
Subject: [PATCH] Add SNI support as requested in #1

---
 host_vars/emma.ccchb.de                 |  6 +++-
 roles/haproxy/tasks/main.yml            | 39 +++++++++++++++++++++----
 roles/haproxy/templates/sni.cfg.j2      |  9 ++++++
 roles/haproxy/templates/sni_host.cfg.j2 | 11 +++++++
 4 files changed, 58 insertions(+), 7 deletions(-)
 create mode 100644 roles/haproxy/templates/sni.cfg.j2
 create mode 100644 roles/haproxy/templates/sni_host.cfg.j2

diff --git a/host_vars/emma.ccchb.de b/host_vars/emma.ccchb.de
index 740cc7a..9032aba 100644
--- a/host_vars/emma.ccchb.de
+++ b/host_vars/emma.ccchb.de
@@ -9,14 +9,18 @@ haproxy_http:
     addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
   - host: 'cloud.ccchb.de'
     addr: '2a01:4f8:150:926f::5'
+  - host: 'dev.ccchb.de'
+    addr: '2a01:4f8:150:926f::9'
 
-haproxy_https:
+haproxy_sni:
   - host: 'ccchb.de'
     addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
   - host: 'www.ccchb.de'
     addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
   - host: 'cloud.ccchb.de'
     addr: '2a01:4f8:150:926f::5'
+  - host: 'dev.ccchb.de'
+    addr: '2a01:4f8:150:926f::9'
 
 bhyve_ipv4: 10.0.0.0
 bhyve_ipv6: 2a01:4f8:150:926f::4
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 9651f51..e90b346 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -122,8 +122,9 @@
     - defaults.cfg
     - global.cfg
     - http.cfg
+    - sni.cfg
 
-- name: Config HAProxy HTTP backends
+- name: Configure HAProxy HTTP backends
   template:
     dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
     src: http_host.cfg.j2
@@ -134,6 +135,31 @@
     - Reload HAProxy
   with_items: '{{ haproxy_http }}'
 
+- name: Configure HAProxy SNI backends
+  template:
+    dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
+    src: sni_host.cfg.j2
+    owner: root
+    group: wheel
+    mode: 0444
+  notify:
+    - Reload HAProxy
+  with_items: '{{ haproxy_sni }}'
+
+- name: Make sure the HTTP map exists
+  command: env touch /usr/local/etc/haproxy/http.map
+  args:
+    creates: /usr/local/etc/haproxy/http.map
+  notify:
+    - Reload HAProxy
+
+- name: Make sure the SNI map exists
+  command: env touch /usr/local/etc/haproxy/sni.map
+  args:
+    creates: /usr/local/etc/haproxy/sni.map
+  notify:
+    - Reload HAProxy
+
 - name: Enable HAProxy HTTP backends
   lineinfile:
     path: /usr/local/etc/haproxy/http.map
@@ -143,13 +169,14 @@
     - Reload HAProxy
   with_items: '{{ haproxy_http }}'
 
-- name: Make sure the http map exists
-  command: env touch /usr/local/etc/haproxy/http.map
-  args:
-    creates:
-      /usr/local/etc/haproxy/http.map
+- name: Enable HAProxy SNI backends
+  lineinfile:
+    path: /usr/local/etc/haproxy/sni.map
+    regex: '^{{ item.host }} '
+    line: '{{ item.host }} sni_{{ item.host }}'
   notify:
     - Reload HAProxy
+  with_items: '{{ haproxy_sni }}'
 
 - name: Flush handlers
   meta: flush_handlers
diff --git a/roles/haproxy/templates/sni.cfg.j2 b/roles/haproxy/templates/sni.cfg.j2
new file mode 100644
index 0000000..ded6144
--- /dev/null
+++ b/roles/haproxy/templates/sni.cfg.j2
@@ -0,0 +1,9 @@
+frontend sni
+    log global
+    mode tcp
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    bind ${BIND_V4}:443
+    bind ${BIND_V6}:443
+    use_backend %[req_ssl_sni,lower,map(/usr/local/etc/haproxy/sni.map)]
diff --git a/roles/haproxy/templates/sni_host.cfg.j2 b/roles/haproxy/templates/sni_host.cfg.j2
new file mode 100644
index 0000000..f1d1553
--- /dev/null
+++ b/roles/haproxy/templates/sni_host.cfg.j2
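Review bot: The two new "Make sure the … map exists" tasks create http.map and sni.map with `env touch`, so the files get whatever owner and umask-derived mode the Ansible connection user happens to have, while the template tasks right above them pin `owner: root`, `group: wheel` and an explicit mode; the map files are read by HAProxy at runtime and drive backend selection, so they deserve the same pinned ownership. Using the `file` module with `state: touch` plus `modification_time: preserve` and `access_time: preserve` gives an idempotent touch and sets the permissions in one step, and `creates:` is no longer needed. The mode below follows the neighbouring template tasks; HAProxy only needs read access, so tighten further if the role's conventions allow.
```yaml
- name: Make sure the HTTP map exists
  file:
    path: /usr/local/etc/haproxy/http.map
    state: touch
    owner: root
    group: wheel
    mode: '0644'
    modification_time: preserve
    access_time: preserve
  notify:
    - Reload HAProxy

# … same shape for the "Make sure the SNI map exists" task, with sni.map …
```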
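Review bot: The new "Enable HAProxy SNI backends" task only adds or rewrites the `{{ item.host }} sni_{{ item.host }}` line, so a host later removed from `haproxy_sni` leaves a stale entry in sni.map (and its rendered `sni_<host>.cfg` on disk) that still routes that SNI to a backend this role no longer manages; the existing http.map task it mirrors has the same property. If removal should converge, rendering sni.map from a single template over `haproxy_sni` replaces both this `lineinfile` loop and the `Make sure the SNI map exists` task and makes the map reflect the variable exactly. Whether stale `sni_<host>.cfg` files are still loaded depends on how the per-host configs are included, which this hunk does not show.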
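Review bot: The frontend accepts a connection once `req_ssl_hello_type 1` matches but has no rule for the other outcome, so after the 5s `inspect-delay` expires a client that sent nothing, or non-TLS data, is accepted by default and `use_backend` is evaluated with an empty SNI lookup; adding `tcp-request content reject` directly after the accept line closes such connections at expiry (or immediately for non-TLS data) instead of passing them on. Unlike sni_host.cfg.j2, this template has no `# {{ ansible_managed }}` header; add it as the first line for consistency. Since a lookup that misses sni.map yields no backend name, also decide whether unknown or absent SNI should hit a `default_backend` or be dropped deliberately, and document that choice in the file — the hunk shows neither.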
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+backend sni_{{ item.host }}
+    mode tcp
+    acl clienthello req_ssl_hello_type 1
+    acl serverhello rep_ssl_hello_type 2
+    tcp-request inspect-delay 5s
+    tcp-request content accept if clienthello
+    tcp-response content accept if serverhello
+    option ssl-hello-chk
+    server {{ item.host }} {{ item.addr }}:{{ item.port | default("443") }} check
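Review bot: `tcp-response content accept if serverhello` runs without a `tcp-response inspect-delay`; as I recall HAProxy's documentation, content rules without a delay are applied immediately on whatever data is available, which it describes as racy and not recommended, so either add `tcp-response inspect-delay 5s` above it or drop the two `serverhello` lines, since accept is already the default verdict. `option ssl-hello-chk` health-checks the backend with an SSLv3-format ClientHello, so a backend that no longer answers one would be marked down; `check-ssl verify none` on the server line is the usual more durable check, but confirm it against the backends and the HAProxy version in use. Because TLS is passed through unterminated here, each backend sees the proxy's address as the client source; if backend access logs or rate limiting depend on the real client IP, `send-proxy` on the server line is the usual remedy where the backend speaks the PROXY protocol.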