From 49245793bff98f83a4ce51ceffd5d34b7dbee711 Mon Sep 17 00:00:00 2001 From: stdweird Date: Thu, 27 Jan 2022 15:18:32 +0100 Subject: [PATCH 1/4] ncm-metaconfig: haproxy: support frontend errorfile and use_backend --- ncm-metaconfig/src/main/metaconfig/haproxy/frontend.tt | 10 ++++++++++ .../src/main/metaconfig/haproxy/pan/schema.pan | 7 +++++++ .../main/metaconfig/haproxy/tests/profiles/config.pan | 5 +++++ .../main/metaconfig/haproxy/tests/regexps/config/base | 2 ++ 4 files changed, 24 insertions(+) diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/frontend.tt b/ncm-metaconfig/src/main/metaconfig/haproxy/frontend.tt index f4470de38e..98d0868575 100644 --- a/ncm-metaconfig/src/main/metaconfig/haproxy/frontend.tt +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/frontend.tt @@ -20,3 +20,13 @@ http-request [% httpr %] [% END -%] [% END -%] default_backend [% fte.default_backend %] +[% IF fte.item('use_backend').defined -%] +[% FOREACH ub IN fte.item('use_backend') -%] +use_backend [% ub %] +[% END -%] +[% END -%] +[% IF fte.errorfile.defined -%] +[% FOREACH ef IN fte.errorfile -%] +errorfile [% ef.code %] [% ef.filename %] +[% END -%] +[% END -%] diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan index 1eb19c181a..3c87761007 100644 --- a/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan @@ -208,13 +208,20 @@ type haproxy_service_bind = { 'port' ? type_port }; +type haproxy_service_frontend_errorfile = { + 'code' : long(200..600) + 'filename' : absolute_file_path +}; + type haproxy_service_frontend = { 'acl' ? dict() 'bind' : haproxy_service_bind[] 'default_backend' : string + 'use_backend' ? string[] 'mode' ? choice("tcp", "http") 'tcp-request' ? string[] 'http-request' ? string[] + 'errorfile' ? haproxy_service_frontend_errorfile[] }; type haproxy_service_backend_server = { 
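Review bot: The added `use_backend` loop in frontend.tt has no comment about ordering, and it is emitted below `default_backend`, which can read as if the default were tried first. HAProxy evaluates use_backend rules in declaration order and falls back to default_backend only when none matches, so the position of each list entry decides where ACL-gated traffic is routed. I would add a template comment above the loop, e.g. `[%# use_backend rules are matched in list order; default_backend applies only when none match -%]`. The frontend block starts above this hunk, so only its tail is visible here.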
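Review bot: `'code' : long(200..600)` in haproxy_service_frontend_errorfile admits 600, which is not an HTTP status code, as well as many codes that HAProxy, as far as I know, never generates itself and so does not honour for errorfile. A typo such as 304 for 403 would pass schema validation and only surface when haproxy reads the file, or leave the intended error page unset. At minimum the bound should be `long(200..599)`; checking against the explicit code list of the targeted HAProxy version would be stricter. The new type and the two new frontend fields also lack an `@documentation` block, which other types in this file appear to have; one noting that `filename` must hold a complete raw HTTP response (status line and headers included) would help.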
diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan b/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan index 68f8b399f9..3506660cbd 100644 --- a/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan @@ -78,6 +78,11 @@ prefix 'frontends/irods-in'; "acl/network_allowed" = "src -f /etc/haproxy/whitelist.static"; "tcp-request" = list("connection reject if !network_allowed"); "http-request" = list("redirect scheme https unless { ssl_fc }"); +"use_backend/0" = "some-bk if some_acl"; +"errorfile" = append(dict( + 'code', 403, + 'filename', "/some/abs/path.code.http", + )); prefix 'backends/irods-bk'; "options/0" = "tcp-check"; diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/tests/regexps/config/base b/ncm-metaconfig/src/main/metaconfig/haproxy/tests/regexps/config/base index dd54a2e144..0b29669473 100644 --- a/ncm-metaconfig/src/main/metaconfig/haproxy/tests/regexps/config/base +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/tests/regexps/config/base @@ -60,6 +60,8 @@ Test for config ^\s{4}tcp-request\sconnection\sreject\sif\s\!network_allowed$ ^\s{4}http-request\sredirect\sscheme\shttps\sunless\s\{\sssl_fc\s\}$ ^\s{4}default_backend\sirods-bk$ +^\s{4}use_backend some-bk if some_acl$ +^\s{4}errorfile 403 /some/abs/path.code.http$ ^backend\sirods-bk$ ^\s{4}option\stcp-check$ ^\s{4}acl\swhatif\smatch$ From da25a5ea885743a25478ba5eae6ba50d81b1150e Mon Sep 17 00:00:00 2001 From: James Adams Date: Mon, 3 Jul 2023 14:29:25 +0100 Subject: [PATCH 2/4] ncm-metaconfig: haproxy: Restrict use_backend to string_trimmed --- ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan index 3c87761007..b17d96d431 100644 
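Review bot: The two patterns added to tests/regexps/config/base leave `.` unescaped and use literal spaces, so `^\s{4}errorfile 403 /some/abs/path.code.http$` would also match a rendered path such as `/some/abs/pathXcodeXhttp`. The neighbouring lines escape metacharacters (`\!`, `\{`) and use `\s` between tokens. Matching that style gives `^\s{4}use_backend\ssome-bk\sif\ssome_acl$` and `^\s{4}errorfile\s403\s/some/abs/path\.code\.http$`.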
--- a/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan @@ -217,7 +217,7 @@ type haproxy_service_frontend = { 'acl' ? dict() 'bind' : haproxy_service_bind[] 'default_backend' : string - 'use_backend' ? string[] + 'use_backend' ? string_trimmed[] 'mode' ? choice("tcp", "http") 'tcp-request' ? string[] 'http-request' ? string[] From 6659f7bb0e9807234a9cfe72caa8dcd76409d3f7 Mon Sep 17 00:00:00 2001 From: James Adams Date: Fri, 21 Jul 2023 16:16:47 +0100 Subject: [PATCH 3/4] ncm-metaconfig: haproxy: Fix indentation in schema --- ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan index b17d96d431..31499656f2 100644 --- a/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/pan/schema.pan @@ -160,7 +160,7 @@ type haproxy_service_peer = { configuration of peers } type haproxy_service_peers = { - 'peers': haproxy_service_peer[] + 'peers': haproxy_service_peer[] }; @documentation { From 49d1fa0cbe2a5df3fba4420074d5a57d255a5854 Mon Sep 17 00:00:00 2001 From: James Adams Date: Fri, 21 Jul 2023 16:17:27 +0100 Subject: [PATCH 4/4] ncm-metaconfig: haproxy: Fix lint in test profile --- .../haproxy/tests/profiles/config.pan | 85 ++++++++++++++----- 1 file changed, 62 insertions(+), 23 deletions(-) diff --git a/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan b/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan index 3506660cbd..9fe5bc04a7 100644 --- a/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan +++ b/ncm-metaconfig/src/main/metaconfig/haproxy/tests/profiles/config.pan 
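Review bot: In the PATCH 2/4 schema.pan hunk, `'default_backend' : string` on the line directly above stays unrestricted while `use_backend` is tightened to `string_trimmed[]`. Both values are written verbatim into the frontend section by frontend.tt, so whatever motivated the restriction for one presumably applies to the other. Consider `'default_backend' : string_trimmed` as well, bearing in mind that this could reject existing profiles that carry stray whitespace. The `tcp-request` and `http-request` lists are in the same position, but they are free-form rule text and may deserve a separate decision.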
@@ -3,7 +3,7 @@ object template config; include 'metaconfig/haproxy/config'; prefix '/software/components/metaconfig/services/{/etc/haproxy/haproxy.cfg}/contents'; -'proxys' = append(dict()); +'proxys' = append(SELF, dict()); prefix 'global'; 'logs/{/dev/log}' = list('local0', 'notice'); @@ -21,11 +21,13 @@ prefix 'global'; "config/ssl-default-server-options" = list('no-sslv3', 'no-tlsv10', 'no-tlsv11'); 'stats/socket' = '/var/lib/haproxy/stats'; 'logs/{127.0.0.1}' = list('local2'); + prefix 'stats'; 'mode' = 'http'; 'options/enabled' = ''; 'options/hide-version' = ''; 'options/refresh' = 5; + prefix 'defaults'; 'config/log' = 'global'; 'config/retries' = 3; @@ -39,6 +41,7 @@ prefix 'defaults'; 'timeouts/server-fin' = 30000; 'timeouts/tunnel' = 3600 * 1000; 'config/option' = 'tcpka'; + prefix 'proxys/-1'; 'name' = 'webserver'; 'port' = 80; @@ -50,19 +53,19 @@ prefix 'proxys/-1'; 'config/balance' = 'source'; 'options' = list('tcpka', 'httplog', 'httpchk', 'forwardfor', 'httpclose'); 'defaultoptions' = dict( - 'inter' , 2, - 'downinter' , 5, - 'rise' , 3, - 'fall' , 2, - 'slowstart' , 60, - 'maxqueue' , 128, - 'weight' , 100, - ); + 'inter', 2, + 'downinter', 5, + 'rise', 3, + 'fall', 2, + 'slowstart', 60, + 'maxqueue', 128, + 'weight', 100, +); 'serveroptions/cookie' = 'control'; 'servers' = dict( 'server1' , '192.168.0.11', 'server2', '192.168.0.12', - ); +); prefix 'frontends/irods-in'; "bind" = list( @@ -73,16 +76,18 @@ prefix 'frontends/irods-in'; "ssl", true, "crt", "/some/file", "alpn", "h2,http/1.1", - ))); + ), + ), +); "default_backend" = "irods-bk"; "acl/network_allowed" = "src -f /etc/haproxy/whitelist.static"; "tcp-request" = list("connection reject if !network_allowed"); "http-request" = list("redirect scheme https unless { ssl_fc }"); "use_backend/0" = "some-bk if some_acl"; -"errorfile" = append(dict( +"errorfile" = append(SELF, dict( 'code', 403, 'filename', "/some/abs/path.code.http", - )); +)); prefix 'backends/irods-bk'; "options/0" = "tcp-check"; 
@@ -92,14 +97,34 @@ prefix 'backends/irods-bk'; "reqrep/0" = dict( "pattern", 'abc\ def', # need escaped space, so single quotes "replace", '\1 \2', - ); +); "reqrep/1" = dict( "pattern", 'ghi\ jkl', "replace", '\3 \4', - ); -"servers/0" = dict('name', 'localhost', 'ip', '127.0.0.1', 'port', 1247); -"servers/1" = dict('name', 'other.host', 'ip', '10.20.30.1', 'params', dict('ssl', true, 'ca-file', '/other/file')); -"servers/2" = dict('name', 'othername', 'ip', '10.20.30.1', 'port', 1247, 'params', dict('check', true, 'port', 1247, 'inter', 1234)); +); +"servers/0" = dict( + 'name', 'localhost', + 'ip', '127.0.0.1', + 'port', 1247, +); +"servers/1" = dict( + 'name', 'other.host', + 'ip', '10.20.30.1', + 'params', dict( + 'ssl', true, + 'ca-file', '/other/file', + ), +); +"servers/2" = dict( + 'name', 'othername', + 'ip', '10.20.30.1', + 'port', 1247, + 'params', dict( + 'check', true, + 'port', 1247, + 'inter', 1234, + ), +); prefix 'backends/sshproxy'; "balance" = 'leastconn'; @@ -110,13 +135,27 @@ prefix 'backends/sshproxy'; 'inverse', true, 'match', 'status', 'pattern', '404', - ); +); "sticktable" = dict( 'type', 'ip', 'size', '1m', - 'peers', 'mypeers'); - -'servers/0' = dict('name', 'othername', 'ip', '10.20.30.1', 'port', 1247, 'params', dict('check', true, 'port', 1247)); + 'peers', 'mypeers', +); +'servers/0' = dict( + 'name', 'othername', + 'ip', '10.20.30.1', + 'port', 1247, + 'params', dict( + 'check', true, + 'port', 1247, + ), +); prefix 'peers'; -'mypeers/peers' = list(dict('name', 'testhost', 'ip', '10.20.30.4', 'port', 1024)); +'mypeers/peers' = list( + dict( + 'name', 'testhost', + 'ip', '10.20.30.4', + 'port', 1024, + ), +);