Merge ~hloeung/content-cache-charm:cleanup into content-cache-charm:master

Proposed by Haw Loeung
Status: Merged
Approved by: Haw Loeung
Approved revision: 51c5baff7265d57177de0966bfa8d0c9f89e0e11
Merged at revision: 3774c254f111422a5f61c2b592af906be9da33dc
Proposed branch: ~hloeung/content-cache-charm:cleanup
Merge into: content-cache-charm:master
Prerequisite: ~hloeung/content-cache-charm:request-unique-id
Diff against target: 1889 lines (+832/-832)
13 files modified
lib/haproxy.py (+1/-1)
templates/haproxy_cfg.tmpl (+67/-67)
tests/unit/files/content_cache_rendered_haproxy_test_output.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output2.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output3.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt (+72/-72)
tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt (+66/-66)
tests/unit/files/haproxy_config_rendered_test_output.txt (+72/-72)
tests/unit/files/haproxy_config_rendered_test_output2.txt (+72/-72)
Reviewer Review Type Date Requested Status
Barry Price Approve
Canonical IS Reviewers Pending
Review via email: mp+396636@code.launchpad.net

Commit message

Fix indentation so it's consistent

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Barry Price (barryprice) wrote :

LGTM +1

review: Approve
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 3774c254f111422a5f61c2b592af906be9da33dc

Preview Diff

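--- a/lib/haproxy.py
+++ b/lib/haproxy.py
@@ -116,7 +116,7 @@ class HAProxyConf:
 listen_stanza = """
 listen {name}
 {bind_config}
- capture request header X-Cache-Request-ID len 60
+{indent}capture request header X-Cache-Request-ID len 60
 {redirect_config}{backend_config}{default_backend}"""
 backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n'
 redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n'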
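Review bot: `listen_stanza` now depends on an `indent` key being passed to its `.format()` call, which is outside this hunk; if any caller formats the stanza without `indent=`, rendering fails with `KeyError` instead of producing a config, so that call site is worth confirming. The neighbouring placeholders (`{bind_config}`, `{redirect_config}{backend_config}{default_backend}`) have no `{indent}` prefix, presumably because their values arrive pre-indented as `backend_conf` and `redirect_conf` below do; a comment above the template such as `# literal directives take {indent}; *_config values are already indented` would record that convention. Also, `capture request header X-Cache-Request-ID` appears to log whatever value the incoming request carries, so on a client-facing listener that log field should be treated as client-supplied rather than as a trusted identifier. The `HAProxyConf` class body starts and ends outside the hunk.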
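--- a/templates/haproxy_cfg.tmpl
+++ b/templates/haproxy_cfg.tmpl
@@ -1,91 +1,91 @@
 global
 {%- if num_procs %}
- nbproc {{num_procs}}
+ nbproc {{num_procs}}
 {%- endif %}
 {%- if num_threads %}
- nbthread {{num_threads}}
+ nbthread {{num_threads}}
 {%- endif %}
- maxconn {{global_max_connections}}
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket {{socket_path}} mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file {{saved_server_state_path}}
- user haproxy
- group haproxy
- daemon
+ maxconn {{global_max_connections}}
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket {{socket_path}} mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file {{saved_server_state_path}}
+ user haproxy
+ group haproxy
+ daemon
 
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after {{hard_stop_after}}
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after {{hard_stop_after}}
 
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
 
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers {{tls_cipher_suites}}
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers {{tls_cipher_suites}}
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
 
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize {{global_max_connections}}
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize {{global_max_connections}}
 
 defaults
- log global
- maxconn {{max_connections}}
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn {{max_connections}}
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
 
 {%- if dns_servers %}
 
 resolvers dns
 {%- for resolver in dns_servers %}
- nameserver dns{{loop.index}} {{resolver}}:53
+ nameserver dns{{loop.index}} {{resolver}}:53
 {%- endfor %}
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192
 {%- endif %}
 
 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
 
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:{{monitoring_password}}
- stats refresh 3
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:{{monitoring_password}}
+ stats refresh 3
 
 {% for stanza in listen -%}
 {{stanza}}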
177diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
178index d187ca5..72bc2d3 100644
179--- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
180+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
181@@ -1,81 +1,81 @@
182 global
183- nbthread 4
184- maxconn 106496
185- log /dev/log local0
186- log /dev/log local1 notice
187- chroot /var/lib/haproxy
188- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
189- stats timeout 30s
190- server-state-file /run/haproxy/saved-server-state
191- user haproxy
192- group haproxy
193- daemon
194-
195- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
196- # and kill them off.
197- hard-stop-after 15m
198-
199- # Default SSL material locations
200- ca-base /etc/ssl/certs
201- crt-base /etc/ssl/private
202-
203- # Default ciphers to use on SSL-enabled listening sockets.
204- # For more information, see ciphers(1SSL). This list is from:
205- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
206- # An alternative list with additional directives can be obtained from
207- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
208- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
209- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
210- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
211- tune.ssl.default-dh-param 2048
212-
213- # Increase the SSL/TLS session cache from the default 20k. But
214- # rather than hardcode values, let's just set it to match
215- # global_max_connections (which by default is calculated using
216- # num. of CPU cores and num. of configured sites). Each entry
217- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
218- # each with 2000 max conns will only consume around 122 Mbytes
219- # (32 * 10 * 2000 * 200), which is not much.
220- tune.ssl.cachesize 106496
221+ nbthread 4
222+ maxconn 106496
223+ log /dev/log local0
224+ log /dev/log local1 notice
225+ chroot /var/lib/haproxy
226+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
227+ stats timeout 30s
228+ server-state-file /run/haproxy/saved-server-state
229+ user haproxy
230+ group haproxy
231+ daemon
232+
233+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
234+ # and kill them off.
235+ hard-stop-after 15m
236+
237+ # Default SSL material locations
238+ ca-base /etc/ssl/certs
239+ crt-base /etc/ssl/private
240+
241+ # Default ciphers to use on SSL-enabled listening sockets.
242+ # For more information, see ciphers(1SSL). This list is from:
243+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
244+ # An alternative list with additional directives can be obtained from
245+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
246+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
247+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
248+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
249+ tune.ssl.default-dh-param 2048
250+
251+ # Increase the SSL/TLS session cache from the default 20k. But
252+ # rather than hardcode values, let's just set it to match
253+ # global_max_connections (which by default is calculated using
254+ # num. of CPU cores and num. of configured sites). Each entry
255+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
256+ # each with 2000 max conns will only consume around 122 Mbytes
257+ # (32 * 10 * 2000 * 200), which is not much.
258+ tune.ssl.cachesize 106496
259
260 defaults
261- log global
262- maxconn 8192
263- mode http
264- option dontlognull
265- timeout connect 5s
266- timeout client 50s
267- timeout server 50s
268- errorfile 400 /etc/haproxy/errors/400.http
269- errorfile 403 /etc/haproxy/errors/403.http
270- errorfile 408 /etc/haproxy/errors/408.http
271- errorfile 500 /etc/haproxy/errors/500.http
272- errorfile 502 /etc/haproxy/errors/502.http
273- errorfile 503 /etc/haproxy/errors/503.http
274- errorfile 504 /etc/haproxy/errors/504.http
275- load-server-state-from-file global
276- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
277- unique-id-header X-Cache-Request-ID
278- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
279+ log global
280+ maxconn 8192
281+ mode http
282+ option dontlognull
283+ timeout connect 5s
284+ timeout client 50s
285+ timeout server 50s
286+ errorfile 400 /etc/haproxy/errors/400.http
287+ errorfile 403 /etc/haproxy/errors/403.http
288+ errorfile 408 /etc/haproxy/errors/408.http
289+ errorfile 500 /etc/haproxy/errors/500.http
290+ errorfile 502 /etc/haproxy/errors/502.http
291+ errorfile 503 /etc/haproxy/errors/503.http
292+ errorfile 504 /etc/haproxy/errors/504.http
293+ load-server-state-from-file global
294+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
295+ unique-id-header X-Cache-Request-ID
296+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
297
298 resolvers dns
299- nameserver dns1 127.0.0.53:53
300- resolve_retries 3
301- timeout resolve 3s
302- timeout retry 3s
303- accepted_payload_size 8192
304+ nameserver dns1 127.0.0.53:53
305+ resolve_retries 3
306+ timeout resolve 3s
307+ timeout retry 3s
308+ accepted_payload_size 8192
309
310 listen stats
311- bind 127.0.0.1:10000
312- acl allowed_cidr src 127.0.0.0/8
313- http-request deny unless allowed_cidr
314-
315- mode http
316- stats enable
317- stats uri /
318- stats realm Haproxy\ Statistics
319- stats auth haproxy:biometricsarenotsecret
320- stats refresh 3
321+ bind 127.0.0.1:10000
322+ acl allowed_cidr src 127.0.0.0/8
323+ http-request deny unless allowed_cidr
324+
325+ mode http
326+ stats enable
327+ stats uri /
328+ stats realm Haproxy\ Statistics
329+ stats auth haproxy:biometricsarenotsecret
330+ stats refresh 3
331
332
333 listen combined-80
334diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt
335index 15403b6..a618ceb 100644
336--- a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt
337+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt
338@@ -1,81 +1,81 @@
339 global
340- nbthread 4
341- maxconn 16384
342- log /dev/log local0
343- log /dev/log local1 notice
344- chroot /var/lib/haproxy
345- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
346- stats timeout 30s
347- server-state-file /run/haproxy/saved-server-state
348- user haproxy
349- group haproxy
350- daemon
351+ nbthread 4
352+ maxconn 16384
353+ log /dev/log local0
354+ log /dev/log local1 notice
355+ chroot /var/lib/haproxy
356+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
357+ stats timeout 30s
358+ server-state-file /run/haproxy/saved-server-state
359+ user haproxy
360+ group haproxy
361+ daemon
362
363- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
364- # and kill them off.
365- hard-stop-after 15m
366+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
367+ # and kill them off.
368+ hard-stop-after 15m
369
370- # Default SSL material locations
371- ca-base /etc/ssl/certs
372- crt-base /etc/ssl/private
373+ # Default SSL material locations
374+ ca-base /etc/ssl/certs
375+ crt-base /etc/ssl/private
376
377- # Default ciphers to use on SSL-enabled listening sockets.
378- # For more information, see ciphers(1SSL). This list is from:
379- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
380- # An alternative list with additional directives can be obtained from
381- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
382- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
383- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
384- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
385- tune.ssl.default-dh-param 2048
386+ # Default ciphers to use on SSL-enabled listening sockets.
387+ # For more information, see ciphers(1SSL). This list is from:
388+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
389+ # An alternative list with additional directives can be obtained from
390+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
391+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
392+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
393+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
394+ tune.ssl.default-dh-param 2048
395
396- # Increase the SSL/TLS session cache from the default 20k. But
397- # rather than hardcode values, let's just set it to match
398- # global_max_connections (which by default is calculated using
399- # num. of CPU cores and num. of configured sites). Each entry
400- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
401- # each with 2000 max conns will only consume around 122 Mbytes
402- # (32 * 10 * 2000 * 200), which is not much.
403- tune.ssl.cachesize 16384
404+ # Increase the SSL/TLS session cache from the default 20k. But
405+ # rather than hardcode values, let's just set it to match
406+ # global_max_connections (which by default is calculated using
407+ # num. of CPU cores and num. of configured sites). Each entry
408+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
409+ # each with 2000 max conns will only consume around 122 Mbytes
410+ # (32 * 10 * 2000 * 200), which is not much.
411+ tune.ssl.cachesize 16384
412
413 defaults
414- log global
415- maxconn 8192
416- mode http
417- option dontlognull
418- timeout connect 5s
419- timeout client 50s
420- timeout server 50s
421- errorfile 400 /etc/haproxy/errors/400.http
422- errorfile 403 /etc/haproxy/errors/403.http
423- errorfile 408 /etc/haproxy/errors/408.http
424- errorfile 500 /etc/haproxy/errors/500.http
425- errorfile 502 /etc/haproxy/errors/502.http
426- errorfile 503 /etc/haproxy/errors/503.http
427- errorfile 504 /etc/haproxy/errors/504.http
428- load-server-state-from-file global
429- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
430- unique-id-header X-Cache-Request-ID
431- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
432+ log global
433+ maxconn 8192
434+ mode http
435+ option dontlognull
436+ timeout connect 5s
437+ timeout client 50s
438+ timeout server 50s
439+ errorfile 400 /etc/haproxy/errors/400.http
440+ errorfile 403 /etc/haproxy/errors/403.http
441+ errorfile 408 /etc/haproxy/errors/408.http
442+ errorfile 500 /etc/haproxy/errors/500.http
443+ errorfile 502 /etc/haproxy/errors/502.http
444+ errorfile 503 /etc/haproxy/errors/503.http
445+ errorfile 504 /etc/haproxy/errors/504.http
446+ load-server-state-from-file global
447+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
448+ unique-id-header X-Cache-Request-ID
449+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
450
451 resolvers dns
452- nameserver dns1 127.0.0.53:53
453- resolve_retries 3
454- timeout resolve 3s
455- timeout retry 3s
456- accepted_payload_size 8192
457+ nameserver dns1 127.0.0.53:53
458+ resolve_retries 3
459+ timeout resolve 3s
460+ timeout retry 3s
461+ accepted_payload_size 8192
462
463 listen stats
464- bind 127.0.0.1:10000
465- acl allowed_cidr src 127.0.0.0/8
466- http-request deny unless allowed_cidr
467+ bind 127.0.0.1:10000
468+ acl allowed_cidr src 127.0.0.0/8
469+ http-request deny unless allowed_cidr
470
471- mode http
472- stats enable
473- stats uri /
474- stats realm Haproxy\ Statistics
475- stats auth haproxy:biometricsarenotsecret
476- stats refresh 3
477+ mode http
478+ stats enable
479+ stats uri /
480+ stats realm Haproxy\ Statistics
481+ stats auth haproxy:biometricsarenotsecret
482+ stats refresh 3
483
484
485 listen cached-site1-local
486diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt
487index d87592f..af75f2c 100644
488--- a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt
489+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt
490@@ -1,81 +1,81 @@
491 global
492- nbthread 4
493- maxconn 24576
494- log /dev/log local0
495- log /dev/log local1 notice
496- chroot /var/lib/haproxy
497- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
498- stats timeout 30s
499- server-state-file /run/haproxy/saved-server-state
500- user haproxy
501- group haproxy
502- daemon
503+ nbthread 4
504+ maxconn 24576
505+ log /dev/log local0
506+ log /dev/log local1 notice
507+ chroot /var/lib/haproxy
508+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
509+ stats timeout 30s
510+ server-state-file /run/haproxy/saved-server-state
511+ user haproxy
512+ group haproxy
513+ daemon
514
515- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
516- # and kill them off.
517- hard-stop-after 15m
518+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
519+ # and kill them off.
520+ hard-stop-after 15m
521
522- # Default SSL material locations
523- ca-base /etc/ssl/certs
524- crt-base /etc/ssl/private
525+ # Default SSL material locations
526+ ca-base /etc/ssl/certs
527+ crt-base /etc/ssl/private
528
529- # Default ciphers to use on SSL-enabled listening sockets.
530- # For more information, see ciphers(1SSL). This list is from:
531- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
532- # An alternative list with additional directives can be obtained from
533- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
534- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
535- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
536- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
537- tune.ssl.default-dh-param 2048
538+ # Default ciphers to use on SSL-enabled listening sockets.
539+ # For more information, see ciphers(1SSL). This list is from:
540+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
541+ # An alternative list with additional directives can be obtained from
542+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
543+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
544+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
545+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
546+ tune.ssl.default-dh-param 2048
547
548- # Increase the SSL/TLS session cache from the default 20k. But
549- # rather than hardcode values, let's just set it to match
550- # global_max_connections (which by default is calculated using
551- # num. of CPU cores and num. of configured sites). Each entry
552- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
553- # each with 2000 max conns will only consume around 122 Mbytes
554- # (32 * 10 * 2000 * 200), which is not much.
555- tune.ssl.cachesize 24576
556+ # Increase the SSL/TLS session cache from the default 20k. But
557+ # rather than hardcode values, let's just set it to match
558+ # global_max_connections (which by default is calculated using
559+ # num. of CPU cores and num. of configured sites). Each entry
560+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
561+ # each with 2000 max conns will only consume around 122 Mbytes
562+ # (32 * 10 * 2000 * 200), which is not much.
563+ tune.ssl.cachesize 24576
564
565 defaults
566- log global
567- maxconn 8192
568- mode http
569- option dontlognull
570- timeout connect 5s
571- timeout client 50s
572- timeout server 50s
573- errorfile 400 /etc/haproxy/errors/400.http
574- errorfile 403 /etc/haproxy/errors/403.http
575- errorfile 408 /etc/haproxy/errors/408.http
576- errorfile 500 /etc/haproxy/errors/500.http
577- errorfile 502 /etc/haproxy/errors/502.http
578- errorfile 503 /etc/haproxy/errors/503.http
579- errorfile 504 /etc/haproxy/errors/504.http
580- load-server-state-from-file global
581- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
582- unique-id-header X-Cache-Request-ID
583- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
584+ log global
585+ maxconn 8192
586+ mode http
587+ option dontlognull
588+ timeout connect 5s
589+ timeout client 50s
590+ timeout server 50s
591+ errorfile 400 /etc/haproxy/errors/400.http
592+ errorfile 403 /etc/haproxy/errors/403.http
593+ errorfile 408 /etc/haproxy/errors/408.http
594+ errorfile 500 /etc/haproxy/errors/500.http
595+ errorfile 502 /etc/haproxy/errors/502.http
596+ errorfile 503 /etc/haproxy/errors/503.http
597+ errorfile 504 /etc/haproxy/errors/504.http
598+ load-server-state-from-file global
599+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
600+ unique-id-header X-Cache-Request-ID
601+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
602
603 resolvers dns
604- nameserver dns1 127.0.0.53:53
605- resolve_retries 3
606- timeout resolve 3s
607- timeout retry 3s
608- accepted_payload_size 8192
609+ nameserver dns1 127.0.0.53:53
610+ resolve_retries 3
611+ timeout resolve 3s
612+ timeout retry 3s
613+ accepted_payload_size 8192
614
615 listen stats
616- bind 127.0.0.1:10000
617- acl allowed_cidr src 127.0.0.0/8
618- http-request deny unless allowed_cidr
619+ bind 127.0.0.1:10000
620+ acl allowed_cidr src 127.0.0.0/8
621+ http-request deny unless allowed_cidr
622
623- mode http
624- stats enable
625- stats uri /
626- stats realm Haproxy\ Statistics
627- stats auth haproxy:biometricsarenotsecret
628- stats refresh 3
629+ mode http
630+ stats enable
631+ stats uri /
632+ stats realm Haproxy\ Statistics
633+ stats auth haproxy:biometricsarenotsecret
634+ stats refresh 3
635
636
637 listen redirect-site1-local
638diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt
639index 070f1b7..25b27e5 100644
640--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt
641+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt
642@@ -1,81 +1,81 @@
643 global
644- nbthread 4
645- maxconn 104000
646- log /dev/log local0
647- log /dev/log local1 notice
648- chroot /var/lib/haproxy
649- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
650- stats timeout 30s
651- server-state-file /run/haproxy/saved-server-state
652- user haproxy
653- group haproxy
654- daemon
655-
656- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
657- # and kill them off.
658- hard-stop-after 15m
659-
660- # Default SSL material locations
661- ca-base /etc/ssl/certs
662- crt-base /etc/ssl/private
663-
664- # Default ciphers to use on SSL-enabled listening sockets.
665- # For more information, see ciphers(1SSL). This list is from:
666- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
667- # An alternative list with additional directives can be obtained from
668- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
669- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
670- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
671- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
672- tune.ssl.default-dh-param 2048
673-
674- # Increase the SSL/TLS session cache from the default 20k. But
675- # rather than hardcode values, let's just set it to match
676- # global_max_connections (which by default is calculated using
677- # num. of CPU cores and num. of configured sites). Each entry
678- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
679- # each with 2000 max conns will only consume around 122 Mbytes
680- # (32 * 10 * 2000 * 200), which is not much.
681- tune.ssl.cachesize 104000
682+ nbthread 4
683+ maxconn 104000
684+ log /dev/log local0
685+ log /dev/log local1 notice
686+ chroot /var/lib/haproxy
687+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
688+ stats timeout 30s
689+ server-state-file /run/haproxy/saved-server-state
690+ user haproxy
691+ group haproxy
692+ daemon
693+
694+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
695+ # and kill them off.
696+ hard-stop-after 15m
697+
698+ # Default SSL material locations
699+ ca-base /etc/ssl/certs
700+ crt-base /etc/ssl/private
701+
702+ # Default ciphers to use on SSL-enabled listening sockets.
703+ # For more information, see ciphers(1SSL). This list is from:
704+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
705+ # An alternative list with additional directives can be obtained from
706+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
707+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
708+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
709+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
710+ tune.ssl.default-dh-param 2048
711+
712+ # Increase the SSL/TLS session cache from the default 20k. But
713+ # rather than hardcode values, let's just set it to match
714+ # global_max_connections (which by default is calculated using
715+ # num. of CPU cores and num. of configured sites). Each entry
716+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
717+ # each with 2000 max conns will only consume around 122 Mbytes
718+ # (32 * 10 * 2000 * 200), which is not much.
719+ tune.ssl.cachesize 104000
720
721 defaults
722- log global
723- maxconn 8000
724- mode http
725- option dontlognull
726- timeout connect 5s
727- timeout client 50s
728- timeout server 50s
729- errorfile 400 /etc/haproxy/errors/400.http
730- errorfile 403 /etc/haproxy/errors/403.http
731- errorfile 408 /etc/haproxy/errors/408.http
732- errorfile 500 /etc/haproxy/errors/500.http
733- errorfile 502 /etc/haproxy/errors/502.http
734- errorfile 503 /etc/haproxy/errors/503.http
735- errorfile 504 /etc/haproxy/errors/504.http
736- load-server-state-from-file global
737- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
738- unique-id-header X-Cache-Request-ID
739- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
740+ log global
741+ maxconn 8000
742+ mode http
743+ option dontlognull
744+ timeout connect 5s
745+ timeout client 50s
746+ timeout server 50s
747+ errorfile 400 /etc/haproxy/errors/400.http
748+ errorfile 403 /etc/haproxy/errors/403.http
749+ errorfile 408 /etc/haproxy/errors/408.http
750+ errorfile 500 /etc/haproxy/errors/500.http
751+ errorfile 502 /etc/haproxy/errors/502.http
752+ errorfile 503 /etc/haproxy/errors/503.http
753+ errorfile 504 /etc/haproxy/errors/504.http
754+ load-server-state-from-file global
755+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
756+ unique-id-header X-Cache-Request-ID
757+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
758
759 resolvers dns
760- nameserver dns1 127.0.0.53:53
761- resolve_retries 3
762- timeout resolve 3s
763- timeout retry 3s
764- accepted_payload_size 8192
765+ nameserver dns1 127.0.0.53:53
766+ resolve_retries 3
767+ timeout resolve 3s
768+ timeout retry 3s
769+ accepted_payload_size 8192
770
771 listen stats
772- bind 127.0.0.1:10000
773- acl allowed_cidr src 127.0.0.0/8
774- http-request deny unless allowed_cidr
775-
776- mode http
777- stats enable
778- stats uri /
779- stats realm Haproxy\ Statistics
780- stats auth haproxy:biometricsarenotsecret
781- stats refresh 3
782+ bind 127.0.0.1:10000
783+ acl allowed_cidr src 127.0.0.0/8
784+ http-request deny unless allowed_cidr
785+
786+ mode http
787+ stats enable
788+ stats uri /
789+ stats realm Haproxy\ Statistics
790+ stats auth haproxy:biometricsarenotsecret
791+ stats refresh 3
792
793
794 listen combined-80
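diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt
index 4ad1982..d42878a 100644
--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt
@@ -1,81 +1,81 @@
 global
- nbthread 4
- maxconn 24576
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
+ nbthread 4
+ maxconn 24576
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
 
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 15m
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 15m
 
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
 
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
 
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 24576
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 24576
 
 defaults
- log global
- maxconn 8192
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 8192
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
 
 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192
 
 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
 
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3
 
 
 listen cached-site1-local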
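diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt
index 14380ea..c17ee47 100644
--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt
@@ -1,81 +1,81 @@
 global
- nbthread 4
- maxconn 106496
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
-
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 15m
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
-
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
-
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 106496
+ nbthread 4
+ maxconn 106496
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
+
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 15m
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
+
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 106496
 
 defaults
- log global
- maxconn 8192
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 8192
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
 
 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192
 
 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
-
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
+
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3
 
 
 listen combined-80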
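diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt
index 72d1109..a27ff31 100644
--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt
@@ -1,82 +1,82 @@
 global
- nbproc 3
- nbthread 10
- maxconn 260000
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
-
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 15m
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
-
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
-
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 260000
+ nbproc 3
+ nbthread 10
+ maxconn 260000
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
+
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 15m
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
+
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 260000
 
 defaults
- log global
- maxconn 20000
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 20000
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
 
 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192
 
 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
-
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
+
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3
 
 
 listen combined-80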
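diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt
index 015bc9c..2a6ee1a 100644
--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt
@@ -1,81 +1,81 @@
 global
- nbthread 30
- maxconn 524288
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
-
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 15m
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
-
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
-
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 524288
+ nbthread 30
+ maxconn 524288
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
+
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 15m
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
+
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 524288
 
 defaults
- log global
- maxconn 60000
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 60000
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
 
 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192
 
 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
-
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
+
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3
 
 
 listen combined-80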
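diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt
index bc80f29..8a219b5 100644
--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt
@@ -1,81 +1,81 @@
 global
- nbthread 4
- maxconn 16384
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
+ nbthread 4
+ maxconn 16384
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
 
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 15m
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 15m
 
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
 
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
 
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 16384
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 16384
 
 defaults
- log global
- maxconn 8192
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 8192
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
 
 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192
 
 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
 
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3
 
 
 listen cached-site1-local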
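--- a/tests/unit/files/haproxy_config_rendered_test_output.txt
+++ b/tests/unit/files/haproxy_config_rendered_test_output.txt
@@ -1,82 +1,82 @@
 global
- nbproc 2
- nbthread 4
- maxconn 15000
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
-
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 5m
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
-
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
-
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 15000
+ nbproc 2
+ nbthread 4
+ maxconn 15000
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
+
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 5m
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
+
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 15000

 defaults
- log global
- maxconn 5000
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 5000
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"

 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192

 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
-
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
+
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3


 listen combined-80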
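--- a/tests/unit/files/haproxy_config_rendered_test_output2.txt
+++ b/tests/unit/files/haproxy_config_rendered_test_output2.txt
@@ -1,82 +1,82 @@
 global
- nbproc 2
- nbthread 4
- maxconn 8192
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- server-state-file /run/haproxy/saved-server-state
- user haproxy
- group haproxy
- daemon
-
- # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
- # and kill them off.
- hard-stop-after 5m
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
-
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
- # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
- tune.ssl.default-dh-param 2048
-
- # Increase the SSL/TLS session cache from the default 20k. But
- # rather than hardcode values, let's just set it to match
- # global_max_connections (which by default is calculated using
- # num. of CPU cores and num. of configured sites). Each entry
- # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
- # each with 2000 max conns will only consume around 122 Mbytes
- # (32 * 10 * 2000 * 200), which is not much.
- tune.ssl.cachesize 8192
+ nbproc 2
+ nbthread 4
+ maxconn 8192
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ server-state-file /run/haproxy/saved-server-state
+ user haproxy
+ group haproxy
+ daemon
+
+ # LP#1874386: Work around lingering HAProxy processes as per LP:1874386
+ # and kill them off.
+ hard-stop-after 5m
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+ # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
+ tune.ssl.default-dh-param 2048
+
+ # Increase the SSL/TLS session cache from the default 20k. But
+ # rather than hardcode values, let's just set it to match
+ # global_max_connections (which by default is calculated using
+ # num. of CPU cores and num. of configured sites). Each entry
+ # requires ~200 bytes so on a host with say 32 CPUs, 10 sites,
+ # each with 2000 max conns will only consume around 122 Mbytes
+ # (32 * 10 * 2000 * 200), which is not much.
+ tune.ssl.cachesize 8192

 defaults
- log global
- maxconn 5000
- mode http
- option dontlognull
- timeout connect 5s
- timeout client 50s
- timeout server 50s
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- load-server-state-from-file global
- unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
- unique-id-header X-Cache-Request-ID
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
+ log global
+ maxconn 5000
+ mode http
+ option dontlognull
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ load-server-state-from-file global
+ unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
+ unique-id-header X-Cache-Request-ID
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"

 resolvers dns
- nameserver dns1 127.0.0.53:53
- resolve_retries 3
- timeout resolve 3s
- timeout retry 3s
- accepted_payload_size 8192
+ nameserver dns1 127.0.0.53:53
+ resolve_retries 3
+ timeout resolve 3s
+ timeout retry 3s
+ accepted_payload_size 8192

 listen stats
- bind 127.0.0.1:10000
- acl allowed_cidr src 127.0.0.0/8
- http-request deny unless allowed_cidr
-
- mode http
- stats enable
- stats uri /
- stats realm Haproxy\ Statistics
- stats auth haproxy:biometricsarenotsecret
- stats refresh 3
+ bind 127.0.0.1:10000
+ acl allowed_cidr src 127.0.0.0/8
+ http-request deny unless allowed_cidr
+
+ mode http
+ stats enable
+ stats uri /
+ stats realm Haproxy\ Statistics
+ stats auth haproxy:biometricsarenotsecret
+ stats refresh 3


 listen combined-80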
