Merge ~hloeung/content-cache-charm:cleanup into content-cache-charm:master
Proposed by
Haw Loeung
Status: | Merged |
---|---|
Approved by: | Haw Loeung |
Approved revision: | 51c5baff7265d57177de0966bfa8d0c9f89e0e11 |
Merged at revision: | 3774c254f111422a5f61c2b592af906be9da33dc |
Proposed branch: | ~hloeung/content-cache-charm:cleanup |
Merge into: | content-cache-charm:master |
Prerequisite: | ~hloeung/content-cache-charm:request-unique-id |
Diff against target: | 1889 lines (+832/-832) 13 files modified |
lib/haproxy.py (+1/-1)
templates/haproxy_cfg.tmpl (+67/-67)
tests/unit/files/content_cache_rendered_haproxy_test_output.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output2.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output3.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt (+72/-72)
tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt (+66/-66)
tests/unit/files/haproxy_config_rendered_test_output.txt (+72/-72)
tests/unit/files/haproxy_config_rendered_test_output2.txt (+72/-72)
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Barry Price | Approve | ||
Canonical IS Reviewers | Pending | ||
Review via email: mp+396636@code.launchpad.net |
Commit message
Fix indentation so it's consistent
Description of the change
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : | # |
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : | # |
Change successfully merged at revision 3774c254f111422
Preview Diff
1 | diff --git a/lib/haproxy.py b/lib/haproxy.py | |||
2 | index 7c0eabf..f76e083 100644 | |||
3 | --- a/lib/haproxy.py | |||
4 | +++ b/lib/haproxy.py | |||
5 | @@ -116,7 +116,7 @@ class HAProxyConf: | |||
6 | 116 | listen_stanza = """ | 116 | listen_stanza = """ |
7 | 117 | listen {name} | 117 | listen {name} |
8 | 118 | {bind_config} | 118 | {bind_config} |
10 | 119 | capture request header X-Cache-Request-ID len 60 | 119 | {indent}capture request header X-Cache-Request-ID len 60 |
11 | 120 | {redirect_config}{backend_config}{default_backend}""" | 120 | {redirect_config}{backend_config}{default_backend}""" |
12 | 121 | backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n' | 121 | backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n' |
13 | 122 | redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n' | 122 | redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n' |
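Review bot: On new line 119 the capture directive now begins with `{indent}`, so formatting `listen_stanza` raises a KeyError unless every `.format()` call on it supplies `indent`, and the call site is outside this hunk. `backend_conf` and `redirect_conf` just below already take `{indent}`, so the value is presumably available where the stanza is rendered; please confirm the render call passes it. Line 118 (`{bind_config}`) has no `{indent}` prefix, so its indentation must come from the value itself; a short comment on the stanza saying which placeholders arrive pre-indented would keep the next edit consistent.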
14 | diff --git a/templates/haproxy_cfg.tmpl b/templates/haproxy_cfg.tmpl | |||
15 | index c59938c..4b8bdcd 100644 | |||
16 | --- a/templates/haproxy_cfg.tmpl | |||
17 | +++ b/templates/haproxy_cfg.tmpl | |||
18 | @@ -1,91 +1,91 @@ | |||
19 | 1 | global | 1 | global |
20 | 2 | {%- if num_procs %} | 2 | {%- if num_procs %} |
22 | 3 | nbproc {{num_procs}} | 3 | nbproc {{num_procs}} |
23 | 4 | {%- endif %} | 4 | {%- endif %} |
24 | 5 | {%- if num_threads %} | 5 | {%- if num_threads %} |
26 | 6 | nbthread {{num_threads}} | 6 | nbthread {{num_threads}} |
27 | 7 | {%- endif %} | 7 | {%- endif %} |
38 | 8 | maxconn {{global_max_connections}} | 8 | maxconn {{global_max_connections}} |
39 | 9 | log /dev/log local0 | 9 | log /dev/log local0 |
40 | 10 | log /dev/log local1 notice | 10 | log /dev/log local1 notice |
41 | 11 | chroot /var/lib/haproxy | 11 | chroot /var/lib/haproxy |
42 | 12 | stats socket {{socket_path}} mode 660 level admin expose-fd listeners | 12 | stats socket {{socket_path}} mode 660 level admin expose-fd listeners |
43 | 13 | stats timeout 30s | 13 | stats timeout 30s |
44 | 14 | server-state-file {{saved_server_state_path}} | 14 | server-state-file {{saved_server_state_path}} |
45 | 15 | user haproxy | 15 | user haproxy |
46 | 16 | group haproxy | 16 | group haproxy |
47 | 17 | daemon | 17 | daemon |
48 | 18 | 18 | ||
52 | 19 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 19 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
53 | 20 | # and kill them off. | 20 | # and kill them off. |
54 | 21 | hard-stop-after {{hard_stop_after}} | 21 | hard-stop-after {{hard_stop_after}} |
55 | 22 | 22 | ||
59 | 23 | # Default SSL material locations | 23 | # Default SSL material locations |
60 | 24 | ca-base /etc/ssl/certs | 24 | ca-base /etc/ssl/certs |
61 | 25 | crt-base /etc/ssl/private | 25 | crt-base /etc/ssl/private |
62 | 26 | 26 | ||
72 | 27 | # Default ciphers to use on SSL-enabled listening sockets. | 27 | # Default ciphers to use on SSL-enabled listening sockets. |
73 | 28 | # For more information, see ciphers(1SSL). This list is from: | 28 | # For more information, see ciphers(1SSL). This list is from: |
74 | 29 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 29 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
75 | 30 | # An alternative list with additional directives can be obtained from | 30 | # An alternative list with additional directives can be obtained from |
76 | 31 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 31 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
77 | 32 | ssl-default-bind-ciphers {{tls_cipher_suites}} | 32 | ssl-default-bind-ciphers {{tls_cipher_suites}} |
78 | 33 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 33 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
79 | 34 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 34 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
80 | 35 | tune.ssl.default-dh-param 2048 | 35 | tune.ssl.default-dh-param 2048 |
81 | 36 | 36 | ||
90 | 37 | # Increase the SSL/TLS session cache from the default 20k. But | 37 | # Increase the SSL/TLS session cache from the default 20k. But |
91 | 38 | # rather than hardcode values, let's just set it to match | 38 | # rather than hardcode values, let's just set it to match |
92 | 39 | # global_max_connections (which by default is calculated using | 39 | # global_max_connections (which by default is calculated using |
93 | 40 | # num. of CPU cores and num. of configured sites). Each entry | 40 | # num. of CPU cores and num. of configured sites). Each entry |
94 | 41 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 41 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
95 | 42 | # each with 2000 max conns will only consume around 122 Mbytes | 42 | # each with 2000 max conns will only consume around 122 Mbytes |
96 | 43 | # (32 * 10 * 2000 * 200), which is not much. | 43 | # (32 * 10 * 2000 * 200), which is not much. |
97 | 44 | tune.ssl.cachesize {{global_max_connections}} | 44 | tune.ssl.cachesize {{global_max_connections}} |
98 | 45 | 45 | ||
99 | 46 | defaults | 46 | defaults |
118 | 47 | log global | 47 | log global |
119 | 48 | maxconn {{max_connections}} | 48 | maxconn {{max_connections}} |
120 | 49 | mode http | 49 | mode http |
121 | 50 | option dontlognull | 50 | option dontlognull |
122 | 51 | timeout connect 5s | 51 | timeout connect 5s |
123 | 52 | timeout client 50s | 52 | timeout client 50s |
124 | 53 | timeout server 50s | 53 | timeout server 50s |
125 | 54 | errorfile 400 /etc/haproxy/errors/400.http | 54 | errorfile 400 /etc/haproxy/errors/400.http |
126 | 55 | errorfile 403 /etc/haproxy/errors/403.http | 55 | errorfile 403 /etc/haproxy/errors/403.http |
127 | 56 | errorfile 408 /etc/haproxy/errors/408.http | 56 | errorfile 408 /etc/haproxy/errors/408.http |
128 | 57 | errorfile 500 /etc/haproxy/errors/500.http | 57 | errorfile 500 /etc/haproxy/errors/500.http |
129 | 58 | errorfile 502 /etc/haproxy/errors/502.http | 58 | errorfile 502 /etc/haproxy/errors/502.http |
130 | 59 | errorfile 503 /etc/haproxy/errors/503.http | 59 | errorfile 503 /etc/haproxy/errors/503.http |
131 | 60 | errorfile 504 /etc/haproxy/errors/504.http | 60 | errorfile 504 /etc/haproxy/errors/504.http |
132 | 61 | load-server-state-from-file global | 61 | load-server-state-from-file global |
133 | 62 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 62 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
134 | 63 | unique-id-header X-Cache-Request-ID | 63 | unique-id-header X-Cache-Request-ID |
135 | 64 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 64 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
136 | 65 | 65 | ||
137 | 66 | {%- if dns_servers %} | 66 | {%- if dns_servers %} |
138 | 67 | 67 | ||
139 | 68 | resolvers dns | 68 | resolvers dns |
140 | 69 | {%- for resolver in dns_servers %} | 69 | {%- for resolver in dns_servers %} |
142 | 70 | nameserver dns{{loop.index}} {{resolver}}:53 | 70 | nameserver dns{{loop.index}} {{resolver}}:53 |
143 | 71 | {%- endfor %} | 71 | {%- endfor %} |
148 | 72 | resolve_retries 3 | 72 | resolve_retries 3 |
149 | 73 | timeout resolve 3s | 73 | timeout resolve 3s |
150 | 74 | timeout retry 3s | 74 | timeout retry 3s |
151 | 75 | accepted_payload_size 8192 | 75 | accepted_payload_size 8192 |
152 | 76 | {%- endif %} | 76 | {%- endif %} |
153 | 77 | 77 | ||
154 | 78 | listen stats | 78 | listen stats |
158 | 79 | bind 127.0.0.1:10000 | 79 | bind 127.0.0.1:10000 |
159 | 80 | acl allowed_cidr src 127.0.0.0/8 | 80 | acl allowed_cidr src 127.0.0.0/8 |
160 | 81 | http-request deny unless allowed_cidr | 81 | http-request deny unless allowed_cidr |
161 | 82 | 82 | ||
168 | 83 | mode http | 83 | mode http |
169 | 84 | stats enable | 84 | stats enable |
170 | 85 | stats uri / | 85 | stats uri / |
171 | 86 | stats realm Haproxy\ Statistics | 86 | stats realm Haproxy\ Statistics |
172 | 87 | stats auth haproxy:{{monitoring_password}} | 87 | stats auth haproxy:{{monitoring_password}} |
173 | 88 | stats refresh 3 | 88 | stats refresh 3 |
174 | 89 | 89 | ||
175 | 90 | {% for stanza in listen -%} | 90 | {% for stanza in listen -%} |
176 | 91 | {{stanza}} | 91 | {{stanza}} |
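Review bot: The header `@@ -1,91 +1,91 @@` rewrites all 91 lines of the template for whitespace only, which makes it impractical to confirm by eye that no directive changed, for example `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` or the `stats socket {{socket_path}} mode 660 level admin expose-fd listeners` line. Please state in the commit message which indentation is now the convention, and confirm that `git diff -w` against the target shows no change for this file, so the review can rest on that rather than on reading 67 changed lines.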
177 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt | |||
178 | index d187ca5..72bc2d3 100644 | |||
179 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt | |||
180 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt | |||
181 | @@ -1,81 +1,81 @@ | |||
182 | 1 | global | 1 | global |
221 | 2 | nbthread 4 | 2 | nbthread 4 |
222 | 3 | maxconn 106496 | 3 | maxconn 106496 |
223 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
224 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
225 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
226 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
227 | 8 | stats timeout 30s | 8 | stats timeout 30s |
228 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
229 | 10 | user haproxy | 10 | user haproxy |
230 | 11 | group haproxy | 11 | group haproxy |
231 | 12 | daemon | 12 | daemon |
232 | 13 | 13 | ||
233 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
234 | 15 | # and kill them off. | 15 | # and kill them off. |
235 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
236 | 17 | 17 | ||
237 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
238 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
239 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
240 | 21 | 21 | ||
241 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
242 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
243 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
244 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
245 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
246 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
247 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
248 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
249 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
250 | 31 | 31 | ||
251 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
252 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
253 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
254 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
255 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
256 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
257 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
258 | 39 | tune.ssl.cachesize 106496 | 39 | tune.ssl.cachesize 106496 |
259 | 40 | 40 | ||
260 | 41 | defaults | 41 | defaults |
279 | 42 | log global | 42 | log global |
280 | 43 | maxconn 8192 | 43 | maxconn 8192 |
281 | 44 | mode http | 44 | mode http |
282 | 45 | option dontlognull | 45 | option dontlognull |
283 | 46 | timeout connect 5s | 46 | timeout connect 5s |
284 | 47 | timeout client 50s | 47 | timeout client 50s |
285 | 48 | timeout server 50s | 48 | timeout server 50s |
286 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
287 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
288 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
289 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
290 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
291 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
292 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
293 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
294 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
295 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
296 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
297 | 60 | 60 | ||
298 | 61 | resolvers dns | 61 | resolvers dns |
304 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
305 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
306 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
307 | 65 | timeout retry 3s | 65 | timeout retry 3s |
308 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
309 | 67 | 67 | ||
310 | 68 | listen stats | 68 | listen stats |
321 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
322 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
323 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
324 | 72 | 72 | ||
325 | 73 | mode http | 73 | mode http |
326 | 74 | stats enable | 74 | stats enable |
327 | 75 | stats uri / | 75 | stats uri / |
328 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
329 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
330 | 78 | stats refresh 3 | 78 | stats refresh 3 |
331 | 79 | 79 | ||
332 | 80 | 80 | ||
333 | 81 | listen combined-80 | 81 | listen combined-80 |
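Review bot: At lines 27 to 30 the fixture's cipher string `ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1` enables no DHE suites, yet the comment on line 29 still says DHE will eventually be disabled and line 30 sets `tune.ssl.default-dh-param 2048`. Since these lines are being touched anyway, consider rewording the comment to say that the DH parameter size only matters when the configured cipher list includes DHE, or dropping the setting once LP#1825321 is resolved.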
334 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt | |||
335 | index 15403b6..a618ceb 100644 | |||
336 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt | |||
337 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt | |||
338 | @@ -1,81 +1,81 @@ | |||
339 | 1 | global | 1 | global |
351 | 2 | nbthread 4 | 2 | nbthread 4 |
352 | 3 | maxconn 16384 | 3 | maxconn 16384 |
353 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
354 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
355 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
356 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
357 | 8 | stats timeout 30s | 8 | stats timeout 30s |
358 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
359 | 10 | user haproxy | 10 | user haproxy |
360 | 11 | group haproxy | 11 | group haproxy |
361 | 12 | daemon | 12 | daemon |
362 | 13 | 13 | ||
366 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
367 | 15 | # and kill them off. | 15 | # and kill them off. |
368 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
369 | 17 | 17 | ||
373 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
374 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
375 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
376 | 21 | 21 | ||
386 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
387 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
388 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
389 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
390 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
391 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
392 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
393 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
394 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
395 | 31 | 31 | ||
404 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
405 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
406 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
407 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
408 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
409 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
410 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
411 | 39 | tune.ssl.cachesize 16384 | 39 | tune.ssl.cachesize 16384 |
412 | 40 | 40 | ||
413 | 41 | defaults | 41 | defaults |
432 | 42 | log global | 42 | log global |
433 | 43 | maxconn 8192 | 43 | maxconn 8192 |
434 | 44 | mode http | 44 | mode http |
435 | 45 | option dontlognull | 45 | option dontlognull |
436 | 46 | timeout connect 5s | 46 | timeout connect 5s |
437 | 47 | timeout client 50s | 47 | timeout client 50s |
438 | 48 | timeout server 50s | 48 | timeout server 50s |
439 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
440 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
441 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
442 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
443 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
444 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
445 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
446 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
447 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
448 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
449 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
450 | 60 | 60 | ||
451 | 61 | resolvers dns | 61 | resolvers dns |
457 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
458 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
459 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
460 | 65 | timeout retry 3s | 65 | timeout retry 3s |
461 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
462 | 67 | 67 | ||
463 | 68 | listen stats | 68 | listen stats |
467 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
468 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
469 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
470 | 72 | 72 | ||
477 | 73 | mode http | 73 | mode http |
478 | 74 | stats enable | 74 | stats enable |
479 | 75 | stats uri / | 75 | stats uri / |
480 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
481 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
482 | 78 | stats refresh 3 | 78 | stats refresh 3 |
483 | 79 | 79 | ||
484 | 80 | 80 | ||
485 | 81 | listen cached-site1-local | 81 | listen cached-site1-local |
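Review bot: Lines 1 to 80 of this fixture match content_cache_rendered_haproxy_test_output.txt except for the `maxconn 16384` and `tune.ssl.cachesize 16384` values, so a whitespace change in the template has to be repeated by hand in every rendered fixture (11 files in this proposal). Consider having the tests build the shared global, defaults and stats preamble from one fixture and keep only the listen stanzas per test case, which would shrink future diffs like this one to the lines that actually differ.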
486 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt | |||
487 | index d87592f..af75f2c 100644 | |||
488 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt | |||
489 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt | |||
490 | @@ -1,81 +1,81 @@ | |||
491 | 1 | global | 1 | global |
503 | 2 | nbthread 4 | 2 | nbthread 4 |
504 | 3 | maxconn 24576 | 3 | maxconn 24576 |
505 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
506 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
507 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
508 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
509 | 8 | stats timeout 30s | 8 | stats timeout 30s |
510 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
511 | 10 | user haproxy | 10 | user haproxy |
512 | 11 | group haproxy | 11 | group haproxy |
513 | 12 | daemon | 12 | daemon |
514 | 13 | 13 | ||
518 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
519 | 15 | # and kill them off. | 15 | # and kill them off. |
520 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
521 | 17 | 17 | ||
525 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
526 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
527 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
528 | 21 | 21 | ||
538 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
539 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
540 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
541 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
542 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
543 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
544 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
545 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
546 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
547 | 31 | 31 | ||
556 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
557 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
558 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
559 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
560 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
561 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
562 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
563 | 39 | tune.ssl.cachesize 24576 | 39 | tune.ssl.cachesize 24576 |
564 | 40 | 40 | ||
565 | 41 | defaults | 41 | defaults |
584 | 42 | log global | 42 | log global |
585 | 43 | maxconn 8192 | 43 | maxconn 8192 |
586 | 44 | mode http | 44 | mode http |
587 | 45 | option dontlognull | 45 | option dontlognull |
588 | 46 | timeout connect 5s | 46 | timeout connect 5s |
589 | 47 | timeout client 50s | 47 | timeout client 50s |
590 | 48 | timeout server 50s | 48 | timeout server 50s |
591 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
592 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
593 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
594 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
595 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
596 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
597 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
598 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
599 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
600 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
601 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
602 | 60 | 60 | ||
603 | 61 | resolvers dns | 61 | resolvers dns |
609 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
610 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
611 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
612 | 65 | timeout retry 3s | 65 | timeout retry 3s |
613 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
614 | 67 | 67 | ||
615 | 68 | listen stats | 68 | listen stats |
619 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
620 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
621 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
622 | 72 | 72 | ||
629 | 73 | mode http | 73 | mode http |
630 | 74 | stats enable | 74 | stats enable |
631 | 75 | stats uri / | 75 | stats uri / |
632 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
633 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
634 | 78 | stats refresh 3 | 78 | stats refresh 3 |
635 | 79 | 79 | ||
636 | 80 | 80 | ||
637 | 81 | listen redirect-site1-local | 81 | listen redirect-site1-local |
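Review bot: Lines 57 to 59 build the request id with `unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid` and log it as `%ID`, while the listen stanza in lib/haproxy.py records the incoming header through `capture request header X-Cache-Request-ID len 60`, which surfaces in `%hr`. Please confirm that 60 characters covers the longest id this format can produce (an IPv6 client or frontend address is the case to check), since a truncated capture in `%hr` would not match the full `%ID` logged where the id was generated, and log correlation across hops depends on the two being equal. A fixture rendered with an IPv6 address would document the result.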
638 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt | |||
639 | index 070f1b7..25b27e5 100644 | |||
640 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt | |||
641 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt | |||
642 | @@ -1,81 +1,81 @@ | |||
643 | 1 | global | 1 | global |
682 | 2 | nbthread 4 | 2 | nbthread 4 |
683 | 3 | maxconn 104000 | 3 | maxconn 104000 |
684 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
685 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
686 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
687 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
688 | 8 | stats timeout 30s | 8 | stats timeout 30s |
689 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
690 | 10 | user haproxy | 10 | user haproxy |
691 | 11 | group haproxy | 11 | group haproxy |
692 | 12 | daemon | 12 | daemon |
693 | 13 | 13 | ||
694 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
695 | 15 | # and kill them off. | 15 | # and kill them off. |
696 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
697 | 17 | 17 | ||
698 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
699 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
700 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
701 | 21 | 21 | ||
702 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
703 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
704 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
705 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
706 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
707 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
708 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
709 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
710 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
711 | 31 | 31 | ||
712 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
713 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
714 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
715 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
716 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
717 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
718 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
719 | 39 | tune.ssl.cachesize 104000 | 39 | tune.ssl.cachesize 104000 |
720 | 40 | 40 | ||
721 | 41 | defaults | 41 | defaults |
740 | 42 | log global | 42 | log global |
741 | 43 | maxconn 8000 | 43 | maxconn 8000 |
742 | 44 | mode http | 44 | mode http |
743 | 45 | option dontlognull | 45 | option dontlognull |
744 | 46 | timeout connect 5s | 46 | timeout connect 5s |
745 | 47 | timeout client 50s | 47 | timeout client 50s |
746 | 48 | timeout server 50s | 48 | timeout server 50s |
747 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
748 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
749 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
750 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
751 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
752 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
753 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
754 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
755 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
756 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
757 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
758 | 60 | 60 | ||
759 | 61 | resolvers dns | 61 | resolvers dns |
765 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
766 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
767 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
768 | 65 | timeout retry 3s | 65 | timeout retry 3s |
769 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
770 | 67 | 67 | ||
771 | 68 | listen stats | 68 | listen stats |
782 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
783 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
784 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
785 | 72 | 72 | ||
786 | 73 | mode http | 73 | mode http |
787 | 74 | stats enable | 74 | stats enable |
788 | 75 | stats uri / | 75 | stats uri / |
789 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
790 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
791 | 78 | stats refresh 3 | 78 | stats refresh 3 |
792 | 79 | 79 | ||
793 | 80 | 80 | ||
794 | 81 | listen combined-80 | 81 | listen combined-80 |
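Review bot: the comment at line 29 says DHE will be disabled later (LP#1825321), but `ssl-default-bind-ciphers` at line 27 lists only ECDHE suites, so `tune.ssl.default-dh-param 2048` at line 30 matters only if some bind line overrides the default cipher list. As the template behind this fixture is being re-indented anyway, update the comment to say where DHE is still offered, or note that the directive and comment can go once LP#1825321 is closed.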
795 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt | |||
796 | index 4ad1982..d42878a 100644 | |||
797 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt | |||
798 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt | |||
799 | @@ -1,81 +1,81 @@ | |||
800 | 1 | global | 1 | global |
812 | 2 | nbthread 4 | 2 | nbthread 4 |
813 | 3 | maxconn 24576 | 3 | maxconn 24576 |
814 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
815 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
816 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
817 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
818 | 8 | stats timeout 30s | 8 | stats timeout 30s |
819 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
820 | 10 | user haproxy | 10 | user haproxy |
821 | 11 | group haproxy | 11 | group haproxy |
822 | 12 | daemon | 12 | daemon |
823 | 13 | 13 | ||
827 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
828 | 15 | # and kill them off. | 15 | # and kill them off. |
829 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
830 | 17 | 17 | ||
834 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
835 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
836 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
837 | 21 | 21 | ||
847 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
848 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
849 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
850 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
851 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
852 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
853 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
854 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
855 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
856 | 31 | 31 | ||
865 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
866 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
867 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
868 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
869 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
870 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
871 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
872 | 39 | tune.ssl.cachesize 24576 | 39 | tune.ssl.cachesize 24576 |
873 | 40 | 40 | ||
874 | 41 | defaults | 41 | defaults |
893 | 42 | log global | 42 | log global |
894 | 43 | maxconn 8192 | 43 | maxconn 8192 |
895 | 44 | mode http | 44 | mode http |
896 | 45 | option dontlognull | 45 | option dontlognull |
897 | 46 | timeout connect 5s | 46 | timeout connect 5s |
898 | 47 | timeout client 50s | 47 | timeout client 50s |
899 | 48 | timeout server 50s | 48 | timeout server 50s |
900 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
901 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
902 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
903 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
904 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
905 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
906 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
907 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
908 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
909 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
910 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
911 | 60 | 60 | ||
912 | 61 | resolvers dns | 61 | resolvers dns |
918 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
919 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
920 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
921 | 65 | timeout retry 3s | 65 | timeout retry 3s |
922 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
923 | 67 | 67 | ||
924 | 68 | listen stats | 68 | listen stats |
928 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
929 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
930 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
931 | 72 | 72 | ||
938 | 73 | mode http | 73 | mode http |
939 | 74 | stats enable | 74 | stats enable |
940 | 75 | stats uri / | 75 | stats uri / |
941 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
942 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
943 | 78 | stats refresh 3 | 78 | stats refresh 3 |
944 | 79 | 79 | ||
945 | 80 | 80 | ||
946 | 81 | listen cached-site1-local | 81 | listen cached-site1-local |
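Review bot: `stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners` at line 7 gives every member of group `haproxy` full control of the runtime API, including changing server state. If anything other than the reload path reads this socket (metrics collection, for example), add a second socket at `level operator` or `level user` for that consumer and keep the admin socket for reloads only. A comment above line 7 stating who is expected to connect would make the 660 mode reviewable.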
947 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt | |||
948 | index 14380ea..c17ee47 100644 | |||
949 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt | |||
950 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt | |||
951 | @@ -1,81 +1,81 @@ | |||
952 | 1 | global | 1 | global |
991 | 2 | nbthread 4 | 2 | nbthread 4 |
992 | 3 | maxconn 106496 | 3 | maxconn 106496 |
993 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
994 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
995 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
996 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
997 | 8 | stats timeout 30s | 8 | stats timeout 30s |
998 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
999 | 10 | user haproxy | 10 | user haproxy |
1000 | 11 | group haproxy | 11 | group haproxy |
1001 | 12 | daemon | 12 | daemon |
1002 | 13 | 13 | ||
1003 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1004 | 15 | # and kill them off. | 15 | # and kill them off. |
1005 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
1006 | 17 | 17 | ||
1007 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
1008 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
1009 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
1010 | 21 | 21 | ||
1011 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
1012 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
1013 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1014 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
1015 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1016 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1017 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1018 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1019 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
1020 | 31 | 31 | ||
1021 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
1022 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
1023 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
1024 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
1025 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1026 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
1027 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
1028 | 39 | tune.ssl.cachesize 106496 | 39 | tune.ssl.cachesize 106496 |
1029 | 40 | 40 | ||
1030 | 41 | defaults | 41 | defaults |
1049 | 42 | log global | 42 | log global |
1050 | 43 | maxconn 8192 | 43 | maxconn 8192 |
1051 | 44 | mode http | 44 | mode http |
1052 | 45 | option dontlognull | 45 | option dontlognull |
1053 | 46 | timeout connect 5s | 46 | timeout connect 5s |
1054 | 47 | timeout client 50s | 47 | timeout client 50s |
1055 | 48 | timeout server 50s | 48 | timeout server 50s |
1056 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
1057 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
1058 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
1059 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
1060 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
1061 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
1062 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
1063 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
1064 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1065 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
1066 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1067 | 60 | 60 | ||
1068 | 61 | resolvers dns | 61 | resolvers dns |
1074 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
1075 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
1076 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
1077 | 65 | timeout retry 3s | 65 | timeout retry 3s |
1078 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
1079 | 67 | 67 | ||
1080 | 68 | listen stats | 68 | listen stats |
1091 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
1092 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
1093 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
1094 | 72 | 72 | ||
1095 | 73 | mode http | 73 | mode http |
1096 | 74 | stats enable | 74 | stats enable |
1097 | 75 | stats uri / | 75 | stats uri / |
1098 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
1099 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
1100 | 78 | stats refresh 3 | 78 | stats refresh 3 |
1101 | 79 | 79 | ||
1102 | 80 | 80 | ||
1103 | 81 | listen combined-80 | 81 | listen combined-80 |
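Review bot: `unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid` at line 57 builds the request ID from the client address and port, and line 58 forwards it to backends as `X-Cache-Request-ID`. The hex encoding is trivially reversible, so any backend or downstream log that stores the header also stores the client IP. Add a comment next to lines 57-58 saying the ID is not opaque, and check whether backends that should not see client addresses receive this header.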
1104 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt | |||
1105 | index 72d1109..a27ff31 100644 | |||
1106 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt | |||
1107 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt | |||
1108 | @@ -1,82 +1,82 @@ | |||
1109 | 1 | global | 1 | global |
1149 | 2 | nbproc 3 | 2 | nbproc 3 |
1150 | 3 | nbthread 10 | 3 | nbthread 10 |
1151 | 4 | maxconn 260000 | 4 | maxconn 260000 |
1152 | 5 | log /dev/log local0 | 5 | log /dev/log local0 |
1153 | 6 | log /dev/log local1 notice | 6 | log /dev/log local1 notice |
1154 | 7 | chroot /var/lib/haproxy | 7 | chroot /var/lib/haproxy |
1155 | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1156 | 9 | stats timeout 30s | 9 | stats timeout 30s |
1157 | 10 | server-state-file /run/haproxy/saved-server-state | 10 | server-state-file /run/haproxy/saved-server-state |
1158 | 11 | user haproxy | 11 | user haproxy |
1159 | 12 | group haproxy | 12 | group haproxy |
1160 | 13 | daemon | 13 | daemon |
1161 | 14 | 14 | ||
1162 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1163 | 16 | # and kill them off. | 16 | # and kill them off. |
1164 | 17 | hard-stop-after 15m | 17 | hard-stop-after 15m |
1165 | 18 | 18 | ||
1166 | 19 | # Default SSL material locations | 19 | # Default SSL material locations |
1167 | 20 | ca-base /etc/ssl/certs | 20 | ca-base /etc/ssl/certs |
1168 | 21 | crt-base /etc/ssl/private | 21 | crt-base /etc/ssl/private |
1169 | 22 | 22 | ||
1170 | 23 | # Default ciphers to use on SSL-enabled listening sockets. | 23 | # Default ciphers to use on SSL-enabled listening sockets. |
1171 | 24 | # For more information, see ciphers(1SSL). This list is from: | 24 | # For more information, see ciphers(1SSL). This list is from: |
1172 | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1173 | 26 | # An alternative list with additional directives can be obtained from | 26 | # An alternative list with additional directives can be obtained from |
1174 | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1175 | 28 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 28 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1176 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1177 | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1178 | 31 | tune.ssl.default-dh-param 2048 | 31 | tune.ssl.default-dh-param 2048 |
1179 | 32 | 32 | ||
1180 | 33 | # Increase the SSL/TLS session cache from the default 20k. But | 33 | # Increase the SSL/TLS session cache from the default 20k. But |
1181 | 34 | # rather than hardcode values, let's just set it to match | 34 | # rather than hardcode values, let's just set it to match |
1182 | 35 | # global_max_connections (which by default is calculated using | 35 | # global_max_connections (which by default is calculated using |
1183 | 36 | # num. of CPU cores and num. of configured sites). Each entry | 36 | # num. of CPU cores and num. of configured sites). Each entry |
1184 | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1185 | 38 | # each with 2000 max conns will only consume around 122 Mbytes | 38 | # each with 2000 max conns will only consume around 122 Mbytes |
1186 | 39 | # (32 * 10 * 2000 * 200), which is not much. | 39 | # (32 * 10 * 2000 * 200), which is not much. |
1187 | 40 | tune.ssl.cachesize 260000 | 40 | tune.ssl.cachesize 260000 |
1188 | 41 | 41 | ||
1189 | 42 | defaults | 42 | defaults |
1208 | 43 | log global | 43 | log global |
1209 | 44 | maxconn 20000 | 44 | maxconn 20000 |
1210 | 45 | mode http | 45 | mode http |
1211 | 46 | option dontlognull | 46 | option dontlognull |
1212 | 47 | timeout connect 5s | 47 | timeout connect 5s |
1213 | 48 | timeout client 50s | 48 | timeout client 50s |
1214 | 49 | timeout server 50s | 49 | timeout server 50s |
1215 | 50 | errorfile 400 /etc/haproxy/errors/400.http | 50 | errorfile 400 /etc/haproxy/errors/400.http |
1216 | 51 | errorfile 403 /etc/haproxy/errors/403.http | 51 | errorfile 403 /etc/haproxy/errors/403.http |
1217 | 52 | errorfile 408 /etc/haproxy/errors/408.http | 52 | errorfile 408 /etc/haproxy/errors/408.http |
1218 | 53 | errorfile 500 /etc/haproxy/errors/500.http | 53 | errorfile 500 /etc/haproxy/errors/500.http |
1219 | 54 | errorfile 502 /etc/haproxy/errors/502.http | 54 | errorfile 502 /etc/haproxy/errors/502.http |
1220 | 55 | errorfile 503 /etc/haproxy/errors/503.http | 55 | errorfile 503 /etc/haproxy/errors/503.http |
1221 | 56 | errorfile 504 /etc/haproxy/errors/504.http | 56 | errorfile 504 /etc/haproxy/errors/504.http |
1222 | 57 | load-server-state-from-file global | 57 | load-server-state-from-file global |
1223 | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1224 | 59 | unique-id-header X-Cache-Request-ID | 59 | unique-id-header X-Cache-Request-ID |
1225 | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1226 | 61 | 61 | ||
1227 | 62 | resolvers dns | 62 | resolvers dns |
1233 | 63 | nameserver dns1 127.0.0.53:53 | 63 | nameserver dns1 127.0.0.53:53 |
1234 | 64 | resolve_retries 3 | 64 | resolve_retries 3 |
1235 | 65 | timeout resolve 3s | 65 | timeout resolve 3s |
1236 | 66 | timeout retry 3s | 66 | timeout retry 3s |
1237 | 67 | accepted_payload_size 8192 | 67 | accepted_payload_size 8192 |
1238 | 68 | 68 | ||
1239 | 69 | listen stats | 69 | listen stats |
1250 | 70 | bind 127.0.0.1:10000 | 70 | bind 127.0.0.1:10000 |
1251 | 71 | acl allowed_cidr src 127.0.0.0/8 | 71 | acl allowed_cidr src 127.0.0.0/8 |
1252 | 72 | http-request deny unless allowed_cidr | 72 | http-request deny unless allowed_cidr |
1253 | 73 | 73 | ||
1254 | 74 | mode http | 74 | mode http |
1255 | 75 | stats enable | 75 | stats enable |
1256 | 76 | stats uri / | 76 | stats uri / |
1257 | 77 | stats realm Haproxy\ Statistics | 77 | stats realm Haproxy\ Statistics |
1258 | 78 | stats auth haproxy:biometricsarenotsecret | 78 | stats auth haproxy:biometricsarenotsecret |
1259 | 79 | stats refresh 3 | 79 | stats refresh 3 |
1260 | 80 | 80 | ||
1261 | 81 | 81 | ||
1262 | 82 | listen combined-80 | 82 | listen combined-80 |
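Review bot: with `nbproc 3` at line 2, the single `stats socket` at line 8 and the single `listen stats` on 127.0.0.1:10000 at lines 69-79 are not pinned to a process, so each connection is answered by whichever process accepts it and reports only that process's counters. If this fixture reflects a supported deployment, render one stats socket and one stats listener per process (the `process` bind option), or document next to line 2 that the stats shown are partial in this mode.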
1263 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt | |||
1264 | index 015bc9c..2a6ee1a 100644 | |||
1265 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt | |||
1266 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt | |||
1267 | @@ -1,81 +1,81 @@ | |||
1268 | 1 | global | 1 | global |
1307 | 2 | nbthread 30 | 2 | nbthread 30 |
1308 | 3 | maxconn 524288 | 3 | maxconn 524288 |
1309 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
1310 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
1311 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
1312 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1313 | 8 | stats timeout 30s | 8 | stats timeout 30s |
1314 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
1315 | 10 | user haproxy | 10 | user haproxy |
1316 | 11 | group haproxy | 11 | group haproxy |
1317 | 12 | daemon | 12 | daemon |
1318 | 13 | 13 | ||
1319 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1320 | 15 | # and kill them off. | 15 | # and kill them off. |
1321 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
1322 | 17 | 17 | ||
1323 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
1324 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
1325 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
1326 | 21 | 21 | ||
1327 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
1328 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
1329 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1330 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
1331 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1332 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1333 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1334 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1335 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
1336 | 31 | 31 | ||
1337 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
1338 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
1339 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
1340 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
1341 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1342 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
1343 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
1344 | 39 | tune.ssl.cachesize 524288 | 39 | tune.ssl.cachesize 524288 |
1345 | 40 | 40 | ||
1346 | 41 | defaults | 41 | defaults |
1365 | 42 | log global | 42 | log global |
1366 | 43 | maxconn 60000 | 43 | maxconn 60000 |
1367 | 44 | mode http | 44 | mode http |
1368 | 45 | option dontlognull | 45 | option dontlognull |
1369 | 46 | timeout connect 5s | 46 | timeout connect 5s |
1370 | 47 | timeout client 50s | 47 | timeout client 50s |
1371 | 48 | timeout server 50s | 48 | timeout server 50s |
1372 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
1373 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
1374 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
1375 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
1376 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
1377 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
1378 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
1379 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
1380 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1381 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
1382 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1383 | 60 | 60 | ||
1384 | 61 | resolvers dns | 61 | resolvers dns |
1390 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
1391 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
1392 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
1393 | 65 | timeout retry 3s | 65 | timeout retry 3s |
1394 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
1395 | 67 | 67 | ||
1396 | 68 | listen stats | 68 | listen stats |
1407 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
1408 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
1409 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
1410 | 72 | 72 | ||
1411 | 73 | mode http | 73 | mode http |
1412 | 74 | stats enable | 74 | stats enable |
1413 | 75 | stats uri / | 75 | stats uri / |
1414 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
1415 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
1416 | 78 | stats refresh 3 | 78 | stats refresh 3 |
1417 | 79 | 79 | ||
1418 | 80 | 80 | ||
1419 | 81 | listen combined-80 | 81 | listen combined-80 |
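Review bot: the comment at file line 29 ("We'll eventually disable DHE (LP#1825321), but for now, bump DH params") does not match the cipher string at line 27, which selects only ECDHE suites. As rendered here, no DHE cipher suite is enabled by that string, so `tune.ssl.default-dh-param 2048` on line 30 has nothing to act on. Suggest rewording the comment to say the parameter only matters when an operator configures a cipher list that includes DHE, or dropping both lines once LP#1825321 is resolved.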
1420 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt | |||
1421 | index bc80f29..8a219b5 100644 | |||
1422 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt | |||
1423 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt | |||
1424 | @@ -1,81 +1,81 @@ | |||
1425 | 1 | global | 1 | global |
1437 | 2 | nbthread 4 | 2 | nbthread 4 |
1438 | 3 | maxconn 16384 | 3 | maxconn 16384 |
1439 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
1440 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
1441 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
1442 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1443 | 8 | stats timeout 30s | 8 | stats timeout 30s |
1444 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
1445 | 10 | user haproxy | 10 | user haproxy |
1446 | 11 | group haproxy | 11 | group haproxy |
1447 | 12 | daemon | 12 | daemon |
1448 | 13 | 13 | ||
1452 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1453 | 15 | # and kill them off. | 15 | # and kill them off. |
1454 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
1455 | 17 | 17 | ||
1459 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
1460 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
1461 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
1462 | 21 | 21 | ||
1472 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
1473 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
1474 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1475 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
1476 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1477 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1478 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1479 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1480 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
1481 | 31 | 31 | ||
1490 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
1491 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
1492 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
1493 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
1494 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1495 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
1496 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
1497 | 39 | tune.ssl.cachesize 16384 | 39 | tune.ssl.cachesize 16384 |
1498 | 40 | 40 | ||
1499 | 41 | defaults | 41 | defaults |
1518 | 42 | log global | 42 | log global |
1519 | 43 | maxconn 8192 | 43 | maxconn 8192 |
1520 | 44 | mode http | 44 | mode http |
1521 | 45 | option dontlognull | 45 | option dontlognull |
1522 | 46 | timeout connect 5s | 46 | timeout connect 5s |
1523 | 47 | timeout client 50s | 47 | timeout client 50s |
1524 | 48 | timeout server 50s | 48 | timeout server 50s |
1525 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
1526 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
1527 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
1528 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
1529 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
1530 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
1531 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
1532 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
1533 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1534 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
1535 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1536 | 60 | 60 | ||
1537 | 61 | resolvers dns | 61 | resolvers dns |
1543 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
1544 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
1545 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
1546 | 65 | timeout retry 3s | 65 | timeout retry 3s |
1547 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
1548 | 67 | 67 | ||
1549 | 68 | listen stats | 68 | listen stats |
1553 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
1554 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
1555 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
1556 | 72 | 72 | ||
1563 | 73 | mode http | 73 | mode http |
1564 | 74 | stats enable | 74 | stats enable |
1565 | 75 | stats uri / | 75 | stats uri / |
1566 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
1567 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
1568 | 78 | stats refresh 3 | 78 | stats refresh 3 |
1569 | 79 | 79 | ||
1570 | 80 | 80 | ||
1571 | 81 | listen cached-site1-local | 81 | listen cached-site1-local |
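Review bot: file line 77, `stats auth haproxy:biometricsarenotsecret`, puts a literal stats password in the rendered output, and the same value appears in each fixture shown here. The listener is bound to 127.0.0.1 and denies sources outside 127.0.0.0/8, which limits exposure, but it is worth confirming that the template takes this password from charm config rather than a built-in default, and saying in the test that the value is a test-only placeholder.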
1572 | diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt | |||
1573 | index 8badf52..dd6b279 100644 | |||
1574 | --- a/tests/unit/files/haproxy_config_rendered_test_output.txt | |||
1575 | +++ b/tests/unit/files/haproxy_config_rendered_test_output.txt | |||
1576 | @@ -1,82 +1,82 @@ | |||
1577 | 1 | global | 1 | global |
1617 | 2 | nbproc 2 | 2 | nbproc 2 |
1618 | 3 | nbthread 4 | 3 | nbthread 4 |
1619 | 4 | maxconn 15000 | 4 | maxconn 15000 |
1620 | 5 | log /dev/log local0 | 5 | log /dev/log local0 |
1621 | 6 | log /dev/log local1 notice | 6 | log /dev/log local1 notice |
1622 | 7 | chroot /var/lib/haproxy | 7 | chroot /var/lib/haproxy |
1623 | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1624 | 9 | stats timeout 30s | 9 | stats timeout 30s |
1625 | 10 | server-state-file /run/haproxy/saved-server-state | 10 | server-state-file /run/haproxy/saved-server-state |
1626 | 11 | user haproxy | 11 | user haproxy |
1627 | 12 | group haproxy | 12 | group haproxy |
1628 | 13 | daemon | 13 | daemon |
1629 | 14 | 14 | ||
1630 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1631 | 16 | # and kill them off. | 16 | # and kill them off. |
1632 | 17 | hard-stop-after 5m | 17 | hard-stop-after 5m |
1633 | 18 | 18 | ||
1634 | 19 | # Default SSL material locations | 19 | # Default SSL material locations |
1635 | 20 | ca-base /etc/ssl/certs | 20 | ca-base /etc/ssl/certs |
1636 | 21 | crt-base /etc/ssl/private | 21 | crt-base /etc/ssl/private |
1637 | 22 | 22 | ||
1638 | 23 | # Default ciphers to use on SSL-enabled listening sockets. | 23 | # Default ciphers to use on SSL-enabled listening sockets. |
1639 | 24 | # For more information, see ciphers(1SSL). This list is from: | 24 | # For more information, see ciphers(1SSL). This list is from: |
1640 | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1641 | 26 | # An alternative list with additional directives can be obtained from | 26 | # An alternative list with additional directives can be obtained from |
1642 | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1643 | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
1644 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1645 | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1646 | 31 | tune.ssl.default-dh-param 2048 | 31 | tune.ssl.default-dh-param 2048 |
1647 | 32 | 32 | ||
1648 | 33 | # Increase the SSL/TLS session cache from the default 20k. But | 33 | # Increase the SSL/TLS session cache from the default 20k. But |
1649 | 34 | # rather than hardcode values, let's just set it to match | 34 | # rather than hardcode values, let's just set it to match |
1650 | 35 | # global_max_connections (which by default is calculated using | 35 | # global_max_connections (which by default is calculated using |
1651 | 36 | # num. of CPU cores and num. of configured sites). Each entry | 36 | # num. of CPU cores and num. of configured sites). Each entry |
1652 | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1653 | 38 | # each with 2000 max conns will only consume around 122 Mbytes | 38 | # each with 2000 max conns will only consume around 122 Mbytes |
1654 | 39 | # (32 * 10 * 2000 * 200), which is not much. | 39 | # (32 * 10 * 2000 * 200), which is not much. |
1655 | 40 | tune.ssl.cachesize 15000 | 40 | tune.ssl.cachesize 15000 |
1656 | 41 | 41 | ||
1657 | 42 | defaults | 42 | defaults |
1676 | 43 | log global | 43 | log global |
1677 | 44 | maxconn 5000 | 44 | maxconn 5000 |
1678 | 45 | mode http | 45 | mode http |
1679 | 46 | option dontlognull | 46 | option dontlognull |
1680 | 47 | timeout connect 5s | 47 | timeout connect 5s |
1681 | 48 | timeout client 50s | 48 | timeout client 50s |
1682 | 49 | timeout server 50s | 49 | timeout server 50s |
1683 | 50 | errorfile 400 /etc/haproxy/errors/400.http | 50 | errorfile 400 /etc/haproxy/errors/400.http |
1684 | 51 | errorfile 403 /etc/haproxy/errors/403.http | 51 | errorfile 403 /etc/haproxy/errors/403.http |
1685 | 52 | errorfile 408 /etc/haproxy/errors/408.http | 52 | errorfile 408 /etc/haproxy/errors/408.http |
1686 | 53 | errorfile 500 /etc/haproxy/errors/500.http | 53 | errorfile 500 /etc/haproxy/errors/500.http |
1687 | 54 | errorfile 502 /etc/haproxy/errors/502.http | 54 | errorfile 502 /etc/haproxy/errors/502.http |
1688 | 55 | errorfile 503 /etc/haproxy/errors/503.http | 55 | errorfile 503 /etc/haproxy/errors/503.http |
1689 | 56 | errorfile 504 /etc/haproxy/errors/504.http | 56 | errorfile 504 /etc/haproxy/errors/504.http |
1690 | 57 | load-server-state-from-file global | 57 | load-server-state-from-file global |
1691 | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1692 | 59 | unique-id-header X-Cache-Request-ID | 59 | unique-id-header X-Cache-Request-ID |
1693 | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1694 | 61 | 61 | ||
1695 | 62 | resolvers dns | 62 | resolvers dns |
1701 | 63 | nameserver dns1 127.0.0.53:53 | 63 | nameserver dns1 127.0.0.53:53 |
1702 | 64 | resolve_retries 3 | 64 | resolve_retries 3 |
1703 | 65 | timeout resolve 3s | 65 | timeout resolve 3s |
1704 | 66 | timeout retry 3s | 66 | timeout retry 3s |
1705 | 67 | accepted_payload_size 8192 | 67 | accepted_payload_size 8192 |
1706 | 68 | 68 | ||
1707 | 69 | listen stats | 69 | listen stats |
1718 | 70 | bind 127.0.0.1:10000 | 70 | bind 127.0.0.1:10000 |
1719 | 71 | acl allowed_cidr src 127.0.0.0/8 | 71 | acl allowed_cidr src 127.0.0.0/8 |
1720 | 72 | http-request deny unless allowed_cidr | 72 | http-request deny unless allowed_cidr |
1721 | 73 | 73 | ||
1722 | 74 | mode http | 74 | mode http |
1723 | 75 | stats enable | 75 | stats enable |
1724 | 76 | stats uri / | 76 | stats uri / |
1725 | 77 | stats realm Haproxy\ Statistics | 77 | stats realm Haproxy\ Statistics |
1726 | 78 | stats auth haproxy:biometricsarenotsecret | 78 | stats auth haproxy:biometricsarenotsecret |
1727 | 79 | stats refresh 3 | 79 | stats refresh 3 |
1728 | 80 | 80 | ||
1729 | 81 | 81 | ||
1730 | 82 | listen combined-80 | 82 | listen combined-80 |
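Review bot: with `nbproc 2` at file line 2, the single `stats socket` on line 8 and the `listen stats` section starting at line 69 are each answered by whichever process accepts the connection, so admin commands and counters cover only one of the two processes. Consider rendering one socket per process with the `process` keyword when nbproc is greater than 1, and doing the same for the stats listener, or add a comment in the template stating that the limitation is accepted.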
1731 | diff --git a/tests/unit/files/haproxy_config_rendered_test_output2.txt b/tests/unit/files/haproxy_config_rendered_test_output2.txt | |||
1732 | index 61a329c..4620899 100644 | |||
1733 | --- a/tests/unit/files/haproxy_config_rendered_test_output2.txt | |||
1734 | +++ b/tests/unit/files/haproxy_config_rendered_test_output2.txt | |||
1735 | @@ -1,82 +1,82 @@ | |||
1736 | 1 | global | 1 | global |
1776 | 2 | nbproc 2 | 2 | nbproc 2 |
1777 | 3 | nbthread 4 | 3 | nbthread 4 |
1778 | 4 | maxconn 8192 | 4 | maxconn 8192 |
1779 | 5 | log /dev/log local0 | 5 | log /dev/log local0 |
1780 | 6 | log /dev/log local1 notice | 6 | log /dev/log local1 notice |
1781 | 7 | chroot /var/lib/haproxy | 7 | chroot /var/lib/haproxy |
1782 | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1783 | 9 | stats timeout 30s | 9 | stats timeout 30s |
1784 | 10 | server-state-file /run/haproxy/saved-server-state | 10 | server-state-file /run/haproxy/saved-server-state |
1785 | 11 | user haproxy | 11 | user haproxy |
1786 | 12 | group haproxy | 12 | group haproxy |
1787 | 13 | daemon | 13 | daemon |
1788 | 14 | 14 | ||
1789 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1790 | 16 | # and kill them off. | 16 | # and kill them off. |
1791 | 17 | hard-stop-after 5m | 17 | hard-stop-after 5m |
1792 | 18 | 18 | ||
1793 | 19 | # Default SSL material locations | 19 | # Default SSL material locations |
1794 | 20 | ca-base /etc/ssl/certs | 20 | ca-base /etc/ssl/certs |
1795 | 21 | crt-base /etc/ssl/private | 21 | crt-base /etc/ssl/private |
1796 | 22 | 22 | ||
1797 | 23 | # Default ciphers to use on SSL-enabled listening sockets. | 23 | # Default ciphers to use on SSL-enabled listening sockets. |
1798 | 24 | # For more information, see ciphers(1SSL). This list is from: | 24 | # For more information, see ciphers(1SSL). This list is from: |
1799 | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1800 | 26 | # An alternative list with additional directives can be obtained from | 26 | # An alternative list with additional directives can be obtained from |
1801 | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1802 | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
1803 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1804 | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1805 | 31 | tune.ssl.default-dh-param 2048 | 31 | tune.ssl.default-dh-param 2048 |
1806 | 32 | 32 | ||
1807 | 33 | # Increase the SSL/TLS session cache from the default 20k. But | 33 | # Increase the SSL/TLS session cache from the default 20k. But |
1808 | 34 | # rather than hardcode values, let's just set it to match | 34 | # rather than hardcode values, let's just set it to match |
1809 | 35 | # global_max_connections (which by default is calculated using | 35 | # global_max_connections (which by default is calculated using |
1810 | 36 | # num. of CPU cores and num. of configured sites). Each entry | 36 | # num. of CPU cores and num. of configured sites). Each entry |
1811 | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1812 | 38 | # each with 2000 max conns will only consume around 122 Mbytes | 38 | # each with 2000 max conns will only consume around 122 Mbytes |
1813 | 39 | # (32 * 10 * 2000 * 200), which is not much. | 39 | # (32 * 10 * 2000 * 200), which is not much. |
1814 | 40 | tune.ssl.cachesize 8192 | 40 | tune.ssl.cachesize 8192 |
1815 | 41 | 41 | ||
1816 | 42 | defaults | 42 | defaults |
1835 | 43 | log global | 43 | log global |
1836 | 44 | maxconn 5000 | 44 | maxconn 5000 |
1837 | 45 | mode http | 45 | mode http |
1838 | 46 | option dontlognull | 46 | option dontlognull |
1839 | 47 | timeout connect 5s | 47 | timeout connect 5s |
1840 | 48 | timeout client 50s | 48 | timeout client 50s |
1841 | 49 | timeout server 50s | 49 | timeout server 50s |
1842 | 50 | errorfile 400 /etc/haproxy/errors/400.http | 50 | errorfile 400 /etc/haproxy/errors/400.http |
1843 | 51 | errorfile 403 /etc/haproxy/errors/403.http | 51 | errorfile 403 /etc/haproxy/errors/403.http |
1844 | 52 | errorfile 408 /etc/haproxy/errors/408.http | 52 | errorfile 408 /etc/haproxy/errors/408.http |
1845 | 53 | errorfile 500 /etc/haproxy/errors/500.http | 53 | errorfile 500 /etc/haproxy/errors/500.http |
1846 | 54 | errorfile 502 /etc/haproxy/errors/502.http | 54 | errorfile 502 /etc/haproxy/errors/502.http |
1847 | 55 | errorfile 503 /etc/haproxy/errors/503.http | 55 | errorfile 503 /etc/haproxy/errors/503.http |
1848 | 56 | errorfile 504 /etc/haproxy/errors/504.http | 56 | errorfile 504 /etc/haproxy/errors/504.http |
1849 | 57 | load-server-state-from-file global | 57 | load-server-state-from-file global |
1850 | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1851 | 59 | unique-id-header X-Cache-Request-ID | 59 | unique-id-header X-Cache-Request-ID |
1852 | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1853 | 61 | 61 | ||
1854 | 62 | resolvers dns | 62 | resolvers dns |
1860 | 63 | nameserver dns1 127.0.0.53:53 | 63 | nameserver dns1 127.0.0.53:53 |
1861 | 64 | resolve_retries 3 | 64 | resolve_retries 3 |
1862 | 65 | timeout resolve 3s | 65 | timeout resolve 3s |
1863 | 66 | timeout retry 3s | 66 | timeout retry 3s |
1864 | 67 | accepted_payload_size 8192 | 67 | accepted_payload_size 8192 |
1865 | 68 | 68 | ||
1866 | 69 | listen stats | 69 | listen stats |
1877 | 70 | bind 127.0.0.1:10000 | 70 | bind 127.0.0.1:10000 |
1878 | 71 | acl allowed_cidr src 127.0.0.0/8 | 71 | acl allowed_cidr src 127.0.0.0/8 |
1879 | 72 | http-request deny unless allowed_cidr | 72 | http-request deny unless allowed_cidr |
1880 | 73 | 73 | ||
1881 | 74 | mode http | 74 | mode http |
1882 | 75 | stats enable | 75 | stats enable |
1883 | 76 | stats uri / | 76 | stats uri / |
1884 | 77 | stats realm Haproxy\ Statistics | 77 | stats realm Haproxy\ Statistics |
1885 | 78 | stats auth haproxy:biometricsarenotsecret | 78 | stats auth haproxy:biometricsarenotsecret |
1886 | 79 | stats refresh 3 | 79 | stats refresh 3 |
1887 | 80 | 80 | ||
1888 | 81 | 81 | ||
1889 | 82 | listen combined-80 | 82 | listen combined-80 |
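Review bot: the comment at file lines 33-39 says the session cache is being increased from the default 20k, but the rendered `tune.ssl.cachesize 8192` on line 40 is below that figure because it simply mirrors the global `maxconn 8192` on line 4. Either have the template floor the value at the default (the larger of 20000 and global_max_connections) or reword the comment to say the cache tracks global_max_connections and can end up smaller than the default.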
This merge proposal is being monitored by mergebot. Change the status to Approved to merge.