Merge ~hloeung/content-cache-charm:cleanup into content-cache-charm:master
- Git
- lp:~hloeung/content-cache-charm
- cleanup
- Merge into master
Proposed by
Haw Loeung
| Status: | Merged |
|---|---|
| Approved by: | Haw Loeung |
| Approved revision: | 51c5baff7265d57177de0966bfa8d0c9f89e0e11 |
| Merged at revision: | 3774c254f111422a5f61c2b592af906be9da33dc |
| Proposed branch: | ~hloeung/content-cache-charm:cleanup |
| Merge into: | content-cache-charm:master |
| Prerequisite: | ~hloeung/content-cache-charm:request-unique-id |
| Diff against target: |
1889 lines (+832/-832) 13 files modified
lib/haproxy.py (+1/-1) templates/haproxy_cfg.tmpl (+67/-67) tests/unit/files/content_cache_rendered_haproxy_test_output.txt (+71/-71) tests/unit/files/content_cache_rendered_haproxy_test_output2.txt (+66/-66) tests/unit/files/content_cache_rendered_haproxy_test_output3.txt (+66/-66) tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt (+71/-71) tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt (+66/-66) tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt (+71/-71) tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt (+72/-72) tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt (+71/-71) tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt (+66/-66) tests/unit/files/haproxy_config_rendered_test_output.txt (+72/-72) tests/unit/files/haproxy_config_rendered_test_output2.txt (+72/-72) |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Barry Price | Approve | ||
| Canonical IS Reviewers | Pending | ||
|
Review via email:
|
|||
Commit message
Fix indentation so it's consistent
Description of the change
To post a comment you must log in.
Revision history for this message
| 🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : | # |
Revision history for this message
| 🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : | # |
Change successfully merged at revision 3774c254f111422
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | diff --git a/lib/haproxy.py b/lib/haproxy.py | |||
| 2 | index 7c0eabf..f76e083 100644 | |||
| 3 | --- a/lib/haproxy.py | |||
| 4 | +++ b/lib/haproxy.py | |||
| 5 | @@ -116,7 +116,7 @@ class HAProxyConf: | |||
| 6 | 116 | listen_stanza = """ | 116 | listen_stanza = """ |
| 7 | 117 | listen {name} | 117 | listen {name} |
| 8 | 118 | {bind_config} | 118 | {bind_config} |
| 10 | 119 | capture request header X-Cache-Request-ID len 60 | 119 | {indent}capture request header X-Cache-Request-ID len 60 |
| 11 | 120 | {redirect_config}{backend_config}{default_backend}""" | 120 | {redirect_config}{backend_config}{default_backend}""" |
| 12 | 121 | backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n' | 121 | backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n' |
| 13 | 122 | redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n' | 122 | redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n' |
| 14 | diff --git a/templates/haproxy_cfg.tmpl b/templates/haproxy_cfg.tmpl | |||
| 15 | index c59938c..4b8bdcd 100644 | |||
| 16 | --- a/templates/haproxy_cfg.tmpl | |||
| 17 | +++ b/templates/haproxy_cfg.tmpl | |||
| 18 | @@ -1,91 +1,91 @@ | |||
| 19 | 1 | global | 1 | global |
| 20 | 2 | {%- if num_procs %} | 2 | {%- if num_procs %} |
| 22 | 3 | nbproc {{num_procs}} | 3 | nbproc {{num_procs}} |
| 23 | 4 | {%- endif %} | 4 | {%- endif %} |
| 24 | 5 | {%- if num_threads %} | 5 | {%- if num_threads %} |
| 26 | 6 | nbthread {{num_threads}} | 6 | nbthread {{num_threads}} |
| 27 | 7 | {%- endif %} | 7 | {%- endif %} |
| 38 | 8 | maxconn {{global_max_connections}} | 8 | maxconn {{global_max_connections}} |
| 39 | 9 | log /dev/log local0 | 9 | log /dev/log local0 |
| 40 | 10 | log /dev/log local1 notice | 10 | log /dev/log local1 notice |
| 41 | 11 | chroot /var/lib/haproxy | 11 | chroot /var/lib/haproxy |
| 42 | 12 | stats socket {{socket_path}} mode 660 level admin expose-fd listeners | 12 | stats socket {{socket_path}} mode 660 level admin expose-fd listeners |
| 43 | 13 | stats timeout 30s | 13 | stats timeout 30s |
| 44 | 14 | server-state-file {{saved_server_state_path}} | 14 | server-state-file {{saved_server_state_path}} |
| 45 | 15 | user haproxy | 15 | user haproxy |
| 46 | 16 | group haproxy | 16 | group haproxy |
| 47 | 17 | daemon | 17 | daemon |
| 48 | 18 | 18 | ||
| 52 | 19 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 19 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 53 | 20 | # and kill them off. | 20 | # and kill them off. |
| 54 | 21 | hard-stop-after {{hard_stop_after}} | 21 | hard-stop-after {{hard_stop_after}} |
| 55 | 22 | 22 | ||
| 59 | 23 | # Default SSL material locations | 23 | # Default SSL material locations |
| 60 | 24 | ca-base /etc/ssl/certs | 24 | ca-base /etc/ssl/certs |
| 61 | 25 | crt-base /etc/ssl/private | 25 | crt-base /etc/ssl/private |
| 62 | 26 | 26 | ||
| 72 | 27 | # Default ciphers to use on SSL-enabled listening sockets. | 27 | # Default ciphers to use on SSL-enabled listening sockets. |
| 73 | 28 | # For more information, see ciphers(1SSL). This list is from: | 28 | # For more information, see ciphers(1SSL). This list is from: |
| 74 | 29 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 29 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 75 | 30 | # An alternative list with additional directives can be obtained from | 30 | # An alternative list with additional directives can be obtained from |
| 76 | 31 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 31 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 77 | 32 | ssl-default-bind-ciphers {{tls_cipher_suites}} | 32 | ssl-default-bind-ciphers {{tls_cipher_suites}} |
| 78 | 33 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 33 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 79 | 34 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 34 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 80 | 35 | tune.ssl.default-dh-param 2048 | 35 | tune.ssl.default-dh-param 2048 |
| 81 | 36 | 36 | ||
| 90 | 37 | # Increase the SSL/TLS session cache from the default 20k. But | 37 | # Increase the SSL/TLS session cache from the default 20k. But |
| 91 | 38 | # rather than hardcode values, let's just set it to match | 38 | # rather than hardcode values, let's just set it to match |
| 92 | 39 | # global_max_connections (which by default is calculated using | 39 | # global_max_connections (which by default is calculated using |
| 93 | 40 | # num. of CPU cores and num. of configured sites). Each entry | 40 | # num. of CPU cores and num. of configured sites). Each entry |
| 94 | 41 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 41 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 95 | 42 | # each with 2000 max conns will only consume around 122 Mbytes | 42 | # each with 2000 max conns will only consume around 122 Mbytes |
| 96 | 43 | # (32 * 10 * 2000 * 200), which is not much. | 43 | # (32 * 10 * 2000 * 200), which is not much. |
| 97 | 44 | tune.ssl.cachesize {{global_max_connections}} | 44 | tune.ssl.cachesize {{global_max_connections}} |
| 98 | 45 | 45 | ||
| 99 | 46 | defaults | 46 | defaults |
| 118 | 47 | log global | 47 | log global |
| 119 | 48 | maxconn {{max_connections}} | 48 | maxconn {{max_connections}} |
| 120 | 49 | mode http | 49 | mode http |
| 121 | 50 | option dontlognull | 50 | option dontlognull |
| 122 | 51 | timeout connect 5s | 51 | timeout connect 5s |
| 123 | 52 | timeout client 50s | 52 | timeout client 50s |
| 124 | 53 | timeout server 50s | 53 | timeout server 50s |
| 125 | 54 | errorfile 400 /etc/haproxy/errors/400.http | 54 | errorfile 400 /etc/haproxy/errors/400.http |
| 126 | 55 | errorfile 403 /etc/haproxy/errors/403.http | 55 | errorfile 403 /etc/haproxy/errors/403.http |
| 127 | 56 | errorfile 408 /etc/haproxy/errors/408.http | 56 | errorfile 408 /etc/haproxy/errors/408.http |
| 128 | 57 | errorfile 500 /etc/haproxy/errors/500.http | 57 | errorfile 500 /etc/haproxy/errors/500.http |
| 129 | 58 | errorfile 502 /etc/haproxy/errors/502.http | 58 | errorfile 502 /etc/haproxy/errors/502.http |
| 130 | 59 | errorfile 503 /etc/haproxy/errors/503.http | 59 | errorfile 503 /etc/haproxy/errors/503.http |
| 131 | 60 | errorfile 504 /etc/haproxy/errors/504.http | 60 | errorfile 504 /etc/haproxy/errors/504.http |
| 132 | 61 | load-server-state-from-file global | 61 | load-server-state-from-file global |
| 133 | 62 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 62 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 134 | 63 | unique-id-header X-Cache-Request-ID | 63 | unique-id-header X-Cache-Request-ID |
| 135 | 64 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 64 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 136 | 65 | 65 | ||
| 137 | 66 | {%- if dns_servers %} | 66 | {%- if dns_servers %} |
| 138 | 67 | 67 | ||
| 139 | 68 | resolvers dns | 68 | resolvers dns |
| 140 | 69 | {%- for resolver in dns_servers %} | 69 | {%- for resolver in dns_servers %} |
| 142 | 70 | nameserver dns{{loop.index}} {{resolver}}:53 | 70 | nameserver dns{{loop.index}} {{resolver}}:53 |
| 143 | 71 | {%- endfor %} | 71 | {%- endfor %} |
| 148 | 72 | resolve_retries 3 | 72 | resolve_retries 3 |
| 149 | 73 | timeout resolve 3s | 73 | timeout resolve 3s |
| 150 | 74 | timeout retry 3s | 74 | timeout retry 3s |
| 151 | 75 | accepted_payload_size 8192 | 75 | accepted_payload_size 8192 |
| 152 | 76 | {%- endif %} | 76 | {%- endif %} |
| 153 | 77 | 77 | ||
| 154 | 78 | listen stats | 78 | listen stats |
| 158 | 79 | bind 127.0.0.1:10000 | 79 | bind 127.0.0.1:10000 |
| 159 | 80 | acl allowed_cidr src 127.0.0.0/8 | 80 | acl allowed_cidr src 127.0.0.0/8 |
| 160 | 81 | http-request deny unless allowed_cidr | 81 | http-request deny unless allowed_cidr |
| 161 | 82 | 82 | ||
| 168 | 83 | mode http | 83 | mode http |
| 169 | 84 | stats enable | 84 | stats enable |
| 170 | 85 | stats uri / | 85 | stats uri / |
| 171 | 86 | stats realm Haproxy\ Statistics | 86 | stats realm Haproxy\ Statistics |
| 172 | 87 | stats auth haproxy:{{monitoring_password}} | 87 | stats auth haproxy:{{monitoring_password}} |
| 173 | 88 | stats refresh 3 | 88 | stats refresh 3 |
| 174 | 89 | 89 | ||
| 175 | 90 | {% for stanza in listen -%} | 90 | {% for stanza in listen -%} |
| 176 | 91 | {{stanza}} | 91 | {{stanza}} |
| 177 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt | |||
| 178 | index d187ca5..72bc2d3 100644 | |||
| 179 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt | |||
| 180 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt | |||
| 181 | @@ -1,81 +1,81 @@ | |||
| 182 | 1 | global | 1 | global |
| 221 | 2 | nbthread 4 | 2 | nbthread 4 |
| 222 | 3 | maxconn 106496 | 3 | maxconn 106496 |
| 223 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 224 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 225 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 226 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 227 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 228 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 229 | 10 | user haproxy | 10 | user haproxy |
| 230 | 11 | group haproxy | 11 | group haproxy |
| 231 | 12 | daemon | 12 | daemon |
| 232 | 13 | 13 | ||
| 233 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 234 | 15 | # and kill them off. | 15 | # and kill them off. |
| 235 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 236 | 17 | 17 | ||
| 237 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 238 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 239 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 240 | 21 | 21 | ||
| 241 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 242 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 243 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 244 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 245 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 246 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 247 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 248 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 249 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 250 | 31 | 31 | ||
| 251 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 252 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 253 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 254 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 255 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 256 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 257 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 258 | 39 | tune.ssl.cachesize 106496 | 39 | tune.ssl.cachesize 106496 |
| 259 | 40 | 40 | ||
| 260 | 41 | defaults | 41 | defaults |
| 279 | 42 | log global | 42 | log global |
| 280 | 43 | maxconn 8192 | 43 | maxconn 8192 |
| 281 | 44 | mode http | 44 | mode http |
| 282 | 45 | option dontlognull | 45 | option dontlognull |
| 283 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 284 | 47 | timeout client 50s | 47 | timeout client 50s |
| 285 | 48 | timeout server 50s | 48 | timeout server 50s |
| 286 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 287 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 288 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 289 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 290 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 291 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 292 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 293 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 294 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 295 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 296 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 297 | 60 | 60 | ||
| 298 | 61 | resolvers dns | 61 | resolvers dns |
| 304 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 305 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 306 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 307 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 308 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 309 | 67 | 67 | ||
| 310 | 68 | listen stats | 68 | listen stats |
| 321 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 322 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 323 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 324 | 72 | 72 | ||
| 325 | 73 | mode http | 73 | mode http |
| 326 | 74 | stats enable | 74 | stats enable |
| 327 | 75 | stats uri / | 75 | stats uri / |
| 328 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 329 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 330 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 331 | 79 | 79 | ||
| 332 | 80 | 80 | ||
| 333 | 81 | listen combined-80 | 81 | listen combined-80 |
| 334 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt | |||
| 335 | index 15403b6..a618ceb 100644 | |||
| 336 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt | |||
| 337 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt | |||
| 338 | @@ -1,81 +1,81 @@ | |||
| 339 | 1 | global | 1 | global |
| 351 | 2 | nbthread 4 | 2 | nbthread 4 |
| 352 | 3 | maxconn 16384 | 3 | maxconn 16384 |
| 353 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 354 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 355 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 356 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 357 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 358 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 359 | 10 | user haproxy | 10 | user haproxy |
| 360 | 11 | group haproxy | 11 | group haproxy |
| 361 | 12 | daemon | 12 | daemon |
| 362 | 13 | 13 | ||
| 366 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 367 | 15 | # and kill them off. | 15 | # and kill them off. |
| 368 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 369 | 17 | 17 | ||
| 373 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 374 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 375 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 376 | 21 | 21 | ||
| 386 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 387 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 388 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 389 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 390 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 391 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 392 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 393 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 394 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 395 | 31 | 31 | ||
| 404 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 405 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 406 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 407 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 408 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 409 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 410 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 411 | 39 | tune.ssl.cachesize 16384 | 39 | tune.ssl.cachesize 16384 |
| 412 | 40 | 40 | ||
| 413 | 41 | defaults | 41 | defaults |
| 432 | 42 | log global | 42 | log global |
| 433 | 43 | maxconn 8192 | 43 | maxconn 8192 |
| 434 | 44 | mode http | 44 | mode http |
| 435 | 45 | option dontlognull | 45 | option dontlognull |
| 436 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 437 | 47 | timeout client 50s | 47 | timeout client 50s |
| 438 | 48 | timeout server 50s | 48 | timeout server 50s |
| 439 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 440 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 441 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 442 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 443 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 444 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 445 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 446 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 447 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 448 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 449 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 450 | 60 | 60 | ||
| 451 | 61 | resolvers dns | 61 | resolvers dns |
| 457 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 458 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 459 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 460 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 461 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 462 | 67 | 67 | ||
| 463 | 68 | listen stats | 68 | listen stats |
| 467 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 468 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 469 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 470 | 72 | 72 | ||
| 477 | 73 | mode http | 73 | mode http |
| 478 | 74 | stats enable | 74 | stats enable |
| 479 | 75 | stats uri / | 75 | stats uri / |
| 480 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 481 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 482 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 483 | 79 | 79 | ||
| 484 | 80 | 80 | ||
| 485 | 81 | listen cached-site1-local | 81 | listen cached-site1-local |
| 486 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt | |||
| 487 | index d87592f..af75f2c 100644 | |||
| 488 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt | |||
| 489 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt | |||
| 490 | @@ -1,81 +1,81 @@ | |||
| 491 | 1 | global | 1 | global |
| 503 | 2 | nbthread 4 | 2 | nbthread 4 |
| 504 | 3 | maxconn 24576 | 3 | maxconn 24576 |
| 505 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 506 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 507 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 508 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 509 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 510 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 511 | 10 | user haproxy | 10 | user haproxy |
| 512 | 11 | group haproxy | 11 | group haproxy |
| 513 | 12 | daemon | 12 | daemon |
| 514 | 13 | 13 | ||
| 518 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 519 | 15 | # and kill them off. | 15 | # and kill them off. |
| 520 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 521 | 17 | 17 | ||
| 525 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 526 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 527 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 528 | 21 | 21 | ||
| 538 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 539 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 540 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 541 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 542 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 543 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 544 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 545 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 546 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 547 | 31 | 31 | ||
| 556 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 557 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 558 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 559 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 560 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 561 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 562 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 563 | 39 | tune.ssl.cachesize 24576 | 39 | tune.ssl.cachesize 24576 |
| 564 | 40 | 40 | ||
| 565 | 41 | defaults | 41 | defaults |
| 584 | 42 | log global | 42 | log global |
| 585 | 43 | maxconn 8192 | 43 | maxconn 8192 |
| 586 | 44 | mode http | 44 | mode http |
| 587 | 45 | option dontlognull | 45 | option dontlognull |
| 588 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 589 | 47 | timeout client 50s | 47 | timeout client 50s |
| 590 | 48 | timeout server 50s | 48 | timeout server 50s |
| 591 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 592 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 593 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 594 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 595 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 596 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 597 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 598 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 599 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 600 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 601 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 602 | 60 | 60 | ||
| 603 | 61 | resolvers dns | 61 | resolvers dns |
| 609 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 610 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 611 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 612 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 613 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 614 | 67 | 67 | ||
| 615 | 68 | listen stats | 68 | listen stats |
| 619 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 620 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 621 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 622 | 72 | 72 | ||
| 629 | 73 | mode http | 73 | mode http |
| 630 | 74 | stats enable | 74 | stats enable |
| 631 | 75 | stats uri / | 75 | stats uri / |
| 632 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 633 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 634 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 635 | 79 | 79 | ||
| 636 | 80 | 80 | ||
| 637 | 81 | listen redirect-site1-local | 81 | listen redirect-site1-local |
| 638 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt | |||
| 639 | index 070f1b7..25b27e5 100644 | |||
| 640 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt | |||
| 641 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt | |||
| 642 | @@ -1,81 +1,81 @@ | |||
| 643 | 1 | global | 1 | global |
| 682 | 2 | nbthread 4 | 2 | nbthread 4 |
| 683 | 3 | maxconn 104000 | 3 | maxconn 104000 |
| 684 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 685 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 686 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 687 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 688 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 689 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 690 | 10 | user haproxy | 10 | user haproxy |
| 691 | 11 | group haproxy | 11 | group haproxy |
| 692 | 12 | daemon | 12 | daemon |
| 693 | 13 | 13 | ||
| 694 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 695 | 15 | # and kill them off. | 15 | # and kill them off. |
| 696 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 697 | 17 | 17 | ||
| 698 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 699 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 700 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 701 | 21 | 21 | ||
| 702 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 703 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 704 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 705 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 706 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 707 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 708 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 709 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 710 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 711 | 31 | 31 | ||
| 712 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 713 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 714 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 715 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 716 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 717 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 718 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 719 | 39 | tune.ssl.cachesize 104000 | 39 | tune.ssl.cachesize 104000 |
| 720 | 40 | 40 | ||
| 721 | 41 | defaults | 41 | defaults |
| 740 | 42 | log global | 42 | log global |
| 741 | 43 | maxconn 8000 | 43 | maxconn 8000 |
| 742 | 44 | mode http | 44 | mode http |
| 743 | 45 | option dontlognull | 45 | option dontlognull |
| 744 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 745 | 47 | timeout client 50s | 47 | timeout client 50s |
| 746 | 48 | timeout server 50s | 48 | timeout server 50s |
| 747 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 748 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 749 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 750 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 751 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 752 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 753 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 754 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 755 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 756 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 757 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 758 | 60 | 60 | ||
| 759 | 61 | resolvers dns | 61 | resolvers dns |
| 765 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 766 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 767 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 768 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 769 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 770 | 67 | 67 | ||
| 771 | 68 | listen stats | 68 | listen stats |
| 782 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 783 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 784 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 785 | 72 | 72 | ||
| 786 | 73 | mode http | 73 | mode http |
| 787 | 74 | stats enable | 74 | stats enable |
| 788 | 75 | stats uri / | 75 | stats uri / |
| 789 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 790 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 791 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 792 | 79 | 79 | ||
| 793 | 80 | 80 | ||
| 794 | 81 | listen combined-80 | 81 | listen combined-80 |
| 795 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt | |||
| 796 | index 4ad1982..d42878a 100644 | |||
| 797 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt | |||
| 798 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt | |||
| 799 | @@ -1,81 +1,81 @@ | |||
| 800 | 1 | global | 1 | global |
| 812 | 2 | nbthread 4 | 2 | nbthread 4 |
| 813 | 3 | maxconn 24576 | 3 | maxconn 24576 |
| 814 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 815 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 816 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 817 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 818 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 819 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 820 | 10 | user haproxy | 10 | user haproxy |
| 821 | 11 | group haproxy | 11 | group haproxy |
| 822 | 12 | daemon | 12 | daemon |
| 823 | 13 | 13 | ||
| 827 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 828 | 15 | # and kill them off. | 15 | # and kill them off. |
| 829 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 830 | 17 | 17 | ||
| 834 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 835 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 836 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 837 | 21 | 21 | ||
| 847 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 848 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 849 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 850 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 851 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 852 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 853 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 854 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 855 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 856 | 31 | 31 | ||
| 865 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 866 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 867 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 868 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 869 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 870 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 871 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 872 | 39 | tune.ssl.cachesize 24576 | 39 | tune.ssl.cachesize 24576 |
| 873 | 40 | 40 | ||
| 874 | 41 | defaults | 41 | defaults |
| 893 | 42 | log global | 42 | log global |
| 894 | 43 | maxconn 8192 | 43 | maxconn 8192 |
| 895 | 44 | mode http | 44 | mode http |
| 896 | 45 | option dontlognull | 45 | option dontlognull |
| 897 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 898 | 47 | timeout client 50s | 47 | timeout client 50s |
| 899 | 48 | timeout server 50s | 48 | timeout server 50s |
| 900 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 901 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 902 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 903 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 904 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 905 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 906 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 907 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 908 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 909 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 910 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 911 | 60 | 60 | ||
| 912 | 61 | resolvers dns | 61 | resolvers dns |
| 918 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 919 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 920 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 921 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 922 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 923 | 67 | 67 | ||
| 924 | 68 | listen stats | 68 | listen stats |
| 928 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 929 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 930 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 931 | 72 | 72 | ||
| 938 | 73 | mode http | 73 | mode http |
| 939 | 74 | stats enable | 74 | stats enable |
| 940 | 75 | stats uri / | 75 | stats uri / |
| 941 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 942 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 943 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 944 | 79 | 79 | ||
| 945 | 80 | 80 | ||
| 946 | 81 | listen cached-site1-local | 81 | listen cached-site1-local |
| 947 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt | |||
| 948 | index 14380ea..c17ee47 100644 | |||
| 949 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt | |||
| 950 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt | |||
| 951 | @@ -1,81 +1,81 @@ | |||
| 952 | 1 | global | 1 | global |
| 991 | 2 | nbthread 4 | 2 | nbthread 4 |
| 992 | 3 | maxconn 106496 | 3 | maxconn 106496 |
| 993 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 994 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 995 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 996 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 997 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 998 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 999 | 10 | user haproxy | 10 | user haproxy |
| 1000 | 11 | group haproxy | 11 | group haproxy |
| 1001 | 12 | daemon | 12 | daemon |
| 1002 | 13 | 13 | ||
| 1003 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 1004 | 15 | # and kill them off. | 15 | # and kill them off. |
| 1005 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 1006 | 17 | 17 | ||
| 1007 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 1008 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 1009 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 1010 | 21 | 21 | ||
| 1011 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 1012 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 1013 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 1014 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 1015 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 1016 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 1017 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 1018 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 1019 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 1020 | 31 | 31 | ||
| 1021 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 1022 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 1023 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 1024 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 1025 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 1026 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 1027 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 1028 | 39 | tune.ssl.cachesize 106496 | 39 | tune.ssl.cachesize 106496 |
| 1029 | 40 | 40 | ||
| 1030 | 41 | defaults | 41 | defaults |
| 1049 | 42 | log global | 42 | log global |
| 1050 | 43 | maxconn 8192 | 43 | maxconn 8192 |
| 1051 | 44 | mode http | 44 | mode http |
| 1052 | 45 | option dontlognull | 45 | option dontlognull |
| 1053 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 1054 | 47 | timeout client 50s | 47 | timeout client 50s |
| 1055 | 48 | timeout server 50s | 48 | timeout server 50s |
| 1056 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 1057 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 1058 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 1059 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 1060 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 1061 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 1062 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 1063 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 1064 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 1065 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 1066 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 1067 | 60 | 60 | ||
| 1068 | 61 | resolvers dns | 61 | resolvers dns |
| 1074 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 1075 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 1076 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 1077 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 1078 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 1079 | 67 | 67 | ||
| 1080 | 68 | listen stats | 68 | listen stats |
| 1091 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 1092 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 1093 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 1094 | 72 | 72 | ||
| 1095 | 73 | mode http | 73 | mode http |
| 1096 | 74 | stats enable | 74 | stats enable |
| 1097 | 75 | stats uri / | 75 | stats uri / |
| 1098 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 1099 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 1100 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 1101 | 79 | 79 | ||
| 1102 | 80 | 80 | ||
| 1103 | 81 | listen combined-80 | 81 | listen combined-80 |
| 1104 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt | |||
| 1105 | index 72d1109..a27ff31 100644 | |||
| 1106 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt | |||
| 1107 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt | |||
| 1108 | @@ -1,82 +1,82 @@ | |||
| 1109 | 1 | global | 1 | global |
| 1149 | 2 | nbproc 3 | 2 | nbproc 3 |
| 1150 | 3 | nbthread 10 | 3 | nbthread 10 |
| 1151 | 4 | maxconn 260000 | 4 | maxconn 260000 |
| 1152 | 5 | log /dev/log local0 | 5 | log /dev/log local0 |
| 1153 | 6 | log /dev/log local1 notice | 6 | log /dev/log local1 notice |
| 1154 | 7 | chroot /var/lib/haproxy | 7 | chroot /var/lib/haproxy |
| 1155 | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 1156 | 9 | stats timeout 30s | 9 | stats timeout 30s |
| 1157 | 10 | server-state-file /run/haproxy/saved-server-state | 10 | server-state-file /run/haproxy/saved-server-state |
| 1158 | 11 | user haproxy | 11 | user haproxy |
| 1159 | 12 | group haproxy | 12 | group haproxy |
| 1160 | 13 | daemon | 13 | daemon |
| 1161 | 14 | 14 | ||
| 1162 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 1163 | 16 | # and kill them off. | 16 | # and kill them off. |
| 1164 | 17 | hard-stop-after 15m | 17 | hard-stop-after 15m |
| 1165 | 18 | 18 | ||
| 1166 | 19 | # Default SSL material locations | 19 | # Default SSL material locations |
| 1167 | 20 | ca-base /etc/ssl/certs | 20 | ca-base /etc/ssl/certs |
| 1168 | 21 | crt-base /etc/ssl/private | 21 | crt-base /etc/ssl/private |
| 1169 | 22 | 22 | ||
| 1170 | 23 | # Default ciphers to use on SSL-enabled listening sockets. | 23 | # Default ciphers to use on SSL-enabled listening sockets. |
| 1171 | 24 | # For more information, see ciphers(1SSL). This list is from: | 24 | # For more information, see ciphers(1SSL). This list is from: |
| 1172 | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 1173 | 26 | # An alternative list with additional directives can be obtained from | 26 | # An alternative list with additional directives can be obtained from |
| 1174 | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 1175 | 28 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 28 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 1176 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 1177 | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 1178 | 31 | tune.ssl.default-dh-param 2048 | 31 | tune.ssl.default-dh-param 2048 |
| 1179 | 32 | 32 | ||
| 1180 | 33 | # Increase the SSL/TLS session cache from the default 20k. But | 33 | # Increase the SSL/TLS session cache from the default 20k. But |
| 1181 | 34 | # rather than hardcode values, let's just set it to match | 34 | # rather than hardcode values, let's just set it to match |
| 1182 | 35 | # global_max_connections (which by default is calculated using | 35 | # global_max_connections (which by default is calculated using |
| 1183 | 36 | # num. of CPU cores and num. of configured sites). Each entry | 36 | # num. of CPU cores and num. of configured sites). Each entry |
| 1184 | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 1185 | 38 | # each with 2000 max conns will only consume around 122 Mbytes | 38 | # each with 2000 max conns will only consume around 122 Mbytes |
| 1186 | 39 | # (32 * 10 * 2000 * 200), which is not much. | 39 | # (32 * 10 * 2000 * 200), which is not much. |
| 1187 | 40 | tune.ssl.cachesize 260000 | 40 | tune.ssl.cachesize 260000 |
| 1188 | 41 | 41 | ||
| 1189 | 42 | defaults | 42 | defaults |
| 1208 | 43 | log global | 43 | log global |
| 1209 | 44 | maxconn 20000 | 44 | maxconn 20000 |
| 1210 | 45 | mode http | 45 | mode http |
| 1211 | 46 | option dontlognull | 46 | option dontlognull |
| 1212 | 47 | timeout connect 5s | 47 | timeout connect 5s |
| 1213 | 48 | timeout client 50s | 48 | timeout client 50s |
| 1214 | 49 | timeout server 50s | 49 | timeout server 50s |
| 1215 | 50 | errorfile 400 /etc/haproxy/errors/400.http | 50 | errorfile 400 /etc/haproxy/errors/400.http |
| 1216 | 51 | errorfile 403 /etc/haproxy/errors/403.http | 51 | errorfile 403 /etc/haproxy/errors/403.http |
| 1217 | 52 | errorfile 408 /etc/haproxy/errors/408.http | 52 | errorfile 408 /etc/haproxy/errors/408.http |
| 1218 | 53 | errorfile 500 /etc/haproxy/errors/500.http | 53 | errorfile 500 /etc/haproxy/errors/500.http |
| 1219 | 54 | errorfile 502 /etc/haproxy/errors/502.http | 54 | errorfile 502 /etc/haproxy/errors/502.http |
| 1220 | 55 | errorfile 503 /etc/haproxy/errors/503.http | 55 | errorfile 503 /etc/haproxy/errors/503.http |
| 1221 | 56 | errorfile 504 /etc/haproxy/errors/504.http | 56 | errorfile 504 /etc/haproxy/errors/504.http |
| 1222 | 57 | load-server-state-from-file global | 57 | load-server-state-from-file global |
| 1223 | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 1224 | 59 | unique-id-header X-Cache-Request-ID | 59 | unique-id-header X-Cache-Request-ID |
| 1225 | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 1226 | 61 | 61 | ||
| 1227 | 62 | resolvers dns | 62 | resolvers dns |
| 1233 | 63 | nameserver dns1 127.0.0.53:53 | 63 | nameserver dns1 127.0.0.53:53 |
| 1234 | 64 | resolve_retries 3 | 64 | resolve_retries 3 |
| 1235 | 65 | timeout resolve 3s | 65 | timeout resolve 3s |
| 1236 | 66 | timeout retry 3s | 66 | timeout retry 3s |
| 1237 | 67 | accepted_payload_size 8192 | 67 | accepted_payload_size 8192 |
| 1238 | 68 | 68 | ||
| 1239 | 69 | listen stats | 69 | listen stats |
| 1250 | 70 | bind 127.0.0.1:10000 | 70 | bind 127.0.0.1:10000 |
| 1251 | 71 | acl allowed_cidr src 127.0.0.0/8 | 71 | acl allowed_cidr src 127.0.0.0/8 |
| 1252 | 72 | http-request deny unless allowed_cidr | 72 | http-request deny unless allowed_cidr |
| 1253 | 73 | 73 | ||
| 1254 | 74 | mode http | 74 | mode http |
| 1255 | 75 | stats enable | 75 | stats enable |
| 1256 | 76 | stats uri / | 76 | stats uri / |
| 1257 | 77 | stats realm Haproxy\ Statistics | 77 | stats realm Haproxy\ Statistics |
| 1258 | 78 | stats auth haproxy:biometricsarenotsecret | 78 | stats auth haproxy:biometricsarenotsecret |
| 1259 | 79 | stats refresh 3 | 79 | stats refresh 3 |
| 1260 | 80 | 80 | ||
| 1261 | 81 | 81 | ||
| 1262 | 82 | listen combined-80 | 82 | listen combined-80 |
| 1263 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt | |||
| 1264 | index 015bc9c..2a6ee1a 100644 | |||
| 1265 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt | |||
| 1266 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt | |||
| 1267 | @@ -1,81 +1,81 @@ | |||
| 1268 | 1 | global | 1 | global |
| 1307 | 2 | nbthread 30 | 2 | nbthread 30 |
| 1308 | 3 | maxconn 524288 | 3 | maxconn 524288 |
| 1309 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 1310 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 1311 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 1312 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 1313 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 1314 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 1315 | 10 | user haproxy | 10 | user haproxy |
| 1316 | 11 | group haproxy | 11 | group haproxy |
| 1317 | 12 | daemon | 12 | daemon |
| 1318 | 13 | 13 | ||
| 1319 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 1320 | 15 | # and kill them off. | 15 | # and kill them off. |
| 1321 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 1322 | 17 | 17 | ||
| 1323 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 1324 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 1325 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 1326 | 21 | 21 | ||
| 1327 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 1328 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 1329 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 1330 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 1331 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 1332 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 1333 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 1334 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 1335 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 1336 | 31 | 31 | ||
| 1337 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 1338 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 1339 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 1340 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 1341 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 1342 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 1343 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 1344 | 39 | tune.ssl.cachesize 524288 | 39 | tune.ssl.cachesize 524288 |
| 1345 | 40 | 40 | ||
| 1346 | 41 | defaults | 41 | defaults |
| 1365 | 42 | log global | 42 | log global |
| 1366 | 43 | maxconn 60000 | 43 | maxconn 60000 |
| 1367 | 44 | mode http | 44 | mode http |
| 1368 | 45 | option dontlognull | 45 | option dontlognull |
| 1369 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 1370 | 47 | timeout client 50s | 47 | timeout client 50s |
| 1371 | 48 | timeout server 50s | 48 | timeout server 50s |
| 1372 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 1373 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 1374 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 1375 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 1376 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 1377 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 1378 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 1379 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 1380 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 1381 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 1382 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 1383 | 60 | 60 | ||
| 1384 | 61 | resolvers dns | 61 | resolvers dns |
| 1390 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 1391 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 1392 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 1393 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 1394 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 1395 | 67 | 67 | ||
| 1396 | 68 | listen stats | 68 | listen stats |
| 1407 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 1408 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 1409 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 1410 | 72 | 72 | ||
| 1411 | 73 | mode http | 73 | mode http |
| 1412 | 74 | stats enable | 74 | stats enable |
| 1413 | 75 | stats uri / | 75 | stats uri / |
| 1414 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 1415 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 1416 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 1417 | 79 | 79 | ||
| 1418 | 80 | 80 | ||
| 1419 | 81 | listen combined-80 | 81 | listen combined-80 |
| 1420 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt | |||
| 1421 | index bc80f29..8a219b5 100644 | |||
| 1422 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt | |||
| 1423 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt | |||
| 1424 | @@ -1,81 +1,81 @@ | |||
| 1425 | 1 | global | 1 | global |
| 1437 | 2 | nbthread 4 | 2 | nbthread 4 |
| 1438 | 3 | maxconn 16384 | 3 | maxconn 16384 |
| 1439 | 4 | log /dev/log local0 | 4 | log /dev/log local0 |
| 1440 | 5 | log /dev/log local1 notice | 5 | log /dev/log local1 notice |
| 1441 | 6 | chroot /var/lib/haproxy | 6 | chroot /var/lib/haproxy |
| 1442 | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 7 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 1443 | 8 | stats timeout 30s | 8 | stats timeout 30s |
| 1444 | 9 | server-state-file /run/haproxy/saved-server-state | 9 | server-state-file /run/haproxy/saved-server-state |
| 1445 | 10 | user haproxy | 10 | user haproxy |
| 1446 | 11 | group haproxy | 11 | group haproxy |
| 1447 | 12 | daemon | 12 | daemon |
| 1448 | 13 | 13 | ||
| 1452 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 14 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 1453 | 15 | # and kill them off. | 15 | # and kill them off. |
| 1454 | 16 | hard-stop-after 15m | 16 | hard-stop-after 15m |
| 1455 | 17 | 17 | ||
| 1459 | 18 | # Default SSL material locations | 18 | # Default SSL material locations |
| 1460 | 19 | ca-base /etc/ssl/certs | 19 | ca-base /etc/ssl/certs |
| 1461 | 20 | crt-base /etc/ssl/private | 20 | crt-base /etc/ssl/private |
| 1462 | 21 | 21 | ||
| 1472 | 22 | # Default ciphers to use on SSL-enabled listening sockets. | 22 | # Default ciphers to use on SSL-enabled listening sockets. |
| 1473 | 23 | # For more information, see ciphers(1SSL). This list is from: | 23 | # For more information, see ciphers(1SSL). This list is from: |
| 1474 | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 24 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 1475 | 25 | # An alternative list with additional directives can be obtained from | 25 | # An alternative list with additional directives can be obtained from |
| 1476 | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 26 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 1477 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 | 27 | ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
| 1478 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 28 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 1479 | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 29 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 1480 | 30 | tune.ssl.default-dh-param 2048 | 30 | tune.ssl.default-dh-param 2048 |
| 1481 | 31 | 31 | ||
| 1490 | 32 | # Increase the SSL/TLS session cache from the default 20k. But | 32 | # Increase the SSL/TLS session cache from the default 20k. But |
| 1491 | 33 | # rather than hardcode values, let's just set it to match | 33 | # rather than hardcode values, let's just set it to match |
| 1492 | 34 | # global_max_connections (which by default is calculated using | 34 | # global_max_connections (which by default is calculated using |
| 1493 | 35 | # num. of CPU cores and num. of configured sites). Each entry | 35 | # num. of CPU cores and num. of configured sites). Each entry |
| 1494 | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 36 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 1495 | 37 | # each with 2000 max conns will only consume around 122 Mbytes | 37 | # each with 2000 max conns will only consume around 122 Mbytes |
| 1496 | 38 | # (32 * 10 * 2000 * 200), which is not much. | 38 | # (32 * 10 * 2000 * 200), which is not much. |
| 1497 | 39 | tune.ssl.cachesize 16384 | 39 | tune.ssl.cachesize 16384 |
| 1498 | 40 | 40 | ||
| 1499 | 41 | defaults | 41 | defaults |
| 1518 | 42 | log global | 42 | log global |
| 1519 | 43 | maxconn 8192 | 43 | maxconn 8192 |
| 1520 | 44 | mode http | 44 | mode http |
| 1521 | 45 | option dontlognull | 45 | option dontlognull |
| 1522 | 46 | timeout connect 5s | 46 | timeout connect 5s |
| 1523 | 47 | timeout client 50s | 47 | timeout client 50s |
| 1524 | 48 | timeout server 50s | 48 | timeout server 50s |
| 1525 | 49 | errorfile 400 /etc/haproxy/errors/400.http | 49 | errorfile 400 /etc/haproxy/errors/400.http |
| 1526 | 50 | errorfile 403 /etc/haproxy/errors/403.http | 50 | errorfile 403 /etc/haproxy/errors/403.http |
| 1527 | 51 | errorfile 408 /etc/haproxy/errors/408.http | 51 | errorfile 408 /etc/haproxy/errors/408.http |
| 1528 | 52 | errorfile 500 /etc/haproxy/errors/500.http | 52 | errorfile 500 /etc/haproxy/errors/500.http |
| 1529 | 53 | errorfile 502 /etc/haproxy/errors/502.http | 53 | errorfile 502 /etc/haproxy/errors/502.http |
| 1530 | 54 | errorfile 503 /etc/haproxy/errors/503.http | 54 | errorfile 503 /etc/haproxy/errors/503.http |
| 1531 | 55 | errorfile 504 /etc/haproxy/errors/504.http | 55 | errorfile 504 /etc/haproxy/errors/504.http |
| 1532 | 56 | load-server-state-from-file global | 56 | load-server-state-from-file global |
| 1533 | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 57 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 1534 | 58 | unique-id-header X-Cache-Request-ID | 58 | unique-id-header X-Cache-Request-ID |
| 1535 | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 59 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 1536 | 60 | 60 | ||
| 1537 | 61 | resolvers dns | 61 | resolvers dns |
| 1543 | 62 | nameserver dns1 127.0.0.53:53 | 62 | nameserver dns1 127.0.0.53:53 |
| 1544 | 63 | resolve_retries 3 | 63 | resolve_retries 3 |
| 1545 | 64 | timeout resolve 3s | 64 | timeout resolve 3s |
| 1546 | 65 | timeout retry 3s | 65 | timeout retry 3s |
| 1547 | 66 | accepted_payload_size 8192 | 66 | accepted_payload_size 8192 |
| 1548 | 67 | 67 | ||
| 1549 | 68 | listen stats | 68 | listen stats |
| 1553 | 69 | bind 127.0.0.1:10000 | 69 | bind 127.0.0.1:10000 |
| 1554 | 70 | acl allowed_cidr src 127.0.0.0/8 | 70 | acl allowed_cidr src 127.0.0.0/8 |
| 1555 | 71 | http-request deny unless allowed_cidr | 71 | http-request deny unless allowed_cidr |
| 1556 | 72 | 72 | ||
| 1563 | 73 | mode http | 73 | mode http |
| 1564 | 74 | stats enable | 74 | stats enable |
| 1565 | 75 | stats uri / | 75 | stats uri / |
| 1566 | 76 | stats realm Haproxy\ Statistics | 76 | stats realm Haproxy\ Statistics |
| 1567 | 77 | stats auth haproxy:biometricsarenotsecret | 77 | stats auth haproxy:biometricsarenotsecret |
| 1568 | 78 | stats refresh 3 | 78 | stats refresh 3 |
| 1569 | 79 | 79 | ||
| 1570 | 80 | 80 | ||
| 1571 | 81 | listen cached-site1-local | 81 | listen cached-site1-local |
| 1572 | diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt | |||
| 1573 | index 8badf52..dd6b279 100644 | |||
| 1574 | --- a/tests/unit/files/haproxy_config_rendered_test_output.txt | |||
| 1575 | +++ b/tests/unit/files/haproxy_config_rendered_test_output.txt | |||
| 1576 | @@ -1,82 +1,82 @@ | |||
| 1577 | 1 | global | 1 | global |
| 1617 | 2 | nbproc 2 | 2 | nbproc 2 |
| 1618 | 3 | nbthread 4 | 3 | nbthread 4 |
| 1619 | 4 | maxconn 15000 | 4 | maxconn 15000 |
| 1620 | 5 | log /dev/log local0 | 5 | log /dev/log local0 |
| 1621 | 6 | log /dev/log local1 notice | 6 | log /dev/log local1 notice |
| 1622 | 7 | chroot /var/lib/haproxy | 7 | chroot /var/lib/haproxy |
| 1623 | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 1624 | 9 | stats timeout 30s | 9 | stats timeout 30s |
| 1625 | 10 | server-state-file /run/haproxy/saved-server-state | 10 | server-state-file /run/haproxy/saved-server-state |
| 1626 | 11 | user haproxy | 11 | user haproxy |
| 1627 | 12 | group haproxy | 12 | group haproxy |
| 1628 | 13 | daemon | 13 | daemon |
| 1629 | 14 | 14 | ||
| 1630 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 1631 | 16 | # and kill them off. | 16 | # and kill them off. |
| 1632 | 17 | hard-stop-after 5m | 17 | hard-stop-after 5m |
| 1633 | 18 | 18 | ||
| 1634 | 19 | # Default SSL material locations | 19 | # Default SSL material locations |
| 1635 | 20 | ca-base /etc/ssl/certs | 20 | ca-base /etc/ssl/certs |
| 1636 | 21 | crt-base /etc/ssl/private | 21 | crt-base /etc/ssl/private |
| 1637 | 22 | 22 | ||
| 1638 | 23 | # Default ciphers to use on SSL-enabled listening sockets. | 23 | # Default ciphers to use on SSL-enabled listening sockets. |
| 1639 | 24 | # For more information, see ciphers(1SSL). This list is from: | 24 | # For more information, see ciphers(1SSL). This list is from: |
| 1640 | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 1641 | 26 | # An alternative list with additional directives can be obtained from | 26 | # An alternative list with additional directives can be obtained from |
| 1642 | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 1643 | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
| 1644 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 1645 | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 1646 | 31 | tune.ssl.default-dh-param 2048 | 31 | tune.ssl.default-dh-param 2048 |
| 1647 | 32 | 32 | ||
| 1648 | 33 | # Increase the SSL/TLS session cache from the default 20k. But | 33 | # Increase the SSL/TLS session cache from the default 20k. But |
| 1649 | 34 | # rather than hardcode values, let's just set it to match | 34 | # rather than hardcode values, let's just set it to match |
| 1650 | 35 | # global_max_connections (which by default is calculated using | 35 | # global_max_connections (which by default is calculated using |
| 1651 | 36 | # num. of CPU cores and num. of configured sites). Each entry | 36 | # num. of CPU cores and num. of configured sites). Each entry |
| 1652 | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 1653 | 38 | # each with 2000 max conns will only consume around 122 Mbytes | 38 | # each with 2000 max conns will only consume around 122 Mbytes |
| 1654 | 39 | # (32 * 10 * 2000 * 200), which is not much. | 39 | # (32 * 10 * 2000 * 200), which is not much. |
| 1655 | 40 | tune.ssl.cachesize 15000 | 40 | tune.ssl.cachesize 15000 |
| 1656 | 41 | 41 | ||
| 1657 | 42 | defaults | 42 | defaults |
| 1676 | 43 | log global | 43 | log global |
| 1677 | 44 | maxconn 5000 | 44 | maxconn 5000 |
| 1678 | 45 | mode http | 45 | mode http |
| 1679 | 46 | option dontlognull | 46 | option dontlognull |
| 1680 | 47 | timeout connect 5s | 47 | timeout connect 5s |
| 1681 | 48 | timeout client 50s | 48 | timeout client 50s |
| 1682 | 49 | timeout server 50s | 49 | timeout server 50s |
| 1683 | 50 | errorfile 400 /etc/haproxy/errors/400.http | 50 | errorfile 400 /etc/haproxy/errors/400.http |
| 1684 | 51 | errorfile 403 /etc/haproxy/errors/403.http | 51 | errorfile 403 /etc/haproxy/errors/403.http |
| 1685 | 52 | errorfile 408 /etc/haproxy/errors/408.http | 52 | errorfile 408 /etc/haproxy/errors/408.http |
| 1686 | 53 | errorfile 500 /etc/haproxy/errors/500.http | 53 | errorfile 500 /etc/haproxy/errors/500.http |
| 1687 | 54 | errorfile 502 /etc/haproxy/errors/502.http | 54 | errorfile 502 /etc/haproxy/errors/502.http |
| 1688 | 55 | errorfile 503 /etc/haproxy/errors/503.http | 55 | errorfile 503 /etc/haproxy/errors/503.http |
| 1689 | 56 | errorfile 504 /etc/haproxy/errors/504.http | 56 | errorfile 504 /etc/haproxy/errors/504.http |
| 1690 | 57 | load-server-state-from-file global | 57 | load-server-state-from-file global |
| 1691 | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 1692 | 59 | unique-id-header X-Cache-Request-ID | 59 | unique-id-header X-Cache-Request-ID |
| 1693 | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 1694 | 61 | 61 | ||
| 1695 | 62 | resolvers dns | 62 | resolvers dns |
| 1701 | 63 | nameserver dns1 127.0.0.53:53 | 63 | nameserver dns1 127.0.0.53:53 |
| 1702 | 64 | resolve_retries 3 | 64 | resolve_retries 3 |
| 1703 | 65 | timeout resolve 3s | 65 | timeout resolve 3s |
| 1704 | 66 | timeout retry 3s | 66 | timeout retry 3s |
| 1705 | 67 | accepted_payload_size 8192 | 67 | accepted_payload_size 8192 |
| 1706 | 68 | 68 | ||
| 1707 | 69 | listen stats | 69 | listen stats |
| 1718 | 70 | bind 127.0.0.1:10000 | 70 | bind 127.0.0.1:10000 |
| 1719 | 71 | acl allowed_cidr src 127.0.0.0/8 | 71 | acl allowed_cidr src 127.0.0.0/8 |
| 1720 | 72 | http-request deny unless allowed_cidr | 72 | http-request deny unless allowed_cidr |
| 1721 | 73 | 73 | ||
| 1722 | 74 | mode http | 74 | mode http |
| 1723 | 75 | stats enable | 75 | stats enable |
| 1724 | 76 | stats uri / | 76 | stats uri / |
| 1725 | 77 | stats realm Haproxy\ Statistics | 77 | stats realm Haproxy\ Statistics |
| 1726 | 78 | stats auth haproxy:biometricsarenotsecret | 78 | stats auth haproxy:biometricsarenotsecret |
| 1727 | 79 | stats refresh 3 | 79 | stats refresh 3 |
| 1728 | 80 | 80 | ||
| 1729 | 81 | 81 | ||
| 1730 | 82 | listen combined-80 | 82 | listen combined-80 |
| 1731 | diff --git a/tests/unit/files/haproxy_config_rendered_test_output2.txt b/tests/unit/files/haproxy_config_rendered_test_output2.txt | |||
| 1732 | index 61a329c..4620899 100644 | |||
| 1733 | --- a/tests/unit/files/haproxy_config_rendered_test_output2.txt | |||
| 1734 | +++ b/tests/unit/files/haproxy_config_rendered_test_output2.txt | |||
| 1735 | @@ -1,82 +1,82 @@ | |||
| 1736 | 1 | global | 1 | global |
| 1776 | 2 | nbproc 2 | 2 | nbproc 2 |
| 1777 | 3 | nbthread 4 | 3 | nbthread 4 |
| 1778 | 4 | maxconn 8192 | 4 | maxconn 8192 |
| 1779 | 5 | log /dev/log local0 | 5 | log /dev/log local0 |
| 1780 | 6 | log /dev/log local1 notice | 6 | log /dev/log local1 notice |
| 1781 | 7 | chroot /var/lib/haproxy | 7 | chroot /var/lib/haproxy |
| 1782 | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | 8 | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
| 1783 | 9 | stats timeout 30s | 9 | stats timeout 30s |
| 1784 | 10 | server-state-file /run/haproxy/saved-server-state | 10 | server-state-file /run/haproxy/saved-server-state |
| 1785 | 11 | user haproxy | 11 | user haproxy |
| 1786 | 12 | group haproxy | 12 | group haproxy |
| 1787 | 13 | daemon | 13 | daemon |
| 1788 | 14 | 14 | ||
| 1789 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 | 15 | # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
| 1790 | 16 | # and kill them off. | 16 | # and kill them off. |
| 1791 | 17 | hard-stop-after 5m | 17 | hard-stop-after 5m |
| 1792 | 18 | 18 | ||
| 1793 | 19 | # Default SSL material locations | 19 | # Default SSL material locations |
| 1794 | 20 | ca-base /etc/ssl/certs | 20 | ca-base /etc/ssl/certs |
| 1795 | 21 | crt-base /etc/ssl/private | 21 | crt-base /etc/ssl/private |
| 1796 | 22 | 22 | ||
| 1797 | 23 | # Default ciphers to use on SSL-enabled listening sockets. | 23 | # Default ciphers to use on SSL-enabled listening sockets. |
| 1798 | 24 | # For more information, see ciphers(1SSL). This list is from: | 24 | # For more information, see ciphers(1SSL). This list is from: |
| 1799 | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | 25 | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 1800 | 26 | # An alternative list with additional directives can be obtained from | 26 | # An alternative list with additional directives can be obtained from |
| 1801 | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | 27 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
| 1802 | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS | 28 | ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
| 1803 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | 29 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
| 1804 | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params | 30 | # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
| 1805 | 31 | tune.ssl.default-dh-param 2048 | 31 | tune.ssl.default-dh-param 2048 |
| 1806 | 32 | 32 | ||
| 1807 | 33 | # Increase the SSL/TLS session cache from the default 20k. But | 33 | # Increase the SSL/TLS session cache from the default 20k. But |
| 1808 | 34 | # rather than hardcode values, let's just set it to match | 34 | # rather than hardcode values, let's just set it to match |
| 1809 | 35 | # global_max_connections (which by default is calculated using | 35 | # global_max_connections (which by default is calculated using |
| 1810 | 36 | # num. of CPU cores and num. of configured sites). Each entry | 36 | # num. of CPU cores and num. of configured sites). Each entry |
| 1811 | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, | 37 | # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
| 1812 | 38 | # each with 2000 max conns will only consume around 122 Mbytes | 38 | # each with 2000 max conns will only consume around 122 Mbytes |
| 1813 | 39 | # (32 * 10 * 2000 * 200), which is not much. | 39 | # (32 * 10 * 2000 * 200), which is not much. |
| 1814 | 40 | tune.ssl.cachesize 8192 | 40 | tune.ssl.cachesize 8192 |
| 1815 | 41 | 41 | ||
| 1816 | 42 | defaults | 42 | defaults |
| 1835 | 43 | log global | 43 | log global |
| 1836 | 44 | maxconn 5000 | 44 | maxconn 5000 |
| 1837 | 45 | mode http | 45 | mode http |
| 1838 | 46 | option dontlognull | 46 | option dontlognull |
| 1839 | 47 | timeout connect 5s | 47 | timeout connect 5s |
| 1840 | 48 | timeout client 50s | 48 | timeout client 50s |
| 1841 | 49 | timeout server 50s | 49 | timeout server 50s |
| 1842 | 50 | errorfile 400 /etc/haproxy/errors/400.http | 50 | errorfile 400 /etc/haproxy/errors/400.http |
| 1843 | 51 | errorfile 403 /etc/haproxy/errors/403.http | 51 | errorfile 403 /etc/haproxy/errors/403.http |
| 1844 | 52 | errorfile 408 /etc/haproxy/errors/408.http | 52 | errorfile 408 /etc/haproxy/errors/408.http |
| 1845 | 53 | errorfile 500 /etc/haproxy/errors/500.http | 53 | errorfile 500 /etc/haproxy/errors/500.http |
| 1846 | 54 | errorfile 502 /etc/haproxy/errors/502.http | 54 | errorfile 502 /etc/haproxy/errors/502.http |
| 1847 | 55 | errorfile 503 /etc/haproxy/errors/503.http | 55 | errorfile 503 /etc/haproxy/errors/503.http |
| 1848 | 56 | errorfile 504 /etc/haproxy/errors/504.http | 56 | errorfile 504 /etc/haproxy/errors/504.http |
| 1849 | 57 | load-server-state-from-file global | 57 | load-server-state-from-file global |
| 1850 | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid | 58 | unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
| 1851 | 59 | unique-id-header X-Cache-Request-ID | 59 | unique-id-header X-Cache-Request-ID |
| 1852 | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" | 60 | log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
| 1853 | 61 | 61 | ||
| 1854 | 62 | resolvers dns | 62 | resolvers dns |
| 1860 | 63 | nameserver dns1 127.0.0.53:53 | 63 | nameserver dns1 127.0.0.53:53 |
| 1861 | 64 | resolve_retries 3 | 64 | resolve_retries 3 |
| 1862 | 65 | timeout resolve 3s | 65 | timeout resolve 3s |
| 1863 | 66 | timeout retry 3s | 66 | timeout retry 3s |
| 1864 | 67 | accepted_payload_size 8192 | 67 | accepted_payload_size 8192 |
| 1865 | 68 | 68 | ||
| 1866 | 69 | listen stats | 69 | listen stats |
| 1877 | 70 | bind 127.0.0.1:10000 | 70 | bind 127.0.0.1:10000 |
| 1878 | 71 | acl allowed_cidr src 127.0.0.0/8 | 71 | acl allowed_cidr src 127.0.0.0/8 |
| 1879 | 72 | http-request deny unless allowed_cidr | 72 | http-request deny unless allowed_cidr |
| 1880 | 73 | 73 | ||
| 1881 | 74 | mode http | 74 | mode http |
| 1882 | 75 | stats enable | 75 | stats enable |
| 1883 | 76 | stats uri / | 76 | stats uri / |
| 1884 | 77 | stats realm Haproxy\ Statistics | 77 | stats realm Haproxy\ Statistics |
| 1885 | 78 | stats auth haproxy:biometricsarenotsecret | 78 | stats auth haproxy:biometricsarenotsecret |
| 1886 | 79 | stats refresh 3 | 79 | stats refresh 3 |
| 1887 | 80 | 80 | ||
| 1888 | 81 | 81 | ||
| 1889 | 82 | listen combined-80 | 82 | listen combined-80 |
This merge proposal is being monitored by mergebot. Change the status to Approved to merge.