# HAProxy configuration for Baserock Project front-end proxy.
# Process-wide settings: connection cap, daemonisation, privilege drop,
# logging, the runtime admin socket and the TLS defaults applied to every
# 'ssl' bind line in the frontends below.
global
# Hard upper bound on concurrent connections for the whole process.
maxconn 4000
# Detach into the background after start-up; the pid is written so the
# init system can find the process.
daemon
pidfile /var/run/haproxy.pid
# Identity the process switches to after the listening sockets are bound,
# so the long-running proxy does not keep root.
user haproxy
group haproxy
# Send log lines to the local syslog socket under facility local0.
log /dev/log local0
# Runtime stats/admin socket. No 'mode' or 'level' is given, so access is
# governed only by the socket's filesystem permissions and HAProxy's default
# privilege level applies — NOTE(review): confirm who can open this path,
# since the socket can change server state at runtime.
stats socket /var/lib/haproxy/stats
# Maximum number of bits used when generating temporary
# keys for DHE key exchange. Higher values involve more CPU
# usage, lower values are less secure. HAProxy's default is
# 1024, which is too low and HAProxy actually warns if you use
# the default.
tune.ssl.default-dh-param 2048
# Cipher preference for every TLS bind. The first two groups are AEAD
# (AES-GCM) suites with forward secrecy; the last two (AES256+EECDH,
# AES256+EDH) also admit CBC-mode suites with HMAC-SHA1/SHA2 MACs.
# Protocol versions are not restricted here: 'no-sslv3' is set on the bind
# line in frontend https-in, but TLS 1.0/1.1 stay enabled unless a global
# 'ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11' is added.
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Settings inherited by every frontend and backend that does not override
# them. Everything is HTTP unless a section switches to 'mode tcp'.
defaults
mode http
# Connect to a backend server within 5s; idle client/server sides within 50s.
# The SSH sections below override the 50s values with much longer ones.
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
# Use the global syslog target with the detailed HTTP log format.
log global
option httplog
# NOTE(review): no 'option forwardfor' is set, so backends only see the
# proxy's address as the client IP; their own access logs will not record
# the real client unless that option (or an equivalent header) is added.
# Plain-HTTP listener. It serves nothing itself; every request is bounced
# to the HTTPS frontend below.
frontend http-in
# All HTTP traffic is redirected to HTTPS using the '301 Moved' HTTP code.
bind *:80
redirect scheme https code 301
# TLS-terminating HTTPS listener that routes by Host header to the
# per-service HTTP backends below.
frontend https-in
# We do 'SSL termination' with HAProxy. So secure requests are received in
# the frontend, then decrypted and sent over HTTP on the internal network.
# This means we only need to have the certificate in one place, and the
# configuration of the other instances is simpler. It does mean that we
# need to avoid having any insecure machines in the cloud.
#
# The .pem holds certificate and private key together. 'no-sslv3' disables
# SSLv3 only; see the global section for the cipher list and for why
# TLS 1.0/1.1 are still accepted.
bind *:443 ssl no-sslv3 crt /etc/pki/tls/private/baserock.pem
# Tell the backends the original request was HTTPS. 'reqadd' appends the
# header without removing one the client may have sent, so a backend can
# receive two X-Forwarded-Proto values; a 'reqidel ^X-Forwarded-Proto:'
# before this line would make the proxy's value the only one.
reqadd X-Forwarded-Proto:\ https
# Rules below here implement the URL-based forwarding to the
# appropriate instance. The hdr(host) call means 'extract the
# first Host header from the HTTP request or response', the '-m beg'
# switch means 'match against the beginning of it' and the '-i' flag
# makes the match case-insensitive.
#
# See <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7>
# for more documentation than you ever dreamed of.
#
# Note that a prefix match is loose: any Host starting with the given
# string (not only the expected subdomain) selects that backend. There is
# no default_backend in this frontend, so a Host that matches none of the
# rules is presumably answered by HAProxy itself with an error (503).
acl host_gerrit hdr(host) -m beg -i gerrit
use_backend baserock_gerrit_http if host_gerrit
acl host_irclogs hdr(host) -m beg -i irclogs
use_backend baserock_irclogs_http if host_irclogs
# Two 'acl' lines with the same name are OR-ed: 'spec...' or 'docs...'.
acl host_spec hdr(host) -m beg -i spec
acl host_spec hdr(host) -m beg -i docs
use_backend baserock_spec_http if host_spec
acl host_download hdr(host) -m beg -i download
use_backend baserock_webserver_http if host_download
# Same pattern as above, written as an anonymous inline ACL.
use_backend baserock_openid_provider_http if { hdr(host) -m beg -i openid }
# 'ostree...' or 'cache...' both reach the ostree machine.
acl host_ostree hdr(host) -m beg -i ostree
acl host_ostree hdr(host) -m beg -i cache
use_backend baserock_ostree_http if host_ostree
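# TCP-mode SSH pass-through. Each port gets its own frontend: HAProxy keeps
# exactly one default_backend per frontend (the last one given wins), so a
# single section binding both 29418 and 22200 would send the gerrit port to
# the ostree machine as well, and a single 'timeout client' would apply to
# both. The two frontends below each route one port and carry the timeout
# that matches the 'timeout server' of the backend they feed.
frontend ssh-in:
# NOTE(review): the trailing ':' above is part of the proxy name as written
# and is kept so log and stats names do not change; drop it if it was a typo.
#
# FIXME: it'd be better if we could limit traffic on port 29418 to
# gerrit.baserock.org. There's no way of knowing from an SSH request
# which subdomain the user tried to connect to, so for now they can
# clone repos from 'ssh://openid.baserock.org:29418' and such like.
# For this reason it's probably worth pointing gerrit.baserock.org to
# a different floating IP that serves only the gerrit instance.
mode tcp
bind *:29418
default_backend baserock_gerrit_ssh
# It's very annoying for 'gerrit stream-events' to have disconnection
# after 50 seconds! Client-side idle timeout, matched to the 1h
# 'timeout server' in backend baserock_gerrit_ssh.
timeout client 1h

# Similarly, port 22200 on any instance forwards SSH to the ostree
# machine
frontend ssh-ostree-in
mode tcp
bind *:22200
default_backend baserock_ostree_ssh
# Uploading artifacts can be slow; need a long timeout. Client-side idle
# timeout, matched to the long timeout on backend baserock_ostree_ssh.
timeout client 12h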
# Entries here locate each server backend.
# Specification / documentation site, hosted externally on GitLab Pages.
backend baserock_spec_http
# Point to Gitlab pages url. This repository has to have configured
# alternative domain names in order to make this redirection work.
# Otherwise Gitlab will just show a 404 page
#
# Unlike the other backends this one is not on the internal network: the
# client's TLS session ends at this proxy and the request is re-sent in
# the clear to a public host, with the client's Host header passed through
# (which is what the alternative-domain setup on GitLab relies on).
# NOTE(review): a 'server ... 443 ssl verify required ca-file ...' form
# would keep the hop encrypted and authenticated; confirm GitLab Pages
# accepts that for this domain. The hostname is presumably resolved when the
# configuration is loaded — confirm for the HAProxy version in use. No
# health check is configured on this server.
server baserock_spec baserock.gitlab.io:80
# Gerrit web UI, plain HTTP on the internal network (TLS ends at the proxy).
backend baserock_gerrit_http
server baserock_gerrit 192.168.222.69:8080
# Gerrit SSH, TCP pass-through to the same host; the SSH session itself
# stays end-to-end encrypted, HAProxy only relays bytes.
backend baserock_gerrit_ssh
mode tcp
server baserock_gerrit 192.168.222.69:29418
# It's very annoying for 'gerrit stream-events' to have disconnection
# after 50 seconds! Server-side idle timeout; the frontend that binds
# port 29418 needs a matching 'timeout client'.
timeout server 1h
# IRC log viewer, plain HTTP on the internal network.
backend baserock_irclogs_http
server baserock_irclogs 192.168.222.74:80
# OpenID provider, plain HTTP on the internal network. Credentials sent to
# it are decrypted at the proxy, so this hop relies on the internal network
# being trusted (see the note in frontend https-in).
backend baserock_openid_provider_http
server baserock_openid_provider 192.168.222.144:80
# ostree / artifact cache over plain HTTP on the internal network.
backend baserock_ostree_http
server baserock_ostree 192.168.222.153:80
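# SSH to the ostree/cache machine, TCP pass-through (the SSH session stays
# end-to-end encrypted; HAProxy only relays bytes).
backend baserock_ostree_ssh
mode tcp
server baserock_ostree 192.168.222.153:22
# Uploading artifacts can be slow; need a long timeout.
# 'timeout client' is a frontend/defaults-side setting and is not valid in
# a backend section, so the long idle timeout is set as 'timeout server'
# here, matching backend baserock_gerrit_ssh. The matching client-side
# timeout belongs in the frontend that binds port 22200.
timeout server 12h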
# Download web server, plain HTTP on the internal network.
backend baserock_webserver_http
server baserock_webserver 192.168.222.127:80