feat: add teleport like configs

2026-04-17 13:49:26 +02:00 · 2026-04-17 13:49:26 +02:00 · 1fa9c044d0
commit 1fa9c044d0
parent 3b0e74fba4
4 changed files with 158 additions and 113 deletions
--- a/readme.md
+++ b/readme.md
@ -8,14 +8,14 @@ Install and configure HAProxy load balancer with flexible frontends, backends, a

 | Variable | Required | Default | Description |
 |----------|----------|---------|-------------|
-| `haproxy_global.log` | No | `/dev/log local2` | Log target |
+| `haproxy_global.log` | No | List with `/dev/log local2` | Log target (string or list) |
+| `haproxy_global.stats_socket` | No | See defaults | Stats socket configuration |
 | `haproxy_global.chroot` | No | `/var/lib/haproxy` | Chroot directory |
-| `haproxy_global.pidfile` | No | `/var/run/haproxy.pid` | PID file location |
-| `haproxy_global.maxconn` | No | `35000` | Maximum connections |
 | `haproxy_global.user` | No | `haproxy` | User to run as |
 | `haproxy_global.group` | No | `haproxy` | Group to run as |
 | `haproxy_global.daemon` | No | `true` | Run as daemon |
-| `haproxy_global.stats_socket` | No | See defaults | Stats socket configuration |
+| `haproxy_global.pidfile` | No | `/var/run/haproxy.pid` | PID file location (optional) |
+| `haproxy_global.maxconn` | No | `35000` | Maximum connections (optional) |

 ### Default Settings

@ -23,11 +23,12 @@ Install and configure HAProxy load balancer with flexible frontends, backends, a
 |----------|----------|---------|-------------|
 | `haproxy_defaults.log` | No | `global` | Log setting |
 | `haproxy_defaults.mode` | No | `tcp` | Default mode (tcp/http) |
-| `haproxy_defaults.option` | No | `tcplog` | Default option |
-| `haproxy_defaults.timeout_check` | No | `5s` | Health check timeout |
+| `haproxy_defaults.options` | No | List with `tcplog` | Options list (or use `option` for single) |
+| `haproxy_defaults.timeout_check` | No | `5s` | Health check timeout (optional) |
 | `haproxy_defaults.timeout_connect` | No | `10s` | Connection timeout |
 | `haproxy_defaults.timeout_client` | No | `600s` | Client timeout |
 | `haproxy_defaults.timeout_server` | No | `600s` | Server timeout |
+| `haproxy_defaults.timeout_tunnel` | No | Empty | Tunnel timeout (optional) |

 ### Stats Listener

@ -67,18 +68,110 @@ Install and configure HAProxy load balancer with flexible frontends, backends, a
 | `haproxy_backends[].tcp_response` | No | `[]` | TCP response rules |
 | `haproxy_backends[].stick` | No | `[]` | Stick rules |
 | `haproxy_backends[].options` | No | `[]` | Additional options |
+| `haproxy_backends[].http_check` | No | `[]` | HTTP health check directives |
+| `haproxy_backends[].tcp_check` | No | `[]` | TCP health check directives |
 | `haproxy_backends[].servers` | Yes | - | List of backend servers |
 | `haproxy_backends[].servers[].name` | Yes | - | Server name |
 | `haproxy_backends[].servers[].address` | Yes | - | Server address:port |
 | `haproxy_backends[].servers[].check` | No | `false` | Enable health checks |
+| `haproxy_backends[].servers[].check_port` | No | - | Health check port (if different) |
 | `haproxy_backends[].servers[].send_proxy` | No | `false` | Enable send-proxy |
 | `haproxy_backends[].servers[].extra_params` | No | - | Additional server parameters |

-## Full Example
+## Examples
+
+### Teleport Example
+
+Configuration for Teleport with SSL session persistence and advanced health checks:
+
+```yaml
+---
+- name: "Deploy HAProxy for Teleport"
+  hosts: "haproxy_servers"
+  become: true
+
+  vars:
+
+    # global settings with multiple log targets
+    haproxy_global:
+      log:
+        - "/dev/log local0"
+        - "/dev/log local1 notice"
+      stats_socket: "/var/lib/haproxy/stats level admin"
+      chroot: "/var/lib/haproxy"
+      user: "haproxy"
+      group: "haproxy"
+      daemon: true
+
+    # defaults with multiple options
+    haproxy_defaults:
+      log: "global"
+      mode: "tcp"
+      options:
+        - "httplog"
+        - "dontlognull"
+      timeout_connect: "5000"
+      timeout_client: "10m"
+      timeout_server: "10m"
+      timeout_tunnel: "10m"
+
+    # frontends
+    haproxy_frontends:
+      - name: "hafrontend"
+        bind: "*:443"
+        mode: "tcp"
+        default_backend: "teleport"
+
+    # backends with http-check and tcp-check
+    haproxy_backends:
+      - name: "teleport"
+        mode: "tcp"
+        balance: "roundrobin"
+        stick_table: "type binary len 2048 size 300k expire 30m"
+        acls:
+          - "clienthello req.ssl_hello_type 1"
+          - "serverhello res.ssl_hello_type 2"
+        tcp_request:
+          - "inspect-delay 10s"
+          - "content accept if clienthello"
+        tcp_response:
+          - "content accept if serverhello"
+        stick:
+          - "on req.payload_lv(43,1) if clienthello"
+          - "store-response res.payload_lv(43,1) if serverhello"
+        options:
+          - "option httpchk GET /healthz"
+          - "option tcp-check"
+        http_check:
+          - "expect status 200"
+        tcp_check:
+          - "connect"
+        servers:
+
+          # teleport node 1
+          - name: "teleport-prod-01"
+            address: "192.168.10.120:443"
+            check: true
+            check_port: "3000"
+            send_proxy: true
+            extra_params: "check-ssl verify none"
+
+          # teleport node 2
+          - name: "teleport-prod-02"
+            address: "192.168.10.121:443"
+            check: true
+            check_port: "3000"
+            send_proxy: true
+            extra_params: "check-ssl verify none"
+
+  roles:
+    - "role-haproxy"
+```
+
+### WAF Example with SSL Persistence

 ```yaml
 ---
-# Example playbook using role-haproxy
 - name: "Deploy HAProxy Load Balancer"
  hosts: "haproxy_servers"
  become: true