
Ansible Role: HAProxy

Install and configure HAProxy load balancer with flexible frontends, backends, and stats.

Variables

Global Settings

Variable Required Default Description
haproxy_global.log No /dev/log local2 Log target
haproxy_global.chroot No /var/lib/haproxy Chroot directory
haproxy_global.pidfile No /var/run/haproxy.pid PID file location
haproxy_global.maxconn No 35000 Maximum connections
haproxy_global.user No haproxy User to run as
haproxy_global.group No haproxy Group to run as
haproxy_global.daemon No true Run as daemon
haproxy_global.stats_socket No See defaults Stats socket configuration

Default Settings

Variable Required Default Description
haproxy_defaults.log No global Log setting
haproxy_defaults.mode No tcp Default mode (tcp/http)
haproxy_defaults.option No tcplog Default option
haproxy_defaults.timeout_check No 5s Health check timeout
haproxy_defaults.timeout_connect No 10s Connection timeout
haproxy_defaults.timeout_client No 600s Client timeout
haproxy_defaults.timeout_server No 600s Server timeout

Stats Listener

Variable Required Default Description
haproxy_stats.enabled No false Enable stats interface
haproxy_stats.bind No 192.168.32.10:9000 Bind address for stats
haproxy_stats.mode No http Stats mode
haproxy_stats.uri No / Stats URI path
haproxy_stats.show_node No true Show node name
haproxy_stats.refresh No 10s Refresh interval
haproxy_stats.auth No admin:password Basic auth credentials (user:password); override the well-known default before enabling stats

Frontends

Variable Required Default Description
haproxy_frontends No [] List of frontends
haproxy_frontends[].name Yes - Frontend name
haproxy_frontends[].bind Yes - Bind address and port
haproxy_frontends[].default_backend Yes - Default backend name
haproxy_frontends[].mode No - Override default mode
haproxy_frontends[].options No [] Additional options

Backends

Variable Required Default Description
haproxy_backends No [] List of backends
haproxy_backends[].name Yes - Backend name
haproxy_backends[].balance No - Load balancing algorithm
haproxy_backends[].hash_type No - Hash type for balancing
haproxy_backends[].mode No - Override default mode
haproxy_backends[].stick_table No - Stick table configuration
haproxy_backends[].acls No [] List of ACL rules
haproxy_backends[].tcp_request No [] TCP request rules
haproxy_backends[].tcp_response No [] TCP response rules
haproxy_backends[].stick No [] Stick rules
haproxy_backends[].options No [] Additional options
haproxy_backends[].servers Yes - List of backend servers
haproxy_backends[].servers[].name Yes - Server name
haproxy_backends[].servers[].address Yes - Server address:port
haproxy_backends[].servers[].check No false Enable health checks
haproxy_backends[].servers[].send_proxy No false Enable send-proxy
haproxy_backends[].servers[].extra_params No - Additional server parameters

Full Example

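---
# Example playbook using role-haproxy.
# Deploys HAProxy with a stats listener, two frontends (HTTP/HTTPS) and two
# backends that forward to a pair of WAF nodes.
- name: "Deploy HAProxy Load Balancer"
  hosts: "haproxy_servers"
  become: true

  vars:

    # Enable the stats interface.
    # NOTE(review): the listener below is plain HTTP (no TLS is configured on
    # the bind in this example), so the basic-auth credentials cross the
    # network unencrypted. Keep the bind address on a management network.
    haproxy_stats:
      enabled: true
      bind: "192.168.32.10:9000"
      mode: "http"
      uri: "/"
      show_node: true
      refresh: "10s"
      # Do not commit a literal password. The variable name below is a
      # constructed placeholder; define it in an Ansible Vault encrypted
      # vars file and never reuse the role default "admin:password".
      auth: "admin:{{ vault_haproxy_stats_password }}"

    # frontends
    haproxy_frontends:

      # http frontend
      - name: "http-in"
        bind: "192.168.32.15:80"
        default_backend: "waf_siempie_tools_http"

      # https frontend (TLS is passed through to the backend, not terminated)
      - name: "https-in"
        bind: "192.168.32.15:443"
        default_backend: "waf_siempie_tools_https"

    # backends
    haproxy_backends:

      # http backend with simple load balancing
      # (source-IP hashing with consistent hash type)
      - name: "waf_siempie_tools_http"
        balance: "source"
        hash_type: "consistent"
        options:
          - "option httpchk GET /health"
        servers:

          # send_proxy prepends a PROXY protocol header carrying the client
          # address. The WAF nodes should accept that header only from this
          # load balancer; otherwise the client address can be forged.

          # waf0.siempie.tools
          - name: "waf0.siempie.tools"
            address: "192.168.32.20:80"
            check: true
            send_proxy: true

          # waf1.siempie.tools
          - name: "waf1.siempie.tools"
            address: "192.168.32.21:80"
            check: true
            send_proxy: true

      # https backend with SSL session persistence:
      # the stick table is keyed on the TLS session ID taken from the
      # ClientHello / ServerHello, so resumed sessions reach the same server.
      - name: "waf_siempie_tools_https"
        balance: "roundrobin"
        stick_table: "type binary len 2048 size 300k expire 30m"
        acls:
          - "clienthello req.ssl_hello_type 1"
          - "serverhello res.ssl_hello_type 2"
        tcp_request:
          - "inspect-delay 10s"
          - "content accept if clienthello"
        tcp_response:
          - "content accept if serverhello"
        stick:
          - "on req.payload_lv(43,1) if clienthello"
          - "store-response res.payload_lv(43,1) if serverhello"
        options:
          - "option httpchk GET /health"
        servers:

          # NOTE(review): "verify none" makes the TLS health check accept any
          # certificate, so a check can pass against an impostor backend.
          # Where the WAF certificates chain to a known CA, prefer
          # "check-ssl verify required ca-file <path to CA bundle>".

          # waf0.siempie.tools
          - name: "waf0.siempie.tools"
            address: "192.168.32.20:443"
            send_proxy: true
            check: true
            extra_params: "check-ssl verify none"

          # waf1.siempie.tools
          - name: "waf1.siempie.tools"
            address: "192.168.32.21:443"
            send_proxy: true
            check: true
            extra_params: "check-ssl verify none"

  roles:
    - "role-haproxy"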