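# Ansible managed
#
# Rendered by the Ansible haproxy role: change the template / group vars, not
# this file, or the edit is overwritten on the next run.
#
# Layout: one "global"/"defaults" pair, then per-service frontend/backend pairs.
# "-front-1" listeners are the TLS-terminating ones (public VIP 104.130.253.16,
# or the internal VIP for rabbitmq_mgmt); "-front-2" listeners are plain HTTP
# on the internal VIP 172.29.236.101.
#
# Review changes versus the rendered original:
#   * X-Forwarded-Proto is now written with "set-header" instead of
#     "add-header". add-header appends, so a client-supplied
#     X-Forwarded-Proto would reach the backend next to the proxy's value;
#     set-header replaces any incoming value.

global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 4096
    tune.maxrewrite 1280
    # Admin-level runtime API; mode 600 restricts it to the socket owner.
    stats socket /var/run/haproxy.stat level admin mode 600
    # TLS floor is 1.2 on both the listening and the server side.
    # prefer-client-ciphers lets the client's preference order win among the
    # suites listed below; drop it if the server order should be authoritative.
    ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers
    ssl-default-server-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # TLS <= 1.2 suites: ECDHE + AEAD/CBC-SHA2 only, no anonymous, no SHA1 MAC, no CCM.
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
    tune.ssl.default-dh-param 2048

defaults
    log global
    option dontlognull
    option redispatch
    option httpclose
    retries 3
    timeout client 50s
    timeout connect 10s
    # Bounds how long a client may take to send a complete request header.
    timeout http-request 5s
    timeout server 50s
    maxconn 4096

# Ansible managed
#
# "base" listeners: plain :80 redirects to https, :443 terminates TLS and routes
# by path through the regex map. Browser hardening headers are set on every
# response. Note that script-src allows 'unsafe-inline' and 'unsafe-eval', which
# removes most of the CSP's protection against injected script; tightening it
# depends on the served applications tolerating a strict policy.
frontend base-redirect-front-1
    bind 104.130.253.16:80
    mode http
    redirect scheme https if !{ ssl_fc }

frontend base-front-1
    bind 104.130.253.16:443 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    # Adds X-Forwarded-For for non-loopback clients. Any X-Forwarded-For the
    # client sent is passed through as well, so backends must trust only the
    # last (proxy-added) value.
    option forwardfor except 127.0.0.0/8
    use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]
    http-request set-header X-Forwarded-Proto https
    mode http
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains;"
    http-response set-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy "same-origin"
    http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"
    http-response set-header Content-Security-Policy " default-src 'self'; frame-ancestors 'self' ; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' 104.130.253.16:6082 104.130.253.16:6080 104.130.253.16:6083; frame-src 'self' 104.130.253.16:6082 104.130.253.16:6080 104.130.253.16:6083; connect-src 'self' 104.130.253.16:* wss://104.130.253.16:6083; img-src 'self' data:; worker-src blob:; "

frontend base-redirect-front-2
    bind 172.29.236.101:80
    mode http
    redirect scheme https if !{ ssl_fc }

frontend base-front-2
    bind 172.29.236.101:443 ssl crt /etc/haproxy/ssl/haproxy_aio1-172.29.236.101.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]
    http-request set-header X-Forwarded-Proto https
    mode http
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains;"
    http-response set-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy "same-origin"
    http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"
    # Same policy as base-front-1, so the console/websocket sources still name
    # the public VIP even though this listener is on the internal VIP (as rendered).
    http-response set-header Content-Security-Policy " default-src 'self'; frame-ancestors 'self' ; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' 104.130.253.16:6082 104.130.253.16:6080 104.130.253.16:6083; frame-src 'self' 104.130.253.16:6082 104.130.253.16:6080 104.130.253.16:6083; connect-src 'self' 104.130.253.16:* wss://104.130.253.16:6083; img-src 'self' data:; worker-src blob:; "

# Ansible managed
#
# Per-service pattern used below: each backend tracks the source address in a
# stick-table and returns 429 once a client exceeds 20 HTTP errors per 10s,
# except for sources in the RFC1918 ranges (internal callers are not throttled).
frontend cinder_api-front-1
    bind 104.130.253.16:8776 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend cinder_api-back

frontend cinder_api-front-2
    bind 172.29.236.101:8776
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend cinder_api-back

backend cinder_api-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /healthcheck
    server aio1-cinder-api-container-15af9d1b 172.29.236.112:8776 check port 8776 inter 12000 rise 3 fall 3

# Ansible managed
#
# Database VIP: TCP mode, source-address allow-list (loopback + RFC1918) enforced
# before the connection is accepted. The health check goes to port 9200, not
# the MySQL port itself.
frontend galera-front-1
    bind 172.29.236.101:3306
    option tcplog
    timeout client 5000s
    acl allow_list src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    tcp-request content accept if allow_list
    tcp-request content reject
    mode tcp
    default_backend galera-back

backend galera-back
    mode tcp
    balance leastconn
    timeout server 5000s
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD
    server aio1-galera-container-3170046e 172.29.239.252:3306 check port 9200 inter 12000 rise 3 fall 3 send-proxy-v2

# Ansible managed
frontend glance_api-front-1
    bind 104.130.253.16:9292 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend glance_api-back

frontend glance_api-front-2
    bind 172.29.236.101:9292
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend glance_api-back

backend glance_api-back
    mode http
    # Source hashing keeps a client's (possibly chunked/resumed) image
    # transfers on one server.
    balance source
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth GET uri /healthcheck
    server aio1-glance-container-f867c4f2 172.29.239.208:9292 check port 9292 inter 12000 rise 3 fall 3

# Ansible managed
#
# Horizon is reached through the base-front listeners via the regex map, so
# only the backend is defined here. In addition to the error-rate limit it
# throttles the login endpoint (/auth...) by request rate, which slows
# credential guessing from external sources.
backend horizon-back
    mode http
    balance source
    stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /auth/login/
    server aio1-horizon-container-759e6a6a 172.29.237.177:80 check port 80 inter 12000 rise 3 fall 3

# Ansible managed
frontend keystone_service-front-1
    bind 104.130.253.16:5000 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend keystone_service-back

frontend keystone_service-front-2
    bind 172.29.236.101:5000
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend keystone_service-back

backend keystone_service-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /healthcheck
    server aio1-keystone-container-dd9739ec 172.29.239.140:5000 check port 5000 inter 12000 rise 3 fall 3

# Ansible managed
frontend neutron_server-front-1
    bind 104.130.253.16:9696 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend neutron_server-back

frontend neutron_server-front-2
    bind 172.29.236.101:9696
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend neutron_server-back

backend neutron_server-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth GET uri /healthcheck
    server aio1-neutron-server-container-4b5d5912 172.29.238.27:9696 check port 9696 inter 12000 rise 3 fall 3

# Ansible managed
#
# Metadata API: internal VIP only, with the same loopback + RFC1918 source
# allow-list as galera; other sources are rejected before any HTTP processing.
frontend nova_api_metadata-front-1
    bind 172.29.236.101:8775
    option httplog
    option forwardfor except 127.0.0.0/8
    acl allow_list src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    tcp-request content accept if allow_list
    tcp-request content reject
    mode http
    default_backend nova_api_metadata-back

backend nova_api_metadata-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    # The nova health checks use "osa-proxy-healthcheck" while every other
    # service uses "osa-haproxy-healthcheck"; kept as rendered because backend
    # filters may match on it, but worth aligning in the template.
    http-check send hdr User-Agent "osa-proxy-healthcheck" meth HEAD
    server aio1-nova-api-container-d170d4ae 172.29.239.248:8775 check port 8775 inter 12000 rise 3 fall 3

# Ansible managed
frontend nova_api_os_compute-front-1
    bind 104.130.253.16:8774 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend nova_api_os_compute-back

frontend nova_api_os_compute-front-2
    bind 172.29.236.101:8774
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend nova_api_os_compute-back

backend nova_api_os_compute-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-proxy-healthcheck" meth HEAD
    server aio1-nova-api-container-d170d4ae 172.29.239.248:8774 check port 8774 inter 12000 rise 3 fall 3

# Ansible managed
#
# noVNC console: long-lived websocket sessions, hence the 60m client/server
# timeouts. Requests whose URL-decoded path contains "/." (dot-file or
# dot-segment style paths) are rejected at the proxy.
frontend nova_novnc_console-front-1
    bind 104.130.253.16:6080 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    timeout client 60m
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend nova_novnc_console-back
    http-request deny if { path,url_dec -m sub /. }

frontend nova_novnc_console-front-2
    bind 172.29.236.101:6080
    option httplog
    option forwardfor except 127.0.0.0/8
    timeout client 60m
    mode http
    default_backend nova_novnc_console-back
    http-request deny if { path,url_dec -m sub /. }

backend nova_novnc_console-back
    mode http
    balance source
    timeout server 60m
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-proxy-healthcheck" meth HEAD uri /vnc.html
    http-check expect status 200
    server aio1-nova-api-container-d170d4ae 172.29.239.248:6080 check port 6080 inter 12000 rise 3 fall 3

# Ansible managed
frontend placement-front-1
    bind 104.130.253.16:8780 ssl crt /etc/haproxy/ssl/haproxy_aio1-104.130.253.16.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend placement-back

frontend placement-front-2
    bind 172.29.236.101:8780
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend placement-back

backend placement-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth GET
    server aio1-placement-container-5af1d0ed 172.29.239.97:8780 check port 8780 inter 12000 rise 3 fall 3

# Ansible managed
#
# RabbitMQ management UI: TLS on the internal VIP, restricted to loopback +
# RFC1918 sources, and re-encrypted to the broker.
frontend rabbitmq_mgmt-front-1
    bind 172.29.236.101:15671 ssl crt /etc/haproxy/ssl/haproxy_aio1-172.29.236.101.pem alpn h2,http/1.1
    option httplog
    option forwardfor except 127.0.0.0/8
    acl allow_list src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    tcp-request content accept if allow_list
    tcp-request content reject
    http-request set-header X-Forwarded-Proto https
    mode http
    default_backend rabbitmq_mgmt-back

backend rabbitmq_mgmt-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD
    # "verify none": the broker's certificate is not validated, so the proxy-to-
    # broker hop is encrypted but not authenticated. Closing that gap needs
    # "verify required ca-file <CA_BUNDLE_PATH>" with the CA that signed the
    # broker certificate; that path is not known from this file, so it is left
    # as rendered.
    server aio1-rabbit-mq-container-a85e173f 172.29.238.154:15671 check port 15671 inter 12000 rise 3 fall 3 ssl check-ssl verify none

# Ansible managed
#
# Package/constraints repo: internal VIP only, plain HTTP.
frontend repo_all-front-1
    bind 172.29.236.101:8181
    option httplog
    option forwardfor except 127.0.0.0/8
    mode http
    default_backend repo_all-back

backend repo_all-back
    mode http
    balance leastconn
    stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 192.168.0.0/16 } !{ src 172.16.0.0/12 } !{ src 10.0.0.0/8 }
    option forwardfor
    option httpchk
    http-check send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /constraints/upper_constraints_cached.txt
    http-check expect status 200
    server aio1-repo-container-5dee23ed 172.29.239.227:8181 check port 8181 inter 12000 rise 3 fall 3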