Commit 8d952c8c authored by Jérome Perrin's avatar Jérome Perrin

stack/erp5: make haproxy listening on both old apache + old proxy ports

parent 123d5ccf
...@@ -90,11 +90,11 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57 ...@@ -90,11 +90,11 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = 4a119083eab1eadbaf44468eb4f3381f md5sum = abbf7a437e582c994c9f3a5b4edfc6f0
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
md5sum = 8de18a61607bd66341a44b95640d293f md5sum = 7149e973ab1f6c1cb31b1ca33638c145
[template-rsyslogd-cfg] [template-rsyslogd-cfg]
filename = rsyslogd.cfg.in filename = rsyslogd.cfg.in
......
...@@ -46,6 +46,7 @@ ...@@ -46,6 +46,7 @@
# "backend-dict": { # "backend-dict": {
# "family-secure": { # "family-secure": {
# ( 8000, # port int # ( 8000, # port int
# 18000, # legacy_port int
# 'https', # proto str # 'https', # proto str
# True, # ssl_required bool # True, # ssl_required bool
# [ # backends # [ # backends
...@@ -57,6 +58,7 @@ ...@@ -57,6 +58,7 @@
# }, # },
# "family-default": { # "family-default": {
# ( 8002, # port int # ( 8002, # port int
# 18002, # legacy_port int
# 'https', # proto str # 'https', # proto str
# False, # ssl_required bool # False, # ssl_required bool
# [ # backends # [ # backends
...@@ -88,10 +90,16 @@ ...@@ -88,10 +90,16 @@
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001 # - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients providing a verified TLS certificate # only accepting requests from clients providing a verified TLS certificate
# emitted by a CA from `ca-cert` and not revoked in `crl`. # emitted by a CA from `ca-cert` and not revoked in `crl`.
# For historical reasons, they will also listen on the legacy port:
# - 0.0.0.0:18000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:18000 redirecting internaly to http://10.0.0.10:8001
# For "family-default": # For "family-default":
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003 # - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003 # - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client. # accepting requests from any client.
# For historical reasons, they will also listen on the legacy port:
# - 0.0.0.0:18002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:18002 redirecting internaly to http://10.0.0.10:8003
# #
# For both families, X-Forwarded-For header will be stripped unless # For both families, X-Forwarded-For header will be stripped unless
# client presents a certificate that can be verified with `ca-cert` and `crl`. # client presents a certificate that can be verified with `ca-cert` and `crl`.
...@@ -148,7 +156,7 @@ defaults ...@@ -148,7 +156,7 @@ defaults
{% set bind_ssl_crt = 'ssl crt ' ~ parameter_dict['cert'] ~ ' alpn h2,http/1.1' %} {% set bind_ssl_crt = 'ssl crt ' ~ parameter_dict['cert'] ~ ' alpn h2,http/1.1' %}
{% for name, (port, _, certificate_authentication, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%} {% for name, (port, legacy_port, _, certificate_authentication, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
listen family_{{ name }} listen family_{{ name }}
{%- if parameter_dict.get('ca-cert') -%} {%- if parameter_dict.get('ca-cert') -%}
{%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %} {%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
...@@ -157,6 +165,8 @@ listen family_{{ name }} ...@@ -157,6 +165,8 @@ listen family_{{ name }}
{%- endif %} {%- endif %}
bind {{ parameter_dict['ipv4'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }} bind {{ parameter_dict['ipv4'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }}
bind {{ parameter_dict['ipv6'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }} bind {{ parameter_dict['ipv6'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }}
bind {{ parameter_dict['ipv4'] }}:{{ legacy_port }} {{ bind_ssl_crt }} {{ ssl_auth }}
bind {{ parameter_dict['ipv6'] }}:{{ legacy_port }} {{ bind_ssl_crt }} {{ ssl_auth }}
cookie SERVERID rewrite cookie SERVERID rewrite
http-request set-header X-Balancer-Current-Cookie SERVERID http-request set-header X-Balancer-Current-Cookie SERVERID
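Review bot: The two new `bind … :{{ legacy_port }}` lines carry no comment where they are rendered, so anyone reading the generated haproxy configuration sees a second pair of listeners per family with no hint that they exist only for compatibility. They reuse `bind_ssl_crt` and `ssl_auth`, so a family with `ssl_required` still demands a verified client certificate on the legacy port, and that is worth stating next to the lines: `# legacy port kept for compatibility; same certificate and client-verification settings as the main port`. Each family now listens on twice as many ports, so firewall or monitoring rules keyed on the previous port list probably need the same update. The `listen` block starts before this hunk and continues after it.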
......
...@@ -166,11 +166,10 @@ update-command = ${:command} ...@@ -166,11 +166,10 @@ update-command = ${:command}
{# {#
# We use to have haproxy then apache, now haproxy is playing apache's role # We use to have haproxy then apache, now haproxy is playing apache's role
# To keep port stable, we consume one port so that haproxy use the same port # To keep port stables, we make haproxy listen on both ports (the one
# that apache was using before. # apache was using + the one haproxy was using).
-#} -#}
{% set _ = next_port() -%} {% set legacy_haproxy_port = next_port() -%}
{% set haproxy_port = next_port() -%} {% set haproxy_port = next_port() -%}
{% set backend_path = slapparameter_dict['backend-path-dict'][family_name] -%} {% set backend_path = slapparameter_dict['backend-path-dict'][family_name] -%}
{% if has_webdav -%} {% if has_webdav -%}
...@@ -178,7 +177,7 @@ update-command = ${:command} ...@@ -178,7 +177,7 @@ update-command = ${:command}
{% else %} {% else %}
{% set external_scheme = 'https' -%} {% set external_scheme = 'https' -%}
{% endif -%} {% endif -%}
{% do haproxy_dict.__setitem__(family_name, (haproxy_port, external_scheme, slapparameter_dict['ssl-authentication-dict'].get(family_name, False), zope_family_address_list)) -%} {% do haproxy_dict.__setitem__(family_name, (haproxy_port, legacy_haproxy_port, external_scheme, slapparameter_dict['ssl-authentication-dict'].get(family_name, False), zope_family_address_list)) -%}
{% endfor -%} {% endfor -%}
[haproxy-cfg-parameter-dict] [haproxy-cfg-parameter-dict]
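Review bot: The tuple passed to `haproxy_dict.__setitem__` is positional and now has five fields, and the `for` loop in `haproxy.cfg.in` unpacks it by position. If the two orders ever drift while the length stays the same, the value read as `certificate_authentication`, which selects `verify required` or `optional`, would silently come from another field. A comment beside the call naming the order would guard against that: `{# tuple order: port, legacy_port, proto, ssl_required, backends; keep in sync with haproxy.cfg.in #}`. The explanatory comment in the same hunk would also read better as "We used to have haproxy then apache" and "To keep ports stable". The enclosing `for` loop starts outside the hunk.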
......