Do not define TLS for frontend with mode tcp 

In case frontend/backend are configured in TCP mode there is no reason
to supply a SSL configuration for such frontend.
With that we also align usage of `request_option` variable which is
anyway defined out of `service.haproxy_balance_type` but with provided
default value.
Change-Id: I5dff5aadc546d2984c1295e89b67b35a34254237
This commit is contained in:
Dmitriy Rabotyagov
2024年11月10日 16:31:24 +01:00
parent ec0066e06c
commit 7e30567f02

View File

@@ -53,7 +53,7 @@ bind {{ vip_address }}:{{ service.haproxy_redirect_http_port }}{{ (vip_interface
{% else %}
{% set haproxy_ssl_path=haproxy_ssl_cert_path + "/haproxy_" + (haproxy_host | default(ansible_facts['hostname'])) + "-" + ((vip_interface is truthy) | ternary(vip_address ~ '-' ~ vip_interface, vip_address)) + ".pem" %}
frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}
bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} {% if (service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ service.haproxy_ssl_path | default(haproxy_ssl_path) }}{% if service.haproxy_frontend_h2 | default(haproxy_frontend_h2) and request_option == "http" %} alpn h2,http/1.1{% endif %}{% endif %}
bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} {% if (service.haproxy_ssl | default(false) | bool) and (request_option == "http") and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ service.haproxy_ssl_path | default(haproxy_ssl_path) }}{% if service.haproxy_frontend_h2 | default(haproxy_frontend_h2) %} alpn h2,http/1.1{% endif %}{% endif %}
{% if request_option == "http" %}
option httplog
@@ -86,7 +86,7 @@ frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}
{% if (service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}
http-request add-header X-Forwarded-Proto https
{% endif %}
mode {{ service.haproxy_balance_type }}
mode {{ request_option }}
{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
{% endif %}
@@ -102,7 +102,7 @@ frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}
{% set backend_arguments = service.haproxy_backend_arguments|default([]) %}
backend {{ service.haproxy_service_name }}-back
mode {{ service.haproxy_balance_type }}
mode {{ request_option }}
balance {{ service.haproxy_balance_alg|default("leastconn") }}
{% if service.haproxy_timeout_server is defined %}
timeout server {{ service.haproxy_timeout_server }}
Reference in New Issue
openstack/openstack-ansible-haproxy_server
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.

The note is not visible to the blocked user.