Don't restrict haproxy tunable options
Instead of hardcoding specific supported tunable options, we just pass the key as an option to the haproxy config. This change might break deployments during upgrades, since the format of values in the variable has changed, but an appropriate release note was written.

We also increase maxrewrite by default, as otherwise usage of CSP leads to a 500 error.

Change-Id: I949960420ed5dbd6d58f0de7dae0ac629a85b7fc
Related-Bug: https://github.com/haproxy/haproxy/issues/1597
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/844815
4 changed files with 37 additions and 17 deletions
@@ -210,13 +210,14 @@ haproxy_maxconn: 4096
# Parameters below should only be specified if necessary, defaults are programmed in the template
#haproxy_tuning_params:
# nbproc: 1
# bufsize: 384000
# chksize: 16384
# comp_maxlevel: 1
# http_maxhdr: 101
# maxaccept: 64
# ssl_cachesize: 20000
# ssl_lifetime: 300
# tune.bufsize: 384000
# tune.chksize: 16384
# tune.comp_maxlevel: 1
# tune.http_maxhdr: 101
# tune.maxaccept: 64
# tune.ssl_cachesize: 20000
# tune.ssl_lifetime: 300
haproxy_tuning_params:{}
# Add extra VIPs to all services
extra_lb_vip_addresses:[]
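Review bot: The new commented example keys `tune.comp_maxlevel`, `tune.http_maxhdr`, `tune.ssl_cachesize` and `tune.ssl_lifetime` keep the underscore from the old variable names, while the template previously rendered these options as `tune.comp.maxlevel`, `tune.http.maxhdr`, `tune.ssl.cachesize` and `tune.ssl.lifetime`. Keys are now written to the config verbatim, so anyone uncommenting this example gets directives that do not match the old rendered names; the example should use the dotted names. `nbproc` has also dropped out of the example without comment, and it is worth saying whether deployers are still expected to set it here.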
@@ -0,0 +1,20 @@
---
upgrade:
- |
If you have defined ``haproxy_tuning_params`` in your deployment, make sure
that before upgrade all keys are valid haproxy options. For example,
instead of ``chksize: 16384`` you should set ``tune.chksize: 16384``.
Otherwise invalid config will be generated and haproxy will fail on
startup.
No upgrade scripts are provided for this change as well as no backwards
compatability.
other:
- |
Restriction on parameters that can be passed to ``haproxy_tuning_params``
has been released. This means, that any tuning parameter can be passed in
key/value format.
fixes:
- |
By default we increase ``tune.maxrewrite`` as otherwise while using CSP
headers, their size could exceed allowed buffer.
Also deployers can override this value if needed.
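Review bot: The upgrade note's single example (`chksize: 16384` becoming `tune.chksize: 16384`) suggests that prefixing `tune.` is enough, but the old template shows the mapping is not uniform: `comp_maxlevel` was rendered as `tune.comp.maxlevel`, `ssl_cachesize` as `tune.ssl.cachesize`, and `nbproc` had no prefix at all. Listing the full old-key to new-key mapping in this note would spare deployers the failed haproxy start it warns about. Wording: "compatability" should be "compatibility", and a restriction that "has been released" reads better as "has been removed".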
@@ -7,16 +7,9 @@ global
group haproxy
daemon
maxconn {{ haproxy_maxconn }}
{% if haproxy_tuning_params is defined %}
nbproc {{ haproxy_tuning_params.nbproc | default('1') }}
tune.bufsize {{ haproxy_tuning_params.bufsize | default('384000') }}
tune.chksize {{ haproxy_tuning_params.chksize | default('16384') }}
tune.comp.maxlevel {{ haproxy_tuning_params.comp_maxlevel | default('1') }}
tune.http.maxhdr {{ haproxy_tuning_params.http_maxhdr | default('101') }}
tune.maxaccept {{ haproxy_tuning_params.maxaccept | default('64') }}
tune.ssl.cachesize {{ haproxy_tuning_params.ssl_cachesize | default('20000') }}
tune.ssl.lifetime {{ haproxy_tuning_params.ssl_lifetime | default('300') }}
{% endif %}
{% for key, value in ((_haproxy_default_tuning_params | default({})) | combine(haproxy_tuning_params)).items() %}
{{ key }} {{ value }}
{% endfor %}
stats socket /var/run/haproxy.stat level admin mode 600
{% if haproxy_stats_process is defined %}
stats bind-process {{ haproxy_stats_process }}
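Review bot: The removed block applied defaults such as `tune.bufsize 384000` and `tune.ssl.cachesize 20000` whenever `haproxy_tuning_params` was defined, while the new loop emits only `_haproxy_default_tuning_params` plus the deployer's own keys, so a deployment that set a single option silently loses the other values. Either carry the old values into `_haproxy_default_tuning_params` or call the change out in the release note. The loop also writes `{{ key }} {{ value }}` into the `global` section with no checking, so a mistyped key or a multi-line value only shows up when haproxy fails to start; running a config check on the rendered file before it replaces the live one would catch that earlier.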
@@ -76,3 +76,9 @@ _haproxy_pki_install_certificates: |
{% endif %}
{% endfor %}
{{ _pki_install }}
# In case CSP is enabled, on newer haproxy versions, header size
# fill more than bufsize-maxrewrite, which results in 500
# See: https://github.com/haproxy/haproxy/issues/1597
_haproxy_default_tuning_params:
tune.maxrewrite:1280
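Review bot: The comment above `_haproxy_default_tuning_params` does not say why `1280` was chosen or how it relates to `bufsize`, and "header size fill more than bufsize-maxrewrite, which results in 500" is hard to parse. Please reword the comment and state the rationale for the value, and mention that deployers can override it through `haproxy_tuning_params`, since the template's `combine` gives their keys precedence over these defaults.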