From be9a66c2807b5e7edb4f9868c6491ce26f0b5d7f Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: 2022年6月18日 21:05:25 +0200
Subject: [PATCH] Don't restrict haproxy tunable options
Instead of hardcoding specific supported tunable options, we just pass key as an option to haproxy config. This change might break deployments during upgrades, since format of values in variable has changed, but appropriate release note was written We also increase maxrewrite by default, as otherwise usage of CSP leads to 500 error.
Change-Id: I949960420ed5dbd6d58f0de7dae0ac629a85b7fc
Related-Bug: https://github.com/haproxy/haproxy/issues/1597
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/844815
---
 defaults/main.yml | 15 +++++++-------
 ...ning_params_released-45eb40104747561a.yaml | 20 +++++++++++++++++++
 templates/haproxy.cfg.j2 | 13 +++---------
 vars/main.yml | 6 ++++++
 4 files changed, 37 insertions(+), 17 deletions(-)
 create mode 100644 releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 9ddfcd8..5a46574 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -210,13 +210,14 @@ haproxy_maxconn: 4096
 # Parameters below should only be specified if necessary, defaults are programmed in the template
 #haproxy_tuning_params:
 # nbproc: 1
-# bufsize: 384000
-# chksize: 16384
-# comp_maxlevel: 1
-# http_maxhdr: 101
-# maxaccept: 64
-# ssl_cachesize: 20000
-# ssl_lifetime: 300
+# tune.bufsize: 384000
+# tune.chksize: 16384
+# tune.comp_maxlevel: 1
+# tune.http_maxhdr: 101
+# tune.maxaccept: 64
+# tune.ssl_cachesize: 20000
+# tune.ssl_lifetime: 300
+haproxy_tuning_params: {}
 # Add extra VIPs to all services
 extra_lb_vip_addresses: []
diff --git a/releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml b/releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml
new file mode 100644
index 0000000..7ca0ddf
--- /dev/null
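Review bot: In defaults/main.yml the rewritten example block spells four keys with underscores (`tune.comp_maxlevel`, `tune.http_maxhdr`, `tune.ssl_cachesize`, `tune.ssl_lifetime`), while the template lines this commit removes show the haproxy directives as `tune.comp.maxlevel`, `tune.http.maxhdr`, `tune.ssl.cachesize` and `tune.ssl.lifetime`. Keys are now written into the config verbatim, so a deployer who uncomments the examples as printed gets a keyword haproxy does not know, and the release note in this same commit says haproxy then fails on startup. The examples should use the dotted names, e.g. `# tune.ssl.cachesize: 20000`. The sentence `defaults are programmed in the template` is also stale, since the only default left is `_haproxy_default_tuning_params` in vars/main.yml.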
+++ b/releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml
@@ -0,0 +1,20 @@
+---
+upgrade:
+ - |
+ If you have defined ``haproxy_tuning_params`` in your deployment, make sure
+ that before upgrade all keys are valid haproxy options. For example,
+ instead of ``chksize: 16384`` you should set ``tune.chksize: 16384``.
+ Otherwise invalid config will be generated and haproxy will fail on
+ startup.
+ No upgrade scripts are provided for this change as well as no backwards
+ compatability.
+other:
+ - |
+ Restriction on parameters that can be passed to ``haproxy_tuning_params``
+ has been released. This means, that any tuning parameter can be passed in
+ key/value format.
+fixes:
+ - |
+ By default we increase ``tune.maxrewrite`` as otherwise while using CSP
+ headers, their size could exceed allowed buffer.
+ Also deployers can override this value if needed.
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index ece82ea..bad50c0 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -7,16 +7,9 @@ global
 group haproxy
 daemon
 maxconn {{ haproxy_maxconn }}
-{% if haproxy_tuning_params is defined %}
- nbproc {{ haproxy_tuning_params.nbproc | default('1') }}
- tune.bufsize {{ haproxy_tuning_params.bufsize | default('384000') }}
- tune.chksize {{ haproxy_tuning_params.chksize | default('16384') }}
- tune.comp.maxlevel {{ haproxy_tuning_params.comp_maxlevel | default('1') }}
- tune.http.maxhdr {{ haproxy_tuning_params.http_maxhdr | default('101') }}
- tune.maxaccept {{ haproxy_tuning_params.maxaccept | default('64') }}
- tune.ssl.cachesize {{ haproxy_tuning_params.ssl_cachesize | default('20000') }}
- tune.ssl.lifetime {{ haproxy_tuning_params.ssl_lifetime | default('300') }}
-{% endif %}
+{% for key, value in ((_haproxy_default_tuning_params | default({})) | combine(haproxy_tuning_params)).items() %}
+ {{ key }} {{ value }}
+{% endfor %}
 stats socket /var/run/haproxy.stat level admin mode 600
 {% if haproxy_stats_process is defined %}
 stats bind-process {{ haproxy_stats_process }}
diff --git a/vars/main.yml b/vars/main.yml
index 31e0d56..9dc4448 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -76,3 +76,9 @@ _haproxy_pki_install_certificates: |
 {% endif %}
 {% endfor %}
 {{ _pki_install }}
+
+# In case CSP is enabled, on newer haproxy versions, header size
+# fill more than bufsize-maxrewrite, which results in 500
+# See: https://github.com/haproxy/haproxy/issues/1597
+_haproxy_default_tuning_params:
+ tune.maxrewrite: 1280
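Review bot: In templates/haproxy.cfg.j2 the new loop writes `{{ key }} {{ value }}` into the `global` section with no check on either side, so `haproxy_tuning_params` is no longer limited to eight numeric tunables. Any key becomes a global directive, and a key or value that contains a newline adds further configuration lines, so every place this variable can be set (group_vars, extra-vars, a dynamic inventory) now controls process-level haproxy settings. A leftover old-style key such as `bufsize` also surfaces only when haproxy refuses to start. I would check before rendering that each key is a single token and each value is single-line, and, if the template task does not already do so (it is outside this diff), render with `validate: haproxy -c -f %s` so a bad key fails the play rather than the restart. `combine(haproxy_tuning_params)` also errors when a deployer leaves the variable empty instead of `{}`; `combine(haproxy_tuning_params | default({}, true))` tolerates that.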
