remove separate tls listen for haproxy (#543)

ewdurbin · web-flow · commit f5d76ee93302 · 2024-12-18T15:01:56.000-05:00
* remove separate tls listen for haproxy

haproxy has natively supported http/2 for a _long_ time.

This listen (combined frontend/backend) was added long ago before haproxy supported http/2 (back when it was called spdy).

Drop the http server config for http/2, and move all binds back into the main frontend.

* fix tls redirect acl
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
@@ -83,7 +83,14 @@ defaults
     errorfile 504 /etc/haproxy/errors/504.http
 
 
-listen tls:
+frontend main
+    # HTTP Binds
+    bind :20000
+    bind :20001 accept-proxy
+    bind 0.0.0.0:80
+    bind :::80
+
+    # HTTPS Binds
     # Advertise http/1.1 over NPN to enable TLS False Start
     bind :20003 ssl alpn h2,http/1.1 crt star.python.org.pem
     bind :20005 ssl alpn h2,http/1.1 crt star.pypa.io.pem
@@ -95,27 +102,6 @@ listen tls:
     bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
     bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
 
-    mode http
-
-    option httplog
-
-    # Capture the user agent in the log
-    capture request header User-Agent len 512
-    # Capture X-Forwarded-For in the log
-    capture request header X-Forwarded-For len 64
-
-    http-request set-header X-Client-IP %[src]
-
-    server default 127.0.0.1:19001
-
-
-frontend main
-    bind :20000
-    bind :20001 accept-proxy
-    bind 0.0.0.0:80
-    bind :::80
-    bind 127.0.0.1:19001  # This is our TLS socket.
-
     # Define a stick table for all services
     stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
     # Track all requests using a single counter
@@ -147,7 +133,7 @@ frontend main
     use_backend letsencrypt-well-known if letsencrypt-well-known-acl
 
     # Determine if this request has TLS on the client side or not.
-    acl is_tls dst_port 19001
+    acl is_tls ssl_fc
 
     acl our_domains hdr(host) -i -f /etc/haproxy/our_domains
 
diff --git a/salt/haproxy/config/nginx-http2.conf.jinja b/salt/haproxy/config/nginx-http2.conf.jinja
diff --git a/salt/haproxy/init.sls b/salt/haproxy/init.sls
@@ -117,17 +117,6 @@ haproxy-ocsp:
 {% endif %}
 
 
-/etc/nginx/sites.d/http2.conf:
-  file.managed:
-    - source: salt://haproxy/config/nginx-http2.conf.jinja
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: "0644"
-    - require:
-      - file: /etc/nginx/sites.d/
-
-
 /etc/nginx/sites.d/redirect.conf:
   file.managed:
     - source: salt://haproxy/config/nginx-redirect.conf.jinja
