Ask Your Question

puppet-haproxy module syntax, possible to get this particular output?

asked 2014-07-31 08:10:44 -0500

benbradley gravatar image

Using the puppetlabs-haproxy module and struggling to get a particular haproxy.cfg output.

I'm trying to get multiple bind statements output into the same haproxy frontend declaration. This I can do by specifying ipaddress => [] as an array...

## PUPPET ##
  haproxy::frontend { 'ServiceHttps':
    ipaddress => ['', '', '', '']
    ports     => '443',
    mode      => 'http',
    crt       => ['/etc/haproxy/ssl/certs/', '/etc/haproxy/ssl/certs/'],
    options   => {
      'option'  => [
      'reqadd' => 'X-Forwarded-Proto:\ https',
      'default_backend' => 'webcluster1',

And is compiled as...

frontend DrupalHttps
bind ssl  crt /etc/haproxy/ssl/certs/  crt /etc/haproxy/ssl/certs/
bind ssl  crt /etc/haproxy/ssl/certs/  crt /etc/haproxy/ssl/certs/
bind ssl  crt /etc/haproxy/ssl/certs/  crt /etc/haproxy/ssl/certs/
bind ssl  crt /etc/haproxy/ssl/certs/  crt /etc/haproxy/ssl/certs/
mode  http
  default_backend  drupal
  option  accept-invalid-http-request
  option  forwardfor
  reqadd  X-Forwarded-Proto:\ https

The next stage is to get different crt ... certificates applied to each different bind line.
Is this possible with the way the puppetlabs-haproxy module is written?

I've been looking through some of the templates in the module code to try and reverse engineer the data structure I need in my manifest to get the output I want, but no luck. Here's the template from the module code which looks to deal with the ipaddress values converted into bind lines...

Anyone got any ideas/suggestions?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-07-31 12:38:03 -0500

ramindk gravatar image

updated 2014-07-31 12:40:06 -0500

You'll need to modify the existing template, but I'm not sure how as you'll care about arrays within the hash at the top level, but not in certain case. You might need a whitelist of things to not expand. Regardless it seems painful and confusing to jam everything into a single frontend resource. Why not have several?

haproxy::frontend { 'drupal_https_customer1':
  ipaddress => ''
  ports     => '443',
  mode      => 'http',
  crt       => ['/etc/haproxy/ssl/certs/', '/etc/haproxy/ssl/certs/'],

haproxy::frontend { 'drupal_https_customer2':
  ipaddress => ''
  ports     => '443',
  mode      => 'http',
  crt       => ['/etc/haproxy/ssl/certs/', '/etc/haproxy/ssl/certs/'],

Also you might be interested in this answer which shows using Hiera and the role/profiles organaziation of modules to build haproxy.cfg.

edit flag offensive delete link more


There's about 10 lines of options and acls that would also need to apply to all these frontends, which is why I wanted to keep it as a single frontend to avoid a maintainance/readability nightmare. So instead of adding 5 new lines, I'd be adding 5x16 lines to my haproxy config!

benbradley gravatar imagebenbradley ( 2014-08-01 04:18:15 -0500 )edit

Funny thing is my haproxy puppet manifest is already over double the length of the resulting config. I'm tempted to switch this one to just service the config up as a static file, I've spent too much time wrangling this module as it is. Thanks for the hiera info though,I've been meaning to look into

benbradley gravatar imagebenbradley ( 2014-08-01 04:22:04 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-07-31 08:10:44 -0500

Seen: 1,155 times

Last updated: Jul 31 '14