add csat to haproxy

05798909 · David Ivey · 4e400929 · 05798909 · 05798909 · 4e400929
Commit 05798909 authored 5 years ago by David Ivey
--- a/apps/public/haproxy/configure-haproxy.sls
+++ b/apps/public/haproxy/configure-haproxy.sls
@@ -4,7 +4,6 @@ include:
 set_up_ssl:
  cmd.script:
    - source: salt://apps/public/haproxy/files/mkcert.sh
-    - source_hash: salt://apps/public/haproxy/files/hash
    - template: jinja
    - defaults:
        letsencrypt_email: {{ pillar['letsencrypt_email'] }}
@@ -12,17 +11,16 @@ set_up_ssl:
    - creates: /etc/letsencrypt/live/graylog.cybbh.space/fullchain.pem
    - creates: /etc/letsencrypt/live/register.cybbh.space/fullchain.pem
    - creates: /etc/letsencrypt/live/status.cybbh.space/fullchain.pem
+    - creates: /etc/letsencrypt/live/csat.cybbh.space/fullchain.pem

 /etc/haproxy/haproxy.cfg:
  file.managed:
    - source: salt://apps/public/haproxy/files/haproxy.cfg
-    - source_hash: salt://apps/public/haproxy/files/hash
    - template: jinja

 /etc/ssl/certs/dod-root-certs.pem:
  file.managed:
    - source: salt://apps/public/ipa/files/dod-root-certs.pem
-    - source_hash: salt://apps/public/ipa/files/hash

 haproxy_service:
  service.running:
@@ -44,3 +42,8 @@ systemctl stop haproxy.service && letsencrypt renew --agree-tos && cat /etc/lets
  cron.present:
    - minute: 45
    - hour: 6
+
+systemctl stop haproxy.service && letsencrypt renew --agree-tos && cat /etc/letsencrypt/live/csat.cybbh.space/fullchain.pem /etc/letsencrypt/live/csat.cybbh.space/privkey.pem > /etc/letsencrypt/live/csat.cybbh.space/master.pem && systemctl start haproxy.service:
+  cron.present:
+    - minute: 45
+    - hour: 6
--- a/apps/public/haproxy/files/haproxy.cfg
+++ b/apps/public/haproxy/files/haproxy.cfg
@@ -41,7 +41,7 @@ defaults

 frontend tls_termination
  mode http
-  bind 192.168.200.4:443 ssl crt /etc/letsencrypt/live/git.cybbh.space/master.pem crt /etc/letsencrypt/live/status.cybbh.space/master.pem
+  bind 192.168.200.4:443 ssl crt /etc/letsencrypt/live/git.cybbh.space/master.pem crt /etc/letsencrypt/live/status.cybbh.space/master.pem crt /etc/letsencrypt/live/csat.cybbh.space/master.pem
  bind 192.168.200.4:9000 ssl crt /etc/letsencrypt/live/graylog.cybbh.space/master.pem ca-file /etc/ssl/certs/dod-root-certs.pem verify required
  reqadd  X-Forwarded-Proto:\ https
  http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
@@ -84,3 +84,11 @@ listen nacl_ssh
  balance roundrobin
  server nacl.cybbh.space 192.168.200.5:22 check inter 2000 rise 2 fall 5
  option tcpka
+
+  backend csat_https
+    mode http
+    http-request  set-header X-Forwarded-Proto https if { ssl_fc }
+    balance roundrobin
+    option  tcpka
+    option  tcplog
+    server csat.cybbh.space 192.168.200.14:443 check inter 2000 rise 2 fall 5
--- a/apps/public/haproxy/files/hash
+++ b/apps/public/haproxy/files/hash
-d58c410faf392186ce4717c9d8baefeac2f2763d29b5eb6a3a240be04355c252da92b6aa02001bcd20e9b80d02a6516ff951f857a6c7cb6a755c9250fd8f5d6c  haproxy.cfg
-779fc7c09a406aec2ba5232e288a976ec5fa1db15593e8744ef5c0cb0fb28759feebe6c6addd86483b6fc50e09c2ae53260ca24f025f5d3814a585819e031194  mkcert.sh
--- a/apps/public/haproxy/files/mkcert.sh
+++ b/apps/public/haproxy/files/mkcert.sh
@@ -19,3 +19,8 @@ systemctl stop haproxy.service
 letsencrypt certonly -d status.cybbh.space --agree-tos --email {{ letsencrypt_email }}
 cat /etc/letsencrypt/live/status.cybbh.space/fullchain.pem /etc/letsencrypt/live/status.cybbh.space/privkey.pem > /etc/letsencrypt/live/status.cybbh.space/master.pem
 systemctl start haproxy.service
+
+systemctl stop haproxy.service
+letsencrypt certonly -d csat.cybbh.space --agree-tos --email {{ letsencrypt_email }}
+cat /etc/letsencrypt/live/csat.cybbh.space/fullchain.pem /etc/letsencrypt/live/csat.cybbh.space/privkey.pem > /etc/letsencrypt/live/csat.cybbh.space/master.pem
+systemctl start haproxy.service