# {{ ansible_managed }}
#
# HAProxy configuration template (Jinja2) for the load balancer in front of the
# RGW instances. It defines one HTTP frontend (TLS-terminating when
# haproxy_frontend_ssl_certificate is set) and one backend holding a server
# entry for every item in each RGW host's rgw_instances list.

global
    # Log to the local syslog listener, facility local2.
    log         127.0.0.1 local2

    # Confine the process to /var/lib/haproxy and run it as the unprivileged
    # haproxy user and group.
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     8000
    user        haproxy
    group       haproxy
    daemon

    # Runtime/stats UNIX socket.
    # NOTE(review): no mode, user/group or level is given on this line, so the
    # socket's file permissions follow the process umask and the command level
    # is HAProxy's default. Consider pinning them explicitly (for example with
    # "mode 600") so access to the runtime API does not depend on the
    # environment the service is started in.
    stats socket /var/lib/haproxy/stats
{% if haproxy_frontend_ssl_certificate %}
    # TLS defaults for every "bind ... ssl" line; only rendered when a frontend
    # certificate is configured. The effective policy is whatever the
    # haproxy_ssl_dh_param, haproxy_ssl_ciphers and haproxy_ssl_options
    # variables contain; their values are not visible in this template.
    # NOTE(review): ssl-default-bind-ciphers covers TLS 1.2 and earlier. On
    # HAProxy builds with TLS 1.3 support the 1.3 suites are controlled by
    # ssl-default-bind-ciphersuites, which this template does not set.
    tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }}
    ssl-default-bind-ciphers {{ haproxy_ssl_ciphers | join(':') }}
    ssl-default-bind-options {{ haproxy_ssl_options | join(' ') }}
{% endif %}

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    # Add X-Forwarded-For with the client address, except for requests that
    # arrive from loopback.
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    # Bounds how long a client may take to send a complete request, which
    # limits connections held open by slow or stalled senders.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 8000

# Client-facing listener. It binds on all addresses. With a certificate
# configured only the TLS port is bound (no plaintext listener is created);
# without one the frontend serves plaintext HTTP only.
# NOTE(review): the file passed to "crt" is expected to hold the private key as
# well as the certificate; its ownership and permissions are not managed by
# this template and should be checked where the file is deployed.
frontend rgw-frontend
{% if haproxy_frontend_ssl_certificate %}
    bind *:{{ haproxy_frontend_ssl_port }} ssl crt {{ haproxy_frontend_ssl_certificate }}
{% else %}
    bind *:{{ haproxy_frontend_port }}
{% endif %}
    default_backend rgw-backend

# When running in an SELinux environment, SELinux restricts the ports that
# haproxy can connect to:
#   * 80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t) and,
#   * 8080, 8118, 8123, 10001-10010 (http_cache_port_t)
#
# Practically speaking, it would be preferable (and perhaps easier) to configure the
# rgw daemons to listen on ports 10001-10010 and configure haproxy here to match.
#
# Alternatively you can add other unused ports to http_port_t or http_cache_port_t
# with, e.g.: `semanage port -a -t http_cache_port_t -p tcp 8085`
# (Note that ports 8081-8084 are already taken and can't be used for haproxy.)
#
# Backend notes:
#   * The server lines below carry no "ssl" keyword, so the hop from haproxy to
#     each RGW instance is plaintext HTTP even when the frontend terminates TLS.
#   * Nothing in this file removes an X-Forwarded-For header supplied by the
#     client; HAProxy adds its own value alongside it, so anything downstream
#     that logs or filters on client address should rely only on the value
#     HAProxy added.
#   * NOTE(review): "option forwardfor" is repeated here without the
#     "except 127.0.0.0/8" used in defaults; confirm whether the loopback
#     exception is still intended for this backend.
#   * One server entry is emitted per RGW instance, named
#     server-<hostname>-<instance_name>, all with equal weight and HTTP health
#     checks (HEAD /) enabled.
backend rgw-backend
    option forwardfor
    balance static-rr
    option httpchk HEAD /
{% for host in groups[rgw_group_name] %}
{% for instance in hostvars[host]['rgw_instances'] %}
    server {{ 'server-' + hostvars[host]['ansible_facts']['hostname'] + '-' + instance['instance_name'] }} {{ instance['radosgw_address'] }}:{{ instance['radosgw_frontend_port'] }} weight 100 check
{% endfor %}
{% endfor %}