options:
  global_log:
    default: "/dev/log local0, /dev/log local1 notice"
    type: string
    description: Global log line (multiple log targets may be given as a comma-separated list)
  global_maxconn:
    default: 4096
    type: int
    description: |
      Sets the maximum per-process number of concurrent connections.
  global_user:
    default: "haproxy"
    type: string
    description: User to run haproxy as
  global_group:
    default: "haproxy"
    type: string
    description: Group to run haproxy as
  global_debug:
    default: False
    type: boolean
    description: Enable debug mode
  global_quiet:
    default: False
    type: boolean
    description: Enable quiet mode
  global_spread_checks:
    default: 0
    type: int
    description: |
      Sometimes it is desirable to avoid sending health checks to servers at
      exact intervals, for instance when many logical servers are located on
      the same physical server. With the help of this parameter, it becomes
      possible to add some randomness in the check interval between 0 and
      +/- 50%. A value between 2 and 5 seems to show good results.
  global_stats_socket:
    default: False
    type: boolean
    description: |
      Whether to enable the stats UNIX socket.
  global_default_dh_param:
    default: 2048
    type: int
    description: |
      Sets the maximum size of the Diffie-Hellman parameters used for generating
      the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange.
      The default value is 2048; higher values will increase the CPU load. Values
      greater than 1024 bits are not supported by Java 7 and earlier clients. This
      config key will be ignored if the installed haproxy package has no SSL support.
  global_default_bind_ciphers:
    default: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    type: string
    description: |
      Sets the default string describing the list of cipher algorithms
      ("cipher suite") that are negotiated during the SSL/TLS handshake for
      all "bind" lines which do not explicitly define theirs. The format of
      the string is defined in "man 1 ciphers" from the OpenSSL man pages, and
      can be for instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
      (without quotes). Please check the "bind" keyword for more information.
      This config key will be ignored if the installed haproxy package has no SSL
      support.
  global_default_bind_options:
    default: ""
    type: string
    description: |
      Sets the default string describing the list of global SSL bind options.
      Use this to force or disable certain protocols like TLS 1.0 or SSL 3.0.
  default_log:
    default: "global"
    type: string
    description: Default log
  default_mode:
    default: "http"
    type: string
    description: Default mode
  default_options:
    default: "httplog, dontlognull"
    type: string
    description: Default options
  default_retries:
    default: 3
    type: int
    description: |
      Set the number of retries to perform on a server after a connection
      failure. It is important to understand that this value applies to the
      number of connection attempts, not full requests. Once a connection
      has effectively been established to a server, there will be no more
      retries.
      In order to avoid immediate reconnections to a server which is
      restarting, a turn-around timer of 1 second is applied before a retry
      occurs.
  default_timeouts:
    default: "queue 20000, client 50000, connect 5000, server 50000"
    type: string
    description: Default timeouts
  logrotate_config:
    default: ""
    type: string
    description: |
      Override the package logrotate configuration.
      .
      Warning: Setting this value back to the empty string will leave the previous config in place on disk.
      .
      Example value:
      .
        /var/log/haproxy.log {
          weekly
          rotate 52
          missingok
          notifempty
          compress
          delaycompress
          postrotate
            invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
          endscript
        }
      .
  enable_monitoring:
    default: False
    type: boolean
    description: Enable monitoring
  monitoring_port:
    default: 10000
    type: int
    description: Default monitoring port
  monitoring_allowed_cidr:
    default: "127.0.0.1/32"
    type: string
    description: |
      CIDRs allowed to access the monitoring interface (multiple CIDRs
      separated by spaces).
  monitoring_username:
    default: "haproxy"
    type: string
    description: Monitoring username
  monitoring_password:
    default: "changeme"
    type: string
    description: |
      Password for the monitoring interface (if left at "changeme", a new
      password will be generated and displayed in juju-log).
  monitoring_stats_refresh:
    default: 3
    type: int
    description: Monitoring interface refresh interval (in seconds)
  package_status:
    default: "install"
    type: "string"
    description: |
      The status of service-affecting packages will be set to this value in the dpkg database.
      Useful valid values are "install" and "hold".
  services:
    default: |
      - service_name: haproxy_service
        service_host: "0.0.0.0"
        service_port: 80
        service_options: [balance leastconn, cookie SRVNAME insert]
        server_options: maxconn 100 cookie S{i} check
    type: string
    description: |
      Services definition(s). Although the variable type is a string, this is
      interpreted by the charm as YAML. To use multiple services within the
      same haproxy instance, specify all of the variables (service_name,
      service_host, service_port, service_options, server_options) with a "-"
      before the first variable, service_name, as above. service_options is a
      comma-separated list; server_options is appended as a string to each
      server line of the given listen stanza.
      If your web application serves dynamic content based on users' login
      sessions, a visitor will experience unexpected behaviour if each request
      is proxied to a different backend web server. Session stickiness ensures
      that a visitor 'sticks' to the backend web server which served their
      first request. This is made possible by tagging each backend server
      with a cookie. Sessions are sticky by default. To turn off sticky sessions,
      remove the 'cookie SRVNAME insert' and 'cookie S{i}' stanzas from
      `service_options` and `server_options`.
  userlists:
    default: ""
    type: string
    description: |
      Userlists control access to services or stats by allowing
      only authenticated users.
      .
      For example:
      .
        - list1:
            groups:
              - G1 users tiger,scott
              - G2 users xdb,scott
            users:
              - tiger password $6$k6y3o.eP$JlKBx9z...
              - scott insecure-password elgato
              - xdb insecure-password hello
        - list2:
            groups:
              - group1
            users:
              - alice insecure-password foo groups group1
              - bob insecure-password bar groups group1
      .
      See http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#3.4
  nagios_servicegroups:
    default: ""
    type: string
    description: |
      A comma-separated list of nagios servicegroups.
      If left empty, the nagios_context will be used as the servicegroup.
  ssl_cert:
    type: string
    description: |
      Base64-encoded default SSL certificate. If the keyword 'SELFSIGNED'
      is used, the certificate and key will be autogenerated as
      self-signed. This is the certificate used by services configured
      using the keyword 'DEFAULT' as their SSL certificate. This config key
      will be ignored if the installed haproxy package has no SSL support.
    default: ""
  ssl_key:
    type: string
    description: |
      Base64-encoded private key for the default SSL certificate. If ssl_cert
      is specified as SELFSIGNED or the installed haproxy package has no SSL
      support, this will be ignored.
    default: ""
  sysctl:
    default: ""
    type: string
    description: >
      YAML-formatted list of sysctl values, e.g.:
      '{ net.ipv4.tcp_max_syn_backlog : 65536 }'
  nagios_context:
    default: "juju"
    type: string
    description: |
      Used by the nrpe-external-master subordinate charm.
      A string that will be prepended to the instance name to set the host name
      in nagios. So for instance the hostname would be something like:
        juju-postgresql-0
      If you're running multiple environments with the same services in them,
      this allows you to differentiate between them.
  metrics_target:
    default: ""
    type: string
    description: |
      Destination for statsd-format metrics, in the format "host:port". If
      absent or invalid, metrics are disabled. Requires "enable_monitoring"
      to be set to true to work.
  metrics_prefix:
    default: "dev.$UNIT.haproxy"
    type: string
    description: |
      Prefix for metrics. The special value $UNIT can be used to include the
      name of the unit in the prefix.
  metrics_sample_interval:
    default: 5
    type: int
    description: Period for the metrics cron job to run, in minutes
  source:
    default: ""
    type: string
    description: |
      Optional configuration to support use of additional sources such as:
      .
        - ppa:myteam/ppa
        - cloud:precise-proposed/folsom
        - http://my.archive.com/ubuntu main
      .
      The last option should be used in conjunction with the key configuration
      option.
  key:
    default: ""
    type: string
    description: |
      Key ID to import to the apt keyring to support use with arbitrary source
      configuration from outside of Launchpad archives or PPAs.
  peering_mode:
    default: "active-passive"
    type: string
    description: |
      Possible values: "active-passive", "active-active". This is only used
      if several units are spawned. In "active-passive" mode, all the units will
      forward traffic to the first working haproxy unit, which will then forward it
      to the configured backends. In "active-active" mode, each unit will proxy the
      traffic directly to the backends. The "active-passive" mode gives better
      control of the maximum number of connections that will be opened to a backend server.
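As an added example (not part of the charm), the following Python lint reads the charm's option values as a dict, the way Juju hands them to hooks after applying the defaults above, and flags the settings on this page that weaken the deployment: a monitoring CIDR that admits any source, a monitoring password left at "changeme" (the generated replacement is written to juju-log), DHE parameters under 2048 bits, bind options that do not disable SSLv3/TLSv1.0, weak suites left enabled in the cipher string, and cleartext `insecure-password` entries in userlists. The sample config values are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample of option values after Juju applies config.yaml defaults.
SAMPLE_CONFIG = {
    "enable_monitoring": True,
    "monitoring_allowed_cidr": "127.0.0.1/32 0.0.0.0/0",
    "monitoring_password": "changeme",
    "global_default_dh_param": 1024,
    "global_default_bind_options": "",
    "global_default_bind_ciphers": "ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!RC4:!aNULL",
    "userlists": "- list1:\n    users:\n      - scott insecure-password elgato\n",
}

# Constructed sample with the same keys set to hardened values.
CLEAN_CONFIG = {
    "enable_monitoring": False,
    "global_default_dh_param": 2048,
    "global_default_bind_options": "no-sslv3 no-tlsv10",
    "global_default_bind_ciphers": "ECDHE-RSA-AES128-GCM-SHA256:!aNULL",
    "userlists": "",
}

# Cipher-suite name fragments that mark a suite as weak when it is not negated with "!".
WEAK_SUITE = re.compile(r"DES-CBC3|RC4|NULL|EXPORT|MD5")


def lint_config(cfg):
    """Return a list of (option_name, message) findings for risky settings."""
    findings = []
    if cfg.get("enable_monitoring"):
        for cidr in cfg.get("monitoring_allowed_cidr", "").split():
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(("monitoring_allowed_cidr", f"{cidr} admits every source address"))
        if cfg.get("monitoring_password") == "changeme":
            findings.append(("monitoring_password", "left at 'changeme': generated password is written to juju-log"))
    if int(cfg.get("global_default_dh_param", 2048)) < 2048:
        findings.append(("global_default_dh_param", "DHE parameters shorter than 2048 bits"))
    bind_opts = cfg.get("global_default_bind_options", "").split()
    for opt in ("no-sslv3", "no-tlsv10"):  # haproxy bind options that disable a protocol
        if opt not in bind_opts:
            findings.append(("global_default_bind_options", f"{opt} not set"))
    for suite in cfg.get("global_default_bind_ciphers", "").split(":"):
        if suite and not suite.startswith("!") and WEAK_SUITE.search(suite):
            findings.append(("global_default_bind_ciphers", f"weak suite enabled: {suite}"))
    if "insecure-password" in cfg.get("userlists", ""):
        findings.append(("userlists", "cleartext insecure-password entries present"))
    return findings


if __name__ == "__main__":
    for option, message in lint_config(SAMPLE_CONFIG):
        print(f"{option}: {message}")
```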