Resource Type: opnsense_haproxy_frontend
- Defined in:
- lib/puppet/type/opnsense_haproxy_frontend.rb
Summary
Manage opnsense haproxy frontends
Overview
This type provides Puppet with the capabilities to manage opnsense haproxy frontends.
Examples:
opnsense_haproxy_frontend { 'webserver_frontend':
  device => 'opnsense-test.device.com',
  enabled => true,
  description => 'frontend for webserver',
  bind => '127.0.0.1:8080',
  bind_options => '',
  mode => 'http',
  default_backend => '',
  ssl_enabled => true,
  ssl_certificates => ['60cc4641eb577', '5eba6f0f352e3'],
  ssl_default_certificate => '60cc4641eb577',
  ssl_custom_options => '',
  ssl_advanced_enabled => true,
  ssl_bind_options => ['prefer-client-ciphers'],
  ssl_min_version => 'TLSv1.2',
  ssl_max_version => '',
  ssl_cipher_list => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256',
  ssl_cipher_suites => 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
  ssl_hsts_enabled => false,
  ssl_hsts_include_sub_domains => false,
  ssl_hsts_preload => false,
  ssl_hsts_max_age => '15768000',
  ssl_client_auth_enabled => false,
  ssl_client_auth_verify => 'required',
  ssl_client_auth_cas => [],
  ssl_client_auth_crls => [],
  basic_auth_enabled => false,
  basic_auth_users => [],
  basic_auth_groups => [],
  tuning_max_connections => '',
  tuning_timeout_client => '',
  tuning_timeout_http_req => '',
  tuning_timeout_http_keep_alive => '',
  linked_cpu_affinity_rules => [],
  logging_dont_log_null => false,
  logging_dont_log_normal => false,
  logging_log_separate_errors => false,
  logging_detailed_log => true,
  logging_socket_stats => false,
  stickiness_pattern => '',
  stickiness_data_types => [''],
  stickiness_expire => '30m',
  stickiness_size => '50k',
  stickiness_counter => true,
  stickiness_counter_key => 'src',
  stickiness_length => '',
  stickiness_conn_rate_period => '10s',
  stickiness_sess_rate_period => '10s',
  stickiness_http_req_rate_period => '10s',
  stickiness_http_err_rate_period => '10s',
  stickiness_bytes_in_rate_period => '1m',
  stickiness_bytes_out_rate_period => '1m',
  http2_enabled => false,
  http2_enabled_nontls => false,
  advertised_protocols => ['h2', 'http11'],
  forward_for => false,
  connection_behaviour => 'http-keep-alive',
  custom_options => '',
  linked_actions => [],
  linked_errorfiles => [],
  ensure => 'present',
}
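A TLS-focused variant of the example above, added here as an illustration and not taken from the module's own documentation: it turns on HSTS and required client-certificate authentication, and trims the documented default `ssl_cipher_list` to its AEAD (GCM and ChaCha20-Poly1305) entries. The resource title, description, port and the `<...>` CA/CRL identifiers are assumptions or placeholders; the device name and certificate id are reused from the example above.

```puppet
# Added example: properties not listed here keep the defaults documented below.
opnsense_haproxy_frontend { 'admin_portal_frontend':   # hypothetical title
  ensure                       => 'present',
  device                       => 'opnsense-test.device.com',
  enabled                      => true,
  description                  => 'mTLS-protected admin portal',  # hypothetical
  bind                         => '127.0.0.1:8443',               # hypothetical port
  mode                         => 'http',

  # Server certificate for SSL offloading (id reused from the example above).
  ssl_enabled                  => true,
  ssl_certificates             => ['60cc4641eb577'],
  ssl_default_certificate      => '60cc4641eb577',

  # Protocol floor and ciphers. The list is the documented default minus its
  # last two entries (ECDHE-ECDSA-AES256-SHA384 and ECDHE-ECDSA-AES128-SHA256),
  # which are CBC-mode suites; what remains is AEAD only.
  ssl_advanced_enabled         => true,
  ssl_min_version              => 'TLSv1.2',
  ssl_cipher_list              => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256',
  ssl_cipher_suites            => 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',

  # HSTS: set explicitly rather than relying on the default. Subdomain scope
  # and preload stay off because they extend the policy beyond this one host.
  ssl_hsts_enabled             => true,
  ssl_hsts_max_age             => '15768000',
  ssl_hsts_include_sub_domains => false,
  ssl_hsts_preload             => false,

  # Client-certificate authentication: a certificate is required, validated
  # against the selected CA and checked against the selected CRL.
  ssl_client_auth_enabled      => true,
  ssl_client_auth_verify       => 'required',
  ssl_client_auth_cas          => ['<client-ca-id>'],   # placeholder
  ssl_client_auth_crls         => ['<client-crl-id>'],  # placeholder

  # Keep the richer log format and log empty and normal connections too,
  # so handshake-only and successful sessions both leave a record.
  logging_detailed_log         => true,
  logging_dont_log_null        => false,
  logging_dont_log_normal      => false,

  # Cleartext HTTP/2 stays off; HTTP/2 is negotiated via ALPN over TLS only.
  http2_enabled                => true,
  http2_enabled_nontls         => false,
  advertised_protocols         => ['h2', 'http11'],
}
```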
Properties
-
advertised_protocols
(defaults to: ["h2"])
When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN.
-
basic_auth_enabled
Enable HTTP Basic Authentication.
-
basic_auth_groups
(defaults to: [])
Specify the uuids of the basic auth groups for this frontend.
-
basic_auth_users
(defaults to: [])
Specify the uuids of the basic auth users for this frontend.
-
bind
Configure listen addresses for this public service, e.g. 127.0.0.1:8080.
-
bind_options
A list of parameters that will be appended to every Listen Address line e.g. accept-proxy npn http/1.1.
-
connection_behaviour
(defaults to: http-keep-alive)
The HAProxy connection behaviour.
-
custom_options
(defaults to: '')
These lines will be added to the HAProxy frontend configuration.
-
default_backend
(defaults to: '')
Set the default backend pool to use for this public service.
-
description
The backend description.
-
enabled
(defaults to: true)
Enable or disable this frontend.
-
ensure
(defaults to: present)
Whether this resource should be present or absent on the target system.
-
forward_for
Enable insertion of the X-Forwarded-For header to requests sent to servers.
-
http2_enabled
Enable support for HTTP/2.
-
http2_enabled_nontls
Enable support for HTTP/2 even if TLS (SSL offloading) is not enabled.
-
linked_actions
(defaults to: [])
Choose uuid of rules to be included in this public service.
-
linked_cpu_affinity_rules
(defaults to: [])
Choose CPU affinity rules that should be applied to this public service.
-
linked_errorfiles
(defaults to: [])
Choose uuid of error messages to be included in this public service.
-
logging_detailed_log
Enable or disable verbose logging. Each log line turns into a much richer format.
-
logging_dont_log_normal
Enable or disable logging of normal, successful connections.
-
logging_dont_log_null
Enable or disable logging of connections with no data.
-
logging_log_separate_errors
Allow HAProxy to automatically raise log level for non-completely successful connections to aid debugging.
-
logging_socket_stats
Enable or disable collecting & providing separate statistics for each socket.
-
mode
(defaults to: http)
Set the running mode or protocol for this public service.
-
ssl_advanced_enabled
Enable or disable advanced SSL settings.
-
ssl_bind_options
(defaults to: ["prefer-client-ciphers"])
Used to enforce or disable certain SSL options.
-
ssl_certificates
(defaults to: [])
Select certificates to use for SSL offloading.
-
ssl_cipher_list
(defaults to: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256)
The default string describing the list of cipher algorithms (“cipher suite”) that are negotiated during the SSL/TLS handshake up to TLSv1.2.
-
ssl_cipher_suites
(defaults to: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256)
The default string describing the list of cipher algorithms (“cipher suite”) that are negotiated during the SSL/TLS handshake for TLSv1.3.
-
ssl_client_auth_cas
(defaults to: [])
Select CA certificates to use for client certificate authentication.
-
ssl_client_auth_crls
(defaults to: [])
Select CRLs to use for client certificate authentication.
-
ssl_client_auth_enabled
Enable client certificate authentication.
-
ssl_client_auth_verify
(defaults to: required)
If set to ‘optional’ or ‘required’, client certificate is requested.
-
ssl_custom_options
(defaults to: '')
Pass additional SSL parameters to the HAProxy configuration.
-
ssl_default_certificate
(defaults to: '')
This certificate will be presented if no SNI is provided by the client or if the client provides an SNI hostname which does not match any certificate.
-
ssl_enabled
Enable SSL offloading.
-
ssl_hsts_enabled
(defaults to: true)
Enable HTTP Strict Transport Security.
-
ssl_hsts_include_sub_domains
Enable or disable applying the HSTS policy to all present and future subdomains, so that they will be HTTPS as well.
-
ssl_hsts_max_age
(defaults to: 15768000)
Future requests to the domain should use only HTTPS for the specified time (in seconds).
-
ssl_hsts_preload
Enable if you would like this domain to be included in the HSTS preload list.
-
ssl_max_version
(defaults to: '')
Used to enforce or disable certain SSL options.
-
ssl_min_version
(defaults to: TLSv1.2)
Used to enforce or disable certain SSL options.
-
stickiness_bytes_in_rate_period
(defaults to: 1m)
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
-
stickiness_bytes_out_rate_period
(defaults to: 1m)
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
-
stickiness_conn_rate_period
(defaults to: 10s)
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
-
stickiness_counter
(defaults to: true)
Enable to be able to retrieve values from sticky counters.
-
stickiness_counter_key
(defaults to: src)
Describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters.
-
stickiness_data_types
(defaults to: [])
This is used to store additional information in the stick-table.
-
stickiness_expire
(defaults to: 30m)
This configures the maximum duration of an entry in the stick-table since it was last created, refreshed or matched. Valid suffixes d, h, m, s, ms.
-
stickiness_http_err_rate_period
(defaults to: 10s)
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
-
stickiness_http_req_rate_period
(defaults to: 10s)
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
-
stickiness_length
(defaults to: '')
Specify the maximum length for a value in the stick-table.
-
stickiness_pattern
(defaults to: '')
Choose the type of data that should be stored in this stick-table.
-
stickiness_sess_rate_period
(defaults to: 10s)
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
-
stickiness_size
(defaults to: 50k)
This configures the maximum number of entries that can fit in the table. Valid suffixes k, m, g.
-
tuning_max_connections
(defaults to: '')
Set the maximum number of concurrent connections for this public service.
-
tuning_shards
(defaults to: '')
Creates the specified number of listeners for every IP:port combination and evenly distributes them among available threads.
-
tuning_timeout_client
(defaults to: '')
Set the maximum inactivity time on the client side. Defaults to milliseconds. Valid suffixes d, h, m, s, ms, us
-
tuning_timeout_http_keep_alive
(defaults to: '')
Set the maximum allowed time to wait for a new HTTP request to appear. Defaults to milliseconds. Valid suffixes d, h, m, s, ms, us
-
tuning_timeout_http_req
(defaults to: '')
Set the maximum allowed time to wait for a complete HTTP request. Defaults to milliseconds. Valid suffixes d, h, m, s, ms, us
-
uuid
The uuid of the frontend.
Parameters
-
device (namevar)
The name of the opnsense_device type you want to manage.
-
name (namevar)
The name of the resource you want to manage.