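# Default attributes for the gitlab-haproxy cookbook.
#
# Everything here sits at `default` precedence and is expected to be overridden
# per role / per environment. Security-relevant knobs (TLS policy, health-check
# certificate verification, listener bind addresses, the stats password,
# Cloudflare origin pull) are commented inline. The HAProxy templates that
# consume these attributes are not part of this file, so remarks about how a
# value is rendered are the reviewer's reading of the attribute name and should
# be confirmed against the templates before being relied on.

default['gitlab-haproxy']['major-version'] = 'haproxy-1.8'

### Save HAProxy state on reload
default['gitlab-haproxy']['systemd_service_overrides']['enable'] = true
# Drain window before a reload; the systemd stop timeout is derived from it with
# 25% headroom so systemd does not SIGKILL a process that is still draining.
default['gitlab-haproxy']['drain_time_seconds'] = 600
default['gitlab-haproxy']['systemd_timeout_stop_seconds'] = (node['gitlab-haproxy']['drain_time_seconds'] * 1.25).to_i

# Secrets are fetched from chef-vault by default (presumably TLS material and the
# admin password — see the recipe for what is actually read from this item).
default['gitlab-haproxy']['secrets']['backend'] = 'chef_vault'
default['gitlab-haproxy']['secrets']['path'] = 'gitlab-cluster-base'
default['gitlab-haproxy']['secrets']['key'] = '_default'

# Custom 503 page. The subtitle is rendered as HTML (it carries a link), so it
# must never contain anything derived from the request.
default['gitlab-haproxy']['errors']['503']['title'] = 'An internal server error occurred.'
default['gitlab-haproxy']['errors']['503']['subtitle'] = 'Please see our <a href="https://status.gitlab.com">status page</a> for more information.'

### TLS policy applied to every `bind` line
# NOTE(review): the trailing `!3DES` permanently removes the two 3DES suites
# listed earlier (ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA) — OpenSSL cipher-string
# semantics make those entries dead, so they can be dropped without changing the
# negotiated set. The non-ECDHE `AES*` suites at the tail of the list provide no
# forward secrecy and exist only for legacy clients; revisit once client data
# allows removing them.
default['gitlab-haproxy']['global']['ssl-default-bind-ciphers'] = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES'
# TLS 1.0 and 1.1 are disabled, making TLS 1.2 the effective minimum. HAProxy 1.8
# also accepts `ssl-min-ver TLSv1.2`, which states the intent more directly.
default['gitlab-haproxy']['global']['ssl-default-bind-options'] = 'no-tlsv10 no-tlsv11'

### Multithreading configuration #####
#   `nbthread` creates <number> threads for each HAProxy process. This uses one
#   thread per logical CPU as reported by Ohai rather than a fixed number.
#   NOTE(review): HAProxy 1.8 has a hard upper bound on nbthread (64 on 64-bit
#   builds, as far as the reviewer recalls — confirm for the packaged build);
#   a host with more CPUs than that will fail config validation, so clamp this
#   in a role if such hardware appears.
default['gitlab-haproxy']['global']['nbthread'] = node['cpu']['total']
######################################

# https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-hard-stop-after
# Kill connections that remain open when HAProxy receives a SIGUSR1. This
# prevents persistent TCP connections from keeping old haproxy processes
# lingering for a long time after a reload. Note that 5m is shorter than
# drain_time_seconds (600s) above; nothing in this file ties the two together,
# so confirm the reload flow's ordering before changing either value.
default['gitlab-haproxy']['global']['hard-stop']['enable'] = true
default['gitlab-haproxy']['global']['hard-stop']['timeout'] = '5m'

# Layer-4 checks rendered for each backend when `tcp_check_enable` is set.
default['gitlab-haproxy']['global']['tcp_checks'] =
  [
    {
      'port' => '8083',
      'path' => '/readiness',
    },
    {
      'port' => '443',
      'ssl' => true,
      'path' => '/-/health',
    },
  ]

# Timeouts. Bare numbers are interpreted by HAProxy as milliseconds; suffixed
# values carry their own unit.
default['gitlab-haproxy']['delay_speed_ms'] = '1000'
default['gitlab-haproxy']['timeout_connect'] = '5000'
default['gitlab-haproxy']['timeout_check'] = '30000'
default['gitlab-haproxy']['timeout_server_ssh'] = '2h'
default['gitlab-haproxy']['timeout_server_camoproxy'] = '10s'
default['gitlab-haproxy']['timeout_client_fin'] = '5s'
default['gitlab-haproxy']['timeout_server_fin'] = '5s'
default['gitlab-haproxy']['timeout_tunnel'] = '8s'

# Bind addresses. Both default to every interface. `api_address` is presumably
# the stats/admin listener and `admin_password` has no default, so a role MUST
# supply a password (or restrict `api_address` to a management interface)
# before a host with a public interface converges. The template that consumes
# these is not in this file — confirm what it renders when the password is nil.
default['gitlab-haproxy']['listen_address'] = '0.0.0.0'
default['gitlab-haproxy']['timeout_client'] = '90s'
default['gitlab-haproxy']['timeout_server'] = '1h'
default['gitlab-haproxy']['admin_password'] = nil
default['gitlab-haproxy']['api_address'] = '0.0.0.0'
default['gitlab-haproxy']['maxconn'] = '20000'

#####################################################################
#
# Fe lb configuration, gitlab.com port 443, 80, 22
# this is named "frontend" not to be confused with
# frontends in the HAProxy configuration file
#
#####################################################################

# Deny/allow lists, populated per role. Treat the whitelists as trusted-network
# definitions: anything listed bypasses the corresponding restriction.
default['gitlab-haproxy']['frontend']['blacklist']['uri'] = {}
default['gitlab-haproxy']['frontend']['whitelist']['internal'] = {}
default['gitlab-haproxy']['frontend']['whitelist']['api'] = {}

default['gitlab-haproxy']['frontend']['peers']['servers'] = {}
default['gitlab-haproxy']['frontend']['api']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['frontend']['api']['httpchk_path'] = '/-/health'
default['gitlab-haproxy']['frontend']['api']['servers'] = {}
default['gitlab-haproxy']['frontend']['api']['rate_limit_http_rate_per_minute'] = '600'
# `check-ssl` without an explicit `verify` inherits HAProxy's global
# `ssl-server-verify` setting, which this file does not set — confirm in the
# template whether backend certificates are actually verified.
default['gitlab-haproxy']['frontend']['api']['check_opts'] = 'check-ssl'
default['gitlab-haproxy']['frontend']['api']['tcp_check_enable'] = false
default['gitlab-haproxy']['frontend']['https_git']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['frontend']['https_git']['httpchk_path'] = '/-/health'
default['gitlab-haproxy']['frontend']['https_git']['check_opts'] = 'check-ssl'
default['gitlab-haproxy']['frontend']['https_git']['tcp_check_enable'] = false
default['gitlab-haproxy']['frontend']['https_git']['servers'] = {}
default['gitlab-haproxy']['frontend']['https']['custom_config'] = nil
# Per-source connection rate limiting on the HTTPS frontend. Addresses in
# `rate_limit_whitelist` are exempt, so keep that list to trusted infrastructure.
default['gitlab-haproxy']['frontend']['https']['rate_limit_frontend_port'] = '4444'
default['gitlab-haproxy']['frontend']['https']['rate_limit_sessions_per_second'] = '10'
default['gitlab-haproxy']['frontend']['https']['rate_limit_whitelist'] = '127.0.0.1'
default['gitlab-haproxy']['frontend']['https']['extra_bind_port'] = nil

default['gitlab-haproxy']['frontend']['ssh']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['frontend']['ssh']['httpchk_path'] = '/-/health'
# NOTE(review): the SSH backend's health is probed over HTTPS on 443 with
# `verify none`, i.e. the backend certificate is not checked. A host that can
# answer on the check path with any certificate will be marked UP, so this is
# only acceptable while check traffic stays on a trusted network; prefer
# `verify required ca-file ...` where a CA for the backends is available.
default['gitlab-haproxy']['frontend']['ssh']['check_opts'] = 'check-ssl port 443 verify none'
default['gitlab-haproxy']['frontend']['ssh']['tcp_check_enable'] = false
default['gitlab-haproxy']['frontend']['ssh']['port'] = '22'
default['gitlab-haproxy']['frontend']['ssh']['servers'] = {}
default['gitlab-haproxy']['frontend']['ssh']['custom_config'] = []

default['gitlab-haproxy']['frontend']['web']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['frontend']['web']['httpchk_path'] = '/-/health'
default['gitlab-haproxy']['frontend']['web']['check_opts'] = 'check-ssl'
default['gitlab-haproxy']['frontend']['web']['tcp_check_enable'] = false
# Content-Security-Policy added at the edge. The leading space is presumably
# required by how the template concatenates the header value — confirm before
# trimming it. `default-src 'self'` is a sensible restrictive baseline.
default['gitlab-haproxy']['frontend']['web']['content_security_policy_enabled'] = true
default['gitlab-haproxy']['frontend']['web']['content_security_policy'] = " default-src 'self';"
# Access control headers disabled because of https://gitlab.com/gitlab-com/gl-infra/production/issues/724
default['gitlab-haproxy']['frontend']['web']['access_control_allow_headers']['enable'] = false
default['gitlab-haproxy']['frontend']['web']['access_control_allow_headers']['headers'] = ' X-Requested-With'
default['gitlab-haproxy']['frontend']['web']['servers'] = {}

default['gitlab-haproxy']['frontend']['canary_web']['content_security_policy_enabled'] = true
default['gitlab-haproxy']['frontend']['canary_web']['content_security_policy'] = " default-src 'self';"
default['gitlab-haproxy']['frontend']['websockets']['servers'] = {}
default['gitlab-haproxy']['frontend']['websockets']['check_opts'] = 'check-ssl'
default['gitlab-haproxy']['frontend']['websockets']['tcp_check_enable'] = false
default['gitlab-haproxy']['frontend']['websockets']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['frontend']['websockets']['httpchk_path'] = '/-/health'
default['gitlab-haproxy']['frontend']['api_rate_limit']['custom_config'] = []
default['gitlab-haproxy']['frontend']['api_rate_limit']['enforced'] = true
default['gitlab-haproxy']['frontend']['default_check_opts'] = 'inter 3s fastinter 1s downinter 5s fall 3'
# Asset proxy towards object storage, disabled by default.
# NOTE(review): `ssl verify none` means traffic to `server` (a public endpoint
# reached over the Internet) is encrypted but the peer is not authenticated.
# If this is ever enabled, switch to `verify required` with the system CA
# bundle; the destination uses a publicly trusted certificate.
default['gitlab-haproxy']['frontend']['asset_proxy']['enable'] = false
default['gitlab-haproxy']['frontend']['asset_proxy']['httpchk_path'] = '/info'
default['gitlab-haproxy']['frontend']['asset_proxy']['host'] = 'example.com'
default['gitlab-haproxy']['frontend']['asset_proxy']['server'] = 'storage.googleapis.com'
default['gitlab-haproxy']['frontend']['asset_proxy']['opts'] = 'check check-ssl inter 2s fastinter 1s downinter 5s fall 3 ssl verify none'
# Weighted balancing is opt-in; when enabled, canary backends start at weight 0
# so no production traffic reaches them until a role raises the weight.
default['gitlab-haproxy']['frontend']['use_weights'] = false

default['gitlab-haproxy']['frontend']['web']['default_weight'] = '100'
default['gitlab-haproxy']['frontend']['api']['default_weight'] = '100'
default['gitlab-haproxy']['frontend']['ssh']['default_weight'] = '100'
default['gitlab-haproxy']['frontend']['ssh']['server_port'] = '22'
default['gitlab-haproxy']['frontend']['ssh']['balance'] = 'source'
default['gitlab-haproxy']['frontend']['https_git']['default_weight'] = '100'
default['gitlab-haproxy']['frontend']['websockets']['default_weight'] = '100'

default['gitlab-haproxy']['frontend']['canary_web']['enable'] = true
default['gitlab-haproxy']['frontend']['canary_api']['enable'] = true
default['gitlab-haproxy']['frontend']['canary_https_git']['enable'] = true
default['gitlab-haproxy']['frontend']['canary_registry']['enable'] = true
default['gitlab-haproxy']['frontend']['canary_web']['default_weight'] = '0'
default['gitlab-haproxy']['frontend']['canary_api']['default_weight'] = '0'
default['gitlab-haproxy']['frontend']['canary_ssh']['default_weight'] = '0'
default['gitlab-haproxy']['frontend']['canary_https_git']['default_weight'] = '0'
default['gitlab-haproxy']['frontend']['canary_websockets']['default_weight'] = '0'

default['gitlab-haproxy']['frontend']['canary_web']['servers'] = {}
default['gitlab-haproxy']['frontend']['canary_api']['servers'] = {}
default['gitlab-haproxy']['frontend']['canary_ssh']['servers'] = {}
default['gitlab-haproxy']['frontend']['canary_https_git']['servers'] = {}
default['gitlab-haproxy']['frontend']['canary_websockets']['servers'] = {}

default['gitlab-haproxy']['frontend']['canary_request_path']['path_list'] = []

# Redirect of `/` for visitors without a session cookie. 301 responses are
# cached by browsers; use 302/307 while experimenting with the target.
default['gitlab-haproxy']['frontend']['root_page_redirect']['enable'] = false
default['gitlab-haproxy']['frontend']['root_page_redirect']['url'] = 'https://about.gitlab.com'
default['gitlab-haproxy']['frontend']['root_page_redirect']['session_cookie'] = '_gitlab_session'
default['gitlab-haproxy']['frontend']['root_page_redirect']['status_code'] = '301'

# NOTE(review): origin pull (client-certificate authentication of Cloudflare's
# edge) is what stops clients from bypassing Cloudflare and hitting this LB
# directly. It is off by default here; a role that sets
# `['cloudflare']['enable'] = true` should enable this as well, otherwise edge
# protections (WAF, rate limits) can be sidestepped. Exact rendering lives in
# the template — confirm there.
default['gitlab-haproxy']['frontend']['enforce_cloudflare_origin_pull'] = false

# Servers for HAProxy backends, defaulted to legacy server configuration that can
# be removed once https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/9766
# is complete. These read `node[...]` so that role/environment overrides of the
# legacy keys are picked up at attribute-compile time.

default['gitlab-haproxy']['frontend']['backend']['servers']['default']['api'] = node['gitlab-haproxy']['frontend']['api']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['https_git'] = node['gitlab-haproxy']['frontend']['https_git']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['ssh'] = node['gitlab-haproxy']['frontend']['ssh']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['web'] = node['gitlab-haproxy']['frontend']['web']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['websockets'] = node['gitlab-haproxy']['frontend']['websockets']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['canary_web'] = node['gitlab-haproxy']['frontend']['canary_web']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['canary_websockets'] = node['gitlab-haproxy']['frontend']['canary_websockets']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['canary_api'] = node['gitlab-haproxy']['frontend']['canary_api']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['canary_ssh'] = node['gitlab-haproxy']['frontend']['canary_ssh']['servers']
default['gitlab-haproxy']['frontend']['backend']['servers']['default']['canary_https_git'] = node['gitlab-haproxy']['frontend']['canary_https_git']['servers']
# Essential backends must have at least one server, otherwise the chef-run will fail
default['gitlab-haproxy']['frontend']['backend']['essential'] = %w(api https_git ssh web websockets)

#####################################################################
#
# ALTSSH lb configuration, gitlab.com git-ssh on port 443
#
#####################################################################

default['gitlab-haproxy']['altssh']['custom_config'] = nil
default['gitlab-haproxy']['altssh']['servers'] = {}
default['gitlab-haproxy']['altssh']['balance'] = 'source'

# Servers for HAProxy backends, defaulted to legacy server configuration that can
# be removed once https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/9766
# is complete

default['gitlab-haproxy']['altssh']['backend']['servers']['default']['altssh'] = node['gitlab-haproxy']['altssh']['servers']
# Essential backends must have at least one server, otherwise the chef-run will fail
default['gitlab-haproxy']['altssh']['backend']['essential'] = %w(altssh)

#####################################################################
#
# Pages lb configuration, *.gitlab.io port 443 and 80
#
#####################################################################

default['gitlab-haproxy']['pages']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['pages']['httpchk_path'] = '/-/readiness'
default['gitlab-haproxy']['pages']['http_custom_config'] = nil
default['gitlab-haproxy']['pages']['https_custom_config'] = nil
default['gitlab-haproxy']['pages']['servers'] = {}
default['gitlab-haproxy']['pages']['http_backend_listen_port'] = 1080
default['gitlab-haproxy']['pages']['https_backend_listen_port'] = 1443
# Per-domain blocking for abusive Pages sites; off unless a role enables it.
default['gitlab-haproxy']['pages']['enable_domain_blacklisting'] = false

# Servers for HAProxy backends, defaulted to legacy server configuration that can
# be removed once https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/9766
# is complete

default['gitlab-haproxy']['pages']['backend']['servers']['default']['pages'] = node['gitlab-haproxy']['pages']['servers']
# Essential backends must have at least one server, otherwise the chef-run will fail
default['gitlab-haproxy']['pages']['backend']['essential'] = %w(pages)

#####################################################################
#
# Registry lb configuration, registry.gitlab.com port 443 and 80
#
#####################################################################

default['gitlab-haproxy']['registry']['servers'] = {}
default['gitlab-haproxy']['canary_registry']['servers'] = {}
default['gitlab-haproxy']['canary_registry']['default_weight'] = '0'
default['gitlab-haproxy']['registry']['peers']['servers'] = {}
default['gitlab-haproxy']['registry']['custom_config'] = nil
default['gitlab-haproxy']['registry']['backend_port'] = '5000'
default['gitlab-haproxy']['registry']['httpchk_host'] = 'registry.gitlab.com'
default['gitlab-haproxy']['registry']['httpchk_path'] = '/debug/health'
# Health is probed on the registry's debug port (5001), not the serving port.
default['gitlab-haproxy']['registry']['default_check_opts'] = 'inter 2s fastinter 1s downinter 5s fall 3 port 5001'
default['gitlab-haproxy']['registry']['use_weights'] = true
default['gitlab-haproxy']['registry']['default_weight'] = '100'

# See the note on the frontend's `enforce_cloudflare_origin_pull` above.
default['gitlab-haproxy']['registry']['enforce_cloudflare_origin_pull'] = false

default['gitlab-haproxy']['registry']['backend']['servers']['default']['registry'] = node['gitlab-haproxy']['registry']['servers']
default['gitlab-haproxy']['registry']['backend']['servers']['default']['canary_registry'] = node['gitlab-haproxy']['canary_registry']['servers']
# Essential backends must have at least one server, otherwise the chef-run will fail
default['gitlab-haproxy']['registry']['backend']['essential'] = %w(registry)

default['gitlab-haproxy']['camoproxy']['server_port'] = 8080
default['gitlab-haproxy']['camoproxy']['httpchk_path'] = '/status'

default['gitlab-haproxy']['cloudflare']['enable'] = false

default['gitlab-haproxy']['close_client_connections'] = false

###### CI Configuration
default['gitlab-haproxy']['ci']['backend']['essential'] = %w(api https_git)
default['gitlab-haproxy']['ci']['backend']['servers']['default']['api'] = {}
default['gitlab-haproxy']['ci']['backend']['servers']['default']['https_git'] = {}
default['gitlab-haproxy']['ci']['backend']['servers']['default']['canary_api'] = {}
default['gitlab-haproxy']['ci']['backend']['servers']['default']['canary_https_git'] = {}
default['gitlab-haproxy']['ci']['default_check_opts'] = 'inter 3s fastinter 1s downinter 5s fall 3'
default['gitlab-haproxy']['ci']['api']['check_opts'] = 'check-ssl'
default['gitlab-haproxy']['ci']['https_git']['check_opts'] = 'check-ssl'

# This will add a duplicate fallback_* backend for git and api with identical configuration.
# When this is enabled, a request that failed matching will be routed to those backends.
# This is designed to be a quick-fix during an incident instead of a permanent setting.
default['gitlab-haproxy']['ci']['enable_fallback'] = false

default['gitlab-haproxy']['ci']['use_weights'] = true
default['gitlab-haproxy']['ci']['default_weight'] = '100'

default['gitlab-haproxy']['ci']['canary_api']['enable'] = true
default['gitlab-haproxy']['ci']['canary_https_git']['enable'] = true
default['gitlab-haproxy']['ci']['api']['default_weight'] = '100'
default['gitlab-haproxy']['ci']['https_git']['default_weight'] = '100'
default['gitlab-haproxy']['ci']['canary_api']['default_weight'] = '0'
default['gitlab-haproxy']['ci']['canary_https_git']['default_weight'] = '0'

default['gitlab-haproxy']['ci']['api']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['ci']['api']['httpchk_path'] = '/-/health'
default['gitlab-haproxy']['ci']['https_git']['httpchk_host'] = 'gitlab.com'
default['gitlab-haproxy']['ci']['https_git']['httpchk_path'] = '/-/health'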