Playbook #2
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml
Execution
Date 08 Dec 2025 13:27:39 +0000
Duration 00:05:33.94
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.3
Summary
2 Hosts
316 Tasks
313 Results
18 Plays
136 Files
0 Records
check:False tags:all

File: /home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/group_vars/horizon_all/haproxy_service.yml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# special haproxy stick table for horizon
# returns 429 when more than 20 calls to /auth per 10 second window
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_horizon_stick_table:
  - "stick-table  type ipv6  size 256k  expire 10s  store http_req_rate(10s),http_err_rate(10s)"
  - "http-request track-sc0 src"
  - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
  - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"

horizon_webroot: "{{ (groups['skyline_all'] | default([])) | ternary('/horizon', '/') }}"

haproxy_horizon_service:
  haproxy_backend_only: true    #only describe the backends, frontend is in `base` via haproxy_all group vars
  haproxy_service_name: horizon
  haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
  haproxy_backend_port: "{{ (horizon_backend_ssl | default(openstack_service_backend_ssl)) | ternary(443, 80) }}"
  haproxy_balance_type: http
  haproxy_balance_alg: source
  haproxy_backend_httpcheck_options:
    - 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri {{ horizon_webroot.rstrip("/") }}/auth/login/'
  haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
  haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
  haproxy_map_entries:
    - name: base_regex
      order: 98
      #match any requests to the horizon backend
      entries:
        - "{{ horizon_webroot }} horizon-back"

horizon_haproxy_services:
  - "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"