对齐文件规范

2026-03-27 16:58:41 +08:00
parent 231b6713c4
commit 31709425e2
235 changed files with 5433 additions and 2850 deletions
--- a/ansible/files/01-07/haproxy-http.cfg
+++ b/ansible/files/01-07/haproxy-http.cfg
@@ -0,0 +1,38 @@
+# 01-07 HAProxy - 3.2 HTTP 健康检查（80 明文）
+# backend k3s_http 增加 option httpchk GET /
+# 文档：docs/01-07-openwrt-haproxy.md 第 3.2 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    option httpchk GET /
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode tcp
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check
--- a/ansible/files/01-07/haproxy-https.cfg
+++ b/ansible/files/01-07/haproxy-https.cfg
@@ -0,0 +1,41 @@
+# 01-07 HAProxy - 3.4 HTTPS 健康检查（443 应用层，HAProxy 终结 TLS，由 HAProxy 提供证书）
+# frontend 需 bind *:443 ssl，backend mode http 连 K3s:443 做 HTTP over TLS 检查
+# 将 your-ingress.example.com 改为实际 Host；将 /etc/ssl/haproxy.pem 改为实际证书路径
+# 自签/内网 CA 用 verify none，生产建议 ca-file
+# 文档：docs/01-07-openwrt-haproxy.md 第 3.4 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443 ssl crt /etc/ssl/haproxy.pem
+    mode http
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode http
+    option httpchk GET / HTTP/1.1\r\nHost:\ your-ingress.example.com
+    default-server ssl verify none
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check
--- a/ansible/files/01-07/haproxy-no-check.cfg
+++ b/ansible/files/01-07/haproxy-no-check.cfg
@@ -0,0 +1,38 @@
+# 01-07 OpenWrt HAProxy 负载均衡 - 原生最简（无健康检查）
+# 文档：docs/01-07-openwrt-haproxy.md 第 2 节
+# 将 192.168.2.61～64 按实际 K3s 节点 IP 修改
+# 如需健康检查，见第 3 节对应 cfg
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80
+    server ylc62 192.168.2.62:80
+    server ylc63 192.168.2.63:80
+    server ylc64 192.168.2.64:80
+
+backend k3s_https
+    mode tcp
+    balance roundrobin
+    server ylc61 192.168.2.61:443
+    server ylc62 192.168.2.62:443
+    server ylc63 192.168.2.63:443
+    server ylc64 192.168.2.64:443
--- a/ansible/files/01-07/haproxy-proxy-http-tls.cfg
+++ b/ansible/files/01-07/haproxy-proxy-http-tls.cfg
@@ -0,0 +1,39 @@
+# 01-07 HAProxy - 健康检查升级（HTTP+TLS）+ PROXY Protocol
+# 组合：k3s_http 用 option httpchk，k3s_https 用 ssl-hello-chk，均带 send-proxy-v2
+# 文档：docs/01-07-openwrt-haproxy.md 第 5 节「健康检查与 PROXY 组合」
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    option httpchk GET /
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check send-proxy-v2
+    server ylc62 192.168.2.62:80 check send-proxy-v2
+    server ylc63 192.168.2.63:80 check send-proxy-v2
+    server ylc64 192.168.2.64:80 check send-proxy-v2
+
+backend k3s_https
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check send-proxy-v2
+    server ylc62 192.168.2.62:443 check send-proxy-v2
+    server ylc63 192.168.2.63:443 check send-proxy-v2
+    server ylc64 192.168.2.64:443 check send-proxy-v2
--- a/ansible/files/01-07/haproxy-tls.cfg
+++ b/ansible/files/01-07/haproxy-tls.cfg
@@ -0,0 +1,38 @@
+# 01-07 HAProxy - 3.3 TLS 健康检查（443 握手，mode tcp）
+# backend k3s_https 增加 option ssl-hello-chk
+# 文档：docs/01-07-openwrt-haproxy.md 第 3.3 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check