-
Notifications
You must be signed in to change notification settings - Fork 5
/
haproxy-all.cfg
166 lines (138 loc) · 6.8 KB
/
haproxy-all.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
#
# This is the ultimate HAProxy 2.0 "Getting Started" config
# It demonstrates many of the features available which are now available
# While you may not need all of these things, this can serve
# as a reference for your own configurations.
#
# Have questions? Check out our community Slack:
# https://slack.haproxy.org/
#
global
# master-worker required for `program` section
# enable here or start with -Ws
master-worker
mworker-max-reloads 3
# enable core dumps
set-dumpable
user haproxy
group haproxy
log stdout local0
stats socket *:9999 level admin expose-fd listeners
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
mode http
log global
timeout client 5s
timeout server 5s
timeout connect 5s
option redispatch
option httplog
program dataplane-api
command /usr/sbin/haproxy-dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /etc/haproxy/haproxy.cfg --reload-cmd "systemctl reload haproxy" --reload-delay 5 --userlist api
program spoa-mirror
command /usr/sbin/spoa-mirror -r0 -u"http://192.168.1.7/"
peers mypeers
bind :10001 ssl crt /etc/haproxy/certs/www.example.com.pem
default-server ssl verify none
server PC #local peer. name must match local server name
table src_tracking type string size 10m store http_req_rate(10s),http_req_cnt
resolvers dns
parse-resolv-conf
resolve_retries 3
timeout resolve 1s
timeout retry 1s
hold other 30s
hold refused 30s
hold nx 30s
hold timeout 30s
hold valid 10s
hold obsolete 30s
userlist api
user admin password $5$aVnIFECJ$2QYP64eTTXZ1grSjwwdoQxK/AP8kcOflEO1Q5fc.5aA
frontend stats
bind *:8404
# Enable Prometheus Exporter
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
frontend fe_main
bind :80
bind :443 tfo ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1
# Enable log sampling
# One out of 10 requests would be logged to this source
log 127.0.0.1:10001 sample 1:10 local0
# For every 11 requests, log requests 2, 3, and 8-11
log 127.0.0.1:10002 sample 2-3,8-11:11 local0
# Log profiling data
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
# gRPC path matching
acl is_grpc_codename path /CodenameCreator/KeepGettingCodenames
# Dynamic 'do-resolve' trusted hosts
acl dynamic_hosts req.hdr(Host) api.local admin.local haproxy.com
# Activate Traffic Mirror
filter spoe engine traffic-mirror config mirror.cfg
# Redirect if not SSL
http-request redirect scheme https unless { ssl_fc }
# Enable src tracking
http-request track-sc0 src table mypeers/src_tracking
# Enable rate limiting
# Return 429 Too Many Requests if client averages more than
# 10 requests in 10 seconds.
# (duration defined in stick table in peers section)
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }
# Enable local resolving of Host if within dynamic_hosts ACL
# Allows connecting to dynamic IP address specified in Host header
# Useful for DNS split view or split horizon
http-request do-resolve(txn.dstip,dns) hdr(Host),lower if dynamic_hosts
http-request capture var(txn.dstip) len 40 if dynamic_hosts
# return 503 when dynamic_hosts matches but the variable
# txn.dstip is not set which mean DNS resolution error
# otherwise route to be_dynamic
use_backend be_503 if dynamic_hosts !{ var(txn.dstip) -m found }
use_backend be_dynamic if dynamic_hosts
# route to gRPC path
use_backend be_grpc if is_grpc_codename
default_backend be_main
backend be_main
default-server ssl verify none alpn h2 check maxconn 50
# Enable Power of Two Random Choices Algorithm
balance random(2)
# Enable Layer 7 retries
retry-on all-retryable-errors
retries 3
# retrying POST requests can be dangerous
# make sure you understand the implications before removing
http-request disable-l7-retry if METH_POST
server server1 192.168.1.13:443 tfo
server server2 192.168.1.14:443 tfo
server server3 192.168.1.15:443 tfo
server server4 192.168.1.16:443 tfo
server server5 192.168.1.17:443 tfo
backend be_grpc
default-server ssl verify none alpn h2 check maxconn 50
server grpc1 10.1.0.11:3000
server grpc2 10.1.0.12:3000
backend be_dynamic
default-server ssl verify none check maxconn 50
# rule to prevent HAProxy from reconnecting to services
# on the local network (forged DNS name used to scan the network)
http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 }
http-request set-dst var(txn.dstip)
server dynamic 0.0.0.0:0
backend spoe-traffic-mirror
mode tcp
balance roundrobin
timeout connect 5s
timeout server 1m
server spoa1 127.0.0.1:12345
server spoa2 10.1.0.20:12345
backend be_503
# dummy backend used to return 503.
# You can use the 'errorfile' directive to send a nice
# 503 error page to end users.
errorfile 503 /etc/haproxy/errorfiles/503sorry.http