-
Notifications
You must be signed in to change notification settings - Fork 5
/
haproxy.cfg
145 lines (131 loc) · 4.77 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# _version=10
# This is the ultimate HAProxy 2.0 "Getting Started" config
# It demonstrates many of the features available which are now available
# While you may not need all of these things, this can serve
# as a reference for your own configurations.
# Have questions? Check out our community Slack:
# https://slack.haproxy.org/
global
master-worker
stats socket /run/haproxy.sock mode 600 level admin
stats timeout 2m
log stdout local0
# master-worker required for `program` section
# enable here or start with -Ws
mworker-max-reloads 3
# enable core dumps
set-dumpable
user root
group root
defaults
mode http
log global
option httplog
option redispatch
timeout connect 5s
timeout client 5s
timeout server 5s
userlist api
user admin insecure-password dalong
# user admin password $5$aVnIFECJ$2QYP64eTTXZ1grSjwwdoQxK/AP8kcOflEO1Q5fc.5aA
resolvers dns
hold obsolete 30s
hold valid 10s
timeout retry 1s
parse-resolv-conf
resolve_retries 3
timeout resolve 1s
hold other 30s
hold refused 30s
hold nx 30s
hold timeout 30s
frontend fe_main
bind *:8080
acl is_grpc_codename path /CodenameCreator/KeepGettingCodenames
acl dynamic_hosts req.hdr(Host) api.local admin.local haproxy.com
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }
use_backend be_503 if dynamic_hosts !{ var(txn.dstip) -m found }
use_backend be_dynamic if dynamic_hosts
use_backend be_grpc if is_grpc_codename
default_backend be_main
# Enable log sampling
# One out of 10 requests would be logged to this source
log 127.0.0.1:10001 sample 1:10 local0
# For every 11 requests, log requests 2, 3, and 8-11
log 127.0.0.1:10002 sample 2-3,8-11:11 local0
# Log profiling data
# gRPC path matching
# Dynamic 'do-resolve' trusted hosts
# Activate Traffic Mirror
# Redirect if not SSL
# http-request redirect scheme https unless { ssl_fc }
# Enable src tracking
# http-request track-sc0 src table mypeers/src_tracking
# Enable rate limiting
# Return 429 Too Many Requests if client averages more than
# 10 requests in 10 seconds.
# (duration defined in stick table in peers section)
# Enable local resolving of Host if within dynamic_hosts ACL
# Allows connecting to dynamic IP address specified in Host header
# Useful for DNS split view or split horizon
http-request do-resolve(txn.dstip,dns) hdr(Host),lower if dynamic_hosts
http-request capture var(txn.dstip) len 40 if dynamic_hosts
# return 503 when dynamic_hosts matches but the variable
# txn.dstip is not set which mean DNS resolution error
# otherwise route to be_dynamic
# route to gRPC path
frontend stats
bind *:8404
# Enable Prometheus Exporter
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
frontend test_frontend
mode http
maxconn 2000
bind *:10080 name http
default_backend test_backend
backend be_503
# dummy backend used to return 503.
# You can use the 'errorfile' directive to send a nice
# 503 error page to end users.
errorfile 503 /usr/local/etc/haproxy/errors/503.http
backend be_dynamic
default-server ssl verify none check maxconn 50
http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 }
server dynamic 0.0.0.0:0
# rule to prevent HAProxy from reconnecting to services
# on the local network (forged DNS name used to scan the network)
http-request set-dst var(txn.dstip)
backend be_grpc
default-server ssl verify none alpn h2 check maxconn 50
server grpc1 10.1.0.11:3000
server grpc2 10.1.0.12:3000
backend be_main
server server1 nginx1:80 check inter 3s
server server2 nginx2:80 check inter 3s
retries 3
# Enable Power of Two Random Choices Algorithm
balance random(2)
# Enable Layer 7 retries
retry-on all-retryable-errors
# retrying POST requests can be dangerous
# make sure you understand the implications before removing
http-request disable-l7-retry if METH_POST
backend spoe-traffic-mirror
mode tcp
balance roundrobin
timeout server 1m
timeout connect 5s
server spoa1 127.0.0.1:12345
server spoa2 10.1.0.20:12345
backend test_backend
mode http
balance roundrobin
option httpchk HEAD / HTTP/1.1
server server1 192.168.0.104:8888 check maxconn 30 weight 100
program dataplane-api
command /usr/local/sbin/dataplaneapi --host 0.0.0.0 --port 5555 -b /usr/local/sbin/haproxy -c /usr/local/etc/haproxy/haproxy.cfg --reload-cmd "kill -SIGUSR2 1" --reload-delay 5 --userlist api
no option start-on-reload