125 lines
4.6 KiB
INI
125 lines
4.6 KiB
INI
|
# This configuration creates a classical reverse-proxy and load balancer for
|
||
|
# public services. It presents ports 80 and 443 (with 80 redirecting to 443),
|
||
|
# enables caching up to one hour, and load-balances the service on a farm of
|
||
|
# 4 servers on private IP addresses which are checked using HTTP checks and
|
||
|
# by maintaining stickiness via session cookies. It offloads TLS processing
|
||
|
# and enables HTTP compression. It uses HAProxy 2.4.
|
||
|
|
||
|
# The global section deals with process-wide settings (security, resource usage)
|
||
|
global
|
||
|
# all file names are relative to the directory containing this config
|
||
|
# file by default
|
||
|
default-path config
|
||
|
|
||
|
# refuse to start if any warning is emitted at boot (keep configs clean)
|
||
|
zero-warning
|
||
|
|
||
|
# Security hardening: isolate and drop privileges
|
||
|
chroot /var/empty
|
||
|
user haproxy
|
||
|
group haproxy
|
||
|
|
||
|
# daemonize
|
||
|
daemon
|
||
|
pidfile /var/run/haproxy-svc1.pid
|
||
|
|
||
|
# do not keep old processes longer than that after a reload
|
||
|
hard-stop-after 5m
|
||
|
|
||
|
# The command-line-interface (CLI) used by the admin, by provisionning
|
||
|
# tools, and to transfer sockets during reloads
|
||
|
stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
|
||
|
stats timeout 1h
|
||
|
|
||
|
# send logs to stderr for logging via the service manager
|
||
|
log stderr local0 info
|
||
|
|
||
|
# intermediate security for SSL, from https://ssl-config.mozilla.org/
|
||
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||
|
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||
|
|
||
|
# default settings common to all HTTP proxies below
|
||
|
defaults http
|
||
|
mode http
|
||
|
option httplog
|
||
|
log global
|
||
|
timeout client 1m
|
||
|
timeout server 1m
|
||
|
timeout connect 10s
|
||
|
timeout http-keep-alive 2m
|
||
|
timeout queue 15s
|
||
|
timeout tunnel 4h # for websocket
|
||
|
|
||
|
# provide a stats page on port 8181
|
||
|
frontend stats
|
||
|
bind :8181
|
||
|
# provide advanced stats (ssl, h2, ...)
|
||
|
stats uri /
|
||
|
stats show-modules
|
||
|
# some users may want to protect the access to their stats and/or to
|
||
|
# enable admin mode on the page from local networks
|
||
|
# stats auth admin:mystats
|
||
|
# stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 }
|
||
|
|
||
|
# First incoming public service. Supports HTTP/1.x and HTTP/2, using HSTS,
|
||
|
# redirects clear to TLS. Uses a dedicated host name for the stats page.
|
||
|
frontend pub1
|
||
|
bind :80 name clear
|
||
|
bind :443 name secure ssl crt pub1.pem alpn h2,http/1.1
|
||
|
option socket-stats # provide per-bind line stats
|
||
|
|
||
|
# set HSTS for one year after all responses
|
||
|
http-after-response set-header Strict-Transport-Security "max-age=31536000"
|
||
|
http-request redirect scheme https code 301 if !{ ssl_fc }
|
||
|
|
||
|
# silently ignore connect probes and pre-connect without request
|
||
|
option http-ignore-probes
|
||
|
|
||
|
# pass client's IP address to the server and prevent against attempts
|
||
|
# to inject bad contents
|
||
|
http-request del-header x-forwarded-for
|
||
|
option forwardfor
|
||
|
|
||
|
# enable HTTP compression of text contents
|
||
|
compression algo deflate gzip
|
||
|
compression type text/ application/javascript application/xhtml+xml image/x-icon
|
||
|
|
||
|
# enable HTTP caching of any cacheable content
|
||
|
http-request cache-use cache
|
||
|
http-response cache-store cache
|
||
|
|
||
|
default_backend app1
|
||
|
|
||
|
# The cache instance used by the frontend (200MB, 10MB max object, 1 hour max)
|
||
|
# May be consulted using "show cache" on the CLI socket
|
||
|
cache cache
|
||
|
total-max-size 200 # RAM cache size in megabytes
|
||
|
max-object-size 10485760 # max cacheable object size in bytes
|
||
|
max-age 3600 # max cache duration in seconds
|
||
|
process-vary on # handle the Vary header (otherwise don't cache)
|
||
|
|
||
|
# First application
|
||
|
backend app1
|
||
|
# Algorithm:
|
||
|
# - roundrobin is usually better for short requests,
|
||
|
# - leastconn is better for mixed slow ones, and long transfers,
|
||
|
# - random is generally good when using multiple load balancers
|
||
|
balance random
|
||
|
|
||
|
# abort if the client clicks on stop.
|
||
|
option abortonclose
|
||
|
|
||
|
# insert a session cookie for user stickiness
|
||
|
cookie app1 insert indirect nocache
|
||
|
|
||
|
# check the servers' health using HTTP requests
|
||
|
option httpchk
|
||
|
http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com
|
||
|
|
||
|
# do not overload the servers (100 concurrent conns max each)
|
||
|
server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s
|
||
|
server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s
|
||
|
server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s
|
||
|
server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s
|