diff options
Diffstat (limited to 'examples')
-rw-r--r-- | examples/basic-config-edge.cfg | 124 | ||||
-rw-r--r-- | examples/content-sw-sample.cfg | 65 | ||||
-rw-r--r-- | examples/errorfiles/400.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/403.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/408.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/500.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/502.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/503.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/504.http | 9 | ||||
-rw-r--r-- | examples/errorfiles/README | 9 | ||||
-rw-r--r-- | examples/haproxy.init | 137 | ||||
-rw-r--r-- | examples/option-http_proxy.cfg | 54 | ||||
-rw-r--r-- | examples/quick-test.cfg | 29 | ||||
-rw-r--r-- | examples/socks4.cfg | 55 | ||||
-rw-r--r-- | examples/transparent_proxy.cfg | 55 | ||||
-rw-r--r-- | examples/wurfl-example.cfg | 41 |
16 files changed, 632 insertions, 0 deletions
diff --git a/examples/basic-config-edge.cfg b/examples/basic-config-edge.cfg new file mode 100644 index 0000000..26aee68 --- /dev/null +++ b/examples/basic-config-edge.cfg @@ -0,0 +1,124 @@ +# This configuration creates a classical reverse-proxy and load balancer for +# public services. It presents ports 80 and 443 (with 80 redirecting to 443), +# enables caching up to one hour, and load-balances the service on a farm of +# 4 servers on private IP addresses which are checked using HTTP checks and +# by maintaining stickiness via session cookies. It offloads TLS processing +# and enables HTTP compression. It uses HAProxy 2.4. + +# The global section deals with process-wide settings (security, resource usage) +global + # all file names are relative to the directory containing this config + # file by default + default-path config + + # refuse to start if any warning is emitted at boot (keep configs clean) + zero-warning + + # Security hardening: isolate and drop privileges + chroot /var/empty + user haproxy + group haproxy + + # daemonize + daemon + pidfile /var/run/haproxy-svc1.pid + + # do not keep old processes longer than that after a reload + hard-stop-after 5m + + # The command-line-interface (CLI) used by the admin, by provisionning + # tools, and to transfer sockets during reloads + stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners + stats timeout 1h + + # send logs to stderr for logging via the service manager + log stderr local0 info + + # intermediate security for SSL, from https://ssl-config.mozilla.org/ + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +# default settings common to all HTTP proxies below +defaults http + mode http + option httplog + log global + timeout client 1m + timeout server 1m + timeout connect 10s + timeout http-keep-alive 2m + timeout queue 15s + timeout tunnel 4h # for websocket + +# provide a stats page on port 8181 +frontend stats + bind :8181 + # provide advanced stats (ssl, h2, ...) + stats uri / + stats show-modules + # some users may want to protect the access to their stats and/or to + # enable admin mode on the page from local networks + # stats auth admin:mystats + # stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 } + +# First incoming public service. Supports HTTP/1.x and HTTP/2, using HSTS, +# redirects clear to TLS. Uses a dedicated host name for the stats page. +frontend pub1 + bind :80 name clear + bind :443 name secure ssl crt pub1.pem alpn h2,http/1.1 + option socket-stats # provide per-bind line stats + + # set HSTS for one year after all responses + http-after-response set-header Strict-Transport-Security "max-age=31536000" + http-request redirect scheme https code 301 if !{ ssl_fc } + + # silently ignore connect probes and pre-connect without request + option http-ignore-probes + + # pass client's IP address to the server and prevent against attempts + # to inject bad contents + http-request del-header x-forwarded-for + option forwardfor + + # enable HTTP compression of text contents + compression algo deflate gzip + compression type text/ application/javascript application/xhtml+xml image/x-icon + + # enable HTTP caching of any cacheable content + http-request cache-use cache + http-response cache-store cache + + default_backend app1 + +# The cache instance used by the frontend (200MB, 10MB max object, 1 hour max) +# May be consulted using "show cache" on the CLI socket +cache cache + total-max-size 200 # RAM cache size in megabytes + max-object-size 10485760 # max cacheable object size in bytes + max-age 3600 # max cache duration in seconds + process-vary on # handle the Vary header (otherwise don't cache) + +# First application +backend app1 + # Algorithm: + # - roundrobin is usually better for short requests, + # - leastconn is better for mixed slow ones, and long transfers, + # - random is generally good when using multiple load balancers + balance random + + # abort if the client clicks on stop. + option abortonclose + + # insert a session cookie for user stickiness + cookie app1 insert indirect nocache + + # check the servers' health using HTTP requests + option httpchk + http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com + + # do not overload the servers (100 concurrent conns max each) + server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s + server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s + server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s + server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s diff --git a/examples/content-sw-sample.cfg b/examples/content-sw-sample.cfg new file mode 100644 index 0000000..e54f976 --- /dev/null +++ b/examples/content-sw-sample.cfg @@ -0,0 +1,65 @@ +# +# This is a sample configuration. It illustrates how to separate static objects +# traffic from dynamic traffic, and how to dynamically regulate the server load. +# +# It listens on 192.168.1.10:80, and directs all requests for Host 'img' or +# URIs starting with /img or /css to a dedicated group of servers. URIs +# starting with /admin/stats deliver the stats page. +# + +global + maxconn 10000 + stats socket /var/run/haproxy.stat mode 600 level admin + log 127.0.0.1 local0 + uid 200 + gid 200 + chroot /var/empty + daemon + +# The public 'www' address in the DMZ +frontend public + bind 192.168.1.10:80 name clear + #bind 192.168.1.10:443 ssl crt /etc/haproxy/haproxy.pem + mode http + log global + option httplog + option dontlognull + monitor-uri /monitoruri + maxconn 8000 + timeout client 30s + + stats uri /admin/stats + use_backend static if { hdr_beg(host) -i img } + use_backend static if { path_beg /img /css } + default_backend dynamic + +# The static backend backend for 'Host: img', /img and /css. +backend static + mode http + balance roundrobin + option prefer-last-server + retries 2 + option redispatch + timeout connect 5s + timeout server 5s + option httpchk HEAD /favicon.ico + server statsrv1 192.168.1.8:80 check inter 1000 + server statsrv2 192.168.1.9:80 check inter 1000 + +# the application servers go here +backend dynamic + mode http + balance roundrobin + retries 2 + option redispatch + timeout connect 5s + timeout server 30s + timeout queue 30s + option httpchk HEAD /login.php + cookie DYNSRV insert indirect nocache + fullconn 4000 # the servers will be used at full load above this number of connections + server dynsrv1 192.168.1.1:80 minconn 50 maxconn 500 cookie s1 check inter 1000 + server dynsrv2 192.168.1.2:80 minconn 50 maxconn 500 cookie s2 check inter 1000 + server dynsrv3 192.168.1.3:80 minconn 50 maxconn 500 cookie s3 check inter 1000 + server dynsrv4 192.168.1.4:80 minconn 50 maxconn 500 cookie s4 check inter 1000 + diff --git a/examples/errorfiles/400.http b/examples/errorfiles/400.http new file mode 100644 index 0000000..e223e38 --- /dev/null +++ b/examples/errorfiles/400.http @@ -0,0 +1,9 @@ +HTTP/1.0 400 Bad request
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>400 Bad request</h1> +Your browser sent an invalid request. +</body></html> + diff --git a/examples/errorfiles/403.http b/examples/errorfiles/403.http new file mode 100644 index 0000000..a67e807 --- /dev/null +++ b/examples/errorfiles/403.http @@ -0,0 +1,9 @@ +HTTP/1.0 403 Forbidden
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>403 Forbidden</h1> +Request forbidden by administrative rules. +</body></html> + diff --git a/examples/errorfiles/408.http b/examples/errorfiles/408.http new file mode 100644 index 0000000..aafb130 --- /dev/null +++ b/examples/errorfiles/408.http @@ -0,0 +1,9 @@ +HTTP/1.0 408 Request Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>408 Request Time-out</h1> +Your browser didn't send a complete request in time. +</body></html> + diff --git a/examples/errorfiles/500.http b/examples/errorfiles/500.http new file mode 100644 index 0000000..9c3be96 --- /dev/null +++ b/examples/errorfiles/500.http @@ -0,0 +1,9 @@ +HTTP/1.0 500 Internal Server Error
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>500 Internal Server Error</h1> +An internal server error occurred. +</body></html> + diff --git a/examples/errorfiles/502.http b/examples/errorfiles/502.http new file mode 100644 index 0000000..94b35d4 --- /dev/null +++ b/examples/errorfiles/502.http @@ -0,0 +1,9 @@ +HTTP/1.0 502 Bad Gateway
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>502 Bad Gateway</h1> +The server returned an invalid or incomplete response. +</body></html> + diff --git a/examples/errorfiles/503.http b/examples/errorfiles/503.http new file mode 100644 index 0000000..48fde58 --- /dev/null +++ b/examples/errorfiles/503.http @@ -0,0 +1,9 @@ +HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>503 Service Unavailable</h1> +No server is available to handle this request. +</body></html> + diff --git a/examples/errorfiles/504.http b/examples/errorfiles/504.http new file mode 100644 index 0000000..f925184 --- /dev/null +++ b/examples/errorfiles/504.http @@ -0,0 +1,9 @@ +HTTP/1.0 504 Gateway Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>504 Gateway Time-out</h1> +The server didn't respond in time. +</body></html> + diff --git a/examples/errorfiles/README b/examples/errorfiles/README new file mode 100644 index 0000000..a882632 --- /dev/null +++ b/examples/errorfiles/README @@ -0,0 +1,9 @@ +These files are default error files that can be customized +if necessary. They are complete HTTP responses, so that +everything is possible, including using redirects or setting +special headers. + +They can be used with the 'errorfile' keyword like this : + + errorfile 503 /etc/haproxy/errors/503.http + diff --git a/examples/haproxy.init b/examples/haproxy.init new file mode 100644 index 0000000..cc120d8 --- /dev/null +++ b/examples/haproxy.init @@ -0,0 +1,137 @@ +#!/bin/sh +# +# chkconfig: - 85 15 +# description: HAProxy is a TCP/HTTP reverse proxy which is particularly suited \ +# for high availability environments. +# processname: haproxy +# config: /etc/haproxy/haproxy.cfg +# pidfile: /var/run/haproxy.pid + +# Script Author: Simon Matter <simon.matter@invoca.ch> +# Version: 2004060600 + +# Source function library. +if [ -f /etc/init.d/functions ]; then + . /etc/init.d/functions +elif [ -f /etc/rc.d/init.d/functions ] ; then + . /etc/rc.d/init.d/functions +else + exit 0 +fi + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ ${NETWORKING} = "no" ] && exit 0 + +# This is our service name +BASENAME=`basename $0` +if [ -L $0 ]; then + BASENAME=`find $0 -name $BASENAME -printf %l` + BASENAME=`basename $BASENAME` +fi + +BIN=/usr/sbin/$BASENAME + +CFG=/etc/$BASENAME/$BASENAME.cfg +[ -f $CFG ] || exit 1 + +PIDFILE=/var/run/$BASENAME.pid +LOCKFILE=/var/lock/subsys/$BASENAME + +RETVAL=0 + +start() { + quiet_check + if [ $? -ne 0 ]; then + echo "Errors found in configuration file, check it with '$BASENAME check'." + return 1 + fi + + echo -n "Starting $BASENAME: " + daemon $BIN -D -f $CFG -p $PIDFILE + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch $LOCKFILE + return $RETVAL +} + +stop() { + echo -n "Shutting down $BASENAME: " + killproc $BASENAME -USR1 + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && rm -f $LOCKFILE + [ $RETVAL -eq 0 ] && rm -f $PIDFILE + return $RETVAL +} + +restart() { + quiet_check + if [ $? -ne 0 ]; then + echo "Errors found in configuration file, check it with '$BASENAME check'." + return 1 + fi + stop + start +} + +reload() { + if ! [ -s $PIDFILE ]; then + return 0 + fi + + quiet_check + if [ $? -ne 0 ]; then + echo "Errors found in configuration file, check it with '$BASENAME check'." + return 1 + fi + $BIN -D -f $CFG -p $PIDFILE -sf $(cat $PIDFILE) +} + +check() { + $BIN -c -q -V -f $CFG +} + +quiet_check() { + $BIN -c -q -f $CFG +} + +rhstatus() { + status $BASENAME +} + +condrestart() { + [ -e $LOCKFILE ] && restart || : +} + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + reload) + reload + ;; + condrestart) + condrestart + ;; + status) + rhstatus + ;; + check) + check + ;; + *) + echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}" + exit 1 +esac + +exit $? diff --git a/examples/option-http_proxy.cfg b/examples/option-http_proxy.cfg new file mode 100644 index 0000000..8b28f67 --- /dev/null +++ b/examples/option-http_proxy.cfg @@ -0,0 +1,54 @@ +# +# demo config for Proxy mode +# + +global + maxconn 20000 + ulimit-n 16384 + log 127.0.0.1 local0 + uid 200 + gid 200 + chroot /var/empty + daemon + +frontend test-proxy + bind 192.168.200.10:8080 + mode http + log global + option httplog + option dontlognull + maxconn 8000 + timeout client 30s + + # layer3: Valid users + acl allow_host src 192.168.200.150/32 + http-request deny if !allow_host + + # layer7: prevent private network relaying + acl forbidden_dst url_ip 192.168.0.0/24 + acl forbidden_dst url_ip 172.16.0.0/12 + acl forbidden_dst url_ip 10.0.0.0/8 + http-request deny if forbidden_dst + + default_backend test-proxy-srv + + +backend test-proxy-srv + mode http + timeout connect 5s + timeout server 5s + retries 2 + + # layer7: Only GET method is valid + acl valid_method method GET + http-request deny if !valid_method + + # take IP address from URL's authority + # and drop scheme+authority from URI + http-request set-dst url_ip + http-request set-dst-port url_port + http-request set-uri %[pathq] + server next-hop 0.0.0.0 + + # layer7: protect bad reply + http-response deny if { res.hdr(content-type) audio/mp3 } diff --git a/examples/quick-test.cfg b/examples/quick-test.cfg new file mode 100644 index 0000000..f27eeff --- /dev/null +++ b/examples/quick-test.cfg @@ -0,0 +1,29 @@ +# Basic config mapping a listening IP:port to another host's IP:port with +# support for HTTP/1 and 2. + +global + strict-limits # refuse to start if insufficient FDs/memory + # add some process-wide tuning here if required + + # A stats socket may be added to check live metrics if the load generators + # do not report them. + # stats socket /tmp/haproxy.sock level admin + # stats timeout 1h + +defaults + mode http + balance random # power-of-two-choices + timeout client 60s + timeout server 60s + timeout connect 1s + +listen p + # this is the address and port we'll listen to, the ones to aim the + # load generators at + bind :8000 + + # create a certificate and uncomment this for SSL + # bind :8443 ssl crt my-cert.pem alpn h2,http/1.1 + + # Put the server's IP address and port below + server s1 172.31.32.33:8000 diff --git a/examples/socks4.cfg b/examples/socks4.cfg new file mode 100644 index 0000000..2cbd417 --- /dev/null +++ b/examples/socks4.cfg @@ -0,0 +1,55 @@ +global + log /dev/log local0 + log /dev/log local1 notice + stats timeout 30s + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + +listen SMTP-20025 + bind 0.0.0.0:20025 + mode tcp + option tcplog + maxconn 2000 + timeout connect 5000 + timeout client 50000 + timeout server 50000 + option tcp-check + server SMTPS1 192.0.2.1:25 check inter 30000 fastinter 1000 + server SMTPS2_Via_SocksProxy1 192.0.2.2:25 socks4 127.0.0.1:1080 check-via-socks4 check inter 30000 fastinter 1000 backup + +listen SSL-20080 + bind 0.0.0.0:20080 + mode tcp + option tcplog + maxconn 2000 + timeout connect 5000 + timeout client 50000 + timeout server 50000 + option tcp-check + server HTTPS1_Via_SocksProxy1 192.0.2.1:443 ssl verify none socks4 127.0.0.1:1080 check inter 30000 fastinter 1000 + server HTTPS2 192.0.2.2:443 ssl verify none check inter 30000 fastinter 1000 backup + +# HAProxy web ui +listen stats + bind 0.0.0.0:20936 + mode http + log global + + maxconn 10 + timeout client 100s + timeout server 100s + timeout connect 100s + timeout queue 100s + + stats enable + stats uri /haproxy?stats + stats realm HAProxy\ Statistics + stats admin if TRUE + stats show-node diff --git a/examples/transparent_proxy.cfg b/examples/transparent_proxy.cfg new file mode 100644 index 0000000..a8cf6d9 --- /dev/null +++ b/examples/transparent_proxy.cfg @@ -0,0 +1,55 @@ +# +# This is an example of how to configure HAProxy to be used as a 'full transparent proxy' for a single backend server. +# +# Note that to actually make this work extra firewall/nat rules are required. +# Also HAProxy needs to be compiled with support for this, in HAProxy1.5-dev19 you can check if this is the case with "haproxy -vv". +# + +global +defaults + timeout client 30s + timeout server 30s + timeout connect 30s + +frontend MyFrontend + bind 192.168.1.22:80 + default_backend TransparentBack_http + +backend TransparentBack_http + mode http + source 0.0.0.0 usesrc client + server MyWebServer 192.168.0.40:80 + +# +# To create the the nat rules perform the following: +# +# ### (FreeBSD 8) ### +# --- Step 1 --- +# ipfw is needed to get 'reply traffic' back to the HAProxy process, this can be achieved by configuring a rule like this: +# fwd localhost tcp from 192.168.0.40 80 to any in recv em0 +# +# The following would be even better but this did not seam to work on the pfSense2.1 distribution of FreeBSD 8.3: +# fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid} +# +# If only 'pf' is currently used some additional steps are needed to load and configure ipfw: +# You need to configure this to always run on startup: +# +# /sbin/kldload ipfw +# /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf" +# /sbin/sysctl net.link.ether.ipfw=1 +# ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0 +# +# the above does the following: +# - load the ipfw kernel module +# - set pf as the outer firewall to keep control of routing packets for example to route them to a non-default gateway +# - enable ipfw +# - set a rule to catches reply traffic on em0 coming from the webserver +# +# --- Step 2 --- +# To also make the client connection transparent its possible to redirect incoming requests to HAProxy with a pf rule: +# rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22 +# here em1 is the interface that faces the clients, and traffic that is originally send straight to the webserver is redirected to HAProxy +# +# ### (FreeBSD 9) (OpenBSD 4.4) ### +# pf supports "divert-reply" which is probably better suited for the job above then ipfw.. +# diff --git a/examples/wurfl-example.cfg b/examples/wurfl-example.cfg new file mode 100644 index 0000000..52df68e --- /dev/null +++ b/examples/wurfl-example.cfg @@ -0,0 +1,41 @@ +# +# This is an example of how to configure HAProxy to be used with WURFL Device Detection module. +# +# HAProxy needs to be compiled with support for this. See README section 1.3 +# + +global + + # The WURFL data file + wurfl-data-file /usr/share/wurfl/wurfl.zip + + # WURFL patches definition (as much as needed, patches will be applied in the same order as specified in this conf file) + #wurfl-patch-file /path/to/patch1.xml; + + #wurfl-cache-size 100000 + ## no cache + #wurfl-cache-size 0 + + wurfl-information-list-separator | + + # list of WURFL capabilities, virtual capabilities, property names planned to be used in injected headers + wurfl-information-list wurfl_id model_name + +defaults + mode http + timeout connect 30s + timeout client 30s + timeout server 30s + +frontend TheFrontend + bind 192.168.1.22:80 + default_backend TheBackend + + # inject a header called X-Wurfl-All with all the WURFL information listed in wurfl-information-list + http-request set-header X-Wurfl-All %[wurfl-get-all()] + + # inject a header called X-WURFL-PROPERTIES with the "wurfl_id" information (should be listed in wurfl-information-list) + #http-request set-header X-WURFL-PROPERTIES %[wurfl-get(wurfl_id)] + +backend TheBackend + server TheWebServer 192.168.0.40:80 |