# This configuration creates a classical reverse-proxy and load balancer for # public services. It presents ports 80 and 443 (with 80 redirecting to 443), # enables caching up to one hour, and load-balances the service on a farm of # 4 servers on private IP addresses which are checked using HTTP checks and # by maintaining stickiness via session cookies. It offloads TLS processing # and enables HTTP compression. It uses HAProxy 2.4. # The global section deals with process-wide settings (security, resource usage) global # all file names are relative to the directory containing this config # file by default default-path config # refuse to start if any warning is emitted at boot (keep configs clean) zero-warning # Security hardening: isolate and drop privileges chroot /var/empty user haproxy group haproxy # daemonize daemon pidfile /var/run/haproxy-svc1.pid # do not keep old processes longer than that after a reload hard-stop-after 5m # The command-line-interface (CLI) used by the admin, by provisionning # tools, and to transfer sockets during reloads stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners stats timeout 1h # send logs to stderr for logging via the service manager log stderr local0 info # intermediate security for SSL, from https://ssl-config.mozilla.org/ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets # default settings common to all HTTP proxies below defaults http mode http option httplog log global timeout client 1m timeout server 1m timeout connect 10s timeout http-keep-alive 2m timeout queue 15s timeout tunnel 4h # for websocket # provide a stats page on port 8181 frontend stats bind :8181 # provide advanced stats (ssl, h2, ...) stats uri / stats show-modules # some users may want to protect the access to their stats and/or to # enable admin mode on the page from local networks # stats auth admin:mystats # stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 } # First incoming public service. Supports HTTP/1.x and HTTP/2, using HSTS, # redirects clear to TLS. Uses a dedicated host name for the stats page. frontend pub1 bind :80 name clear bind :443 name secure ssl crt pub1.pem alpn h2,http/1.1 option socket-stats # provide per-bind line stats # set HSTS for one year after all responses http-after-response set-header Strict-Transport-Security "max-age=31536000" http-request redirect scheme https code 301 if !{ ssl_fc } # silently ignore connect probes and pre-connect without request option http-ignore-probes # pass client's IP address to the server and prevent against attempts # to inject bad contents http-request del-header x-forwarded-for option forwardfor # enable HTTP compression of text contents compression algo deflate gzip compression type text/ application/javascript application/xhtml+xml image/x-icon # enable HTTP caching of any cacheable content http-request cache-use cache http-response cache-store cache default_backend app1 # The cache instance used by the frontend (200MB, 10MB max object, 1 hour max) # May be consulted using "show cache" on the CLI socket cache cache total-max-size 200 # RAM cache size in megabytes max-object-size 10485760 # max cacheable object size in bytes max-age 3600 # max cache duration in seconds process-vary on # handle the Vary header (otherwise don't cache) # First application backend app1 # Algorithm: # - roundrobin is usually better for short requests, # - leastconn is better for mixed slow ones, and long transfers, # - random is generally good when using multiple load balancers balance random # abort if the client clicks on stop. option abortonclose # insert a session cookie for user stickiness cookie app1 insert indirect nocache # check the servers' health using HTTP requests option httpchk http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com # do not overload the servers (100 concurrent conns max each) server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s