From b46aad6df449445a9fc4aa7b32bd40005438e3f7 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 14:18:05 +0200 Subject: Adding upstream version 2.9.5. Signed-off-by: Daniel Baumann --- examples/basic-config-edge.cfg | 131 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 examples/basic-config-edge.cfg (limited to 'examples/basic-config-edge.cfg') diff --git a/examples/basic-config-edge.cfg b/examples/basic-config-edge.cfg new file mode 100644 index 0000000..8ee6bda --- /dev/null +++ b/examples/basic-config-edge.cfg @@ -0,0 +1,131 @@ +# This configuration creates a classical reverse-proxy and load balancer for +# public services. It presents ports 80 and 443 (with 80 redirecting to 443), +# enables caching up to one hour, and load-balances the service on a farm of +# 4 servers on private IP addresses which are checked using HTTP checks and +# by maintaining stickiness via session cookies. It offloads TLS processing +# and enables HTTP compression. It uses HAProxy 2.4. + +# The global section deals with process-wide settings (security, resource usage) +global + # all file names are relative to the directory containing this config + # file by default + default-path config + + # refuse to start if any warning is emitted at boot (keep configs clean) + zero-warning + + # Security hardening: isolate and drop privileges + chroot /var/empty + user haproxy + group haproxy + + # daemonize + daemon + pidfile /var/run/haproxy-svc1.pid + + # do not keep old processes longer than that after a reload + hard-stop-after 5m + + # The command-line-interface (CLI) used by the admin, by provisionning + # tools, and to transfer sockets during reloads + stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners + stats timeout 1h + + # send logs to stderr for logging via the service manager + log stderr local0 info + + # intermediate security for SSL, from https://ssl-config.mozilla.org/ + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +# default settings common to all HTTP proxies below +defaults http + mode http + option httplog + log global + timeout client 1m + timeout server 1m + timeout connect 10s + timeout http-keep-alive 2m + timeout queue 15s + timeout tunnel 4h # for websocket + +# provide a stats page on port 8181 +frontend stats + bind :8181 + # provide advanced stats (ssl, h2, ...) + stats uri / + stats show-modules + # some users may want to protect the access to their stats and/or to + # enable admin mode on the page from local networks + # stats auth admin:mystats + # stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 } + +# First incoming public service. Supports HTTP/1.x, HTTP/2, and HTTP/3 over +# QUIC when built in, uses HSTS, redirects clear to TLS. Uses a dedicated host +# name for the stats page. +frontend pub1 + bind :80 name clear + bind :443 name secure ssl crt pub1.pem + option socket-stats # provide per-bind line stats + +.if feature(QUIC) + # indicate QUIC support for 25 hours + bind quic4@:443 name quic ssl crt pub1.pem allow-0rtt + http-response add-header alt-svc 'h3=":443"; ma=90000' +.endif + + # set HSTS for one year after all responses + http-after-response set-header Strict-Transport-Security "max-age=31536000" + http-request redirect scheme https code 301 if !{ ssl_fc } + + # silently ignore connect probes and pre-connect without request + option http-ignore-probes + + # pass client's IP address to the server and prevent against attempts + # to inject bad contents + http-request del-header x-forwarded-for + option forwardfor + + # enable HTTP compression of text contents + compression algo deflate gzip + compression type text/ application/javascript application/xhtml+xml image/x-icon + + # enable HTTP caching of any cacheable content + http-request cache-use cache + http-response cache-store cache + + default_backend app1 + +# The cache instance used by the frontend (200MB, 10MB max object, 1 hour max) +# May be consulted using "show cache" on the CLI socket +cache cache + total-max-size 200 # RAM cache size in megabytes + max-object-size 10485760 # max cacheable object size in bytes + max-age 3600 # max cache duration in seconds + process-vary on # handle the Vary header (otherwise don't cache) + +# First application +backend app1 + # Algorithm: + # - roundrobin is usually better for short requests, + # - leastconn is better for mixed slow ones, and long transfers, + # - random is generally good when using multiple load balancers + balance random + + # abort if the client clicks on stop. + option abortonclose + + # insert a session cookie for user stickiness + cookie app1 insert indirect nocache + + # check the servers' health using HTTP requests + option httpchk + http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com + + # do not overload the servers (100 concurrent conns max each) + server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s + server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s + server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s + server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s -- cgit v1.2.3