From b46aad6df449445a9fc4aa7b32bd40005438e3f7 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 14:18:05 +0200 Subject: Adding upstream version 2.9.5. Signed-off-by: Daniel Baumann --- examples/basic-config-edge.cfg | 131 +++++++++++++ examples/content-sw-sample.cfg | 65 +++++++ examples/errorfiles/400.http | 9 + examples/errorfiles/403.http | 9 + examples/errorfiles/408.http | 9 + examples/errorfiles/500.http | 9 + examples/errorfiles/502.http | 9 + examples/errorfiles/503.http | 9 + examples/errorfiles/504.http | 9 + examples/errorfiles/README | 9 + examples/haproxy.init | 137 +++++++++++++ examples/lua/README | 7 + examples/lua/event_handler.lua | 28 +++ examples/lua/mailers.lua | 426 +++++++++++++++++++++++++++++++++++++++++ examples/option-http_proxy.cfg | 54 ++++++ examples/quick-test.cfg | 29 +++ examples/socks4.cfg | 55 ++++++ examples/transparent_proxy.cfg | 55 ++++++ examples/wurfl-example.cfg | 41 ++++ 19 files changed, 1100 insertions(+) create mode 100644 examples/basic-config-edge.cfg create mode 100644 examples/content-sw-sample.cfg create mode 100644 examples/errorfiles/400.http create mode 100644 examples/errorfiles/403.http create mode 100644 examples/errorfiles/408.http create mode 100644 examples/errorfiles/500.http create mode 100644 examples/errorfiles/502.http create mode 100644 examples/errorfiles/503.http create mode 100644 examples/errorfiles/504.http create mode 100644 examples/errorfiles/README create mode 100644 examples/haproxy.init create mode 100644 examples/lua/README create mode 100644 examples/lua/event_handler.lua create mode 100644 examples/lua/mailers.lua create mode 100644 examples/option-http_proxy.cfg create mode 100644 examples/quick-test.cfg create mode 100644 examples/socks4.cfg create mode 100644 examples/transparent_proxy.cfg create mode 100644 examples/wurfl-example.cfg (limited to 'examples') diff --git a/examples/basic-config-edge.cfg b/examples/basic-config-edge.cfg new file mode 100644 index 0000000..8ee6bda --- /dev/null +++ b/examples/basic-config-edge.cfg @@ -0,0 +1,131 @@ +# This configuration creates a classical reverse-proxy and load balancer for +# public services. It presents ports 80 and 443 (with 80 redirecting to 443), +# enables caching up to one hour, and load-balances the service on a farm of +# 4 servers on private IP addresses which are checked using HTTP checks and +# by maintaining stickiness via session cookies. It offloads TLS processing +# and enables HTTP compression. It uses HAProxy 2.4. + +# The global section deals with process-wide settings (security, resource usage) +global + # all file names are relative to the directory containing this config + # file by default + default-path config + + # refuse to start if any warning is emitted at boot (keep configs clean) + zero-warning + + # Security hardening: isolate and drop privileges + chroot /var/empty + user haproxy + group haproxy + + # daemonize + daemon + pidfile /var/run/haproxy-svc1.pid + + # do not keep old processes longer than that after a reload + hard-stop-after 5m + + # The command-line-interface (CLI) used by the admin, by provisionning + # tools, and to transfer sockets during reloads + stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners + stats timeout 1h + + # send logs to stderr for logging via the service manager + log stderr local0 info + + # intermediate security for SSL, from https://ssl-config.mozilla.org/ + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +# default settings common to all HTTP proxies below +defaults http + mode http + option httplog + log global + timeout client 1m + timeout server 1m + timeout connect 10s + timeout http-keep-alive 2m + timeout queue 15s + timeout tunnel 4h # for websocket + +# provide a stats page on port 8181 +frontend stats + bind :8181 + # provide advanced stats (ssl, h2, ...) + stats uri / + stats show-modules + # some users may want to protect the access to their stats and/or to + # enable admin mode on the page from local networks + # stats auth admin:mystats + # stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 } + +# First incoming public service. Supports HTTP/1.x, HTTP/2, and HTTP/3 over +# QUIC when built in, uses HSTS, redirects clear to TLS. Uses a dedicated host +# name for the stats page. +frontend pub1 + bind :80 name clear + bind :443 name secure ssl crt pub1.pem + option socket-stats # provide per-bind line stats + +.if feature(QUIC) + # indicate QUIC support for 25 hours + bind quic4@:443 name quic ssl crt pub1.pem allow-0rtt + http-response add-header alt-svc 'h3=":443"; ma=90000' +.endif + + # set HSTS for one year after all responses + http-after-response set-header Strict-Transport-Security "max-age=31536000" + http-request redirect scheme https code 301 if !{ ssl_fc } + + # silently ignore connect probes and pre-connect without request + option http-ignore-probes + + # pass client's IP address to the server and prevent against attempts + # to inject bad contents + http-request del-header x-forwarded-for + option forwardfor + + # enable HTTP compression of text contents + compression algo deflate gzip + compression type text/ application/javascript application/xhtml+xml image/x-icon + + # enable HTTP caching of any cacheable content + http-request cache-use cache + http-response cache-store cache + + default_backend app1 + +# The cache instance used by the frontend (200MB, 10MB max object, 1 hour max) +# May be consulted using "show cache" on the CLI socket +cache cache + total-max-size 200 # RAM cache size in megabytes + max-object-size 10485760 # max cacheable object size in bytes + max-age 3600 # max cache duration in seconds + process-vary on # handle the Vary header (otherwise don't cache) + +# First application +backend app1 + # Algorithm: + # - roundrobin is usually better for short requests, + # - leastconn is better for mixed slow ones, and long transfers, + # - random is generally good when using multiple load balancers + balance random + + # abort if the client clicks on stop. + option abortonclose + + # insert a session cookie for user stickiness + cookie app1 insert indirect nocache + + # check the servers' health using HTTP requests + option httpchk + http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com + + # do not overload the servers (100 concurrent conns max each) + server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s + server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s + server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s + server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s diff --git a/examples/content-sw-sample.cfg b/examples/content-sw-sample.cfg new file mode 100644 index 0000000..e54f976 --- /dev/null +++ b/examples/content-sw-sample.cfg @@ -0,0 +1,65 @@ +# +# This is a sample configuration. It illustrates how to separate static objects +# traffic from dynamic traffic, and how to dynamically regulate the server load. +# +# It listens on 192.168.1.10:80, and directs all requests for Host 'img' or +# URIs starting with /img or /css to a dedicated group of servers. URIs +# starting with /admin/stats deliver the stats page. +# + +global + maxconn 10000 + stats socket /var/run/haproxy.stat mode 600 level admin + log 127.0.0.1 local0 + uid 200 + gid 200 + chroot /var/empty + daemon + +# The public 'www' address in the DMZ +frontend public + bind 192.168.1.10:80 name clear + #bind 192.168.1.10:443 ssl crt /etc/haproxy/haproxy.pem + mode http + log global + option httplog + option dontlognull + monitor-uri /monitoruri + maxconn 8000 + timeout client 30s + + stats uri /admin/stats + use_backend static if { hdr_beg(host) -i img } + use_backend static if { path_beg /img /css } + default_backend dynamic + +# The static backend backend for 'Host: img', /img and /css. +backend static + mode http + balance roundrobin + option prefer-last-server + retries 2 + option redispatch + timeout connect 5s + timeout server 5s + option httpchk HEAD /favicon.ico + server statsrv1 192.168.1.8:80 check inter 1000 + server statsrv2 192.168.1.9:80 check inter 1000 + +# the application servers go here +backend dynamic + mode http + balance roundrobin + retries 2 + option redispatch + timeout connect 5s + timeout server 30s + timeout queue 30s + option httpchk HEAD /login.php + cookie DYNSRV insert indirect nocache + fullconn 4000 # the servers will be used at full load above this number of connections + server dynsrv1 192.168.1.1:80 minconn 50 maxconn 500 cookie s1 check inter 1000 + server dynsrv2 192.168.1.2:80 minconn 50 maxconn 500 cookie s2 check inter 1000 + server dynsrv3 192.168.1.3:80 minconn 50 maxconn 500 cookie s3 check inter 1000 + server dynsrv4 192.168.1.4:80 minconn 50 maxconn 500 cookie s4 check inter 1000 + diff --git a/examples/errorfiles/400.http b/examples/errorfiles/400.http new file mode 100644 index 0000000..e223e38 --- /dev/null +++ b/examples/errorfiles/400.http @@ -0,0 +1,9 @@ +HTTP/1.0 400 Bad request +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

400 Bad request

+Your browser sent an invalid request. + + diff --git a/examples/errorfiles/403.http b/examples/errorfiles/403.http new file mode 100644 index 0000000..a67e807 --- /dev/null +++ b/examples/errorfiles/403.http @@ -0,0 +1,9 @@ +HTTP/1.0 403 Forbidden +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

403 Forbidden

+Request forbidden by administrative rules. + + diff --git a/examples/errorfiles/408.http b/examples/errorfiles/408.http new file mode 100644 index 0000000..aafb130 --- /dev/null +++ b/examples/errorfiles/408.http @@ -0,0 +1,9 @@ +HTTP/1.0 408 Request Time-out +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

408 Request Time-out

+Your browser didn't send a complete request in time. + + diff --git a/examples/errorfiles/500.http b/examples/errorfiles/500.http new file mode 100644 index 0000000..9c3be96 --- /dev/null +++ b/examples/errorfiles/500.http @@ -0,0 +1,9 @@ +HTTP/1.0 500 Internal Server Error +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

500 Internal Server Error

+An internal server error occurred. + + diff --git a/examples/errorfiles/502.http b/examples/errorfiles/502.http new file mode 100644 index 0000000..94b35d4 --- /dev/null +++ b/examples/errorfiles/502.http @@ -0,0 +1,9 @@ +HTTP/1.0 502 Bad Gateway +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

502 Bad Gateway

+The server returned an invalid or incomplete response. + + diff --git a/examples/errorfiles/503.http b/examples/errorfiles/503.http new file mode 100644 index 0000000..48fde58 --- /dev/null +++ b/examples/errorfiles/503.http @@ -0,0 +1,9 @@ +HTTP/1.0 503 Service Unavailable +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

503 Service Unavailable

+No server is available to handle this request. + + diff --git a/examples/errorfiles/504.http b/examples/errorfiles/504.http new file mode 100644 index 0000000..f925184 --- /dev/null +++ b/examples/errorfiles/504.http @@ -0,0 +1,9 @@ +HTTP/1.0 504 Gateway Time-out +Cache-Control: no-cache +Connection: close +Content-Type: text/html + +

504 Gateway Time-out

+The server didn't respond in time. + + diff --git a/examples/errorfiles/README b/examples/errorfiles/README new file mode 100644 index 0000000..a882632 --- /dev/null +++ b/examples/errorfiles/README @@ -0,0 +1,9 @@ +These files are default error files that can be customized +if necessary. They are complete HTTP responses, so that +everything is possible, including using redirects or setting +special headers. + +They can be used with the 'errorfile' keyword like this : + + errorfile 503 /etc/haproxy/errors/503.http + diff --git a/examples/haproxy.init b/examples/haproxy.init new file mode 100644 index 0000000..cc120d8 --- /dev/null +++ b/examples/haproxy.init @@ -0,0 +1,137 @@ +#!/bin/sh +# +# chkconfig: - 85 15 +# description: HAProxy is a TCP/HTTP reverse proxy which is particularly suited \ +# for high availability environments. +# processname: haproxy +# config: /etc/haproxy/haproxy.cfg +# pidfile: /var/run/haproxy.pid + +# Script Author: Simon Matter +# Version: 2004060600 + +# Source function library. +if [ -f /etc/init.d/functions ]; then + . /etc/init.d/functions +elif [ -f /etc/rc.d/init.d/functions ] ; then + . /etc/rc.d/init.d/functions +else + exit 0 +fi + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ ${NETWORKING} = "no" ] && exit 0 + +# This is our service name +BASENAME=`basename $0` +if [ -L $0 ]; then + BASENAME=`find $0 -name $BASENAME -printf %l` + BASENAME=`basename $BASENAME` +fi + +BIN=/usr/sbin/$BASENAME + +CFG=/etc/$BASENAME/$BASENAME.cfg +[ -f $CFG ] || exit 1 + +PIDFILE=/var/run/$BASENAME.pid +LOCKFILE=/var/lock/subsys/$BASENAME + +RETVAL=0 + +start() { + quiet_check + if [ $? -ne 0 ]; then + echo "Errors found in configuration file, check it with '$BASENAME check'." + return 1 + fi + + echo -n "Starting $BASENAME: " + daemon $BIN -D -f $CFG -p $PIDFILE + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch $LOCKFILE + return $RETVAL +} + +stop() { + echo -n "Shutting down $BASENAME: " + killproc $BASENAME -USR1 + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && rm -f $LOCKFILE + [ $RETVAL -eq 0 ] && rm -f $PIDFILE + return $RETVAL +} + +restart() { + quiet_check + if [ $? -ne 0 ]; then + echo "Errors found in configuration file, check it with '$BASENAME check'." + return 1 + fi + stop + start +} + +reload() { + if ! [ -s $PIDFILE ]; then + return 0 + fi + + quiet_check + if [ $? -ne 0 ]; then + echo "Errors found in configuration file, check it with '$BASENAME check'." + return 1 + fi + $BIN -D -f $CFG -p $PIDFILE -sf $(cat $PIDFILE) +} + +check() { + $BIN -c -q -V -f $CFG +} + +quiet_check() { + $BIN -c -q -f $CFG +} + +rhstatus() { + status $BASENAME +} + +condrestart() { + [ -e $LOCKFILE ] && restart || : +} + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + reload) + reload + ;; + condrestart) + condrestart + ;; + status) + rhstatus + ;; + check) + check + ;; + *) + echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}" + exit 1 +esac + +exit $? diff --git a/examples/lua/README b/examples/lua/README new file mode 100644 index 0000000..620d832 --- /dev/null +++ b/examples/lua/README @@ -0,0 +1,7 @@ +These files are example lua scripts that can be customized +if necessary. + +They can be loaded with the 'lua-load' keyword like this: + + lua-load /path/to/lua_script.lua + diff --git a/examples/lua/event_handler.lua b/examples/lua/event_handler.lua new file mode 100644 index 0000000..41ed712 --- /dev/null +++ b/examples/lua/event_handler.lua @@ -0,0 +1,28 @@ +-- haproxy event-handling from Lua +-- +-- This file serves as a demo to show you the various events that +-- can be handled directly from custom lua functions. +-- Events captured from lua will be printed directly to STDOUT +-- It may not be exhaustive, please refer to the lua documentation +-- in doc/lua-api/index.rst for up-to-date content and further explanations + +-- subscribe to every SERVER family events, this is the equivalent of doing: +-- core.event_sub({"SERVER_ADD", "SERVER_DEL", "SERVER_UP", "SERVER_DOWN"}, ...) +core.event_sub({"SERVER"}, function(event, data) + -- This function will be called when: + -- - new server is added from the CLI (SERVER_ADD) + -- - existing server is removed from the CLI (SERVER_DEL) + -- - existing server state changes from UP to DOWN (SERVER_DOWN) + -- - existing server state changes from DOWN to UP (SERVER_UP) + -- If the server still exists at the time the function is called, data["reference"] + -- contains a valid reference to the lua server object related to the event + -- + sv_status = data["reference"] ~= nil and data["reference"]:get_stats().status or "DELETED" + print("[DEBUG - FROM LUA]", "EventType." .. event .. ": " .. + "server " .. data["proxy_name"] .. "/" .. data["name"] .. " " .. + "is " .. sv_status) +end) +-- Please note that you may also use Server.event_sub() method to subscribe to events +-- relative to a specific server only. See the lua documentation for more information. + +-- New event families will be added over time... diff --git a/examples/lua/mailers.lua b/examples/lua/mailers.lua new file mode 100644 index 0000000..47a8356 --- /dev/null +++ b/examples/lua/mailers.lua @@ -0,0 +1,426 @@ +-- haproxy mailers implementation in lua +-- +-- Provides a pure lua alternative to tcpcheck mailers. +-- +-- To be loaded using "lua-load" from haproxy configuration to handle +-- email-alerts directly from lua and disable legacy tcpcheck implementation. + +local SYSLOG_LEVEL = { + ["EMERG"] = 0, + ["ALERT"] = 1, + ["CRIT"] = 2, + ["ERROR"] = 3, + ["WARN"] = 4, + ["NOTICE"] = 5, + ["INFO"] = 6, + ["DEBUG"] = 7 +} + +local mailqueue = core.queue() + +-- smtp : send SMTP message +-- +-- Copyright 2018 Thierry Fournier +-- +-- This function is compliant with HAProxy cosockets +-- EHLO was replaced with HELO for better compatibility with +-- basic mail server implementations +-- +-- should contain the full server address (including port) in the +-- same format used in haproxy config file. It will be passed as it is to +-- tcp::connect() without explicit port argument. See Socket.connect() +-- manual for more information. +-- +-- The function will abort after ms +function smtp_send_email(server, timeout, domain, from, to, data) + local ret + local reason + local tcp = core.tcp() + local smtp_wait_code = function(tcp, code) + local ret + -- Read headers until we reac a 2.. code. + while true do + -- read line + ret = tcp:receive("*l") + if ret == nil then + return false, "Connection unexpectedly closed" + end + -- expected code + if string.match(ret, code) ~= nil then + return true, nil + end + -- other code + if string.match(ret, '^%d%d%d ') ~= nil then + return false, ret + end + -- other informational message, wait. + end + end + + if timeout ~= nil and timeout > 0 then + tcp:settimeout(timeout / 1000) + end + + if tcp:connect(server) == nil then + return false, "Can't connect to \""..server.."\"" + end + + ret, reason = smtp_wait_code(tcp, '^220 ') + if ret == false then + tcp:close() + return false, reason + end + + if tcp:send("HELO " .. domain .. "\r\n") == nil then + tcp:close() + return false, "Connection unexpectedly closed" + end + + ret, reason = smtp_wait_code(tcp, '^250 ') + if ret == false then + tcp:close() + return false, reason + end + + if tcp:send("MAIL FROM: <" .. from .. ">\r\n") == nil then + tcp:close() + return false, "Connection unexpectedly closed" + end + + ret, reason = smtp_wait_code(tcp, '^250 ') + if ret == false then + tcp:close() + return false, reason + end + + if tcp:send("RCPT TO: <" .. to .. ">\r\n") == nil then + tcp:close() + return false, "Connection unexpectedly closed" + end + + ret, reason = smtp_wait_code(tcp, '^250 ') + if ret == false then + tcp:close() + return false, reason + end + + if tcp:send("DATA\r\n") == nil then + tcp:close() + return false, "Connection unexpectedly closed" + end + + ret, reason = smtp_wait_code(tcp, '^354 ') + if ret == false then + tcp:close() + return false, reason + end + + if tcp:send(data .. "\r\n.\r\n") == nil then + tcp:close() + return false, "Connection unexpectedly closed" + end + + ret, reason = smtp_wait_code(tcp, '^250 ') + if ret == false then + tcp:close() + return false, reason + end + + if tcp:send("QUIT\r\n") == nil then + tcp:close() + return false, "Connection unexpectedly closed" + end + + ret, reason = smtp_wait_code(tcp, '^221 ') + if ret == false then + tcp:close() + return false, reason + end + + tcp:close() + return true, nil +end + +local function send_email_alert(srv, level, message, when) + local mailers = srv:get_proxy():get_mailers() + + if mailers == nil then + return -- nothing to do + end + + if level > mailers.log_level then + return + end + + -- email sending is performed asynchronously thanks to mailqueue + local job = {} + + job.mailconf = mailers + job.when = when + job.msg = message + + -- enqueue email job + mailqueue:push(job) + +end + +local function srv_get_check_details(check) + local c = core.concat() + + c:add(", ") + c:add(string.format("reason: %s", check.reason.desc)) + if check.reason.code ~= nil + then + c:add(string.format(", code: %d", check.reason.code)) + end + if check.duration >= 0 + then + c:add(string.format(", check duration: %dms", check.duration)) + end + + return c:dump() +end + +local function srv_get_status_details(srv, requeued) + local c = core.concat() + + c:add(string.format("%d active and %d backup servers left.", + srv:get_proxy():get_srv_act(), + srv:get_proxy():get_srv_bck())) + c:add(" ") + c:add(string.format("%d sessions active, %d requeued, %d remaining in queue", + srv:get_cur_sess(), + requeued, + srv:get_pend_conn())) + return c:dump() +end + +local function srv_state_handler(event, data, when) + local server = data.reference + local state = data.state + local c = core.concat() + local log_level = SYSLOG_LEVEL["ALERT"] + local message + + if server == nil then + -- server already removed, can't do much + return + end + + if state.admin then + -- don't report if is related to an administrative change and not + -- directly due to an operational change + return + end + + -- we don't send an alert if the server was previously stopping + if state.old_state == "STOPPING" or server:is_draining() then + log_level = SYSLOG_LEVEL["NOTICE"] + end + + -- prepare the message + c:add(string.format("Server %s/%s is %s", + server:get_proxy():get_name(), + server:get_name(), + state.new_state == "RUNNING" and "UP" or "DOWN")) + + if server:tracking() + then + -- server is tracking another server, it means that the operational + -- state change is inherited + c:add(string.format(" via %s/%s", + server:tracking():get_proxy():get_name(), + server:tracking():get_name())) + end + + if state.check ~= nil + then + c:add(srv_get_check_details(state.check)) + else + c:add(state.cause) + end + + c:add(". ") + c:add(srv_get_status_details(server, state.requeued)) + send_email_alert(server, log_level, c:dump(), when) +end + +local function srv_admin_handler(event, data, when) + local server = data.reference + local admin = data.admin + local c = core.concat() + + if server == nil then + -- server already removed, can't do much + return + end + + -- only send an email when server is entering drain state and not under maint + if not (not admin.old_admin["DRAIN"] and + admin.new_admin["DRAIN"] and + not admin.new_admin["MAINT"]) then + return + end + + -- prepare the message + c:add(string.format("Server %s/%s enters drain state", + server:get_proxy():get_name(), + server:get_name())) + + if server:tracking() and admin.new_admin["IDRAIN"] + then + -- server is tracking another server and IDRAIN is set, it means + -- that the admin state change is inherited + c:add(string.format(" via %s/%s", + server:tracking():get_proxy():get_name(), + server:tracking():get_name())) + end + + c:add(". ") + c:add(srv_get_status_details(server, admin.requeued)) + send_email_alert(server, SYSLOG_LEVEL["NOTICE"], c:dump(), when) +end + +local function srv_check_handler(event, data, when) + local server = data.reference + local check = data.check + local c = core.concat() + + if server == nil then + -- server already removed, can't do much + return + end + + -- we will always send an email, prepare the message + c:add(string.format("%s check for %sserver %s/%s ", + check.agent and "Agent" or "Health", + server:is_backup() and "backup " or "", + server:get_proxy():get_name(), + server:get_name())) + + if check.result == "CONDPASS" then + c:add("conditionally succeeded") + elseif check.result == "PASSED" then + c:add("succeeded") + else + c:add("failed") + end + + c:add(srv_get_check_details(check)) + + c:add(", status: ") + if check.health.cur >= check.health.rise then + -- good + c:add(string.format("%d/%d %s", + check.health.cur - check.health.rise + 1, + check.health.fall, + server:get_weight() and "UP" or "DRAIN")) + else + -- bad + c:add(string.format("%d/%d DOWN", + check.health.cur, + check.health.rise)) + end + + send_email_alert(server, SYSLOG_LEVEL["INFO"], c:dump(), when) +end + +-- single function for multiple event types since all events come +-- from the same subscription to reduce memory footprint +local function srv_event_dispatch(event, data, mgmt, when) + if event == "SERVER_STATE" then srv_state_handler(event, data, when) end + if event == "SERVER_ADMIN" then srv_admin_handler(event, data, when) end + if event == "SERVER_CHECK" then srv_check_handler(event, data, when) end +end + +local function mailers_track_server_events(srv) + local mailer_conf = srv:get_proxy():get_mailers() + + -- don't track server events if the parent proxy did not enable email alerts + if mailer_conf == nil + then return + end + + -- email alerts are enabled, track server state and admin changes + local subscriptions = {"SERVER_STATE", "SERVER_ADMIN"} + + if mailer_conf.track_server_health + then + -- track server check events as well (this event source is expensive) + table.insert(subscriptions, "SERVER_CHECK") + end + + -- perform the event subscription from the server + srv:event_sub(subscriptions, srv_event_dispatch) +end + +local function srv_event_add(event, data) + -- do nothing if the server was already removed + if data.reference == nil + then return + end + + -- server still exists, check if it can be tracked for email alerts + mailers_track_server_events(data.reference) +end + + +-- disable legacy email-alerts since email-alerts will be sent from lua directly +core.disable_legacy_mailers() + +-- event subscriptions are purposely performed in an init function to prevent +-- email alerts from being generated too early (when process is starting up) +core.register_init(function() + + -- do nothing if not on primary thread + -- this prevents emails from being sent multiple times when + -- lua-load-per-thread is used to load the script since the task + -- will be started on each haproxy thread + if core.thread > 1 then core.done() end + + -- subscribe to SERVER_ADD to be notified when new servers are added + core.event_sub({"SERVER_ADD"}, srv_event_add) + + -- loop through existing backends to detect existing servers + for backend_name, backend in pairs(core.backends) do + for srv_name, srv in pairs(backend.servers) do + mailers_track_server_events(srv) + end + end + +end) + +-- mail queue +core.register_task(function() + while true + do + local job = mailqueue:pop_wait() + + if job ~= nil then + local date = os.date("%a, %d %b %Y %T %z (%Z)", job.when) + local c = core.concat() + + -- prepare email body + c:add(string.format("From: %s\r\n", job.mailconf.smtp_from)) + c:add(string.format("To: %s\r\n", job.mailconf.smtp_to)) + c:add(string.format("Date: %s\r\n", date)) + c:add(string.format("Subject: [HAProxy Alert] %s\r\n", job.msg)) + c:add("\r\n") + c:add(string.format("%s\r\n", job.msg)) + + -- send email to all mailservers + for name, mailsrv in pairs(job.mailconf.mailservers) do + -- finally, send email to server + local ret, reason = smtp_send_email(mailsrv, + job.mailconf.mailservers_timeout, + job.mailconf.smtp_hostname, + job.mailconf.smtp_from, + job.mailconf.smtp_to, + c:dump()) + if ret == false then + core.Warning("Can't send email alert to ".. name .. ": " .. reason) + end + end + end + end +end) diff --git a/examples/option-http_proxy.cfg b/examples/option-http_proxy.cfg new file mode 100644 index 0000000..8b28f67 --- /dev/null +++ b/examples/option-http_proxy.cfg @@ -0,0 +1,54 @@ +# +# demo config for Proxy mode +# + +global + maxconn 20000 + ulimit-n 16384 + log 127.0.0.1 local0 + uid 200 + gid 200 + chroot /var/empty + daemon + +frontend test-proxy + bind 192.168.200.10:8080 + mode http + log global + option httplog + option dontlognull + maxconn 8000 + timeout client 30s + + # layer3: Valid users + acl allow_host src 192.168.200.150/32 + http-request deny if !allow_host + + # layer7: prevent private network relaying + acl forbidden_dst url_ip 192.168.0.0/24 + acl forbidden_dst url_ip 172.16.0.0/12 + acl forbidden_dst url_ip 10.0.0.0/8 + http-request deny if forbidden_dst + + default_backend test-proxy-srv + + +backend test-proxy-srv + mode http + timeout connect 5s + timeout server 5s + retries 2 + + # layer7: Only GET method is valid + acl valid_method method GET + http-request deny if !valid_method + + # take IP address from URL's authority + # and drop scheme+authority from URI + http-request set-dst url_ip + http-request set-dst-port url_port + http-request set-uri %[pathq] + server next-hop 0.0.0.0 + + # layer7: protect bad reply + http-response deny if { res.hdr(content-type) audio/mp3 } diff --git a/examples/quick-test.cfg b/examples/quick-test.cfg new file mode 100644 index 0000000..f27eeff --- /dev/null +++ b/examples/quick-test.cfg @@ -0,0 +1,29 @@ +# Basic config mapping a listening IP:port to another host's IP:port with +# support for HTTP/1 and 2. + +global + strict-limits # refuse to start if insufficient FDs/memory + # add some process-wide tuning here if required + + # A stats socket may be added to check live metrics if the load generators + # do not report them. + # stats socket /tmp/haproxy.sock level admin + # stats timeout 1h + +defaults + mode http + balance random # power-of-two-choices + timeout client 60s + timeout server 60s + timeout connect 1s + +listen p + # this is the address and port we'll listen to, the ones to aim the + # load generators at + bind :8000 + + # create a certificate and uncomment this for SSL + # bind :8443 ssl crt my-cert.pem alpn h2,http/1.1 + + # Put the server's IP address and port below + server s1 172.31.32.33:8000 diff --git a/examples/socks4.cfg b/examples/socks4.cfg new file mode 100644 index 0000000..2cbd417 --- /dev/null +++ b/examples/socks4.cfg @@ -0,0 +1,55 @@ +global + log /dev/log local0 + log /dev/log local1 notice + stats timeout 30s + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + +listen SMTP-20025 + bind 0.0.0.0:20025 + mode tcp + option tcplog + maxconn 2000 + timeout connect 5000 + timeout client 50000 + timeout server 50000 + option tcp-check + server SMTPS1 192.0.2.1:25 check inter 30000 fastinter 1000 + server SMTPS2_Via_SocksProxy1 192.0.2.2:25 socks4 127.0.0.1:1080 check-via-socks4 check inter 30000 fastinter 1000 backup + +listen SSL-20080 + bind 0.0.0.0:20080 + mode tcp + option tcplog + maxconn 2000 + timeout connect 5000 + timeout client 50000 + timeout server 50000 + option tcp-check + server HTTPS1_Via_SocksProxy1 192.0.2.1:443 ssl verify none socks4 127.0.0.1:1080 check inter 30000 fastinter 1000 + server HTTPS2 192.0.2.2:443 ssl verify none check inter 30000 fastinter 1000 backup + +# HAProxy web ui +listen stats + bind 0.0.0.0:20936 + mode http + log global + + maxconn 10 + timeout client 100s + timeout server 100s + timeout connect 100s + timeout queue 100s + + stats enable + stats uri /haproxy?stats + stats realm HAProxy\ Statistics + stats admin if TRUE + stats show-node diff --git a/examples/transparent_proxy.cfg b/examples/transparent_proxy.cfg new file mode 100644 index 0000000..a8cf6d9 --- /dev/null +++ b/examples/transparent_proxy.cfg @@ -0,0 +1,55 @@ +# +# This is an example of how to configure HAProxy to be used as a 'full transparent proxy' for a single backend server. +# +# Note that to actually make this work extra firewall/nat rules are required. +# Also HAProxy needs to be compiled with support for this, in HAProxy1.5-dev19 you can check if this is the case with "haproxy -vv". +# + +global +defaults + timeout client 30s + timeout server 30s + timeout connect 30s + +frontend MyFrontend + bind 192.168.1.22:80 + default_backend TransparentBack_http + +backend TransparentBack_http + mode http + source 0.0.0.0 usesrc client + server MyWebServer 192.168.0.40:80 + +# +# To create the the nat rules perform the following: +# +# ### (FreeBSD 8) ### +# --- Step 1 --- +# ipfw is needed to get 'reply traffic' back to the HAProxy process, this can be achieved by configuring a rule like this: +# fwd localhost tcp from 192.168.0.40 80 to any in recv em0 +# +# The following would be even better but this did not seam to work on the pfSense2.1 distribution of FreeBSD 8.3: +# fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid} +# +# If only 'pf' is currently used some additional steps are needed to load and configure ipfw: +# You need to configure this to always run on startup: +# +# /sbin/kldload ipfw +# /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf" +# /sbin/sysctl net.link.ether.ipfw=1 +# ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0 +# +# the above does the following: +# - load the ipfw kernel module +# - set pf as the outer firewall to keep control of routing packets for example to route them to a non-default gateway +# - enable ipfw +# - set a rule to catches reply traffic on em0 coming from the webserver +# +# --- Step 2 --- +# To also make the client connection transparent its possible to redirect incoming requests to HAProxy with a pf rule: +# rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22 +# here em1 is the interface that faces the clients, and traffic that is originally send straight to the webserver is redirected to HAProxy +# +# ### (FreeBSD 9) (OpenBSD 4.4) ### +# pf supports "divert-reply" which is probably better suited for the job above then ipfw.. +# diff --git a/examples/wurfl-example.cfg b/examples/wurfl-example.cfg new file mode 100644 index 0000000..52df68e --- /dev/null +++ b/examples/wurfl-example.cfg @@ -0,0 +1,41 @@ +# +# This is an example of how to configure HAProxy to be used with WURFL Device Detection module. +# +# HAProxy needs to be compiled with support for this. See README section 1.3 +# + +global + + # The WURFL data file + wurfl-data-file /usr/share/wurfl/wurfl.zip + + # WURFL patches definition (as much as needed, patches will be applied in the same order as specified in this conf file) + #wurfl-patch-file /path/to/patch1.xml; + + #wurfl-cache-size 100000 + ## no cache + #wurfl-cache-size 0 + + wurfl-information-list-separator | + + # list of WURFL capabilities, virtual capabilities, property names planned to be used in injected headers + wurfl-information-list wurfl_id model_name + +defaults + mode http + timeout connect 30s + timeout client 30s + timeout server 30s + +frontend TheFrontend + bind 192.168.1.22:80 + default_backend TheBackend + + # inject a header called X-Wurfl-All with all the WURFL information listed in wurfl-information-list + http-request set-header X-Wurfl-All %[wurfl-get-all()] + + # inject a header called X-WURFL-PROPERTIES with the "wurfl_id" information (should be listed in wurfl-information-list) + #http-request set-header X-WURFL-PROPERTIES %[wurfl-get(wurfl_id)] + +backend TheBackend + server TheWebServer 192.168.0.40:80 -- cgit v1.2.3