# This configuration creates a classical reverse-proxy and load balancer for
# public services. It presents ports 80 and 443 (with 80 redirecting to 443),
# enables caching of responses for up to one hour, and load-balances the
# service on a farm of 4 servers on internal addresses (192.0.2.0/24, the
# documentation range, stands in for them here) which are checked using HTTP
# checks, with stickiness maintained via a session cookie inserted by HAProxy.
# It offloads TLS processing and enables HTTP compression. It targets HAProxy
# 2.4; the HTTP/3 section is only activated when the binary was built with QUIC.

# Process-wide settings: privilege separation, runtime API, logging and the
# TLS defaults inherited by every "bind" line below.
global
	# relative file names (certificates, maps, ...) resolve against the
	# directory holding this configuration file
	default-path config

	# treat any start-up warning as fatal so configuration drift is caught early
	zero-warning

	# run as an unprivileged user inside an empty chroot once the listeners
	# have been bound
	chroot /var/empty
	user haproxy
	group haproxy

	# background the process and record its pid for the service manager
	daemon
	pidfile /var/run/haproxy-svc1.pid

	# bound how long a replaced process may linger after a reload
	hard-stop-after 5m

	# Runtime API (CLI) for admins, provisioning tools and seamless reloads
	# ("expose-fd listeners" lets the new process inherit the listening sockets).
	# NOTE: "level admin" allows changing live state, not only reading stats;
	# mode 600 owned by haproxy means only that user and root can reach the
	# socket -- keep it on a local path that no network service can proxy to.
	stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
	stats timeout 1h

	# logs go to stderr, to be collected by the service manager
	log stderr local0 info

	# TLS defaults: Mozilla "intermediate" profile, https://ssl-config.mozilla.org/
	# TLS 1.2 is the floor (no-tlsv10/no-tlsv11) and session tickets are off.
	# NOTE(review): the list includes DHE-RSA suites; confirm the DH group used
	# by this build is at least 2048 bits (tune.ssl.default-dh-param or DH
	# parameters appended to the certificate file), otherwise drop the DHE entries.
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

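# Defaults shared by every HTTP proxy (frontends and backends) below
defaults http
	mode http
	option httplog
	log global
	# bound the time a client may take to send the complete request headers;
	# when unset only "timeout client" applies, so a client holding a
	# connection open with a half-sent request line (slow-header / Slowloris
	# style abuse) ties up a slot for a full minute
	timeout http-request 10s
	timeout client 1m
	timeout server 1m
	timeout connect 10s
	timeout http-keep-alive 2m
	timeout queue 15s
	timeout tunnel 4h  # websockets and other long-lived tunnels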

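# Statistics page on port 8181.
# SECURITY: this listener binds on every address and the authentication
# lines below are commented out, so as shipped anyone able to reach port
# 8181 could read per-server state (and, had "stats admin" been enabled,
# change it). Requests are therefore rejected unless they come from a
# private or loopback source; add "stats auth" as well if the page must be
# reachable from elsewhere, or bind to a management address only.
frontend stats
	bind :8181
	# only private (RFC 1918) and loopback sources may reach the page;
	# http-request rules are evaluated before the stats applet, so this
	# deny takes effect
	acl stats_allowed src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
	http-request deny unless stats_allowed
	# expose the detailed stats (ssl, h2, ...) at the root of this listener
	stats uri /
	stats show-modules
	# optional: basic auth, and/or the admin mode (enable/disable servers)
	# from the same trusted networks -- admin mode changes live state, keep
	# it off unless it is needed
	#  stats auth admin:mystats
	#  stats admin if stats_allowed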

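# First public service: plain HTTP on :80 (redirected to TLS), HTTPS on :443,
# and HTTP/3 over QUIC when the binary was built with it. Sets HSTS, offloads
# TLS, compresses and caches responses before handing them to backend app1.
frontend pub1
	bind :80 name clear
	# NOTE(review): HTTP/2 on this listener relies on the build's default ALPN;
	# if h2 is not negotiated, add "alpn h2,http/1.1" to this bind line.
	bind :443 name secure ssl crt pub1.pem
	option socket-stats  # per-bind-line statistics

.if feature(QUIC)
	# HTTP/3 listener, advertised to clients for 25 hours (ma=90000 seconds).
	# allow-0rtt accepts TLS 1.3 early data, which an attacker on the path can
	# replay. Only safe requests (GET/HEAD) are processed before the handshake
	# completes; anything else waits for it so a replay cannot re-run a
	# state-changing request (confirm this build applies wait-for-handshake to
	# QUIC connections as it does to TCP ones).
	bind quic4@:443 name quic ssl crt pub1.pem allow-0rtt
	http-request wait-for-handshake if !METH_GET
	http-response add-header alt-svc 'h3=":443"; ma=90000'
.endif

	# HSTS for one year; browsers only honour it on TLS responses, so the
	# copy sent with the :80 redirect below is harmless but unused
	http-after-response set-header Strict-Transport-Security "max-age=31536000"
	# clear-text requests get a permanent redirect to the TLS port
	http-request redirect scheme https code 301 if !{ ssl_fc }

	# do not log or answer bare connections / pre-connects that send no request
	option http-ignore-probes

	# hand the real client address to the servers: drop any X-Forwarded-For a
	# client sent (it cannot be trusted) before HAProxy appends its own value.
	# Servers must in turn trust this header only when it arrives from this proxy.
	http-request del-header x-forwarded-for
	option forwardfor

	# compress text-like responses.
	# NOTE(review): compressing pages that mix attacker-controlled input with
	# secrets (anti-CSRF tokens, ...) enables BREACH-style size side channels;
	# exclude such content types or paths if the application is exposed to that.
	compression algo deflate gzip
	compression type text/ application/javascript application/xhtml+xml image/x-icon

	# serve cacheable responses from the "cache" instance defined below and
	# store new ones there (the instance is shared by every client of this
	# frontend, see the caveat on the cache section)
	http-request  cache-use cache
	http-response cache-store cache

	default_backend app1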

# Shared in-memory cache used by frontend pub1: 200 MB in total, objects up to
# 10 MB, kept for at most one hour. Inspect it with "show cache" on the CLI.
# NOTE(review): the cache is shared across all clients, so a per-user response
# that the origin does not mark "Cache-Control: private" or "no-store" (and
# that otherwise looks cacheable) would be handed to other users -- confirm the
# application sets those headers on personalised content.
cache cache
	process-vary on           # honour Vary; when off, responses carrying Vary are never cached
	max-age 3600              # seconds an object may be served from the cache
	max-object-size 10485760  # bytes; larger responses bypass the cache
	total-max-size 200        # megabytes of RAM reserved for this cache

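# First application: four servers behind cookie-based stickiness
backend app1
	# Algorithm choice:
	#  - roundrobin suits short, uniform requests,
	#  - leastconn suits mixed durations and long transfers,
	#  - random behaves well when several load balancers share the farm
	balance random

	# give up on a queued or in-flight request when the client closes
	option abortonclose

	# Persistence cookie inserted by HAProxy ("indirect": never forwarded to
	# the server; "nocache": marks the response uncacheable when the cookie
	# is added). A stickiness cookie identifies a user's session path, so it
	# gets the same protections as a session cookie: "secure" keeps browsers
	# from ever sending it in clear (all client traffic is TLS here, :80 only
	# redirects) and "httponly" keeps page scripts from reading it.
	cookie app1 insert indirect nocache httponly secure

	# HTTP health checks: GET / with the service host name
	option httpchk
	http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com

	# Servers are reached over plain HTTP on the internal network (TLS ends at
	# HAProxy); each is capped at 100 concurrent connections and checked every
	# second. Without an "http-check expect" rule any 2xx/3xx answer counts as
	# healthy.
	server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s
	server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s
	server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s
	server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s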