path: root/docs/Running-behind-haproxy.md
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-07-24 09:54:23 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-07-24 09:54:44 +0000
commit: 836b47cb7e99a977c5a23b059ca1d0b5065d310e
tree: 1604da8f482d02effa033c94a84be42bc0c848c3 /docs/Running-behind-haproxy.md
parent: Releasing debian version 1.44.3-2.
Merging upstream version 1.46.3.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/Running-behind-haproxy.md')
-rw-r--r-- docs/Running-behind-haproxy.md 297
1 file changed, 0 insertions, 297 deletions
diff --git a/docs/Running-behind-haproxy.md b/docs/Running-behind-haproxy.md
deleted file mode 100644
index 4c9c32cc4..000000000
--- a/docs/Running-behind-haproxy.md
+++ /dev/null
@@ -1,297 +0,0 @@
-<!--
-title: "Netdata via HAProxy"
-custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/Running-behind-haproxy.md"
-sidebar_label: "Netdata via HAProxy"
-learn_status: "Published"
-learn_topic_type: "Tasks"
-learn_rel_path: "Configuration/Secure your nodes"
--->
-
-# Netdata via HAProxy
-
-> HAProxy is a free, very fast and reliable solution offering high availability, load balancing,
-> and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic websites
-> and powers quite a number of the world's most visited ones.
-
-If Netdata is running on a host running HAProxy, rather than connecting to Netdata from a port number, a domain name can
-be pointed at HAProxy, and HAProxy can redirect connections to the Netdata port. This can make it possible to connect to
-Netdata at `https://example.com` or `https://example.com/netdata/`, which is a much nicer experience then
-`http://example.com:19999`.
-
-To proxy requests from [HAProxy](https://github.com/haproxy/haproxy) to Netdata,
-the following configuration can be used:
-
-## Default Configuration
-
-For all examples, set the mode to `http`
-
-```conf
-defaults
- mode http
-```
-
-## Simple Configuration
-
-A simple example where the base URL, say `http://example.com`, is used with no subpath:
-
-### Frontend
-
-Create a frontend to receive the request.
-
-```conf
-frontend http_frontend
- ## HTTP ipv4 and ipv6 on all ips ##
- bind :::80 v4v6
-
- default_backend netdata_backend
-```
-
-### Backend
-
-Create the Netdata backend which will send requests to port `19999`.
-
-```conf
-backend netdata_backend
- option forwardfor
- server netdata_local 127.0.0.1:19999
-
- http-request set-header Host %[src]
- http-request set-header X-Forwarded-For %[src]
- http-request set-header X-Forwarded-Port %[dst_port]
- http-request set-header Connection "keep-alive"
-```
-
-## Configuration with subpath
-
-An example where the base URL is used with a subpath `/netdata/`:
-
-### Frontend
-
-To use a subpath, create an ACL, which will set a variable based on the subpath.
-
-```conf
-frontend http_frontend
- ## HTTP ipv4 and ipv6 on all ips ##
- bind :::80 v4v6
-
- # URL begins with /netdata
- acl is_netdata url_beg /netdata
-
- # if trailing slash is missing, redirect to /netdata/
- http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }
-
- ## Backends ##
- use_backend netdata_backend if is_netdata
-
- # Other requests go here (optional)
- # put netdata_backend here if no others are used
- default_backend www_backend
-```
-
-### Backend
-
-Same as simple example, except remove `/netdata/` with regex.
-
-```conf
-backend netdata_backend
- option forwardfor
- server netdata_local 127.0.0.1:19999
-
- http-request set-path %[path,regsub(^/netdata/,/)]
-
- http-request set-header Host %[src]
- http-request set-header X-Forwarded-For %[src]
- http-request set-header X-Forwarded-Port %[dst_port]
- http-request set-header Connection "keep-alive"
-```
-
-## Using TLS communication
-
-TLS can be used by adding port `443` and a cert to the frontend.
-This example will only use Netdata if host matches example.com (replace with your domain).
-
-### Frontend
-
-This frontend uses a certificate list.
-
-```conf
-frontend https_frontend
- ## HTTP ##
- bind :::80 v4v6
- # Redirect all HTTP traffic to HTTPS with 301 redirect
- redirect scheme https code 301 if !{ ssl_fc }
-
- ## HTTPS ##
- # Bind to all v4/v6 addresses, use a list of certs in file
- bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
-
- ## ACL ##
- # Optionally check host for Netdata
- acl is_example_host hdr_sub(host) -i example.com
-
- ## Backends ##
- use_backend netdata_backend if is_example_host
- # Other requests go here (optional)
- default_backend www_backend
-```
-
-In the cert list file place a mapping from a certificate file to the domain used:
-
-`/etc/letsencrypt/certslist.txt`:
-
-```txt
-example.com /etc/letsencrypt/live/example.com/example.com.pem
-```
-
-The file `/etc/letsencrypt/live/example.com/example.com.pem` should contain the key and
-certificate (in that order) concatenated into a `.pem` file.:
-
-```sh
-cat /etc/letsencrypt/live/example.com/fullchain.pem \
- /etc/letsencrypt/live/example.com/privkey.pem > \
- /etc/letsencrypt/live/example.com/example.com.pem
-```
-
-### Backend
-
-Same as simple, except set protocol `https`.
-
-```conf
-backend netdata_backend
- option forwardfor
- server netdata_local 127.0.0.1:19999
-
- http-request add-header X-Forwarded-Proto https
- http-request set-header Host %[src]
- http-request set-header X-Forwarded-For %[src]
- http-request set-header X-Forwarded-Port %[dst_port]
- http-request set-header Connection "keep-alive"
-```
-
-## Enable authentication
-
-To use basic HTTP Authentication, create an authentication list:
-
-```conf
-# HTTP Auth
-userlist basic-auth-list
- group is-admin
- # Plaintext password
- user admin password passwordhere groups is-admin
-```
-
-You can create a hashed password using the `mkpassword` utility.
-
-```sh
- printf "passwordhere" | mkpasswd --stdin --method=sha-256
-$5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1
-```
-
-Replace `passwordhere` with hash:
-
-```conf
-user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
-```
-
-Now add at the top of the backend:
-
-```conf
-acl devops-auth http_auth_group(basic-auth-list) is-admin
-http-request auth realm netdata_local unless devops-auth
-```
-
-## Full Example
-
-Full example configuration with HTTP auth over TLS with subpath:
-
-```conf
-global
- maxconn 20000
-
- log /dev/log local0
- log /dev/log local1 notice
- user haproxy
- group haproxy
- pidfile /run/haproxy.pid
-
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- daemon
-
- tune.ssl.default-dh-param 4096 # Max size of DHE key
-
- # Default ciphers to use on SSL-enabled listening sockets.
- ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- ssl-default-bind-options no-sslv3
-
-defaults
- log global
- mode http
- option httplog
- option dontlognull
- timeout connect 5000
- timeout client 50000
- timeout server 50000
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
-
-frontend https_frontend
- ## HTTP ##
- bind :::80 v4v6
- # Redirect all HTTP traffic to HTTPS with 301 redirect
- redirect scheme https code 301 if !{ ssl_fc }
-
- ## HTTPS ##
- # Bind to all v4/v6 addresses, use a list of certs in file
- bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
-
- ## ACL ##
- # Optionally check host for Netdata
- acl is_example_host hdr_sub(host) -i example.com
- acl is_netdata url_beg /netdata
-
- http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }
-
- ## Backends ##
- use_backend netdata_backend if is_example_host is_netdata
- default_backend www_backend
-
-# HTTP Auth
-userlist basic-auth-list
- group is-admin
- # Hashed password
- user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
-
-## Default server(s) (optional)##
-backend www_backend
- mode http
- balance roundrobin
- timeout connect 5s
- timeout server 30s
- timeout queue 30s
-
- http-request add-header 'X-Forwarded-Proto: https'
- server other_server 111.111.111.111:80 check
-
-backend netdata_backend
- acl devops-auth http_auth_group(basic-auth-list) is-admin
- http-request auth realm netdata_local unless devops-auth
-
- option forwardfor
- server netdata_local 127.0.0.1:19999
-
- http-request set-path %[path,regsub(^/netdata/,/)]
-
- http-request add-header X-Forwarded-Proto https
- http-request set-header Host %[src]
- http-request set-header X-Forwarded-For %[src]
- http-request set-header X-Forwarded-Port %[dst_port]
- http-request set-header Connection "keep-alive"
-```
-
-
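Review bot: this hunk deletes docs/Running-behind-haproxy.md outright, yet the front matter it removes declares `learn_status: "Published"` and a `custom_edit_url` into the master docs tree, so the sidebar entry and any external links will break unless the page was relocated; the change description should name the new location or add a redirect. If the text survives elsewhere, a few defects visible in the deleted copy are worth carrying over as fixes: every backend sets `http-request set-header Host %[src]`, which replaces the Host header with the client's IP address rather than the requested hostname (`%[req.hdr(host)]` keeps the original), and `http-request set-header X-Forwarded-For %[src]` duplicates what `option forwardfor` already does; `acl is_example_host hdr_sub(host) -i example.com` is a substring match, so `hdr(host) -i example.com` is the stricter check when only that domain should reach Netdata; the `userlist` example ships a plaintext `password passwordhere` line ahead of the hashed form, and the prose says `mkpassword` while the command actually run is `mkpasswd`; finally, `ssl-default-bind-options no-sslv3` still allows TLS 1.0 and 1.1, so `ssl-min-ver TLSv1.2` belongs on that line for current HAProxy releases.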