Created
April 2, 2020 02:41
-
-
Save CQBinh/aeca468c9a0433d6b531a7ee9a0d33d9 to your computer and use it in GitHub Desktop.
haproxy.cfg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/yyy.sock mode 660 level yyy | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| maxconn 2048 | |
| tune.ssl.default-dh-param 2048 | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS | |
| ssl-default-bind-options no-sslv3 | |
| defaults | |
| option forwardfor | |
| option http-server-close | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend http | |
| bind *:80 | |
| mode http | |
| redirect scheme https code 301 if !{ ssl_fc } | |
| default_backend xxx | |
| frontend https | |
| bind *:443 | |
| option forwardfor | |
| option forwardfor except 127.0.0.0/8 | |
| # ddos protect | |
| acl HAS_CF_CONNECTING_IP hdr_cnt(CF-Connecting-IP) eq 1 | |
| acl HAS_X_FORWARDED_FOR hdr_cnt(X-Forwarded-For) eq 1 | |
| tcp-request content track-sc0 hdr_ip(CF-Connecting-IP,-1) if HTTP HAS_CF_CONNECTING_IP | |
| tcp-request content track-sc0 hdr_ip(X-Forwarded-For,-1) if HTTP !HAS_CF_CONNECTING_IP HAS_X_FORWARDED_FOR | |
| # Stick Table Definitions | |
| # - conn_cur: count active connections | |
| # - conn_rate(3s): average incoming connection rate over 3 seconds | |
| # - http_err_rate(10s): Monitors the number of errors generated by an IP over a period of 10 seconds | |
| # - http_req_rate(10s): Monitors the number of request sent by an IP over a period of 10 seconds | |
| stick-table type ip size 500k expire 30s store conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s) | |
| # TARPIT the new connection if the client already has 10 opened | |
| http-request tarpit if { src_conn_cur ge 10 } | |
| # TARPIT the new connection if the client has opened more than 20 connections in 3 seconds | |
| http-request tarpit if { src_conn_rate ge 20 } | |
| # TARPIT the connection if the client has passed the HTTP error rate (10s) | |
| http-request tarpit if { sc0_http_err_rate() gt 20 } | |
| # TARPIT the connection if the client has passed the HTTP request rate (10s) | |
| http-request tarpit if { sc0_http_req_rate() gt 100 } | |
| # For country blocking and blacklists, if no CF-Connecting-IP is present, use the last value of X-Forwarded-For | |
| acl HAS_CF_CONNECTING_IP req.fhdr(CF-Connecting-IP) -m found | |
| http-request set-header CF-Connecting-IP %[req.hdr_ip(X-Forwarded-For,-1)] if !HAS_CF_CONNECTING_IP | |
| tcp-request inspect-delay 5s | |
| # end ddos protect | |
| reqadd X-Forwarded-Proto:\ https | |
| acl app_stats path_beg -i /stats | |
| use_backend be_stats if app_stats | |
| # xxx | |
| acl xxx_api_dev_req hdr(host) -i api-dev.xxx.zzzz -i www.api-dev.xxx.zzzz | |
| use_backend xxx_api_dev if xxx_api_dev_req | |
| acl xxx_dev_req hdr(host) -i dev.xxx.zzzz -i www.dev.xxx.zzzz -i aaa-dev.xxx.zzzz | |
| use_backend xxx_dev if xxx_dev_req | |
| acl xxx_aaa_dev_req hdr(host) -i aaa-dev.xxx.zzzz | |
| use_backend xxx_aaa_dev if xxx_aaa_dev_req | |
| acl xxx_x_req hdr(host) -i x.xxx.zzzz -i aaa-dev.xxx.zzzz | |
| use_backend x if xxx_x_req | |
| acl xxx_api_req hdr(host) -i api.xxx.zzzz -i www.api.xxx.zzzz | |
| use_backend xxx_api if xxx_api_req | |
| acl xxx_req hdr(host) -i xxx.zzzz -i www.xxx.zzzz | |
| use_backend xxx if xxx_req | |
| acl xxx_aaa_req hdr(host) -i aaa.xxx.zzzz | |
| use_backend xxx_aaa if xxx_aaa_req | |
| acl xxx_yyy_req hdr(host) -i zxc.xxx.zzzz -i www.zxc.xxx.zzzz | |
| use_backend xxx_yyy if xxx_yyy_req | |
| acl xxx_yyy_dev_req hdr(host) -i zxc-dev.xxx.zzzz -i www.zxc-dev.xxx.zzzz | |
| use_backend xxx_yyy_dev if xxx_yyy_dev_req | |
| default_backend xxx | |
| backend xxx_api_dev | |
| server app1 000.111.38.108:3009 check | |
| backend xxx_dev | |
| server app1 000.111.38.108:3010 check | |
| backend xxx_aaa_dev | |
| redirect scheme https if !{ ssl_fc } | |
| server app1 000.111.38.108:3011 check | |
| backend x | |
| redirect scheme https if !{ ssl_fc } | |
| server app 000.111.38.108:3011 check | |
| backend xxx_api | |
| redirect scheme https if !{ ssl_fc } | |
| server app1 000.111.43.199:3009 check | |
| server app2 000.111.158.47:3009 check | |
| server app3 000.111.159.11:3009 check | |
| server app4 000.111.159.14:3009 check | |
| backend xxx | |
| redirect scheme https if !{ ssl_fc } | |
| server app1 000.111.158.28:3010 check | |
| backend xxx_aaa | |
| redirect scheme https if !{ ssl_fc } | |
| server app1 000.111.158.28:3011 check | |
| backend xxx_yyy | |
| redirect scheme https if !{ ssl_fc } | |
| server app1 000.111.158.28:8003 check | |
| backend xxx_yyy_dev | |
| redirect scheme https if !{ ssl_fc } | |
| server app1 000.111.38.108:8003 check | |
| backend be_stats | |
| server stats1 localhost:6060 | |
| stats enable | |
| stats hide-version # Hide HAProxy version | |
| stats realm Haproxy Statistics | |
| stats uri / | |
| stats auth xxx:xxx.zzzz@2020 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment