Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Stack Exchange HAProxy
# This is an example of the Stack Exchange Tier 1 HAProxy config
# The only things that have been changed from what we are running are:
# 1. User names have been removed
# 2. All Passwords have been remove
# 3. IPs have been changed to use the example/documentation ranges
# 4. Rate limit numbers have been changed to randome numbers, don't read into them
userlist stats-auth
group admin users $admin_user
user $admin_user insecure-password $some_password
group readonly users $some_user
user $some_user insecure-password $some_other_password
global
daemon
stats socket /var/run/haproxy-t1.stat level admin
maxconn 100000
pidfile /var/run/haproxy-t1.pid
log 127.0.0.1 local0
log 192.0.2.17 local0
tune.bufsize 16384
tune.maxrewrite 1024
spread-checks 4
log-send-hostname ny-lb05
defaults
errorfile 503 /etc/haproxy-shared/errors/503.http
errorfile 502 /etc/haproxy-shared/errors/502.http
mode http
timeout connect 15s
timeout client 60s
timeout server 150s
timeout queue 60s
timeout http-request 15s
timeout http-keep-alive 15s
option httplog
option redispatch
option dontlognull
balance source
backend be_api_1.1
mode http
balance roundrobin
reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
reqirep ^([^\ ]*)\ /1.1/(.*) \1\ /\2
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_api
mode http
balance roundrobin
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_area51_stackexchange_com
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:area51.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_careers
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:careers.stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_internal_api
mode http
balance roundrobin
option http-server-close
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_meta_so
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:meta.stackoverflow.com
server ny-web10 203.0.113.110:80 check
server ny-web11 203.0.113.111:80 check
backend be_mobile
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:mobile.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_openid
mode http
balance roundrobin
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:openid.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_others
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:serverfault.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_so
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_so_crawler
mode http
balance roundrobin
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_sstatic
mode http
balance roundrobin
acl HTTP_OK status 200:399
rspidel ^Cache-Control:.* unless HTTP_OK
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:sstatic.net
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_stackauth
mode http
balance roundrobin
reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackauth.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
frontend fe_stackauth
bind 198.51.100.21:80 name stackauth
bind 198.51.100.145:80 name stackauth
log global
stick-table type ip size 999k expire 1m store conn_rate(30s)
capture request header Referer len 64
capture request header User-Agent len 128
capture request header Host len 64
capture request header X-Forwarded-For len 64
capture request header Accept-Encoding len 64
capture response header Content-Encoding len 64
capture response header X-Page-View len 1
capture response header X-Route-Name len 64
capture response header X-Account-Id len 7
capture response header X-Sql-Count len 4
capture response header X-Sql-Duration-Ms len 7
capture response header X-AspNet-Duration-Ms len 7
capture response header X-Application-Id len 5
capture response header X-Request-Guid len 36
capture response header X-Redis-Count len 4
capture response header X-Redis-Duration-Ms len 7
capture response header X-Http-Count len 4
capture response header X-Http-Duration-Ms len 7
capture response header X-TE-Count len 4
capture response header X-TE-Duration-Ms len 7
rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):
maxconn 40000
option http-server-close
option forwardfor
option httplog
acl source_is_serious_abuse src_conn_rate(fe_stackauth) gt 20
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist
acl is_crawler src -f /etc/haproxy-shared/crawlers
acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
acl source_is_abuser src_get_gpc0(fe_stackauth) gt 0
tcp-request connection track-sc1 src if !source_is_abuser
default_backend be_stackauth
frontend http-in
bind 198.51.100.16:80 name stackexchange
bind 198.51.100.17:80 name careers
bind 198.51.100.30:80 name careers.sstatic.net
bind 198.51.100.18:80 name openid
bind 198.51.100.24:80 name misc
bind 198.51.100.140:80 name stackexchange
bind 198.51.100.141:80 name careers
bind 198.51.100.154:80 name careers.sstatic.net
bind 198.51.100.142:80 name openid
bind 198.51.100.148:80 name misc
log global
stick-table type ip size 999k expire 1m store conn_rate(30s)
capture request header Referer len 64
capture request header User-Agent len 128
capture request header Host len 64
capture request header X-Forwarded-For len 64
capture request header Accept-Encoding len 64
capture response header Content-Encoding len 64
capture response header X-Page-View len 1
capture response header X-Route-Name len 64
capture response header X-Account-Id len 7
capture response header X-Sql-Count len 4
capture response header X-Sql-Duration-Ms len 7
capture response header X-AspNet-Duration-Ms len 7
capture response header X-Application-Id len 5
capture response header X-Request-Guid len 36
capture response header X-Redis-Count len 4
capture response header X-Redis-Duration-Ms len 7
capture response header X-Http-Count len 4
capture response header X-Http-Duration-Ms len 7
capture response header X-TE-Count len 4
capture response header X-TE-Duration-Ms len 7
rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):
maxconn 40000
option http-server-close
option forwardfor
option httplog
acl source_is_serious_abuse src_conn_rate(http-in) gt 1000
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist
acl is_crawler src -f /etc/haproxy-shared/crawlers
acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
acl source_is_abuser src_get_gpc0(http-in) gt 2
acl is_feeds path_beg /feeds/
acl is_internal_api path_beg /api/
acl is_careers hdr_beg(host) -i careers. jobs.
acl is_so hdr_end(host) -i stackoverflow.com
acl is_sstatic hdr_end(host) -i sstatic.net
acl is_stackauth hdr_end(host) -i stackauth.com
acl is_se hdr_end(host) -i stackexchange.com
acl is_area51 hdr(host) -i area51.stackexchange.com
acl is_mobile hdr(host) -i mobile.stackexchange.com
acl is_stackexchange_com hdr(host) -i stackexchange.com
acl is_meta_so hdr_end(host) -i meta.stackoverflow.com
acl is_dev_meta_webapps hdr_end(host) -i meta.dev.webapps.stackexchange.com
acl is_dev_fb hdr_end(host) -i fb.dev.stackoverflow.com
acl is_api_2 hdr(host) -i api.stackexchange.com
acl is_api hdr_sub(host) -i api
acl is_api_1.0 path_beg /1.0/
acl is_api_1.1 path_beg /1.1/
acl is_api_root path /
acl is_api_static path_beg -i /admin /content /crossdomain.xml /clientaccesspolicy.xml /robots.txt
acl is_dev hdr_beg(host) -i dev.
acl is_dev_discuss hdr_end(host) -i discuss.dev.area51.stackexchange.com
acl is_openid hdr_beg(host) -i openid.stackexchange.com
acl is_80 dst_port 80
acl is_ssl hdr_beg(X-SSL) -i yes
acl is_chat_yodeya hdr(host) -i chat.yodeya.com chat.miyodeya.com
acl is_bam_yodeya hdr(host) -i bam.yodeya.com bam.miyodeya.com
acl is_launchparty_yodeya hdr(host) -i launchparty.yodeya.com launchparty.miyodeya.com
acl is_me_yodeya hdr(host) -i me.yodeya.com me.miyodeya.com
acl is_kindle hdr_sub(user-agent) Silk-Accelerated
acl is_akamai hdr(host) -i sstatic-a.akamaihd.net
redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_chat_yodeya
redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_bam_yodeya
redirect prefix http://meta.judaism.stackexchange.com/questions/1134 code 301 if is_launchparty_yodeya
redirect prefix http://judaism.stackexchange.com code 301 if is_me_yodeya
redirect prefix https://openid.stackexchange.com code 301 if is_80 is_openid !is_ssl
tcp-request connection track-sc1 src if !source_is_abuser
use_backend be_internal_api if is_internal_api !is_careers
use_backend be_api_1.1 if is_api is_api_1.0
use_backend be_api_1.1 if is_api is_api_1.1
use_backend be_api if is_api_2
use_backend be_api_1.1 if is_api is_api_static
use_backend be_api_1.1 if is_api is_api_root
use_backend be_bad_api if is_api
use_backend be_sstatic if is_sstatic
use_backend be_sstatic if is_akamai
use_backend be_mobile if is_mobile
use_backend be_area51_stackexchange_com if is_area51
use_backend be_area51_stackexchange_com if is_stackexchange_com
use_backend be_meta_so if is_meta_so
use_backend be_careers if is_careers
use_backend be_so_crawler if is_so is_crawler
use_backend be_so_crawler if is_so is_crawler_ua
use_backend be_so if is_so
use_backend be_stackauth if is_stackauth
use_backend be_openid if is_openid
default_backend be_others
backend be_api_only
mode http
errorfile 503 /etc/haproxy-shared/errors/503apionly.http
backend be_bad_api
mode http
errorfile 403 /etc/haproxy-shared/errors/403.http
backend be_go-away
mode http
errorfile 503 /etc/haproxy-shared/errors/503rate.http
backend be_no_ssl
mode http
errorfile 503 /etc/haproxy-shared/errors/503nossl.http
listen t1_internal_stats
bind 203.0.113.15:7001
mode http
balance roundrobin
stats enable
stats uri /ilovestats
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN

rhacker commented Dec 20, 2014

nice, thanks for the beautiful configuration :3

zigmo commented Mar 27, 2015

thanks!

wputra commented May 23, 2015

awesome

robbat2 commented Jun 26, 2015

backend be_go-away
backend be_no_ssl
Seem to be unused; did you previously do something interesting with be_no_ssl?

akae commented Jul 14, 2015

I feel curious about the fact you are not using nbproc, which kind of CPU is running this haproxy?
Thanks for sharing this configuration, it's highly illustrative.

Are you no longer using the source port exhaustion workaround discussed here[1]?

  1. http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment