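global
pidfile /var/run/haproxy.pid
# Runtime admin socket. "level admin" permits disabling servers and changing
# weights, so the 600 mode (owner only) is what keeps it from becoming a local
# privilege escalation path; do not loosen it.
stats socket /var/run/haproxy.sock mode 600 level admin
maxconn 10240
user produser
group produser
log-tag gp_proxy
# daemon
description general purpose proxy, no image traffic through here
tune.ssl.default-dh-param 2048
# Only SSLv3 is disabled: TLS 1.0 and 1.1 are still offered on the 443 bind.
# Add "no-tlsv10 no-tlsv11" once client compatibility has been confirmed.
ssl-default-bind-options no-sslv3
# Forward-secret ECDHE suites first, then plain RSA key exchange for legacy
# clients. DES-CBC-SHA was removed from the tail of this list: single DES has
# a 56-bit key and gives no meaningful confidentiality to a client that
# negotiates down to it.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA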
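defaults
timeout connect 3s
timeout client 63s
timeout server 30s
# NOTE(review): "stats enable" in defaults turns on the built-in stats page
# (default URI /haproxy?stats) for every HTTP-mode proxy that inherits this
# section, with no "stats auth" or source ACL. Since auth-proxy is mode http
# and is the default_backend of the public 443 listener, the page appears
# reachable from the Internet. Add "stats auth"/"stats uri" plus an ACL, or
# move stats to a loopback-only listener.
stats enable
stats show-node
# Keep the HAProxy version string off the page until access is restricted.
stats hide-version
stats refresh 5s
option httplog
option http-server-close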
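frontend gp-tls
bind 162.248.206.75:443 ssl crt /data/secure/ssl/pems
# Plaintext listener, reachable only from this host.
bind 127.0.0.1:8001
mode tcp
log 127.0.0.1:5116 local2
option contstats
tcp-request inspect-delay 10s
# Anything that parses as HTTP is accepted from any source; it is routed to
# auth-proxy by default_backend below.
tcp-request content accept if HTTP
# Non-HTTP traffic is only accepted from Fastly's published ranges (see the
# URL below) or from loopback.
# https://api.fastly.com/public-ip-list
tcp-request content accept if { src 23.235.32.0/20 }
tcp-request content accept if { src 43.249.72.0/22 }
tcp-request content accept if { src 103.244.50.0/24 }
# Was "103.245.222.0/2", which matches 64.0.0.0-127.255.255.255 (a quarter of
# IPv4 space) and so let almost anyone through as "Fastly". Fastly publishes
# this range as a /23; re-check against the URL above before deploying.
tcp-request content accept if { src 103.245.222.0/23 }
tcp-request content accept if { src 103.245.224.0/24 }
tcp-request content accept if { src 104.156.80.0/20 }
tcp-request content accept if { src 151.101.0.0/16 }
tcp-request content accept if { src 157.52.64.0/18 }
tcp-request content accept if { src 172.111.64.0/18 }
tcp-request content accept if { src 185.31.16.0/22 }
tcp-request content accept if { src 199.27.72.0/21 }
tcp-request content accept if { src 199.232.0.0/16 }
tcp-request content accept if { src 202.21.128.0/24 }
tcp-request content accept if { src 203.57.145.0/24 }
tcp-request content accept if { src 127.0.0.1 }
# Without an explicit reject, HAProxy accepts the connection once the
# inspect-delay expires even when no accept rule matched, so the allowlist
# above only added a 10s delay for arbitrary non-HTTP sources before handing
# them to cdn-parsers. Reject everything that reached this point.
tcp-request content reject
use_backend cdn-parsers if ! HTTP
default_backend auth-proxy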
backend cdn-parsers
# Raw TCP pass-through for the non-HTTP traffic the frontend accepts from
# Fastly ranges and loopback.
mode tcp
log 127.0.0.1:5116 local2
option tcplog
# Long-lived streams: overrides the 30s "timeout server" from defaults.
timeout server 30m
balance leastconn
# Two hosts, two ports each; health checks use the same port as the service.
# No TLS toward these servers -- traffic decrypted at the 443 bind travels in
# the clear from here.
server sjc1-b3-5:5563 sjc1-b3-5:5563 check
server sjc1-b4-24:5563 sjc1-b4-24:5563 check
server sjc1-b3-5:5566 sjc1-b3-5:5566 check
server sjc1-b4-24:5566 sjc1-b4-24:5566 check
backend auth-proxy
# Close the server-side connection after each request; this overrides the
# "option http-server-close" inherited from defaults.
option httpclose
# set-header replaces any client-supplied copy, so these three headers cannot
# be spoofed from the request side -- except X-Forwarded-Proto on connections
# arriving via the plaintext 127.0.0.1:8001 bind (ssl_fc false), where the
# client's own value is passed through untouched.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-SSL-Session-ID %[ssl_fc_session_id,hex]
# NOTE(review): the 443 bind in gp-tls carries no "verify" option, so no client
# certificate is requested and ssl_c_i_dn should always be empty here; confirm
# whether this header is expected to carry anything downstream.
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
# Plain HTTP toward the servers; the frontend is mode tcp, so HTTP parsing
# happens on entry to this backend.
mode http
server sjc1-b1-12:4043 sjc1-b1-12:4043 check
server sjc1-b1-5:4043 sjc1-b1-5:4043 backup check