davidbirdsong/gist:b0970da66b4f5a716c33a2bef087b467

## gistfile1.txt
global
	pidfile     /var/run/haproxy.pid
	stats socket /var/run/haproxy.sock mode 600 level admin
	maxconn     10240
	user        produser
	group       produser
	log-tag     gp_proxy
	# daemon
	description general purpose proxy, no image traffic through here


	tune.ssl.default-dh-param 2048
        ssl-default-bind-options no-sslv3
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC-SHA

defaults
	timeout connect         3s
	timeout client          63s
	timeout server          30s
	stats                   enable
	stats                   show-node
	stats refresh           5s
	option 			httplog
	option 			http-server-close

frontend gp-tls

	bind 162.248.206.75:443 ssl crt /data/secure/ssl/pems
	bind 127.0.0.1:8001
	mode tcp
	log 127.0.0.1:5116 local2
	option contstats
	tcp-request inspect-delay 10s
	tcp-request content accept if HTTP

	# https://api.fastly.com/public-ip-list
	tcp-request content accept if  { src 23.235.32.0/20 }
	tcp-request content accept if  { src 43.249.72.0/22 }
	tcp-request content accept if  { src 103.244.50.0/24 }
	tcp-request content accept if  { src 103.245.222.0/2 }
	tcp-request content accept if  { src 103.245.224.0/24 }
	tcp-request content accept if  { src 104.156.80.0/20 }
	tcp-request content accept if  { src 151.101.0.0/16 }
	tcp-request content accept if  { src 157.52.64.0/18 }
	tcp-request content accept if  { src 172.111.64.0/18 }
	tcp-request content accept if  { src 185.31.16.0/22 }
	tcp-request content accept if  { src 199.27.72.0/21 }
	tcp-request content accept if  { src 199.232.0.0/16 }
	tcp-request content accept if  { src 202.21.128.0/24 }
	tcp-request content accept if  { src 203.57.145.0/24 }
	tcp-request content accept if  { src 127.0.0.1 }

	use_backend cdn-parsers if ! HTTP
	default_backend auth-proxy

backend cdn-parsers
	mode tcp
	log 127.0.0.1:5116 local2
	option tcplog

	timeout server 30m
	balance leastconn

	server sjc1-b3-5:5563 sjc1-b3-5:5563 check
	server sjc1-b4-24:5563 sjc1-b4-24:5563 check
	server sjc1-b3-5:5566 sjc1-b3-5:5566 check
	server sjc1-b4-24:5566 sjc1-b4-24:5566 check

backend auth-proxy
	option httpclose
  http-request set-header X-Forwarded-Proto https if  { ssl_fc }
  http-request set-header X-SSL-Session-ID  %[ssl_fc_session_id,hex]
  http-request set-header X-SSL-Issuer      %{+Q}[ssl_c_i_dn]

	mode http
	server sjc1-b1-12:4043 sjc1-b1-12:4043 check
	server sjc1-b1-5:4043 sjc1-b1-5:4043 backup check
	global
	pidfile /var/run/haproxy.pid
	stats socket /var/run/haproxy.sock mode 600 level admin
	maxconn 10240
	user produser
	group produser
	log-tag gp_proxy
	# daemon
	description general purpose proxy, no image traffic through here


	tune.ssl.default-dh-param 2048
	ssl-default-bind-options no-sslv3
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC-SHA

	defaults
	timeout connect 3s
	timeout client 63s
	timeout server 30s
	stats enable
	stats show-node
	stats refresh 5s
	option httplog
	option http-server-close

	frontend gp-tls

	bind 162.248.206.75:443 ssl crt /data/secure/ssl/pems
	bind 127.0.0.1:8001
	mode tcp
	log 127.0.0.1:5116 local2
	option contstats
	tcp-request inspect-delay 10s
	tcp-request content accept if HTTP

	# https://api.fastly.com/public-ip-list
	tcp-request content accept if { src 23.235.32.0/20 }
	tcp-request content accept if { src 43.249.72.0/22 }
	tcp-request content accept if { src 103.244.50.0/24 }
	tcp-request content accept if { src 103.245.222.0/2 }
	tcp-request content accept if { src 103.245.224.0/24 }
	tcp-request content accept if { src 104.156.80.0/20 }
	tcp-request content accept if { src 151.101.0.0/16 }
	tcp-request content accept if { src 157.52.64.0/18 }
	tcp-request content accept if { src 172.111.64.0/18 }
	tcp-request content accept if { src 185.31.16.0/22 }
	tcp-request content accept if { src 199.27.72.0/21 }
	tcp-request content accept if { src 199.232.0.0/16 }
	tcp-request content accept if { src 202.21.128.0/24 }
	tcp-request content accept if { src 203.57.145.0/24 }
	tcp-request content accept if { src 127.0.0.1 }

	use_backend cdn-parsers if ! HTTP
	default_backend auth-proxy

	backend cdn-parsers
	mode tcp
	log 127.0.0.1:5116 local2
	option tcplog

	timeout server 30m
	balance leastconn

	server sjc1-b3-5:5563 sjc1-b3-5:5563 check
	server sjc1-b4-24:5563 sjc1-b4-24:5563 check
	server sjc1-b3-5:5566 sjc1-b3-5:5566 check
	server sjc1-b4-24:5566 sjc1-b4-24:5566 check

	backend auth-proxy
	option httpclose
	http-request set-header X-Forwarded-Proto https if { ssl_fc }
	http-request set-header X-SSL-Session-ID %[ssl_fc_session_id,hex]
	http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]

	mode http
	server sjc1-b1-12:4043 sjc1-b1-12:4043 check
	server sjc1-b1-5:4043 sjc1-b1-5:4043 backup check