# refer to http://cbonte.github.io/haproxy-dconv/1.7/configuration.html
# and http://cbonte.github.io/haproxy-dconv/1.7/management.html
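global
# run in the background; the pidfile is how the init system signals us
daemon
pidfile /var/run/haproxy.pid
# syslog over UDP to the local collector, RFC 5424 framing, facility local0
log 127.0.0.1 format rfc5424 local0
# drop privileges. Listening sockets are bound, certificates read and the
# stats socket created before the chroot/setuid, so nothing after startup
# needs root. /var/empty must exist and should stay empty and root-owned.
chroot /var/empty
group www
user www
# runtime API. "level admin" accepts state-changing commands (disable/enable
# servers, set weights, clear tables, ...), so the only access control is the
# socket's permissions: root and members of wheel. Keep that group tight.
stats socket /var/run/haproxy.sock mode 660 user root group wheel level admin
# TLS defaults for every "bind ... ssl" line. Options given on several
# ssl-default-bind-options lines are OR'ed together, but they are kept on one
# line here so nobody reads the second as overriding the first.
# NOTE(review): force-tlsv12 pins the *maximum* version as well as the
# minimum; on HAProxy >= 1.8 that blocks TLS 1.3, so use
# "ssl-min-ver TLSv1.2" there instead.
ssl-default-bind-options force-tlsv12 no-sslv3
# DH parameter size used when the certificate file carries no DH params;
# shipping explicit parameters via ssl-dh-param-file (below) is the alternative.
tune.ssl.default-dh-param 2048
# Mozilla "intermediate" list minus the 3DES suites: with a TLS 1.2 floor the
# legacy clients that needed 3DES cannot negotiate anyway, so those suites only
# exposed a 64-bit-block cipher (SWEET32). The static-RSA AES suites at the
# tail have no forward secrecy and are retained purely for compatibility;
# remove them once the client population allows.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!3DES:!DSS:!EXP:!LOW:!MD5:!aNULL:!eNULL
# ssl-dh-param-file /usr/local/etc/haproxy/diffie-hellman.cfg
# process-wide cap on concurrent connections (also bounds file descriptors)
maxconn 4096
# add up to 5% jitter to health-check intervals so backends are not all
# probed in lockstep
spread-checks 5
# hard-stop-after 15m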
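defaults
log global
mode http
option httplog
# dontlognull suppresses log lines for connections that sent no data. It keeps
# monitoring/health-probe noise out of the log, but it also hides port scans
# and half-open floods; drop it if the log is relied on for that.
option dontlognull
option log-health-checks
# unauthenticated liveness URI answered by haproxy itself and never forwarded;
# it reveals only that the proxy is up.
monitor-uri /_haproxy_health_check
# load balancing is tricky
# roundrobin only really matters when we have multiple non-backup backends
balance roundrobin
# forwardfor adds X-Forwarded-For so backends see the real client address;
# combined with http-keep-alive (below) the header is set on every request of
# a kept-alive connection while we still get connection reuse. Backends must
# trust this header only when the request arrives from this proxy.
option forwardfor
# if the connection to the chosen server fails, retry against another one
option redispatch
retries 3
# connect covers only the TCP handshake to the backend, so it can stay short.
# NOTE(review): no "timeout client" / "timeout server" are set in defaults, so
# any HTTP frontend or backend that relies on them has NO inactivity timeout
# (haproxy warns about this at startup). The earlier remark about needing
# values "long enough to accommodate large view responses from couchdb"
# appears to refer to those two timeouts, not to connect; pick values and
# add them here. The rabbitmq sections below set their own.
timeout connect 10s
# bound the time a client may take to send a complete request header
# (slowloris). With http-keep-alive this also becomes the idle keep-alive
# timeout unless "timeout http-keep-alive" is set explicitly.
timeout http-request 10s
option http-keep-alive
# TCP keepalives on both sides so idle-but-live connections survive stateful
# middleboxes and dead peers are eventually noticed
option tcpka
# health check settings all have defaults of 2 seconds which generates
# a lot of unnecessary traffic. Note that TCP connection failures will
# trigger a check & down state very quickly anyway so this is really
# just to catch layer 7 (HTTP) issues in addition to network ones.
# inter: interval between checks when backend is UP
# downinter: interval between checks when backend is DOWN
# fastinter: interval between checks when backend is changing state
default-server inter 15s downinter 60s fastinter 5s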
# see https://www.rabbitmq.com/reliability.html and also
# https://deviantony.wordpress.com/2014/10/30/rabbitmq-and-haproxy-a-timeout-issue/
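frontend rabbitmq_tcp
mode tcp
# plaintext AMQP on the private interface only. There is no TLS here, so
# confidentiality and access control rest entirely on that network being
# trusted and the bind address staying private.
bind {{ net.private.ip.haproxy }}:{{ config.rabbitmq.primary_port }}
option tcplog
# Client-side timeouts are frontend keywords: "timeout client" and
# "timeout client-fin" are not valid in a backend section and are ignored
# there (with a startup warning), which is where they previously sat.
# 24h keeps non-heartbeat-sending clients like python or perl from being
# disconnected arbitrarily; client-fin makes sure a connection the client
# has half-closed is freed promptly rather than lingering for the full 24h.
timeout client 24h
timeout client-fin 30s
default_backend rabbitmq_backend
backend rabbitmq_backend
mode tcp
# (log format is decided on the frontend, so no "option tcplog" here)
# layer-7 check: send the AMQP 0-9-1 protocol header and require a reply
# containing "AMQP". NOTE(review): presumably that substring comes from the
# broker's Connection.Start frame advertising the AMQPLAIN mechanism — TODO
# confirm against a real reply; if AMQPLAIN is disabled this check may fail.
# Every probe opens a connection that is dropped after the reply, so the
# broker may log these as handshake failures.
option tcp-check
tcp-check send-binary 414d515000000901 # <<"AMQP", 0, 0, 9, 1>>
tcp-check expect string AMQP
# once a TCP-mode session is established, "timeout tunnel" governs inactivity
# in both directions; tunnel and server are backend-side keywords.
timeout tunnel 24h
timeout server 24h
# NOTE(review): no "server" lines are defined in this snippet; without any
# server the backend has nothing to dispatch to. Presumably they are
# rendered by the template elsewhere — verify.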