Created
February 22, 2019 07:23
-
-
Save dch/22b96d24cd5c312bdf17ba489094d36f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # refer to http://cbonte.github.io/haproxy-dconv/1.7/configuration.html | |
| # and http://cbonte.github.io/haproxy-dconv/1.7/management.html | |
| global | |
| daemon | |
| pidfile /var/run/haproxy.pid | |
| log 127.0.0.1 format rfc5424 local0 | |
| # drop privileges | |
| chroot /var/empty | |
| group www | |
| user www | |
| stats socket /var/run/haproxy.sock mode 660 user root group wheel level admin | |
| ssl-default-bind-options force-tlsv12 | |
| tune.ssl.default-dh-param 2048 | |
| ssl-default-bind-options no-sslv3 | |
| ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!EXP:!LOW:!MD5:!aNULL:!eNULL | |
| # ssl-dh-param-file /usr/local/etc/haproxy/diffie-hellman.cfg | |
| maxconn 4096 | |
| spread-checks 5 | |
| # hard-stop-after 15m | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| option log-health-checks | |
| monitor-uri /_haproxy_health_check | |
| # load balancing is tricky | |
| # roundrobin only really matters when we have multiple non-backup backends | |
| balance roundrobin | |
| # forwardfor and http-server-close ensure that backends get the actual IP | |
| # via the X-Forwarded-For header, but still have the benefits of HTTP | |
| # KeepAlive for performance | |
| option forwardfor | |
| option redispatch | |
| retries 3 | |
| # these need to be long enough to accommodate large view responses from couchdb | |
| timeout connect 10s | |
| option http-keep-alive | |
| option tcpka | |
| # health check settings all have defaults of 2 seconds which generates | |
| # a lot of unnecessary traffic. Note that TCP connection failures will | |
| # trigger a check & down state very quickly anyway so this is really | |
| # just to catch layer 7 (HTTP) issues in addition to network ones. | |
| # inter: interval between checks when backend is UP | |
| # downinter: interval between checks when backend is DOWN | |
| # fastinter: interval between checks when backend is changing state | |
| default-server inter 15s downinter 60s fastinter 5s | |
| # see https://www.rabbitmq.com/reliability.html and also | |
| # https://deviantony.wordpress.com/2014/10/30/rabbitmq-and-haproxy-a-timeout-issue/ | |
| frontend rabbitmq_tcp | |
| mode tcp | |
| bind {{ net.private.ip.haproxy }}:{{ config.rabbitmq.primary_port }} | |
| option tcplog | |
| default_backend rabbitmq_backend | |
| backend rabbitmq_backend | |
| mode tcp | |
| option tcplog | |
| option tcp-check | |
| tcp-check send-binary 414d515000000901 # <<"AMQP", 0, 0, 9, 1>> | |
| tcp-check expect string AMQP | |
| # ensure that non-heartbeat sending clients like python or perl aren't | |
| # arbitrarily disconnected, but if one side closes client-fin ensures the | |
| # connection is still freed up reasonably promptly. | |
| timeout client-fin 30s | |
| timeout tunnel 24h | |
| timeout client 24h | |
| timeout server 24h |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment