# ---------------------------------------------------------------------------
# global: process-wide settings -- logging, privilege drop, runtime API and
# the TLS defaults every "bind ... ssl" / "server ... ssl" line inherits.
# ---------------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
# Confine the process to a chroot and run it as the unprivileged
# haproxy:haproxy account once the sockets are bound.
chroot /var/lib/haproxy
# Runtime API socket at "admin" level (full control of the running process).
# Mode 660 limits access to the socket's owner and group.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4096
# Base directories against which the relative ca-file / crt names used in
# the bind and server lines below are resolved.
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# NOTE(review): the trailing "!AES256" permanently removes every AES-256
# suite, including the AES256-GCM suites admitted by ECDH+AESGCM/DH+AESGCM,
# so the ECDH+AES256 and DH+AES256 entries are dead and the effective set is
# AES-128 only. Presumably a deliberate preference for AES-128 performance --
# confirm before touching either list.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
# Certificates presented by "server ... ssl" entries must verify against the
# ca-file given on that server line; the backends below all pass one.
ssl-server-verify required
# increase DH Param bits to match certificate bits
tune.ssl.default-dh-param 2048
# Configure some default bind options
# - Disable SSLv3.0
# - Disable TLS Tickets (resumption then relies on the server-side session
#   cache sized/aged by the tune.ssl.* lines below, instead of tickets
#   protected by a long-lived process key)
# NOTE(review): TLS 1.0/1.1 stay enabled on binds that inherit these options;
# only the "fastly" frontend bind and the backend server lines pin TLS 1.2
# with force-tlsv12. Adding no-tlsv10 no-tlsv11 here is a client-compatibility
# decision that should be made per bind.
ssl-default-bind-options no-sslv3 no-tls-tickets
# lower your record size to improve Time to First Byte (TTFB)
tune.ssl.maxrecord 1400
# Allow SSL sessions to last for ~2 hours in order to improve the session
# hit rate.
tune.ssl.lifetime 2h
# Allow more entries in the session cache to improve session cache hit rate
tune.ssl.cachesize 500000
# Lower the amount of space we reserve for header rewriting
tune.maxrewrite 1024
# ---------------------------------------------------------------------------
# defaults: inherited by every listen/frontend/backend section that follows
# unless the section overrides the directive.
# ---------------------------------------------------------------------------
defaults
log global
mode http
retries 3
# Enable HTTP health checks; backends that need a specific request line and
# Host header override this with their own "option httpchk".
option httpchk
option httplog
option http-server-close
option splice-auto
option redispatch
balance roundrobin
# Bare numbers are milliseconds in HAProxy: 5 s connect, 50 s client/server.
timeout connect 5000
timeout client 50000
timeout server 50000
# Health endpoint answered by HAProxy itself (200 without touching a
# backend); inherited by every HTTP-mode frontend, so it is reachable on any
# of their binds.
monitor-uri /_haproxy_status
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# ---------------------------------------------------------------------------
# listen tls: TLS termination. Decrypts client traffic and forwards it in the
# clear over loopback to "frontend main" (HTTP/1.1) or to an HTTP/2 handler.
# ---------------------------------------------------------------------------
listen tls:
# Advertise http/1.1 over NPN to enable TLS False Start
# NOTE(review): NPN is the pre-standard negotiation; HTTP/2 (RFC 7540)
# requires ALPN, so browsers will only select h2 here if HAProxy is also
# offering it via "alpn". Consider adding "alpn h2,http/1.1" alongside npn --
# confirm the HAProxy version in use supports it.
# The per-port binds each carry a single certificate, presumably for an
# upstream that addresses one site per port -- confirm.
bind :20001 ssl npn h2,http/1.1 crt ev.python.org.pem
bind :20002 ssl npn h2,http/1.1 crt ev.python.org.pem
bind :20003 ssl npn h2,http/1.1 crt star.python.org.pem
bind :20005 ssl npn h2,http/1.1 crt star.pypa.io.pem
bind :20006 ssl npn h2,http/1.1 crt speed.pypy.org.pem
bind :20007 ssl npn h2,http/1.1 crt www.pycon.org.pem
bind :20008 ssl npn h2,http/1.1 crt jython.org.pem
bind :20009 ssl npn h2,http/1.1 crt pypy.org.pem
# Public 443 (v4 and v6) carries all certificates; selection is by SNI.
bind 0.0.0.0:443 ssl npn h2,http/1.1 crt ev.python.org.pem crt star.python.org.pem crt star.pypa.io.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem
bind :::443 ssl npn h2,http/1.1 crt ev.python.org.pem crt star.python.org.pem crt star.pypa.io.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem
bind :20010 ssl npn h2,http/1.1 crt ev.python.org.pem crt star.python.org.pem crt star.pypa.io.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem
# TCP mode: the decrypted byte stream is relayed as-is; HTTP handling happens
# in "frontend main" on 127.0.0.1:19001.
mode tcp
option tcplog
# Route h2-negotiated connections to the HTTP/2 handler on 19000.
use-server http2 if { ssl_fc_npn -i h2 }
# weight 0 keeps this server out of round-robin; it is only reached through
# the use-server rule above.
server http2 127.0.0.1:19000 weight 0
# NOTE(review): neither server sets send-proxy, so the receiving side sees
# 127.0.0.1 as the peer and the original client address is not conveyed --
# confirm this is acceptable for logging and backend access decisions.
server default 127.0.0.1:19001
# ---------------------------------------------------------------------------
# frontend main: HTTP entry point. Port 80 takes direct client traffic;
# 127.0.0.1:19001 receives already-decrypted traffic from "listen tls".
# ---------------------------------------------------------------------------
frontend main
# presumably an internal/upstream port like the 2000x ports on "listen tls" -- confirm
bind :20000
bind 0.0.0.0:80
bind :::80
bind 127.0.0.1:19001 # This is our TLS socket (decrypted traffic from "listen tls").
# Custom logging format, this is the same as the normal "httplog" in
# HAProxy except information about the TLS connection is included.
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %sslv/%sslc\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
# Capture the user agent in the log
capture request header User-Agent len 512
# ACME HTTP-01 challenges are exempt from the host allowlist and from the
# HTTPS redirect below, so certificate issuance works over plain HTTP.
acl letsencrypt-well-known-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-well-known if letsencrypt-well-known-acl
# Determine if this request has TLS on the client side or not.
# Port 19001 is bound on loopback only, so the destination port stands in
# for "arrived via the TLS listener".
acl is_tls dst_port 19001
# Host allowlist, one name per line, matched case-insensitively against the
# full Host header value (a value carrying ":port" would not match and is
# therefore denied -- fails closed).
acl our_domains hdr(host) -i -f /etc/haproxy/our_domains
# Deny requests that are not served from this host
http-request deny if !our_domains !letsencrypt-well-known-acl
# Remove any of the X-Forwarded-* headers from this request, Fastly gives
# us these headers in a different way and we have nothing else that would
# give us these headers.
http-request del-header X-Forwarded-For
http-request del-header X-Forwarded-Proto
# NOTE(review): X-Forwarded-For is stripped and never re-added in this
# frontend, and "listen tls" forwards without send-proxy, so backends reached
# through this path presumably get no client address at all -- confirm.
# Tell the backend servers whether this request is being served via TLS or
# not. This should pretty much *always* be yes since we unconditionally
# redirect to HTTPS in HAProxy.
http-request set-header X-Forwarded-Proto https if is_tls
http-request set-header X-Forwarded-Proto http if !is_tls
# Redirect all HTTP traffic to HTTPS
# (http-request rules, including the host deny above, are evaluated before
# redirect rules, so unknown hosts are refused rather than redirected.)
redirect code 301 scheme https if !is_tls !letsencrypt-well-known-acl
# Dispatch to the redirect backend for any redirects we have, we're going
# to do this here after the HTTP -> HTTPS redirect even though this will
# result in an extra redirect because we want to give this domain a chance
# to assert a HSTS response.
use_backend redirect if { hdr(host) -i cheeseshop.python.org }
use_backend redirect if { hdr(host) -i jobs.python.org }
use_backend redirect if { hdr(host) -i packages.python.org }
use_backend redirect if { hdr(host) -i planet.python.org }
use_backend redirect if { hdr(host) -i python.org }
use_backend redirect if { hdr(host) -i pypa.io }
use_backend redirect if { hdr(host) -i www.pycon.org }
use_backend redirect if { hdr(host) -i jython.org }
use_backend redirect if { hdr(host) -i jython.com }
use_backend redirect if { hdr(host) -i www.jython.com }
use_backend redirect if { hdr(host) -i jython.net }
use_backend redirect if { hdr(host) -i www.jython.net }
use_backend redirect if { hdr(host) -i pypy.org }
# Dispatch requests to the proper backend.
# No default_backend: an allowlisted host with no rule below gets a 503.
use_backend buildbot-master if { hdr(host) -i buildbot.python.org }
use_backend docs if { hdr(host) -i docs.python.org }
use_backend docs if { hdr(host) -i doc.python.org }
use_backend downloads if { hdr(host) -i www.python.org } { path_beg -i /ftp/ }
use_backend codespeed-cpython if { hdr(host) -i speed.python.org }
use_backend codespeed-pypy if { hdr(host) -i speed.pypy.org }
use_backend console if { hdr(host) -i console.python.org }
use_backend hg if { hdr(host) -i hg.python.org }
use_backend pypa-bootstrap if { hdr(host) -i bootstrap.pypa.io }
use_backend pypy-web if { hdr(host) -i www.pypy.org }
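# ---------------------------------------------------------------------------
# frontend fastly: origin entry point for the Fastly CDN. Authenticated by a
# shared-secret header, not by client certificates.
# ---------------------------------------------------------------------------
frontend fastly
# TLS 1.2 is pinned on this bind regardless of the global bind options.
bind :20004 ssl force-tlsv12 crt lb.psf.io.pem
# Adjust timeouts, Fastly can maintain long persistent connections to the
# backend server and thus we can keep these open for a long time.
# A bare number is milliseconds in HAProxy, so the previous "86400" was only
# 86.4 s; the "s" suffix makes this the day the comment above describes.
timeout client 86400s
# Determine if this request is valid, We mandate that a Fastly-Token is
# sent with all requests coming from Fastly and that this token matched the
# value we expect.
# The header is matched as an exact string against the lines of the pattern
# file. This check is the only authentication on this frontend (no client
# certificate is required), so everything below it trusts the Fastly-*
# headers; the token file must be handled as a secret.
http-request deny unless { hdr(Fastly-Token) -f /etc/haproxy/fastly_token }
# Determine if this request has TLS on the client side or not.
# Presence of the header is trusted only because the token check above gates
# the whole frontend.
acl is_tls hdr_cnt(Fastly-SSL) gt 0
# Remove any of the X-Forwarded-* headers from this request, Fastly gives
# us these headers in a different way.
http-request del-header X-Forwarded-For
http-request del-header X-Forwarded-Proto
# Tell the backend servers the original client IP address.
http-request set-header X-Forwarded-For %[hdr(Fastly-Client-IP)] if { hdr_cnt(Fastly-Client-IP) gt 0 }
# Tell the backend servers whether this request is being served via TLS or
# not. This should pretty much *always* be yes since Fastly should be
# configured to unconditionally redirect to HTTPS.
http-request set-header X-Forwarded-Proto https if is_tls
http-request set-header X-Forwarded-Proto http if !is_tls
# Strip out the headers from Fastly, we don't want to pass these to the
# backend, any value from them that needs to be passed backwards should be
# aliased to a "standard"-ish value and implemented whether it's coming via
# Fastly or not. Dropping Fastly-Token here also keeps the secret out of
# backend logs.
http-request del-header Fastly-Client-IP
http-request del-header Fastly-SSL
http-request del-header Fastly-Token
# Dispatch to the redirect backend for any redirects we have.
use_backend redirect if { hdr(host) -i cheeseshop.python.org }
use_backend redirect if { hdr(host) -i jobs.python.org }
use_backend redirect if { hdr(host) -i packages.python.org }
use_backend redirect if { hdr(host) -i planet.python.org }
use_backend redirect if { hdr(host) -i python.org }
use_backend redirect if { hdr(host) -i pypa.io }
use_backend redirect if { hdr(host) -i www.pycon.org }
use_backend redirect if { hdr(host) -i jython.org }
use_backend redirect if { hdr(host) -i jython.com }
use_backend redirect if { hdr(host) -i www.jython.com }
use_backend redirect if { hdr(host) -i jython.net }
use_backend redirect if { hdr(host) -i www.jython.net }
use_backend redirect if { hdr(host) -i pypy.org }
# Dispatch requests to the proper backend.
# Unlike "frontend main" there is no host allowlist here; a host with no rule
# below falls through with no default_backend and gets a 503.
use_backend buildbot-master if { hdr(host) -i buildbot.python.org }
use_backend docs if { hdr(host) -i docs.python.org }
use_backend docs if { hdr(host) -i doc.python.org }
use_backend downloads if { hdr(host) -i www.python.org } { path_beg -i /ftp/ }
use_backend codespeed-cpython if { hdr(host) -i speed.python.org }
use_backend codespeed-pypy if { hdr(host) -i speed.pypy.org }
use_backend console if { hdr(host) -i console.python.org }
use_backend hg if { hdr(host) -i hg.python.org }
use_backend pypa-bootstrap if { hdr(host) -i bootstrap.pypa.io }
use_backend pypy-web if { hdr(host) -i www.pypy.org }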
# ---------------------------------------------------------------------------
# backend redirect: local service answering the legacy/alias hostnames with
# redirects. No HSTS header is set here; presumably the service on 19002
# emits its own (see the HSTS comment in "frontend main") -- confirm.
# ---------------------------------------------------------------------------
backend redirect
server redirect 127.0.0.1:19002
# ---------------------------------------------------------------------------
# backend buildbot-master: buildbot.python.org web UI.
# ---------------------------------------------------------------------------
backend buildbot-master
option httpchk GET /all/#/about HTTP/1.1\r\nHost:\ buildbot.python.org
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# NOTE(review): "timeout client" is a frontend/listen directive; in a backend
# HAProxy warns and ignores it -- confirm with "haproxy -c" and drop or move
# it if so.
timeout client 30s
timeout connect 5s
timeout server 25s
# Applies once a connection is upgraded (e.g. WebSocket) -- presumably for
# the live-updating UI.
timeout tunnel 3600s
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified, trust
# anchored to the internal PSF CA.
server buildbot-master 10.132.80.210:9000 check ssl force-tlsv12 verifyhost buildbot-master.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend docs: docs.python.org / doc.python.org. Uses the inherited default
# health check (no "option httpchk" override here).
# ---------------------------------------------------------------------------
backend docs
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server docs 10.132.84.132:9000 check ssl force-tlsv12 verifyhost docs.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend downloads: www.python.org/ftp/ only (see the path_beg condition on
# the use_backend rules).
# ---------------------------------------------------------------------------
backend downloads
option httpchk HEAD /_check HTTP/1.1\r\nHost:\ www.python.org
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server downloads 10.132.109.52:9000 check ssl force-tlsv12 verifyhost downloads.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend codespeed-cpython: speed.python.org. Shares the origin host with
# codespeed-pypy (port 9000 vs 9001).
# ---------------------------------------------------------------------------
backend codespeed-cpython
option httpchk HEAD / HTTP/1.1\r\nHost:\ speed.python.org
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server codespeed-cpython 10.132.142.144:9000 check ssl force-tlsv12 verifyhost codespeed.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend codespeed-pypy: speed.pypy.org. Same origin host as
# codespeed-cpython, port 9001.
# ---------------------------------------------------------------------------
backend codespeed-pypy
option httpchk HEAD / HTTP/1.1\r\nHost:\ speed.pypy.org
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server codespeed-pypy 10.132.142.144:9001 check ssl force-tlsv12 verifyhost codespeed.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend console: console.python.org, proxied to a third-party host
# (PythonAnywhere). Only an explicit set of path prefixes is forwarded.
# ---------------------------------------------------------------------------
backend console
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Rewrite the Host header so the upstream vhost matches.
http-request replace-header Host ^.*$ www.pythonanywhere.com
# Path allowlist: anything outside these prefixes is refused here rather
# than relayed to the external host.
http-request deny unless { path_beg -i /static/ } or { path_beg -i /python-dot-org-console/ } or { path_beg -i /python-dot-org-live-consoles-status }
# External origin: verified against the system CA bundle rather than the
# internal PSF CA. No "check" on this server, so it is never marked down.
server console www.pythonanywhere.com:443 ssl force-tlsv12 verifyhost www.pythonanywhere.com ca-file ca-certificates.crt
# ---------------------------------------------------------------------------
# backend hg: hg.python.org web interface (SSH access goes through
# "listen hg_ssh" below).
# ---------------------------------------------------------------------------
backend hg
# Health check fetches a fixed revision so it exercises the repository, not
# just the front page.
option httpchk GET /test/rev/ea32503c754c HTTP/1.1\r\nHost:\ hg.python.org
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server hg 10.132.127.204:9000 check ssl force-tlsv12 verifyhost hg.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend pypa-bootstrap: bootstrap.pypa.io.
# ---------------------------------------------------------------------------
backend pypa-bootstrap
option httpchk HEAD / HTTP/1.1\r\nHost:\ bootstrap.pypa.io
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server pypa-bootstrap 10.132.13.29:9000 check ssl force-tlsv12 verifyhost bootstrap.pypa.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend pypy-web: www.pypy.org.
# ---------------------------------------------------------------------------
backend pypy-web
option httpchk HEAD / HTTP/1.1\r\nHost:\ pypy-web.psf.io
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
# NOTE(review): this is the only backend whose HSTS value omits
# "includeSubDomains; preload" -- confirm that is intentional.
http-response set-header Strict-Transport-Security max-age=315360000
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server pypy-web 10.132.62.199:9000 check ssl force-tlsv12 verifyhost pypy-web.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# backend letsencrypt-well-known: serves ACME HTTP-01 challenge responses.
# Reached from "frontend main" for any host when the path is under
# /.well-known/acme-challenge/, bypassing the host allowlist and the HTTPS
# redirect.
# ---------------------------------------------------------------------------
backend letsencrypt-well-known
option httpchk GET /.well-known/acme-challenge/sentinel HTTP/1.1\r\nHost:\ salt.psf.io
# http://gnuterrypratchett.com/
http-response set-header X-Clacks-Overhead GNU\ Terry\ Pratchett
# Add HSTS headers for anything that is configured to have them.
http-response set-header Strict-Transport-Security max-age=315360000;\ includeSubDomains;\ preload
# Re-encrypted to the origin: TLS 1.2 pinned, hostname verified against the
# internal PSF CA.
server letsencrypt-well-known 10.132.68.69:9000 check ssl force-tlsv12 verifyhost salt.psf.io ca-file PSF_CA.pem
# ---------------------------------------------------------------------------
# listen hg_ssh: raw TCP passthrough of SSH to the hg host. HAProxy does not
# terminate anything here; the SSH host key seen by clients is the origin's.
# ---------------------------------------------------------------------------
listen hg_ssh
bind :20100
mode tcp
option tcplog
option tcp-check
server hg-ssh 10.132.127.204:22 check
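# ---------------------------------------------------------------------------
# listen buildbot_worker: TCP passthrough for buildbot worker connections to
# the master. Same target as buildbot_worker_direct, different public port.
# ---------------------------------------------------------------------------
listen buildbot_worker
bind :20101
mode tcp
option tcplog
option tcp-check
# Worker connections are long-lived. A bare number is milliseconds in
# HAProxy, so the previous "86400" was only 86.4 s; the "s" suffix makes it
# the day that was presumably intended.
timeout client 86400s
timeout server 86400s
server buildbot-master-worker 10.132.80.210:9020 check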
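# ---------------------------------------------------------------------------
# listen buildbot_worker_direct: TCP passthrough for buildbot workers on the
# master's native port (9020). Same target as buildbot_worker.
# ---------------------------------------------------------------------------
listen buildbot_worker_direct
bind :9020
mode tcp
option tcplog
option tcp-check
# Worker connections are long-lived. A bare number is milliseconds in
# HAProxy, so the previous "86400" was only 86.4 s; the "s" suffix makes it
# the day that was presumably intended.
timeout client 86400s
timeout server 86400s
server buildbot-master-worker 10.132.80.210:9020 check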
# ---------------------------------------------------------------------------
# listen stats: HAProxy statistics page.
# NOTE(review): besides loopback this is bound on 10.132.169.156 with no
# "stats auth" or ACL, so reachability of that address is the only access
# control on the page -- confirm it is limited to a trusted network, or add
# "stats auth" / a source ACL.
# ---------------------------------------------------------------------------
listen stats
bind 127.0.0.1:4646
bind 10.132.169.156:4646
mode http
log global
stats enable
# Do not reveal the HAProxy version on the page.
stats hide-version
stats refresh 30s
stats show-node
stats uri /haproxy?stats