-
-
Save genediazjr/b7fd350a59b1e3b6fa07 to your computer and use it in GitHub Desktop.
HAProxy with SSL on Debian to nginx and node backends
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "deb http://ftp.debian.org/debian sid main" >> /etc/apt/sources.list | |
| echo "deb http://ftp.debian.org/debian experimental main" >> /etc/apt/sources.list | |
| apt-get update | |
| apt-get -t sid install libc6 libc6-dev libc6-dbg | |
| # reboot machine | |
| apt-get -t experimental install haproxy | |
| vim /etc/default/haproxy | |
| -------------------------------------------- | |
| ENABLED=1 | |
| -------------------------------------------- | |
| vim /etc/rsyslog.conf | |
| -------------------------------------------- | |
| # provides UDP syslog reception | |
| $ModLoad imudp | |
| $UDPServerRun 514 | |
| -------------------------------------------- | |
| vim /etc/rsyslog.d/30-haproxy.conf | |
| -------------------------------------------- | |
| local1.* -/home/admin/log/haproxy_1.log | |
| & ~ | |
| -------------------------------------------- | |
| vim /etc/logrotate.d/haproxy | |
| -------------------------------------------- | |
| /home/admin/log/haproxy*.log{ | |
| rotate 4 | |
| weekly | |
| missingok | |
| notifempty | |
| compress | |
| delaycompress | |
| sharedscripts | |
| postrotate | |
| reload rsyslog >/dev/null 2>&1 || true | |
| endscript | |
| } | |
| -------------------------------------------- | |
| haproxy --version | |
| /etc/init.d/rsyslog restart | |
| vim /etc/haproxy/haproxy.cfg | |
| # dont forget to open up the custom ports |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| user haproxy | |
| group haproxy | |
| daemon | |
| chroot /var/lib/haproxy | |
| ca-base /home/admin/ssl | |
| crt-base /home/admin/ssl | |
| ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL | |
| defaults | |
| log global | |
| mode http | |
| option forwardfor | |
| option http-server-close | |
| timeout connect 5s | |
| timeout client 30s | |
| timeout server 30s | |
| timeout tunnel 1h | |
| errorfile 400 /home/admin/errors/400.http | |
| errorfile 403 /home/admin/errors/403.http | |
| errorfile 408 /home/admin/errors/408.http | |
| errorfile 500 /home/admin/errors/500.http | |
| errorfile 502 /home/admin/errors/502.http | |
| errorfile 503 /home/admin/errors/503.http | |
| errorfile 504 /home/admin/errors/504.http | |
| frontend public | |
| bind :80 | |
| redirect scheme https code 301 if !{ ssl_fc } | |
| bind :443 ssl crt example.com.pem npn http/1.0,http/1.1,spdy/2,spdy/3 | |
| use_backend websocket if { path_beg /websocket/ } | |
| default_backend nginx | |
| backend websocket | |
| reqadd X-Forwarded-Proto:\ https | |
| balance leastconn | |
| option httpchk GET /websocket | |
| timeout check 500ms | |
| server websocket1 websocket.example.com:443 check-ssl ssl ca-file example.com.pem inter 500ms | |
| backend nginx | |
| reqadd X-Forwarded-Proto:\ https | |
| balance leastconn | |
| option httpchk GET | |
| timeout check 500ms | |
| server nginx1 127.0.0.1:8080 check-ssl ssl ca-file example.com.pem inter 500ms | |
| frontend stats | |
| bind :19861 ssl crt example.com.pem | |
| default_backend stats | |
| backend stats | |
| stats enable | |
| stats hide-version | |
| stats realm Haproxy\ Statistics | |
| stats uri /stats | |
| stats auth admin:password |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment