@haproxytechblog
haproxytechblog / blog20220909-01.sh
Last active Sep 16, 2022
Verify OAuth JWT tokens with HAProxy
$ openssl x509 -pubkey -noout -in ./myaccount.pem > pubkey.pem
@haproxytechblog
haproxytechblog / blog20220822-01.cfg
Created Aug 22, 2022
Path-based Routing with HAProxy
frontend mysite
    bind :80
    # route to a backend based on path's prefix
    use_backend app-a if { path /a } || { path_beg /a/ }
    use_backend app-b if { path /b } || { path_beg /b/ }
backend app-a
    # strip the prefix '/a' off of the path
    http-request replace-path /a(/)?(.*) /\2
@haproxytechblog
haproxytechblog / blog20220805-01.sh
Last active Aug 5, 2022
Restrict API Access with Client Certificates (mTLS)
$ openssl req \
    -newkey rsa:2048 \
    -nodes \
    -x509 \
    -days 3650 \
    -keyout root-ca.key \
    -out root-ca.crt
@haproxytechblog
haproxytechblog / blog20220729-01.cfg
Created Jul 29, 2022
Log Forwarding with HAProxy and Syslog
log-forward syslog
    # Accepts incoming TCP messages
    bind 0.0.0.0:514
    # Accepts incoming UDP messages
    dgram-bind 0.0.0.0:514
    # Sends outgoing messages via UDP
    log 172.25.0.12:514 local0
@haproxytechblog
haproxytechblog / blog20220722-01.cfg
Last active Jul 22, 2022
Preserve stick table data when reloading HAProxy
peers mypeers
    peer garfield 127.0.0.1:10000
@haproxytechblog
haproxytechblog / blog20220718-01.cfg
Last active Jul 27, 2022
HAProxy Data Plane API 2.6
global
    # Uses a UDP port
    log 192.168.56.30:514 local0
@haproxytechblog
haproxytechblog / blog20220610-01.sh
Created Jun 10, 2022
Custom Resources with HAProxy Kubernetes Ingress Controller
$ kubectl api-resources
NAME                SHORTNAMES   APIVERSION   NAMESPACED   KIND
bindings                         v1           true         Binding
componentstatuses   cs           v1           false        ComponentStatus
configmaps          cm           v1           true         ConfigMap
endpoints           ep           v1           true         Endpoints
events              ev           v1           true         Event
limitranges         limits       v1           true         LimitRange
namespaces          ns           v1           false        Namespace
nodes               no           v1           false        Node
@haproxytechblog
haproxytechblog / blog20220601-01.sh
Created Jun 2, 2022
Announcing HAProxy Kubernetes Ingress Controller 1.8
setcap cap_net_bind_service=+ep haproxy
@haproxytechblog
haproxytechblog / blog20220516-01.cfg
Created May 16, 2022
Enable Sticky Sessions in HAProxy
frontend mywebapp
    bind :80
    mode http
    default_backend webservers
backend webservers
    mode http
    balance roundrobin
    cookie SERVER insert indirect nocache
    server web1 192.168.56.20:80 check cookie web1
@haproxytechblog
haproxytechblog / blog20220401-01.cfg
Last active Apr 11, 2022
CVE-2022-22965 Spring4Shell Remote Code Execution Mitigation
frontend fe_main
    ...
    option http-buffer-request
    http-request deny if { query -i -m sub class.module.classLoader.resources.context.parent.pipeline springframework.context.support.FileSystemXmlApplicationContext }
    http-request deny if { req.hdrs -i -m sub class.module.classLoader.resources.context.parent.pipeline springframework.context.support.FileSystemXmlApplicationContext }
    http-request deny if { req.body -i -m sub class.module.classLoader.resources.context.parent.pipeline springframework.context.support.FileSystemXmlApplicationContext }