Last active
August 4, 2020 20:44
-
-
Save haproxytechblog/34b06e911dd0180d22a89d323d4fc124 to your computer and use it in GitHub Desktop.
HAProxy 2.0 and Beyond
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| log stdout local0 | |
| log fd@1 local0 | |
| log stdout format raw local0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| mode http | |
| bind *:80 | |
| bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1 | |
| http-request redirect scheme https unless { ssl_fc } | |
| default_backend be_main | |
| backend be_main | |
| mode http | |
| server server1 192.168.1.13:443 ssl verify none alpn h2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| bind :443 ssl crt /path/to/cert.pem alpn h2 | |
| default_backend be_servers | |
| backend be_main | |
| default-server ssl verify none alpn h2 check maxconn 50 | |
| server grpc1 10.1.0.11:3000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| bind :3001 ssl crt /path/to/cert.pem alpn h2 | |
| acl is_otherservice_path path /AnotherService/SomeFunction | |
| use_backend be_otherservers if is_otherservice_path | |
| default_backend be_main |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| bind :443 tfo ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1 | |
| default_backend be_main | |
| backend be_main | |
| default-server ssl verify none alpn h2 check maxconn 50 | |
| retry-on all-retryable-errors | |
| http-request disable-l7-retry if METH_POST | |
| server server1 192.168.1.13:443 | |
| server server2 192.168.1.14:443 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| program <name> | |
| command </path/to/executable> [args] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| program dataplane-api | |
| command /usr/sbin/dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /etc/haproxy/haproxy.cfg --reload-cmd "systemctl reload haproxy" --reload-delay 5 --userlist api |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo "show proc" | socat /var/run/haproxy.master.sock - | |
| #<PID> <type> <relative PID> <reloads> <uptime> | |
| 6393 master 0 0 10d 03h02m01s | |
| # workers | |
| 6396 worker 1 0 10d 03h02m01s | |
| # programs | |
| 6394 dataplane-api - 0 10d 03h02m01s | |
| 6395 spoa-mirror - 0 10d 03h02m01s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| program spoa-mirror | |
| command /usr/sbin/spoa-mirror -r0 -u"http://staging.local/" | |
| frontend fe_main | |
| bind :80 | |
| filter spoe engine traffic-mirror config mirror.cfg | |
| default_backend be_main | |
| backend be_main | |
| server server1 192.168.1.13:80 | |
| backend spoe-traffic-mirror | |
| mode tcp | |
| balance roundrobin | |
| timeout connect 5s | |
| timeout server 1m | |
| server spoa1 127.0.0.1:12345 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [traffic-mirror] | |
| spoe-agent spoe-traffic-mirror | |
| log global | |
| messages mirror | |
| option set-on-error err | |
| option set-process-time ptime | |
| option set-total-time ttime | |
| option var-prefix spoe | |
| timeout hello 500ms | |
| timeout idle 10s | |
| timeout processing 100ms | |
| use-backend spoe-traffic-mirror | |
| spoe-message mirror | |
| args arg_method=method arg_path=url arg_ver=req.ver arg_hdrs=req.hdrs_bin arg_body=req.body | |
| # 10% chance to mirror traffic | |
| event on-frontend-http-request if { rand(100) le 10 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ make TARGET=linux2628 EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend stats | |
| bind *:8404 | |
| # Enable Prometheus Exporter | |
| http-request use-service prometheus-exporter if { path /metrics } | |
| stats enable | |
| stats uri /stats | |
| stats refresh 10s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| peers mypeers | |
| bind :10001 ssl crt mycerts/pem | |
| default-server ssl verify none | |
| server haproxy2 192.168.1.24:10000 | |
| server haproxy1 #local peer | |
| table src_tracking type string size 10m store http_req_rate(10s),http_req_cnt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| http-request track-sc0 src table mypeers/src_tracking |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo "show peers" | socat /var/run/haproxy.sock - | |
| 0xc04aa0: [13/May/2019:02:26:04] id=mypeers state=0 flags=0x3 resync_timeout=<PAST> task_calls=30 | |
| 0xc068a0: id=haproxy2(remote) addr=192.168.1.24:10000 status=CONN reconnect=3s confirm=0 flags=0x0 | |
| 0xc06780: id=haproxy1(local) addr=192.168.1.14:10001 status=NONE reconnect=<NEVER> confirm=0 flags=0x0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| backend be_main | |
| balance random(2) | |
| default-server ssl verify none alpn h2 check maxconn 50 | |
| server server1 192.168.1.13:443 tfo | |
| server server2 192.168.1.14:443 tfo | |
| server server3 192.168.1.15:443 tfo | |
| server server4 192.168.1.16:443 tfo | |
| server server5 192.168.1.17:443 tfo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| log stderr local0 | |
| log 127.0.0.1:10001 sample 1:10 local0 | |
| log 127.0.0.2:10002 sample 2-3,8-11:11 local0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| May 13 11:37:40 localhost haproxy[16129]: 192.168.1.3:40624 [13/May/2019:11:37:40.518] fe_main be_main/server2 0/0/0/0/0 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?i=10 HTTP/1.1" | |
| May 13 11:37:40 localhost haproxy[16129]: 192.168.1.3:40644 [13/May/2019:11:37:40.611] fe_main be_main/server2 0/0/0/1/1 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?i=20 HTTP/1.1" | |
| May 13 11:37:40 localhost haproxy[16129]: 192.168.1.3:40664 [13/May/2019:11:37:40.724] fe_main be_main/server2 0/0/0/0/0 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?i=30 HTTP/1.1" | |
| May 13 11:37:40 localhost haproxy[16129]: 192.168.1.3:40684 [13/May/2019:11:37:40.831] fe_main be_main/server2 0/0/0/0/0 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?i=40 HTTP/1.1" | |
| May 13 11:37:40 localhost haproxy[16129]: 192.168.1.3:40704 [13/May/2019:11:37:40.959] fe_main be_main/server2 0/0/0/1/1 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?i=50 HTTP/1.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| May 13 15:13:06 localhost haproxy[27579]: 192.168.1.3:41516 [13/May/2019:15:13:06.134] fe_main be_main/server1 0/0/0/0/0 200 2077 - - ---- 1/1/0/0/0 0/0 "GET /?id=2 HTTP/1.1" | |
| May 13 15:13:06 localhost haproxy[27579]: 192.168.1.3:41518 [13/May/2019:15:13:06.145] fe_main be_main/server2 0/0/0/1/1 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?id=3 HTTP/1.1" | |
| May 13 15:13:06 localhost haproxy[27579]: 192.168.1.3:41528 [13/May/2019:15:13:06.201] fe_main be_main/server1 0/0/0/1/1 200 2077 - - ---- 1/1/0/0/0 0/0 "GET /?id=8 HTTP/1.1" | |
| May 13 15:13:06 localhost haproxy[27579]: 192.168.1.3:41530 [13/May/2019:15:13:06.212] fe_main be_main/server2 0/0/0/2/2 200 191 - - ---- 1/1/0/0/0 0/0 "GET /?id=9 HTTP/1.1" | |
| May 13 15:13:06 localhost haproxy[27579]: 192.168.1.3:41532 [13/May/2019:15:13:06.222] fe_main be_main/server1 0/0/0/1/1 200 2077 - - ---- 1/1/0/0/0 0/0 "GET /?id=10 HTTP/1.1" | |
| May 13 15:13:06 localhost haproxy[27579]: 192.168.1.3:41534 [13/May/2019:15:13:06.232] fe_main be_main/server2 0/0/0/2/2 200 192 - - ---- 1/1/0/0/0 0/0 "GET /?id=11 HTTP/1.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo "show activity" | socat /var/run/haproxy.sock - | |
| thread_id: 1 (1..4) | |
| date_now: 1557729853.190497 | |
| loops: 4306 1405 4235 1601 | |
| wake_cache: 1756 134 1724 215 | |
| wake_tasks: 638 113 618 191 | |
| wake_signal: 0 0 0 0 | |
| poll_exp: 2394 247 2342 406 | |
| poll_drop: 588 49 578 91 | |
| poll_dead: 0 0 0 0 | |
| poll_skip: 0 0 0 0 | |
| fd_skip: 0 0 0 0 | |
| fd_lock: 4 1 1 3 | |
| fd_del: 0 0 0 0 | |
| conn_dead: 0 0 0 0 | |
| stream: 108 116 85 199 | |
| empty_rq: 2224 84 2201 113 | |
| long_rq: 0 0 0 0 | |
| ctxsw: 1470 400 1376 686 | |
| tasksw: 1400 342 1333 586 | |
| cpust_ms_tot: 0 0 0 0 | |
| cpust_ms_1s: 0 0 0 0 | |
| cpust_ms_15s: 0 0 0 0 | |
| avg_loop_us: 36 17 44 24 | |
| accepted: 4 13 9 8 | |
| accq_pushed: 10 8 8 8 | |
| accq_full: 0 0 0 0 | |
| accq_ring: 0 0 0 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo "show profiling" |socat /var/run/haproxy.sock - | |
| Per-task CPU profiling : auto # set profiling tasks {on|auto|off} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs {cpu_calls:%[cpu_calls]|cpu_ns_tot:%[cpu_ns_tot]| cpu_ns_avg:%[cpu_ns_avg]|lat_ns_tot:%[lat_ns_tot]|lat_ns_avg:%[lat_ns_avg]} %{+Q}r" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq {cpu_calls:%[cpu_calls]|cpu_ns_tot:%[cpu_ns_tot]| cpu_ns_avg:%[cpu_ns_avg]|lat_ns_tot:%[lat_ns_tot]|lat_ns_avg:%[lat_ns_avg]}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| bind :443 tfo ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1 | |
| default_backend be_main | |
| backend be_main | |
| default-server ssl verify none alpn h2 check maxconn 20 | |
| retry-on all-retryable-errors | |
| http-request disable-l7-retry if METH_POST | |
| server server1 192.168.1.13:443 tfo | |
| server server2 192.168.1.14:443 tfo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend fe_main | |
| bind :80 | |
| http-request do-resolve(txn.dstip,mydns) hdr(Host),lower | |
| http-request capture var(txn.dstip) len 40 | |
| # return 503 when the variable is not set, | |
| # which mean DNS resolution error | |
| use_backend be_503 unless { var(txn.dstip) -m found } | |
| default_backend be_main | |
| backend be_503 | |
| # dummy backend used to return 503. | |
| # You can use the 'errorfile' directive to send a nice | |
| # 503 error page to end users. | |
| errorfile 503 /etc/haproxy/errorfiles/503sorry.http | |
| backend be_main | |
| # rule to prevent HAProxy from reconnecting to services | |
| # on the local network (forged DNS name used to scan the network) | |
| http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 } | |
| http-request set-dst var(txn.dstip) | |
| server clear 0.0.0.0:80 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment