Skip to content

Instantly share code, notes, and snippets.

@haproxytechblog
Created December 2, 2019 23:22
Show Gist options
  • Save haproxytechblog/a76d3eb833015ca3f38e7ac9de0fcc39 to your computer and use it in GitHub Desktop.
Save haproxytechblog/a76d3eb833015ca3f38e7ac9de0fcc39 to your computer and use it in GitHub Desktop.
HAProxy 2.1 Sample Config
#
# This is the ultimate HAProxy 2.0 "Getting Started" config
# It demonstrates many of the features available which are now available
# While you may not need all of these things, this can serve
# as a reference for your own configurations.
#
# Have questions? Check out our community Slack:
# https://slack.haproxy.org/
#
global
# master-worker required for `program` section
# enable here or start with -Ws
master-worker
mworker-max-reloads 3
# enable core dumps
set-dumpable
user haproxy
group haproxy
log stdout local0
stats socket 127.0.0.1:9999 level admin expose-fd listeners
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
# New strict-limits
strict-limits
# New directive to support misconfigured servers
h1-case-adjust cache-control CaChE-CoNtRoL
defaults
mode http
log global
timeout client 5s
timeout server 5s
timeout connect 5s
option redispatch
option httplog
program dataplane-api
command /usr/sbin/haproxy-dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /etc/haproxy/haproxy.cfg --reload-cmd "systemctl reload haproxy" --reload-delay 5 --userlist api
program spoa-mirror
command /usr/sbin/spoa-mirror -r0 -u"http://192.168.1.7/"
program whoami
# Prints username 'haproxy' to logs
command /usr/bin/whoami
# New user and group directives
user haproxy
group haproxy
peers mypeers
bind :10001 ssl crt /etc/haproxy/certs/www.example.com.pem
default-server ssl verify none
server PC #local peer. name must match local server name
table src_tracking type string size 10m store http_req_rate(10s),http_req_cnt
resolvers dns
parse-resolv-conf
resolve_retries 3
timeout resolve 1s
timeout retry 1s
hold other 30s
hold refused 30s
hold nx 30s
hold timeout 30s
hold valid 10s
hold obsolete 30s
userlist api
user admin password $5$aVnIFECJ$2QYP64eTTXZ1grSjwwdoQxK/AP8kcOflEO1Q5fc.5aA
frontend stats
bind *:8404
# Enable Prometheus Exporter
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
frontend fe_main
bind :80
bind :443 tfo ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1
# Enable log sampling
# One out of 10 requests would be logged to this source
log 127.0.0.1:10001 sample 1:10 local0
# For every 11 requests, log requests 2, 3, and 8-11
log 127.0.0.1:10002 sample 2-3,8-11:11 local0
# Log profiling data
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
# gRPC path matching
acl is_grpc_codename path /CodenameCreator/KeepGettingCodenames
# Dynamic 'do-resolve' trusted hosts
acl dynamic_hosts req.hdr(Host) api.local admin.local haproxy.com
# Activate Traffic Mirror
filter spoe engine traffic-mirror config mirror.cfg
# Redirect if not SSL
http-request redirect scheme https unless { ssl_fc }
# Enable src tracking
http-request track-sc0 src table mypeers/src_tracking
# Enable rate limiting
# Return 429 Too Many Requests if client averages more than
# 10 requests in 10 seconds.
# (duration defined in stick table in peers section)
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }
# Enable local resolving of Host if within dynamic_hosts ACL
# Allows connecting to dynamic IP address specified in Host header
# Useful for DNS split view or split horizon
http-request do-resolve(txn.dstip,dns) hdr(Host),lower if dynamic_hosts
http-request capture var(txn.dstip) len 40 if dynamic_hosts
# return 503 when dynamic_hosts matches but the variable
# txn.dstip is not set which mean DNS resolution error
# otherwise route to be_dynamic
use_backend be_503 if dynamic_hosts !{ var(txn.dstip) -m found }
use_backend be_dynamic if dynamic_hosts
# route to gRPC path
use_backend be_grpc if is_grpc_codename
# Route PHP requests to FastCGI app
use_backend phpapp if { path_end .php }
default_backend be_main
backend be_main
default-server ssl verify none alpn h2 check maxconn 50
# Enable Power of Two Random Choices Algorithm
balance random(2)
# Enable Layer 7 retries
retry-on all-retryable-errors
retries 3
# retrying POST requests can be dangerous
# make sure you understand the implications before removing
http-request disable-l7-retry if METH_POST
server server1 192.168.1.13:443 tfo
server server2 192.168.1.14:443 tfo
server server3 192.168.1.15:443 tfo
server server4 192.168.1.16:443 tfo
server server5 192.168.1.17:443 tfo
# New fetch methods:
http-response add-header SERVER_NAME "%[srv_name]"
http-response add-header SERVER_QUEUE "%[srv_queue(server1)]"
http-response add-header UUID "%[uuid]"
# New 'sha2' converter:
# set a value to hash, such as a username
http-response set-var(res.username) str("JOE SMITH")
# create hash with combined username and secret and convert to hexadecimal
http-response set-var(res.checksum) var(res.username),concat("secret"),sha2(256),hex
# Save full cookie header value
http-response set-var(res.cookieval) str(),concat("Username=",res.username,"|"),concat("",res.checksum)
# set cookie. Creates header 'set-cookie: Username=JOE SMITH|4DA485B06BB9D30DF34AC4BB1696BA9DA850DB074727E87C4B05448BD07218DF'
http-response set-header Set-Cookie %[var(res.cookieval)]
backend be_grpc
default-server ssl verify none alpn h2 check maxconn 50
server grpc1 10.1.0.11:3000
server grpc2 10.1.0.12:3000
backend be_dynamic
default-server ssl verify none check maxconn 50
# rule to prevent HAProxy from reconnecting to services
# on the local network (forged DNS name used to scan the network)
http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 }
http-request set-dst var(txn.dstip)
server dynamic 0.0.0.0:0
backend spoe-traffic-mirror
mode tcp
balance roundrobin
timeout connect 5s
timeout server 1m
server spoa1 127.0.0.1:12345
server spoa2 10.1.0.20:12345
backend be_503
# dummy backend used to return 503.
# You can use the 'errorfile' directive to send a nice
# 503 error page to end users.
errorfile 503 /etc/haproxy/errorfiles/503sorry.http
# New section for FastCGI
fcgi-app php-fpm
log-stderr global
option keep-conn
docroot /var/www/html
index index.php
path-info ^(/.+\.php)(/.*)?$
backend phpapp
# User FastCGI
use-fcgi-app php-fpm
server server1 127.0.0.1:9000 proto fcgi
backend wonky_server
# Enable case-sensitive header option
option h1-case-adjust-bogus-server
server server2 127.0.0.1:8081 check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment