Last active
January 22, 2021 15:36
-
-
Save haproxytechblog/cd7c330e50ce4b070d04eeb2b6709c67 to your computer and use it in GitHub Desktop.
Announcing HAProxy Kubernetes Ingress Controller 1.5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.k8s.io/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: web-ingress | |
| namespace: default | |
| annotations: | |
| haproxy.org/ssl-redirect: "true" | |
| haproxy.org/ssl-redirect-code: "301" | |
| haproxy.org/ssl-certificate: "default/tls-secret" | |
| # ... other ingress settings... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: haproxy-kubernetes-ingress | |
| namespace: default | |
| data: | |
| global-config-snippet: | | |
| ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets | |
| ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
| tune.ssl.default-dh-param 2048 | |
| tune.bufsize 32768 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| run: web | |
| name: web | |
| annotations: | |
| haproxy.org/backend-config-snippet: | | |
| stick-table type binary size 1000 store http_req_rate(5s) | |
| http-request track-sc0 url32+src | |
| http-request deny if { url32+src,table_http_req_rate() gt 50 } | |
| # ... other service settings... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| run: web | |
| name: web | |
| annotations: | |
| haproxy.org/server-ca: "default/server-tls-secret" | |
| haproxy.org/server-crt: "default/client-tls-secret" | |
| # ... other service settings... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.k8s.io/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: web-ingress | |
| namespace: default | |
| annotations: | |
| haproxy.org/ssl-redirect: "true" | |
| haproxy.org/ssl-redirect-code: "301" | |
| haproxy.org/ssl-certificate: "default/tls-secret" | |
| haproxy.org/auth-type: basic-auth | |
| haproxy.org/auth-secret: "default/logins" | |
| # ... other ingress settings... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: customerrors | |
| namespace: default | |
| data: | |
| 503: |- | |
| HTTP/1.0 503 Service Unavailable | |
| Cache-Control: no-cache | |
| Connection: close | |
| Content-Type: text/html | |
| <html><body><h1>Oops, that's embarassing!</h1> | |
| <p>There are no servers available to handle your request.</p> | |
| </body></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| args: | |
| - --configmap-errorfile=default/customerrors |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend http | |
| mode http | |
| bind 0.0.0.0:80 name bind_1 | |
| bind :::80 v4v6 name bind_2 | |
| http-request set-var(txn.host) req.hdr(Host),field(1,:),lower | |
| http-request set-var(txn.path) path | |
| http-request set-var(txn.base) base | |
| http-request deny deny_status 403 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.host) -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } | |
| http-request capture "hdr(Referer)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.host) -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst } | |
| http-request capture "hdr(User-Agent)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.host) -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst } | |
| use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-3 } | |
| use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-2 } | |
| use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo-3.k8s.local } | |
| use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo-2.k8s.local } | |
| use_backend echo-echo-1-http-echo-8443 if { var(txn.host) echo-1.k8s.local } | |
| use_backend echo-echo-3-http-echo-8080 if { var(txn.path) -m beg /echo-3 } | |
| use_backend echo-echo-2-http-echo-8080 if { var(txn.path) -m beg /echo-2 } | |
| default_backend default-haproxy-1-4-kubernetes-ingress-default-backend-8080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend http | |
| mode http | |
| bind 0.0.0.0:80 name bind_1 | |
| bind :::80 name bind_2 v4v6 | |
| http-request set-var(txn.base) base | |
| http-request set-var(txn.path) path | |
| http-request set-var(txn.host) req.hdr(Host),field(1,:),lower,map(/etc/haproxy/maps/host.map) | |
| http-request set-var(txn.host) req.hdr(Host),field(1,:),regsub(^[^.]*,,),lower,map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host) -m found } | |
| http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map) | |
| http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.match) -m found } | |
| http-request deny deny_status 403 if { var(txn.match) -m dom 819381936 } { src -f /etc/haproxy/maps/blacklist-2602162148.map } | |
| http-request capture "hdr(Referer)" len 128 if { var(txn.match) -m dom 4205828474 } | |
| http-request capture "hdr(User-Agent)" len 128 if { var(txn.match) -m dom 2786470064 } | |
| use_backend %[var(txn.match),field(1,.)] | |
| default_backend default-haproxy-kubernetes-ingress-default-backend-8080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ip route add <pod-network> via <node-ip> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ./kubernetes-ingress -e \ | |
| --configmap=default/haproxy-kubernetes-ingress \ | |
| --program=/usr/bin/haproxy \ | |
| --disable-ipv6 \ | |
| --ipv4-bind-address=10.0.3.100 | |
| --http-bind-port=8080 \ | |
| --https-bind-port=8443 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment