Last active
January 22, 2021 15:36
Announcing HAProxy Kubernetes Ingress Controller 1.5
# Ingress that forces HTTPS: plain-HTTP requests are answered with a
# redirect to the HTTPS endpoint.
#
# NOTE(review): networking.k8s.io/v1beta1 was removed in Kubernetes 1.22.
# Newer clusters need networking.k8s.io/v1, which also changes the layout of
# the spec section (not shown in this excerpt).
# NOTE(review): a redirect does not protect the first plain-HTTP request.
# Consider also sending a Strict-Transport-Security header so browsers stop
# using HTTP for this host.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # Annotation values must be strings, so "true" and "301" stay quoted.
    haproxy.org/ssl-redirect: "true"
    # 301 is a permanent redirect and is cached by browsers.
    haproxy.org/ssl-redirect-code: "301"
    # The value looks like "<namespace>/<secret name>" for the Secret holding
    # the certificate and private key - confirm against the controller docs.
    haproxy.org/ssl-certificate: "default/tls-secret"
# ... other ingress settings...
# Controller ConfigMap that injects raw directives into the `global` section
# of the generated HAProxy configuration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: default
data:
  # What the snippet below sets:
  #  - ssl-default-bind-options: disables SSLv3, TLS 1.0 and TLS 1.1 on every
  #    bind line and turns off TLS session tickets; prefer-client-ciphers
  #    lets the client's cipher order win.
  #  - ssl-default-bind-ciphers: the allowed suites, all ECDHE/DHE key
  #    exchange with AEAD ciphers. This list governs TLS 1.2 and below only;
  #    TLS 1.3 suites are controlled by ssl-default-bind-ciphersuites, which
  #    is not set here.
  #  - tune.ssl.default-dh-param: DH parameter size used for the DHE suites.
  #  - tune.bufsize: per-buffer size in bytes. Larger buffers accept larger
  #    headers but raise memory use per connection.
  # NOTE(review): the snippet is copied verbatim into haproxy.cfg, so write
  # access to this ConfigMap is equivalent to control of the proxy. Restrict
  # it with RBAC.
  global-config-snippet: |
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048
    tune.bufsize 32768
# Service whose generated HAProxy backend carries a per-client, per-URL
# request-rate limit.
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    # How the snippet below works:
    #  - stick-table: holds up to 1000 entries and stores, per key, the HTTP
    #    request rate over a 5-second window.
    #  - track-sc0 url32+src: the key is a hash of the URL concatenated with
    #    the source address, so each (client, URL) pair is counted separately.
    #  - deny: rejects the request once that pair exceeds 50 requests in the
    #    window. No deny_status is given, so HAProxy's default of 403 applies.
    # NOTE(review): `src` is the address of the direct TCP peer. Behind
    # another proxy or NAT, many clients share one counter.
    # NOTE(review): the limit is per URL, so a client that varies the URL
    # (for example the query string) gets a new counter for each variant and
    # adds an entry to the 1000-slot table each time. No `expire` is set
    # either; confirm how entries age out, and consider a src-only table for
    # an overall per-client cap.
    haproxy.org/backend-config-snippet: |
      stick-table type binary size 1000 store http_req_rate(5s)
      http-request track-sc0 url32+src
      http-request deny if { url32+src,table_http_req_rate() gt 50 }
# ... other service settings...
# Service annotated for TLS between HAProxy and the backend pods, with
# certificates on both sides (mutual TLS).
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    # Secret with the CA used to verify the certificate presented by the
    # backend servers.
    haproxy.org/server-ca: "default/server-tls-secret"
    # Secret with the client certificate and key that HAProxy presents to the
    # backend servers.
    # NOTE(review): the controller's service account must be able to read
    # both Secrets. Keep that RBAC grant as narrow as possible, because the
    # second Secret contains a private key.
    haproxy.org/server-crt: "default/client-tls-secret"
# ... other service settings...
# Ingress protected by HTTP Basic authentication, served over HTTPS only.
#
# NOTE(review): networking.k8s.io/v1beta1 was removed in Kubernetes 1.22.
# Newer clusters need networking.k8s.io/v1 and an adjusted spec (not shown in
# this excerpt).
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # Basic auth sends the credentials, merely base64-encoded, on every
    # request. The HTTPS redirect below is therefore a required part of this
    # setup, not an optional extra.
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    haproxy.org/ssl-certificate: "default/tls-secret"
    haproxy.org/auth-type: basic-auth
    # Secret holding the allowed logins. The value looks like
    # "<namespace>/<secret name>".
    # NOTE(review): presumably each entry maps a username to a hashed
    # password. Confirm the expected hash format in the controller docs and
    # never store plaintext passwords here.
    haproxy.org/auth-secret: "default/logins"
# ... other ingress settings...
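# ConfigMap with custom error responses. Each key is an HTTP status code and
# each value is the complete raw HTTP response HAProxy sends for that status.
apiVersion: v1
kind: ConfigMap
metadata:
  name: customerrors
  namespace: default
data:
  # The value is sent to the client byte for byte: status line, headers, an
  # empty line, then the body. The empty line after Content-Type is required.
  # Without it the HTML would be parsed as further header lines and the
  # response would be malformed.
  # Keep error bodies generic. Do not include backend names, addresses or
  # version strings.
  503: |-
    HTTP/1.0 503 Service Unavailable
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    <html><body><h1>Oops, that's embarassing!</h1>
    <p>There are no servers available to handle your request.</p>
    </body></html>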
# Container argument for the ingress controller: the ConfigMap, given as
# "<namespace>/<name>", that holds the custom error files.
args:
  - --configmap-errorfile=default/customerrors
# Controller-generated HTTP frontend in the older layout: one ACL-driven rule
# per host/path, each backed by its own numbered list file.
frontend http
  mode http
  bind 0.0.0.0:80 name bind_1
  bind :::80 v4v6 name bind_2
  # Normalise the request once: Host header without the port and lowercased,
  # plus the path and the base (host + path). All three come from the client.
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
  http-request set-var(txn.path) path
  http-request set-var(txn.base) base
  # Source-address blocklist: answer 403 when the request matches a listed
  # host+path prefix, host, or path prefix AND src is in the address list.
  # Requests that match none of the listed hosts/paths skip this check.
  http-request deny deny_status 403 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.host) -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst }
  # Capture Referer and User-Agent (first 128 bytes each) for the listed
  # hosts/paths.
  http-request capture "hdr(Referer)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.host) -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst }
  http-request capture "hdr(User-Agent)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.host) -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst }
  # Routing, first match wins: host+path rules, then host-only, then
  # path-only. `-m beg` is a plain string-prefix match, so /echo-2 also
  # matches /echo-20.
  use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-3 }
  use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-2 }
  use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo-3.k8s.local }
  use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo-2.k8s.local }
  use_backend echo-echo-1-http-echo-8443 if { var(txn.host) echo-1.k8s.local }
  use_backend echo-echo-3-http-echo-8080 if { var(txn.path) -m beg /echo-3 }
  use_backend echo-echo-2-http-echo-8080 if { var(txn.path) -m beg /echo-2 }
  # Anything unmatched, including unknown Host values, lands here.
  default_backend default-haproxy-1-4-kubernetes-ingress-default-backend-8080
# Controller-generated HTTP frontend in the map-based layout: host and path
# are resolved through map files, and the result selects the backend and
# gates the per-route rules.
frontend http
  mode http
  bind 0.0.0.0:80 name bind_1
  bind :::80 name bind_2 v4v6
  http-request set-var(txn.base) base
  http-request set-var(txn.path) path
  # Exact host lookup: Host header without the port, lowercased, then looked
  # up in host.map. The Host header is supplied by the client.
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower,map(/etc/haproxy/maps/host.map)
  # Fallback when the exact lookup found nothing: strip the first label and
  # look up the remainder (presumably to serve wildcard host rules - verify
  # against the host.map contents). Defaults to ''.
  http-request set-var(txn.host) req.hdr(Host),field(1,:),regsub(^[^.]*,,),lower,map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host) -m found }
  # Resolve host+path to a route: exact path first, then longest prefix.
  http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
  http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.match) -m found }
  # txn.match is dot-separated. `-m dom` tests for a numeric rule id among
  # its components, and field(1,.) below extracts the first component as the
  # backend name.
  # The blocklist applies only to requests whose route carries this rule id.
  # A request that resolves to no route skips it and goes to default_backend.
  http-request deny deny_status 403 if { var(txn.match) -m dom 819381936 } { src -f /etc/haproxy/maps/blacklist-2602162148.map }
  http-request capture "hdr(Referer)" len 128 if { var(txn.match) -m dom 4205828474 }
  http-request capture "hdr(User-Agent)" len 128 if { var(txn.match) -m dom 2786470064 }
  # Dynamic backend selection from the map result.
  use_backend %[var(txn.match),field(1,.)]
  default_backend default-haproxy-kubernetes-ingress-default-backend-8080
# Route the pod network through a cluster node so this host can reach pod IPs
# directly. Replace both <placeholders> with real values.
# Needs root (CAP_NET_ADMIN), and the route does not survive a reboot unless
# it is also added to the host's persistent network configuration.
$ ip route add <pod-network> via <node-ip>
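# Start the ingress controller binary directly on this host.
# (-e presumably selects the controller's external, out-of-cluster mode;
# confirm with ./kubernetes-ingress --help.)
# Every option line except the last must end with a backslash. Without it the
# shell ends the command at that line and the remaining options are never
# passed, so the controller would start on its default ports.
# Ports 8080/8443 are unprivileged, so the process does not need root to bind.
$ ./kubernetes-ingress -e \
    --configmap=default/haproxy-kubernetes-ingress \
    --program=/usr/bin/haproxy \
    --disable-ipv6 \
    --ipv4-bind-address=10.0.3.100 \
    --http-bind-port=8080 \
    --https-bind-port=8443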