
@kamigerami
Last active April 30, 2018 05:55
haproxy + ssl -> varnish -> back to haproxy for loadbalancing to --> backend0/1/2 (webhost)
# This version uses ELB load balancing
# The ELB points to these two HAProxy hosts
# The CNAME of the domain points to the ELB
# ELB -> HAPROXY 1 or 2 -> Varnish --> HIT or MISS --> HAPROXY 1 or 2 -> Backend 1/2/3
vcl 4.0;
import directors;
# Return path through HAProxy-1: Varnish fetches cache misses from the
# listener on port 8080 of the proxy's internal address. The fetch is plain
# HTTP, so it relies on the network between the hosts being private.
backend haproxy1 {
    .host = "172.31.xx.235";   # HAPROXY-1 internal address
    .port = "8080";
    # Health probe: request "/" every 5s, allow 1s for the answer. The
    # backend counts as healthy while at least 3 of the last 5 probes passed.
    .probe = {
        .url       = "/";
        .timeout   = 1s;
        .interval  = 5s;
        .threshold = 3;
        .window    = 5;
    }
}
# Return path through HAProxy-2, configured the same way as haproxy1.
# The fetch is plain HTTP, so it relies on the network between the hosts
# being private.
backend haproxy2 {
    .host = "172.31.xx.68";    # HAPROXY-2 internal address
    .port = "8080";
    # Health probe: request "/" every 5s, allow 1s for the answer. The
    # backend counts as healthy while at least 3 of the last 5 probes passed.
    .probe = {
        .url       = "/";
        .timeout   = 1s;
        .interval  = 5s;
        .threshold = 3;
        .window    = 5;
    }
}
sub vcl_init {
    # Round-robin director over both HAProxy return listeners. A director
    # only carries traffic for requests whose req.backend_hint is set to
    # vdir.backend(); members whose probe marks them sick are skipped.
    new vdir = directors.round_robin();
    vdir.add_backend(haproxy1);
    vdir.add_backend(haproxy2);
}
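sub vcl_recv {
    # Route every request through the director created in vcl_init.
    # Without this assignment Varnish fetches from the first backend
    # declared in the file, so haproxy2 and the round-robin/health-based
    # selection would never be used.
    set req.backend_hint = vdir.backend();

    # Drop all request cookies so one cached object can be served to
    # every client.
    # NOTE(review): this makes each request anonymous to the web hosts.
    # Paths whose response depends on a session or login must be exempted
    # before this point (or kept off this cache), otherwise they either
    # break or are cached as the anonymous variant.
    if (req.http.Cookie) {
        unset req.http.Cookie;
    }

    # Normalise Accept-Encoding so the cache stores few variants per URL.
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            # Already-compressed formats: no point in compressing these.
            # The pattern is anchored at the end of the URL, so a request
            # with a query string does not match it.
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # Unknown algorithm: ask the backend for an uncompressed body.
            unset req.http.Accept-Encoding;
        }
    }
}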
sub vcl_backend_response { # called vcl_fetch before VCL 4.0
    # Keep the fetched URL on the stored object. vcl_deliver strips this
    # header again, so it is not sent to clients.
    set beresp.http.x-url = bereq.url;

    # Fixed lifetime: 404s get a zero TTL, everything else five minutes.
    # NOTE(review): "everything else" includes redirects and 5xx errors,
    # and the assignment overrides any max-age the backend sent. This sub
    # does not return, so the built-in vcl_backend_response still runs
    # afterwards; check how your Varnish version's built-in logic treats
    # Set-Cookie and Cache-Control: private/no-store before relying on it
    # to keep per-user responses out of the cache.
    if (beresp.status == 404) {
        set beresp.ttl = 0s;
    } else {
        set beresp.ttl = 300s;
    }
}
sub vcl_deliver {
    # Debug headers: tell the client whether the object came from cache and
    # how often it was hit. They reveal cache state to anyone who asks, so
    # disable them when they are not needed.
    if (obj.hits == 0) {
        set resp.http.X-Cache = "MISS";
    } else {
        set resp.http.X-Cache = "HIT";
    }

    # obj.hits behaviour changed in 4.0: it now counts per objecthead, not
    # per object, and may not be reset in some cases where bans are in use
    # (see bug 1492). Treat the number as approximate.
    set resp.http.X-Cache-Hits = obj.hits;

    # Internal bookkeeping header set in vcl_backend_response; never expose it.
    unset resp.http.x-url;

    # Wildcard CORS on every response: scripts on any origin may read what
    # this cache serves.
    # NOTE(review): acceptable only if nothing behind this cache is
    # restricted by network location or otherwise meant for a limited
    # audience; prefer an explicit origin list where that is not the case.
    set resp.http.Access-Control-Allow-Origin = "*";
}
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # --- process identity and confinement ---------------------------------
    # Runs as the unprivileged haproxy user, detached, chrooted into
    # /var/lib/haproxy.
    user haproxy
    group haproxy
    chroot /var/lib/haproxy
    daemon
    pidfile /var/run/haproxy.pid

    # --- logging and limits ------------------------------------------------
    log 127.0.0.1 local2
    maxconn 4000

    # --- TLS defaults for every 'bind ... ssl' line --------------------------
    tune.ssl.default-dh-param 4096
    # Prefers ECDHE with AES-GCM. The EECDH+aRSA+RC4 entry is cancelled by the
    # trailing !RC4.
    # NOTE(review): the SHA384/SHA256 entries and the bare EECDH / EDH+aRSA
    # entries also admit CBC-mode suites; re-check this list against current
    # guidance before reuse.
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
    # Disables SSLv3 and TLS 1.0 (the author's SSL Labs target).
    # NOTE(review): TLS 1.1 is still accepted with these options.
    ssl-default-bind-options no-sslv3 no-tlsv10

    # --- runtime stats socket -----------------------------------------------
    # NOTE(review): no 'mode' or 'level' is given, so file permissions and
    # command level come from HAProxy's defaults; set them explicitly so only
    # the intended local account can talk to the socket.
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
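defaults
    mode http
    log global
    option httplog
    option dontlognull
    maxconn 3000
    # Appends the connecting address to X-Forwarded-For on every proxy below.
    option forwardfor
    option http-server-close
    # http-reuse always # only available in newer 1.6 versions

    # Timeouts are in milliseconds when no unit is given.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # NOTE(review): no 'timeout http-request' is set, so a client may take
    # the full client timeout to send its request headers; consider adding
    # one to limit slow-request connection exhaustion.

    # Stats page.
    # NOTE(review): declared in 'defaults', the page is inherited by every
    # frontend and backend in this file, including the public :80/:443
    # frontend. 'user:password' is a placeholder and must be replaced before
    # deployment; better still, move these lines into a dedicated listener
    # that is reachable only from an admin network.
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth user:password
    # Do not advertise the HAProxy version on a page the Internet can reach.
    stats hide-version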
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
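frontend incoming
    # Public listener: plain HTTP on :80 (redirected below) and TLS on :443.
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/yourcert.pem

    # Mark TLS requests for the hosts behind us. set-header replaces any
    # X-Forwarded-Proto the client sent, so the value cannot be spoofed from
    # outside; the previous unconditional 'reqadd' appended next to it.
    # Non-TLS requests never reach a backend because of the redirect below.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Send plain-HTTP clients to the HTTPS version of the same URL.
    redirect scheme https if !{ ssl_fc }

    # HSTS for one year.
    # NOTE(review): includeSubDomains commits every subdomain of the site to
    # HTTPS for that period; confirm all of them serve valid TLS first.
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains

    # Everything goes to Varnish first.
    default_backend varnish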
frontend returning-varnish
    # Cache misses come back from Varnish on this listener. It is bound to
    # the internal address only and speaks plain HTTP without authentication,
    # so access must be limited at the network layer to the Varnish host.
    bind 172.31.xx.235:8080

    # Requests for this one path go to a dedicated backend...
    acl url_randomimage path_beg /random_image.png
    use_backend randomimage if url_randomimage

    # ...all other traffic goes to the load-balanced web hosts.
    default_backend webhost
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend varnish
    # add-header appends: any X-Forwarded-Proto already on the request stays
    # alongside this one.
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # Port the client connected to on this proxy; set-header overwrites any
    # value supplied with the request.
    http-request set-header X-Forwarded-Port %[dst_port]
    # Single Varnish instance, health-checked; reached over plain HTTP.
    server varnish 172.31.xx.254:80 check
backend webhost
    # Only fires on TLS connections; add-header appends rather than replaces.
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): requests reach this backend through the returning-varnish
    # listener, so dst_port here is that internal listener's port, not the
    # port the original client used, and it overwrites whatever value came
    # back from Varnish. Confirm the web hosts expect that.
    http-request set-header X-Forwarded-Port %[dst_port]
    # Three health-checked web hosts; no 'balance' line, so HAProxy's default
    # algorithm applies.
    server backend-0 172.31.xx.176:80 check
    server backend-1 172.31.xx.174:80 check
    server backend-2 172.31.xx.47:80 check
backend randomimage
    # Only fires on TLS connections; add-header appends rather than replaces.
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): selected from the returning-varnish listener, so dst_port
    # is that internal listener's port; confirm the web host expects that.
    http-request set-header X-Forwarded-Port %[dst_port]
    # Pinned to a single web host, health-checked.
    server backend-0 172.31.xx.176:80 check