Last active September 13, 2023 19:04
Sample HAProxy HTTPS configuration for Moodle and Ellucian Colleague web apps -- anonymized from Mid Michigan Community College
# Bind addresses, hostnames and server addresses were removed when this config was anonymized
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:aRSA+3DES:!RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option log-separate-errors # Separate error logs from access logs
balance roundrobin
option dontlognull
option redispatch # Redirect the first dropped HTTP request if another server is in the pool
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 10m # Brandon has used this to import Moodle courses with large question banks
timeout client 10m
timeout server 10m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend load_balancers
## Binding to both test (192.) and production (67.) IP addresses
bind ssl crt /etc/ssl/private/
bind ssl crt /etc/ssl/private/
# Mitigate HTTPoxy
http-request del-header Proxy
# Figure out where to send traffic
# analogous to Apache/Nginx Virtual host directives
## Moodle #############
acl dest_moodle_prod hdr(host) -i
use_backend moodle_prod_nodes if dest_moodle_prod
## Colleague Web API ##
acl dest_webapi hdr(host) -i
use_backend webapi_nodes if dest_webapi
## Self Service ########
acl dest_selfservice hdr(host) -i
use_backend selfservice_nodes if dest_selfservice
## Payment Gateway #####
acl dest_payment hdr(host) -i
use_backend payment_nodes if dest_payment
## WebAdvisor ##########
acl dest_webadvisor hdr(host) -i
use_backend webadvisor_nodes if dest_webadvisor
## Colleague Web UI ##
acl dest_webui hdr(host) -i
acl dest_webui5 hdr(host) -i
use_backend webui_nodes if dest_webui
use_backend webui5_nodes if dest_webui5
backend moodle_prod_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Rather than use the front page, use a custom health check URL:
option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
# Do NOT inject this cookie; however, if it exists, send the user to the appropriate server
cookie MAPPSERVER indirect nocache preserve
server mapp1 check inter 2000 cookie mapp1
server mapp2 check inter 2000 cookie mapp2
server mapp3 check inter 2000 cookie mapp3 backup
backend webapi_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD /ColleagueApi HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
server webapi-prod check inter 2000
backend selfservice_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD /Student HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
# Redirect / to /Student where Self Service is running via IIS
redirect location /Student code 302 if { path -i / }
# The Self Service modules sometimes issue redirects to itself so we changed IIS to run on 80 so it will be possible for HAProxy to respond to these requests and redirect to 443
#server selfservice-prod check inter 2000
server selfservice-prod check inter 2000
backend payment_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD /PaymentGateway/css/SiteStyle.css HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
server paygate check inter 2000 ssl verify none
backend webadvisor_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD /mw/mw HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
# Redirect / to the web advisor root path
redirect location /mw/mw code 302 if { path -i / }
server 2012mweb check inter 2000 ssl verify none
backend webui_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD /UIProduction46/index.htm HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
# Redirect / and old 4.4 bookmarks to the new installation
redirect location /UIProduction46/index.htm code 302 if { path -i / }
redirect location /UIProduction46/index.htm code 302 if { path -i /UIProduction }
redirect location /UIProduction46/index.htm code 302 if { path -i /UIProduction/ }
redirect location /UIProduction46/index.htm code 302 if { path -i /UIProduction/index.htm }
redirect location /UIProduction46/launch.htm code 302 if { path -i /UIProduction/launch.htm }
server 2012webui check inter 2000 ssl verify none
backend webui5_nodes
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD /ui/index.html HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
# Redirect all traffic to HTTPS
redirect scheme https if !{ ssl_fc }
# Redirect / to the WebUI launcher page
redirect location /ui/index.html code 302 if { path -i / }
server ui5prod1 check inter 2000 ssl verify none
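The gist relies on a handful of settings for its security posture: `no-sslv3` on the default bind options, deleting the `Proxy` header in the frontend (the HTTPoxy mitigation), setting `X-Forwarded-Proto https` only when `ssl_fc` is true, and a `redirect scheme https` in every backend. It also talks to several backends with `ssl verify none`, which means HAProxy does not validate those backend certificates. The following linter is an added example, not part of the gist; it parses an HAProxy config into sections and reports where those settings are missing or where backend TLS verification is disabled. The embedded `SAMPLE_CONFIG` is constructed for the example (hostnames and addresses are made-up placeholders), with the directives modelled on the gist.

```python
"""Lint the security-relevant directives of an HAProxy config.

Added example (not the gist's own code). Parses the config into sections
and reports: missing no-sslv3, frontends that keep the Proxy header,
backends without an HTTPS redirect, X-Forwarded-Proto set without an
ssl_fc condition, and servers configured with 'ssl verify none'.
"""
from typing import List, Tuple

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

# Constructed sample: placeholder hostnames/addresses, directives modelled on the gist.
SAMPLE_CONFIG = """
global
    log /dev/log local0
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

defaults
    mode http
    timeout connect 5000

frontend load_balancers
    bind 192.0.2.10:443 ssl crt /etc/ssl/private/site.pem
    http-request del-header Proxy
    acl dest_moodle hdr(host) -i moodle.example.edu
    use_backend moodle_nodes if dest_moodle
    acl dest_pay hdr(host) -i pay.example.edu
    use_backend payment_nodes if dest_pay

backend moodle_nodes
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    cookie MAPPSERVER indirect nocache preserve
    server mapp1 10.0.0.11:80 check inter 2000 cookie mapp1

backend payment_nodes   # no HTTPS redirect, and backend certificate unverified
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server paygate 10.0.0.21:443 check inter 2000 ssl verify none
"""


def parse_sections(text: str) -> List[Tuple[str, str, List[List[str]]]]:
    """Return [(kind, name, [token lists...]), ...] in file order; comments stripped."""
    sections: List[Tuple[str, str, List[List[str]]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            name = tokens[1] if len(tokens) > 1 else ""
            sections.append((tokens[0], name, []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections


def _verify_none(tokens: List[str]) -> bool:
    """True for a 'server ... ssl verify none' line (backend cert not validated)."""
    if "ssl" not in tokens or "verify" not in tokens:
        return False
    i = tokens.index("verify")
    return i + 1 < len(tokens) and tokens[i + 1] == "none"


def lint(text: str) -> List[str]:
    """Return a list of human-readable findings; empty list means all checks passed."""
    findings: List[str] = []
    saw_global = False
    for kind, name, lines in parse_sections(text):
        label = f"{kind} {name}".strip()
        if kind == "global":
            saw_global = True
            opts = [l for l in lines if l[0] == "ssl-default-bind-options"]
            if not any("no-sslv3" in l for l in opts):
                findings.append("global: ssl-default-bind-options lacks no-sslv3")
        if kind in ("frontend", "listen"):
            if not any(l[:3] == ["http-request", "del-header", "Proxy"] for l in lines):
                findings.append(f"{label}: does not delete the Proxy header (HTTPoxy)")
        if kind in ("backend", "listen"):
            if not any(l[:3] == ["redirect", "scheme", "https"] for l in lines):
                findings.append(f"{label}: no 'redirect scheme https' for plain-HTTP requests")
            for l in lines:
                # X-Forwarded-Proto must only claim https when the client leg really was TLS
                if (len(l) >= 4 and l[:2] == ["http-request", "set-header"]
                        and l[2].lower() == "x-forwarded-proto" and l[3].lower() == "https"
                        and "ssl_fc" not in l):
                    findings.append(f"{label}: X-Forwarded-Proto https set without an ssl_fc condition")
                if l[0] == "server" and _verify_none(l):
                    findings.append(f"{label}: server {l[1]} uses 'ssl verify none' (backend certificate not validated)")
    if not saw_global:
        findings.append("no global section: ssl-default-bind-options no-sslv3 is not set")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real config with `lint(open("/etc/haproxy/haproxy.cfg").read())`; on the sample it reports only the two deliberate problems in `payment_nodes`. The `ssl verify none` finding is informational: the gist's author accepted it for internal backends, but the linter surfaces it so the decision is explicit rather than silent.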
@kishba, the sessions are stored in moodledata via NFS, so I tested storing them in the database and the problem continues. I'm using CentOS 7; what Linux do you use with this config file? Which version of HAProxy?

I searched other sites for similar configurations and everything works on my proxy, but all disconnect at 3 or 4 minutes. So it would help me if you shared your version of Linux and the version of HAProxy so I can replicate this on another server.

Thank you
