Holger Just meineerde
meineerde
/ haproxy.cfg
Created
July 26, 2017 11:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| defaults | |
| mode http | |
| frontent fe | |
| bind :8080 | |
| use_backend be | |
| backend be | |
| # do whatever... |
meineerde
/ haproxy.cfg
Last active
September 27, 2020 14:08
Build a dynamic SNI value to use in a HAProxy backend connection over SSL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend foo | |
| bind :443 ssl crt /path/to/certs | |
| # Ensure we have a clean state to start with | |
| http-request del-header X-SERVER-SNI | |
| # Set the concatenated value of the SNI value to a temporary header | |
| http-request set-header X-SERVER-SNI haproxy.%[ssl_fc_sni] if { ssl_fc_sni -m found } | |
| # Set the value of the header to a transaction-level variable |
meineerde
/ haproxy.cfg
Last active
December 21, 2017 14:47
HAPROXY: Get the equivalent of a fullbase fetch, that is the concatenation of the host header, the path, and the query string
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Build a new (internal) header containing the required full-base data | |
| # Unfortunately, we can't use variables here since they can't be used to concat data | |
| http-request set-header X-Full-Base %[base] | |
| http-request set-header X-Full-Base %[base]?%[query] if { query -m found } | |
| http-request deny if { req.hdr(X-Full-Base),map(/path/to/url_list.txt) -m found } | |
| # cleanup | |
| http-request del-header X-Full-Base |
meineerde
/ haproxy.cnf
Created
May 19, 2016 15:06
HAPROXY: Use a fetched integer value as checked value in an ACL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First extract the rate into a variable called req.src_http_req_rate | |
| http-request content set-var req.src_http_req_rate %[src_http_req_rate] | |
| # Then use this variable in the acl by subtracting the current rate from the | |
| # value returned from the map. If the result is less than 0, the request rate | |
| # is larger than the allowed value | |
| acl abuse src,map_ip_int(/etc/haproxy/ips.map),sub(req.src_http_req_rate) -m int lt 0 |
meineerde
/ LICENSE.txt
Last active
December 14, 2018 01:40
Update existing OCSP responses in HAProxy. Assuming you have all your SSL certificates in one directory, you can simply call `haproxy_update_ocsp /path/to/haproxy/certificates` with cron every couple of hours. For new certificates, call `haproxy_ocsp /path/to/haproxy/certificates/server.pem` once to fetch the initial OCSP response.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The MIT License (MIT) | |
| Copyright (c) 2015 Holger Just, Planio GmbH | |
| Permission is hereby granted, free of charge, to any person obtaining a copy | |
| of this software and associated documentation files (the "Software"), to deal | |
| in the Software without restriction, including without limitation the rights | |
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| copies of the Software, and to permit persons to whom the Software is | |
| furnished to do so, subject to the following conditions: |
meineerde
/ haproxy.config
Last active
October 20, 2021 09:43
Set all cookies set in the HTTP response to HttpOnly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| acl httponly_cookie res.hdr(Set-Cookie),lower -m sub httponly | |
| rspirep ^(set-cookie:.*) \1;\ HttpOnly if !httponly_cookie |
meineerde
/ haproxy.cnf
Last active
December 9, 2017 18:26
Example HAProxy config which selectively requires client certificates based on SNI "vhost"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| listen tls | |
| bind *:443 | |
| mode tcp | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| # deny clients not sending an SNI header in 5 seconds | |
| tcp-request content reject |
meineerde
/ regex_which_matches_4_byte_utf8_characters.rb
Created
September 24, 2015 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| regex_which_matches_4_byte_utf8_characters = /[\u{ffff}-\u{10FFFF}]/ |
meineerde
/ haproxy_1_5.cnf
Last active
January 19, 2023 02:23
HAPROXY: Redirect all requests to a URL starting with /foo to /bar while retaining everything following it
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # In HAProxy 1.5, we have to jump through some hops to accomplish a rewrite of a request's path... | |
| # We use a temporary header to build our new path from the existing one in the request | |
| # and then directly perform a redirect | |
| # Clean the request and remove any existing header named X-Rewrite | |
| http-request del-header X-REWRITE | |
| # Copy the full request URL into the X-REWRITE request header unchanged | |
| http-request add-header X-REWRITE %[url] if { path_beg /foo } |
meineerde
/ haproxy.cfg
Created
June 23, 2015 09:44
HAProxy: Route requests based on an environment variable
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend http | |
| bind 10.0.0.1:80 | |
| mode http | |
| # Add a new header with the environment variable and the path concatenated | |
| http-request set-header X-ROUTING %[env(SERVER_AUTH)]::%[path] | |
| # Then compare the value using a regular expression with back-references | |
| # We need to use a named capture because of "reasons". Backreferences to normal captures seem to be rejected by HAProxy | |
| use_backend app if { req.hdr(X-ROUTING) -m reg ^(?<auth>.+)==\1 } | |
| # Cleanup in case we hadn't matched yet |