Created
April 11, 2018 13:11
-
-
Save mjudeikis/0a1ae3f9c5f18a39f8d1dc107c31a872 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Global settings | |
#--------------------------------------------------------------------- | |
global | |
maxconn 20000 | |
log /dev/log local0 info | |
stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin | |
#--------------------------------------------------------------------- | |
# common defaults that all the 'listen' and 'backend' sections will | |
# use if not designated in their block | |
#--------------------------------------------------------------------- | |
defaults | |
mode http | |
log global | |
option httplog | |
option dontlognull | |
# option http-server-close | |
option forwardfor except 127.0.0.0/8 | |
option redispatch | |
retries 3 | |
timeout http-request 10s | |
timeout queue 1m | |
timeout connect 10s | |
timeout client 300s | |
timeout server 300s | |
timeout http-keep-alive 10s | |
timeout check 10s | |
maxconn 20000 | |
listen stats | |
bind :9000 | |
mode http | |
stats enable | |
stats uri / | |
frontend atomic-openshift-api | |
bind *:443 | |
default_backend atomic-openshift-router | |
mode tcp | |
option tcplog | |
tcp-request inspect-delay 5s | |
tcp-request content accept if { req_ssl_hello_type 1 } | |
# 129.146.134.212 | |
acl sni req.ssl_sni -m found | |
acl host_api req.ssl_sni -i console.example.com | |
acl host_router req.ssl_sni -m sub -i apps.example.com | |
acl host_api req.ssl_sni -i console.example.com | |
acl host_router req.ssl_sni -m sub -i apps.example.com | |
acl host_router_dev req.ssl_sni -m sub -i apps-dev.example.com | |
acl host_router_prod req.ssl_sni -m sub -i apps-prod.example.com | |
use_backend atomic-openshift-api if host_api | |
use_backend atomic-openshift-router if host_router | |
use_backend atomic-openshift-router-dev if host_router_dev | |
use_backend atomic-openshift-router-prod if host_router_prod | |
backend atomic-openshift-router | |
balance source | |
mode tcp | |
# maximum SSL session ID length is 32 bytes. | |
stick-table type binary len 32 size 30k expire 30m | |
acl clienthello req_ssl_hello_type 1 | |
acl serverhello rep_ssl_hello_type 2 | |
# use tcp content accepts to detects ssl client and server hello. | |
tcp-request inspect-delay 5s | |
tcp-request content accept if clienthello | |
# no timeout on response inspect delay by default. | |
tcp-response content accept if serverhello | |
stick on payload_lv(43,1) if clienthello | |
# Learn on response if server hello. | |
stick store-response payload_lv(43,1) if serverhello | |
option ssl-hello-chk | |
server router1 192.168.0.21:443 check | |
server router2 192.168.0.22:443 check | |
server router3 192.168.0.23:443 check | |
backend atomic-openshift-router-prod | |
balance source | |
mode tcp | |
# maximum SSL session ID length is 32 bytes. | |
stick-table type binary len 32 size 30k expire 30m | |
acl clienthello req_ssl_hello_type 1 | |
acl serverhello rep_ssl_hello_type 2 | |
# use tcp content accepts to detects ssl client and server hello. | |
tcp-request inspect-delay 5s | |
tcp-request content accept if clienthello | |
# no timeout on response inspect delay by default. | |
tcp-response content accept if serverhello | |
stick on payload_lv(43,1) if clienthello | |
# Learn on response if server hello. | |
stick store-response payload_lv(43,1) if serverhello | |
option ssl-hello-chk | |
server router1 192.168.0.21:443 check | |
server router2 192.168.0.22:443 check | |
backend atomic-openshift-router-dev | |
balance source | |
mode tcp | |
# maximum SSL session ID length is 32 bytes. | |
stick-table type binary len 32 size 30k expire 30m | |
acl clienthello req_ssl_hello_type 1 | |
acl serverhello rep_ssl_hello_type 2 | |
# use tcp content accepts to detects ssl client and server hello. | |
tcp-request inspect-delay 5s | |
tcp-request content accept if clienthello | |
# no timeout on response inspect delay by default. | |
tcp-response content accept if serverhello | |
stick on payload_lv(43,1) if clienthello | |
# Learn on response if server hello. | |
stick store-response payload_lv(43,1) if serverhello | |
option ssl-hello-chk | |
server router3 192.168.0.23:443 check | |
backend atomic-openshift-api | |
balance source | |
mode tcp | |
# maximum SSL session ID length is 32 bytes. | |
stick-table type binary len 32 size 30k expire 30m | |
acl clienthello req_ssl_hello_type 1 | |
acl serverhello rep_ssl_hello_type 2 | |
# use tcp content accepts to detects ssl client and server hello. | |
tcp-request inspect-delay 5s | |
tcp-request content accept if clienthello | |
# no timeout on response inspect delay by default. | |
tcp-response content accept if serverhello | |
stick on payload_lv(43,1) if clienthello | |
# Learn on response if server hello. | |
stick store-response payload_lv(43,1) if serverhello | |
option ssl-hello-chk | |
server master0 192.168.0.11:443 check | |
server master1 192.168.0.12:443 check | |
server master2 192.168.0.13:443 check |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment