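global
    user haproxy
    group haproxy
    log stdout local0
    # Runtime API socket. 'level admin' allows servers to be disabled, weights
    # changed, etc., so every member of the haproxy group effectively controls
    # the proxy; keep that group small.
    stats socket /run/haproxy.sock user haproxy group haproxy mode 660 level admin
    tune.ssl.default-dh-param 2048
    # TLS defaults for any 'bind ... ssl' / 'server ... ssl' line. None of the
    # binds or servers in this file currently carry the 'ssl' keyword, so these
    # only take effect once one does.
    # Review change: the 3DES suites (*-DES-CBC3-SHA) were removed from both
    # lists and the minimum protocol is pinned to TLSv1.2. Previously only
    # SSLv3 was disabled, so TLS 1.0/1.1 remained negotiable.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
    maxconn 5000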
defaults
    # Do not resolve server names at startup; a server starts without an
    # address and gets one later from its 'resolvers' section, so a name that
    # is not yet resolvable does not prevent the config from loading.
    default-server init-addr none
    mode http
    log global
    # Skip log lines for connections that closed without sending anything.
    option dontlognull
    # Only errors and non-successful responses are logged. This keeps the log
    # small, but successful requests leave no trace here — if this log is used
    # as an audit/detection source, consider removing this line.
    option dontlog-normal
    timeout connect 5s
    timeout client 30s
    timeout client-fin 30s
    timeout server 30s
    # Long-lived tunnels (WebSocket/CONNECT) get a separate inactivity timeout.
    timeout tunnel 10m
    retries 3
    balance roundrobin
# Normal resolvers
# Host-level resolver: reads the nameservers from /etc/resolv.conf. Used by
# backends that say 'resolvers dns' (backend skylake below).
resolvers dns
    parse-resolv-conf
# kubernetes cluster
# In-cluster resolver (CoreDNS service IP). The *.svc.cluster.* server names
# in the backends below are resolved through this section. The 'hold' values
# say how long the last answer of each kind is kept before the server's
# address is considered invalid.
resolvers k8s
    nameserver coredns1 10.96.0.10:53
    timeout retry 2s
    hold other 5s
    hold refused 5s
    hold nx 5s
    hold timeout 5s
    hold valid 10s
    hold obsolete 5s
# echo -n "123" | mkpasswd --stdin --method=sha-256
# The command above shows how to produce a crypt(3) SHA-256 hash for the
# 'password' field; "123" is only an example input, not a value to use.
# The hash is stored in this file, so keep the file readable only by root and
# the haproxy user — a weak password is crackable offline from the hash.
userlist admin
    user admin password $5$ESZUdND/SlvzxkMJ$/sqrNVNzs.L1LCAi/2Wis6/A9o8xFgq8mOoBTVDUei9
frontend stats
    option httplog
    option logasap
    # Plain-HTTP bind (no 'ssl' keyword): the Basic-Auth credentials requested
    # below cross the wire in clear text, so the source ACL is the main
    # protection for this endpoint.
    bind k8s-test.chatswood.skarpetis.com:8404
    acl network_allowed src 10.0.1.0/24 127.0.0.1/32
    # Rejected at connection level, before any HTTP parsing, for other sources.
    tcp-request connection reject if !network_allowed
    acl ValidAdminUser http_auth(admin)
    http-request auth realm admin if !ValidAdminUser
    # Enable Prometheus Exporter
    # http-request rules are evaluated in order, so the auth rule above also
    # protects /metrics.
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats refresh 30s
######################################## mariadb ##########################################################
# TCP passthrough for MariaDB on the external hostname and on localhost.
# Unlike the stats frontend there is no source ACL here; if port 3306 should
# not be reachable from every peer that can reach this host, add something
# like the stats frontend's check, e.g.
#   tcp-request connection reject if !{ src 10.0.1.0/24 127.0.0.1/32 }
# or restrict it at the host firewall.
frontend mariadb
    bind k8s-test.chatswood.skarpetis.com:3306
    bind localhost:3306
    mode tcp
    default_backend mariadb
    log global
    option tcplog
backend mariadb
    balance leastconn
    mode tcp
    # Plain TCP connect check with no tcp-check rules: it proves the port
    # accepts connections, not that the database is healthy.
    option tcp-check
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    server mariadb-0 mariadb-0.mariadb.database.svc.cluster.chatswood.skarpetis.com:3306 check
######################################### cockroachdb ##########################################################
# TCP passthrough for the CockroachDB SQL port. As with the mariadb frontend
# there is no source ACL; the port is open to anyone who can reach the host.
frontend cockroachdb
    bind k8s-test.chatswood.skarpetis.com:26257
    mode tcp
    default_backend cockroachdb-sql
    log global
    option tcplog
    # Overrides the 30s default from 'defaults', presumably for long SQL sessions.
    timeout client 5m
backend cockroachdb-sql
    mode tcp
    # Health comes from the node's HTTP endpoint (see 'check port 8080' below),
    # not from the SQL port; '?ready=1' is CockroachDB's readiness form.
    option httpchk GET /health?ready=1
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    # The probe is sent in clear text (no 'check-ssl'); confirm the node's HTTP
    # port is served without TLS, otherwise the check fails and the server
    # stays DOWN.
    server cockroachdb-0 cockroachdb-0.cockroachdb.db.svc.cluster.chatswood.skarpetis.com:26257 check port 8080
    balance leastconn
######################################## https proxying ##########################################################
frontend http
    bind k8s-test.chatswood.skarpetis.com:80
    mode http
    log global
    option httplog
    # NOTE(review): as far as I know 'option forwardfor' keeps a single 'except'
    # network, so the second one (127.0.0.1) overrides 10.244.0.0/16 — verify
    # which exemption is intended. Also, HAProxy adds its own X-Forwarded-For
    # alongside any the client already sent; backends that trust the first
    # value should have 'http-request del-header X-Forwarded-For' placed
    # before this in the frontend.
    option forwardfor except 10.244.0.0/16 except 127.0.0.1
    # strip port from request
    http-request set-header host %[hdr(host),field(1,:)]
    acl is_skylake hdr(host) -i skylake.chatswood.skarpetis.com
    # Everything except skylake is bounced to HTTPS; skylake is served over
    # plain HTTP from here.
    default_backend redirect_https
    use_backend skylake if is_skylake
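######################################## https proxying ##########################################################
# NOTE(review): this bind carries no 'ssl crt ...' keyword, so as written
# HAProxy speaks plain HTTP on port 443 and the X-Forwarded-Proto below is
# stamped on traffic that was not encrypted here. Confirm where TLS is
# actually terminated.
frontend https
    bind k8s-test.chatswood.skarpetis.com:443
    mode http
    log global
    option httplog
    # Same caveat as in frontend http: only one 'except' network is kept, and
    # a client-supplied X-Forwarded-For is not removed.
    option forwardfor except 10.244.0.0/16 except 127.0.0.1
    option contstats
    # strip port from request
    http-request set-header host %[hdr(host),field(1,:)]
    # require user authentication
    # Review fix: '||' belongs to 'if' conditions, not to an 'acl' declaration;
    # several values for one ACL are simply listed space-separated. The old
    # line appears to have worked only because the stray tokens were treated
    # as extra, never-matching patterns.
    acl admin_authrequired hdr(host) -i prometheus-skylake.chatswood.skarpetis.com alertmanager-skylake.chatswood.skarpetis.com
    acl ValidAdminUser http_auth(admin)
    http-request auth realm admin if admin_authrequired !ValidAdminUser
    acl is_skylake hdr(host) -i skylake.chatswood.skarpetis.com
    acl is_containers hdr(host) -i containers-skylake.chatswood.skarpetis.com
    acl is_prometheus hdr(host) -i prometheus-skylake.chatswood.skarpetis.com
    acl is_alertmanager hdr(host) -i alertmanager-skylake.chatswood.skarpetis.com
    acl is_grafana hdr(host) -i grafana-skylake.chatswood.skarpetis.com
    acl is_gitlab hdr(host) -i gitlab.chatswood.skarpetis.com
    acl is_cockroachdb hdr(host) -i cockroachdb.chatswood.skarpetis.com
    # Review fix: 'set-header' replaces any X-Forwarded-Proto the client sent;
    # 'add-header' kept it, so a client value could reach the backends ahead of ours.
    http-request set-header X-Forwarded-Proto https
    default_backend b_503
    use_backend skylake if is_skylake
    use_backend containers if is_containers
    use_backend prometheus if is_prometheus
    use_backend alertmanager if is_alertmanager
    use_backend grafana if is_grafana
    use_backend gitlab if is_gitlab
    use_backend cockroachdb-https if is_cockroachdb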
# Default target of frontend http: permanent redirect to the same URL over https.
backend redirect_https
    http-request redirect code 301 scheme https
# Catch-all for unknown Host values on frontend https: no servers, so every
# request gets this 503 page instead of being routed anywhere.
backend b_503
    errorfile 503 /etc/haproxy/errorfiles/503.http
backend skylake
    # 'disabled': this backend is inactive until the line is removed.
    disabled
    mode http
    # Resolved through the host resolver ('dns'), unlike the in-cluster backends.
    default-server inter 30s downinter 5s fastinter 2s resolvers dns
    server skylake localhost:80 check
    balance roundrobin
    # Layer-7 retries on retryable failures; POST is excluded so a
    # non-idempotent request is never replayed against another server.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST
backend containers
    mode http
    # Default HTTP check (OPTIONS / unless overridden).
    option httpchk
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    # Registry pod, reached over plain HTTP inside the cluster.
    server registry-0 registry-0.registry.registry.svc.cluster.chatswood.skarpetis.com:5000 check
    balance roundrobin
    # Layer-7 retries; POST excluded so uploads are never replayed.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST
backend prometheus
    # Inactive until 'disabled' is removed. Access is gated by the Basic-Auth
    # rule in frontend https (admin_authrequired).
    disabled
    mode http
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    server prometheus-k8s prometheus-k8s.monitoring.svc.cluster.chatswood.skarpetis.com:9090 check
    balance roundrobin
    # Layer-7 retries; POST excluded so non-idempotent requests are not replayed.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST
backend alertmanager
    # Inactive until 'disabled' is removed. Access is gated by the Basic-Auth
    # rule in frontend https (admin_authrequired).
    disabled
    mode http
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    server alertmanager-main alertmanager-main.monitoring.svc.cluster.chatswood.skarpetis.com:9093 check
    balance roundrobin
    # Layer-7 retries; POST excluded so non-idempotent requests are not replayed.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST
backend grafana
    # Inactive until 'disabled' is removed. Note that, unlike prometheus and
    # alertmanager, this host is not in admin_authrequired — Grafana's own
    # login is the only authentication in front of it.
    disabled
    mode http
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    server grafana grafana.monitoring.svc.cluster.chatswood.skarpetis.com:3000 check
    balance roundrobin
    # Layer-7 retries; POST excluded so non-idempotent requests are not replayed.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST
backend gitlab
    # Inactive until 'disabled' is removed.
    disabled
    mode http
    # Custom probe that carries a Host header, presumably because the target
    # is name-based and answers differently without one.
    http-check connect
    http-check send meth GET uri /v1/check ver HTTP/1.1 hdr host gitlab.chatswood.skarpetis.com
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    # NOTE(review): port 443 but no 'ssl' on the server line, so HAProxy
    # speaks clear-text HTTP to it (and the probe above connects in clear as
    # well). If the pod expects TLS, add 'ssl verify required ca-file <PATH>'
    # here and 'http-check connect ssl' above — confirm with the deployment.
    server gitlab-0 gitlab-0.gitlab.devel.svc.cluster.chatswood.skarpetis.com:443 check
    balance roundrobin
    # Layer-7 retries; POST excluded so pushes/uploads are never replayed.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST
backend cockroachdb-https
    mode http
    default-server inter 30s downinter 5s fastinter 2s resolvers k8s
    # CockroachDB admin UI on the node's HTTP port. This host is not in
    # admin_authrequired, so only the UI's own login stands in front of it.
    server cockroachdb-0 cockroachdb-0.cockroachdb.db.svc.cluster.chatswood.skarpetis.com:8080 check
    balance roundrobin
    # Enable Layer 7 retries
    # POST is excluded so non-idempotent requests are not replayed.
    retry-on all-retryable-errors
    retries 3
    http-request disable-l7-retry if METH_POST