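global
    daemon
    pidfile /var/run/haproxy.pid
    log /dev/log local1
    log-send-hostname
    maxconn 200000
    # Runtime API sockets. The user-level socket was 0666 (any local user could
    # query it); 0660 limits it to the socket's owner and group, so anything that
    # polls it (monitoring agents etc.) must run in that group.
    stats socket /var/run/haproxy.stat.sock mode 0660 level user
    stats socket /var/run/haproxy.adm.sock mode 0600 level admin
    user nobody
    group nogroup
    tune.maxrewrite 1024
    tune.ssl.default-dh-param 2048
    # see https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.7.3&openssl=1.0.1e&hsts=yes&profile=intermediate
    # "intermediate" profile: only SSLv3 is disabled below, so TLS 1.0/1.1 and
    # the 3DES suites at the end of the list remain available to old clients.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

defaults
    log global
    mode http
    # httplog records the full request line (query string included); the
    # frontends below silence entries for requests carrying ?auth= so the
    # credential never reaches syslog.
    option httplog
    option dontlognull
    #option dontlog-normal
    option log-separate-errors
    #option logasap
    option log-health-checks
    timeout connect 500
    timeout server 5m
    # Set the inactivity timeout on the client side for half-closed connections:
    timeout client-fin 5m
    timeout client 5m
    timeout check 3000
    timeout http-keep-alive 1s
    # Caps how long a client may take to send complete request headers.
    timeout http-request 3s
    retries 3
    option redispatch 1
    option abortonclose
    # Default health check; the backend below overrides it with its own path.
    option httpchk GET /api/ HTTP/1.0\r\nUser-agent:\ HAProxy/HealthCheck\r\nHost:\ healthcheck.example.com
    default-server maxconn 50000 on-marked-down shutdown-sessions

listen stats
    bind 0.0.0.0:9090
    balance
    mode http
    no log
    stats enable
    stats uri /
    stats refresh 5s
    # The stats page exposes backend server names and internal addresses and
    # was reachable from any source (read-only, no stats auth). Limit it to the
    # same source whitelist the frontends use.
    http-request deny unless { src -f /etc/haproxy/whitelist.lst }

# External-facing haproxy:
# Create 2 frontends:
# 1. https
frontend front-streamer-msdk-443
    bind 0.0.0.0:443 ssl crt /etc/haproxy/conf.d/ssl/stream-prod.example.com.pem
    # set-header replaces any X-Forwarded-Proto the client sent; the previous
    # reqadd only appended, so a client-supplied value reached the backend first.
    http-request set-header X-Forwarded-Proto https
    # HSTS (15768000 seconds = 6 months)
    http-response set-header Strict-Transport-Security max-age=15768000
    maxconn 200000
    # Per-source connection rate limit; whitelisted sources skip it.
    stick-table type ip size 200k expire 30s store conn_rate(10s)
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
    tcp-request connection reject if { src_conn_rate ge 100 }
    tcp-request connection track-sc1 src
    # NOTE(review): track-sc1 runs after the reject, so rejected connections are
    # presumably not counted and the limit only sees accepted ones; tracking
    # before rejecting would keep the counter up during a flood — confirm.
    # convert auth query param to Authorization header if header does not exist
    # (http-request rules are evaluated before the reqrep rewrites below, so
    # urlp(auth) still sees the parameter). Silencing the log entry keeps the
    # token out of syslog at the cost of no access log at all for such requests.
    acl safe_has_auth_header hdr(Authorization) -m found
    acl safe_has_auth_param url_reg [?&]auth=
    http-request set-header Authorization %[urlp(auth)] if safe_has_auth_param !safe_has_auth_header
    http-request set-log-level silent if safe_has_auth_param
    # remove auth query param and clean up trailing question marks and ampersands from the query string
    reqrep ^([^\ :]*)\ \/(.*[?&])auth=[^&]*[&\ ]?(.*)\ (.*) \1\ /\2\3\ \4 if safe_has_auth_param
    reqrep ^([^\ :]*)\ \/(.*)[?&]\ (.*) \1\ /\2\ \3 if safe_has_auth_param
    default_backend streamer-msdk-5051-out

# 2. http endpoint for tcpkali load testing.
frontend front-stream-unsafe-80
    bind 0.0.0.0:80
    # Plaintext listener that still accepts ?auth= credentials and feeds the
    # production backend. If it only exists for load tests, close it to every
    # source but the whitelist by adding, right after the accept line below:
    #   tcp-request connection reject unless { src -f /etc/haproxy/whitelist.lst }
    # Tell the backend the real scheme; nothing set this header before, so a
    # client-sent X-Forwarded-Proto was passed through as-is.
    http-request set-header X-Forwarded-Proto http
    maxconn 200000
    stick-table type ip size 200k expire 30s store conn_rate(10s)
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
    tcp-request connection reject if { src_conn_rate ge 100 }
    tcp-request connection track-sc1 src
    # convert auth query param to Authorization header if header does not exist
    acl unsafe_has_auth_header hdr(Authorization) -m found
    acl unsafe_has_auth_param url_reg [?&]auth=
    http-request set-header Authorization %[urlp(auth)] if unsafe_has_auth_param !unsafe_has_auth_header
    http-request set-log-level silent if unsafe_has_auth_param
    # remove auth query param and clean up trailing question marks and ampersands from the query string
    reqrep ^([^\ :]*)\ \/(.*[?&])auth=[^&]*[&\ ]?(.*)\ (.*) \1\ /\2\3\ \4 if unsafe_has_auth_param
    reqrep ^([^\ :]*)\ \/(.*)[?&]\ (.*) \1\ /\2\ \3 if unsafe_has_auth_param
    default_backend streamer-msdk-5051-out

backend streamer-msdk-5051-out
    mode http
    balance leastconn
    # Overrides the defaults' check; note it sends no Host header.
    option httpchk GET /private HTTP/1.0\r\nUser-agent:\ HAProxy/HealthCheck
    server streamer-msdk-eee8bd-10.10.1.102 10.10.1.102:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.1.96 10.10.1.96:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.1.240 10.10.1.240:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.1.73 10.10.1.73:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.1.216 10.10.1.216:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.1.238 10.10.1.238:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.3.216 10.10.3.216:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.3.178 10.10.3.178:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.3.74 10.10.3.74:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.3.88 10.10.3.88:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.3.251 10.10.3.251:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.3.148 10.10.3.148:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.5.244 10.10.5.244:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.5.167 10.10.5.167:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.5.232 10.10.5.232:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.5.11 10.10.5.11:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.5.198 10.10.5.198:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.5.52 10.10.5.52:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.4.248 10.10.4.248:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.4.224 10.10.4.224:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.4.216 10.10.4.216:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.4.5 10.10.4.5:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.4.196 10.10.4.196:5051 check inter 500
    server streamer-msdk-eee8bd-10.10.4.114 10.10.4.114:5051 check inter 500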