@pkaeding
Created September 13, 2017 20:09
global
# Process settings: background daemon, pidfile for the service manager, unprivileged worker identity.
daemon
pidfile /var/run/haproxy.pid
user nobody
group nogroup
# Process-wide ceiling on concurrent connections; the frontends below reuse the same figure.
maxconn 200000
# Logging: local syslog socket, facility local1, each line tagged with the hostname.
log /dev/log local1
log-send-hostname
# Runtime API sockets. The "user" socket is world-accessible (0666): level user is the least
# privileged level, but it still exposes topology and traffic statistics to every local account.
# NOTE(review): 0660 with a dedicated group is the tighter choice once the consumer is known.
# The admin socket is owner-only (0600), which is appropriate for level admin.
stats socket /var/run/haproxy.stat.sock mode 0666 level user
stats socket /var/run/haproxy.adm.sock mode 0600 level admin
# Buffer headroom kept free for header rewrites (the reqadd/reqrep rules in the frontends).
tune.maxrewrite 1024
# DH group size used by the DHE-* suites in the lists below.
tune.ssl.default-dh-param 2048
# TLS defaults, Mozilla "intermediate" profile for haproxy 1.7.3 / OpenSSL 1.0.1e:
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.7.3&openssl=1.0.1e&hsts=yes&profile=intermediate
# The same suite list and options apply to inbound (bind) and outbound (server) TLS.
# Note the list still ends with 3DES (DES-CBC3-SHA) suites, and only SSLv3 is disabled here —
# TLS 1.0 remains negotiable unless the OpenSSL build rules it out. no-tls-tickets disables
# session tickets on both sides.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
# Inherit the global log target; HTTP mode with the extended HTTP log format.
log global
mode http
option httplog
# Do not log connections that carried no data (typical of TCP-level probes from monitors).
option dontlognull
# Errors are logged at a raised syslog level so they can be routed separately from normal traffic.
option log-separate-errors
# Log health-check state changes.
option log-health-checks
#option dontlog-normal
#option logasap
# Timeouts, with explicit units (a bare number would mean milliseconds).
timeout connect 500ms
timeout check 3s
timeout http-request 3s
timeout http-keep-alive 1s
timeout client 5m
# Inactivity timeout on the client side once the connection is half-closed.
timeout client-fin 5m
timeout server 5m
# Up to 3 connection retries; "redispatch 1" allows a different server on every retry.
retries 3
option redispatch 1
# Abort a queued request when the client gives up before it was forwarded.
option abortonclose
# Default health probe (the backend section overrides it with its own path and headers).
option httpchk GET /api/ HTTP/1.0\r\nUser-agent:\ HAProxy/HealthCheck\r\nHost:\ healthcheck.example.com
# Per-server defaults: connection cap, and drop established sessions when a server is marked down.
default-server maxconn 50000 on-marked-down shutdown-sessions
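listen stats
# Statistics page. As written it is reachable on every interface (0.0.0.0), has no
# authentication (`stats auth`) and no source restriction, and `no log` means nothing records
# who consulted it. Bind it to a management address or add `stats auth` / a src ACL before
# exposing this host to untrusted networks.
bind 0.0.0.0:9090
balance
mode http
no log
stats enable
stats uri /
stats refresh 5s
# Do not advertise the HAProxy version on the page to anonymous viewers.
stats hide-version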
# External-facing haproxy:
# Create 2 frontends:
# 1. https
frontend front-streamer-msdk-443
# TLS terminates here with the cert+key bundle below; cipher suites and protocol options come
# from the ssl-default-bind-* settings in the global section.
bind 0.0.0.0:443 ssl crt /etc/haproxy/conf.d/ssl/stream-prod.example.com.pem
# Tell the backend the original scheme. NOTE(review): X-Forwarded-* headers supplied by the
# client are passed through untouched, so the backend should not treat them as trusted.
reqadd X-Forwarded-Proto:\ https
# HSTS (15768000 seconds = 6 months); no includeSubDomains or preload directives.
http-response set-header Strict-Transport-Security max-age=15768000
maxconn 200000
# Per-source table holding the new-connection rate over a 10s window, used by the reject rule.
stick-table type ip size 200k expire 30s store conn_rate(10s)
# Sources listed in the whitelist file bypass the rate limit: "accept" ends evaluation of the
# tcp-request connection rules for that connection.
tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
# Everyone else: 100 or more new connections per 10s from one address is rejected.
tcp-request connection reject if { src_conn_rate ge 100 }
# Count the connection in the table only after it passed the check, so rejected connections
# are not tracked.
tcp-request connection track-sc1 src
# Convert an ?auth=<token> query parameter into an Authorization header when the request does
# not already carry one. http-request rules run before the reqrep rules below, so the value is
# captured before the parameter is stripped from the request line.
acl safe_has_auth_header hdr(Authorization) -m found
acl safe_has_auth_param url_reg [?&]auth=
http-request set-header Authorization %[urlp(auth)] if safe_has_auth_param !safe_has_auth_header
# Requests that carried the token in the URL are not logged at all, so the token never reaches
# syslog. NOTE(review): this also removes those requests from the audit trail; scrubbing the
# logged URL instead would keep a record without the secret.
http-request set-log-level silent if safe_has_auth_param
# Remove the auth query parameter and clean up trailing question marks and ampersands from the
# query string (request line only; headers are untouched). reqrep is deprecated in later
# HAProxy releases in favour of http-request replace-* rules.
reqrep ^([^\ :]*)\ \/(.*[?&])auth=[^&]*[&\ ]?(.*)\ (.*) \1\ /\2\3\ \4 if safe_has_auth_param
reqrep ^([^\ :]*)\ \/(.*)[?&]\ (.*) \1\ /\2\ \3 if safe_has_auth_param
default_backend streamer-msdk-5051-out
# 2. http endpoint for tcpkali load testing.
frontend front-stream-unsafe-80
# Plain-HTTP listener: the same rules as the 443 frontend minus TLS, HSTS and X-Forwarded-Proto.
# NOTE(review): an ?auth= token presented here, and the Authorization header built from it,
# crosses the network in cleartext. The comment above scopes this listener to tcpkali load
# testing, so it should not be reachable from untrusted networks.
bind 0.0.0.0:80
maxconn 200000
# Per-source new-connection rate over a 10s window; separate table from the 443 frontend.
stick-table type ip size 200k expire 30s store conn_rate(10s)
# Whitelisted sources bypass the rate limit ("accept" stops rule evaluation).
tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
# 100 or more new connections per 10s from one address is rejected.
tcp-request connection reject if { src_conn_rate ge 100 }
# Track after the check, so rejected connections are not counted.
tcp-request connection track-sc1 src
# Convert an ?auth=<token> query parameter into an Authorization header when the request does
# not already carry one; http-request rules run before the reqrep rules below.
acl unsafe_has_auth_header hdr(Authorization) -m found
acl unsafe_has_auth_param url_reg [?&]auth=
http-request set-header Authorization %[urlp(auth)] if unsafe_has_auth_param !unsafe_has_auth_header
# Suppress logging entirely for requests that carried the token in the URL.
# NOTE(review): keeps the token out of syslog, at the cost of no audit record for those requests.
http-request set-log-level silent if unsafe_has_auth_param
# Remove the auth query parameter and clean up trailing question marks and ampersands from the
# query string (request line only). reqrep is deprecated in later HAProxy releases.
reqrep ^([^\ :]*)\ \/(.*[?&])auth=[^&]*[&\ ]?(.*)\ (.*) \1\ /\2\3\ \4 if unsafe_has_auth_param
reqrep ^([^\ :]*)\ \/(.*)[?&]\ (.*) \1\ /\2\ \3 if unsafe_has_auth_param
default_backend streamer-msdk-5051-out
backend streamer-msdk-5051-out
mode http
# Send each request to the server with the fewest active connections.
balance leastconn
# Overrides the defaults-section probe: path /private, and — unlike the default — no Host header.
option httpchk GET /private HTTP/1.0\r\nUser-agent:\ HAProxy/HealthCheck
# 24 upstreams on port 5051, each probed every 500 ms ("inter" is in milliseconds). Server
# names embed a shared tag ("eee8bd", presumably a build or cluster id) plus the address.
# No "ssl" keyword on the server lines: traffic to the 10.10.x.x hosts is plain HTTP, so the
# ssl-default-server-* settings in global do not apply here.
server streamer-msdk-eee8bd-10.10.1.102 10.10.1.102:5051 check inter 500
server streamer-msdk-eee8bd-10.10.1.96 10.10.1.96:5051 check inter 500
server streamer-msdk-eee8bd-10.10.1.240 10.10.1.240:5051 check inter 500
server streamer-msdk-eee8bd-10.10.1.73 10.10.1.73:5051 check inter 500
server streamer-msdk-eee8bd-10.10.1.216 10.10.1.216:5051 check inter 500
server streamer-msdk-eee8bd-10.10.1.238 10.10.1.238:5051 check inter 500
server streamer-msdk-eee8bd-10.10.3.216 10.10.3.216:5051 check inter 500
server streamer-msdk-eee8bd-10.10.3.178 10.10.3.178:5051 check inter 500
server streamer-msdk-eee8bd-10.10.3.74 10.10.3.74:5051 check inter 500
server streamer-msdk-eee8bd-10.10.3.88 10.10.3.88:5051 check inter 500
server streamer-msdk-eee8bd-10.10.3.251 10.10.3.251:5051 check inter 500
server streamer-msdk-eee8bd-10.10.3.148 10.10.3.148:5051 check inter 500
server streamer-msdk-eee8bd-10.10.5.244 10.10.5.244:5051 check inter 500
server streamer-msdk-eee8bd-10.10.5.167 10.10.5.167:5051 check inter 500
server streamer-msdk-eee8bd-10.10.5.232 10.10.5.232:5051 check inter 500
server streamer-msdk-eee8bd-10.10.5.11 10.10.5.11:5051 check inter 500
server streamer-msdk-eee8bd-10.10.5.198 10.10.5.198:5051 check inter 500
server streamer-msdk-eee8bd-10.10.5.52 10.10.5.52:5051 check inter 500
server streamer-msdk-eee8bd-10.10.4.248 10.10.4.248:5051 check inter 500
server streamer-msdk-eee8bd-10.10.4.224 10.10.4.224:5051 check inter 500
server streamer-msdk-eee8bd-10.10.4.216 10.10.4.216:5051 check inter 500
server streamer-msdk-eee8bd-10.10.4.5 10.10.4.5:5051 check inter 500
server streamer-msdk-eee8bd-10.10.4.196 10.10.4.196:5051 check inter 500
server streamer-msdk-eee8bd-10.10.4.114 10.10.4.114:5051 check inter 500