releu/haproxy Secret

## haproxy
global
    maxconn         4096
    user            haproxy
    group           haproxy
    daemon

defaults
    option          dontlognull
    retries         3
    option          redispatch
    maxconn         2000
    contimeout      50000
    clitimeout      50000
    srvtimeout      50000


frontend all_80 0.0.0.0:80
    mode            http
    default_backend www_backend
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    use_backend socket_backend if is_websocket


frontend all_443 0.0.0.0:443
    mode            tcp
    default_backend www_backend_ssl
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    use_backend socket_backend_ssl if is_websocket

frontend all_8080 0.0.0.0:8080
    mode            http
    default_backend socket_backend

frontend all_8443 0.0.0.0:8443
    mode            tcp
    default_backend socket_backend_ssl

backend www_backend
    mode            http
    stats           enable
    stats           auth xxx:xxx
    balance         roundrobin
    option          httpchk HEAD / HTTP/1.0
    option          forwardfor
    cookie          LSW_WEB insert
    option          httpclose
    timeout         server 30000
    timeout         connect 4000

    server          web1 xxx:80 cookie "LSW_WEB1" check

    server          web2 xxx:80 cookie "LSW_WEB2" check


backend socket_backend
    mode            http
    stats           enable
    stats           auth cloud66:LVSnjobcaR
    balance         roundrobin
    option          forwardfor # This sets X-Forwarded-For
    timeout         queue 5000
    timeout client  86400000
    timeout         server 86400000
    timeout         connect 86400000

    server          web1 xxx:8080

    server          web2 xxx:8080


backend www_backend_ssl
    mode            tcp
    balance         roundrobin

    server          web1 xxx:443

    server          web2 xxx:443


backend socket_backend_ssl
    mode            tcp
    balance         roundrobin
    timeout         queue 5000
    timeout client  86400000
    timeout         server 86400000
    timeout         connect 86400000

    server          web1 xxx:8443

    server          web2 xxx:8443

## nginx
user                            nginx;
worker_processes                2;
error_log                       /var/deploy/xxx/web_head/shared/log/nginx_error.log;

events
{
    worker_connections          1024;

    accept_mutex                off;

}

http
{
  gzip                        on;
  gzip_min_length             100;
  gzip_proxied                expired no-cache no-store private auth;
  gzip_types                  text/plain application/xml text/css application/x-javascript text/javascript;
  gzip_disable                "MSIE [1-6]\.";

  add_header                  X-Powered-By      cloud66;


  set_real_ip_from xxx;
  real_ip_header X-Forwarded-For;


  tcp_nopush                  on;
  tcp_nodelay                 off;

  ssl_session_cache           shared:SSL:10m;
  ssl_session_timeout         10m;


  underscores_in_headers      on;

  types_hash_max_size         2048;

  include                     mime.types;
  default_type                application/octet-stream;

  client_max_body_size        50m;

  sendfile                    on;
  server_tokens               off;
  keepalive_timeout           65;


  upstream socket_server
  {
    server unix:/tmp/web_server.sock fail_timeout=0;

  }


    server
    {
        listen                  80 default_server;


        server_name             _;


        keepalive_timeout       5;

        root                    /var/deploy/xxx/web_head/current/public;

        # ban known tor ip address ranges
        include /etc/cloud66/nginx_tor*.conf;

        client_max_body_size    50m;
        # redirect to 503 if maintenance page present
        if (-f $document_root/cloud66_maintenance.html)
        {
            return 503;
        }

        # redirect on errors
        error_page              500 502 504  /50x.html;
        error_page              503 @maintenance;

        # handle error redirect
        location = /50x.html
        {
            root html;
        }

        location @maintenance
        {
            error_page 405 = /cloud66_maintenance.html;
            if (-f $document_root/cloud66_maintenance.html)
            {
                rewrite ^(.*)$ /cloud66_maintenance.html break;
            }
            rewrite ^(.*)$ /503.html break;
        }


        location /
        {
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_redirect          off;

            if (!-f $request_filename)
            {
                proxy_pass  http://socket_server;
                break;
            }
        }

        location ~ \.php$
        {
            deny  all;
        }
    }


    server
    {
        listen                  443;
        ssl                     on;
        ssl_certificate_key     /etc/ssl/localcerts/xxx.key;
        ssl_certificate         /etc/ssl/localcerts/xxx.crt;


        server_name             gistroll.com;


        client_max_body_size    50m;

        root                    /var/deploy/xxx/web_head/current/public;

        # ban known tor ip address ranges
        include /etc/cloud66/nginx_tor*.conf;

        # redirect to 503 if maintenance page present
        if (-f $document_root/cloud66_maintenance.html)
        {
            return 503;
        }

        # redirect on errors
        error_page              500 502 504  /50x.html;
        error_page              503 @maintenance;

        # handle error redirect
        location = /50x.html
        {
            root html;
        }

        location @maintenance
        {
            error_page 405 = /cloud66_maintenance.html;
            if (-f $document_root/cloud66_maintenance.html)
            {
                rewrite ^(.*)$ /cloud66_maintenance.html break;
            }
            rewrite ^(.*)$ /503.html break;
        }


        location /
        {
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;

            if (!-f $request_filename)
            {
                proxy_pass  http://socket_server;
                break;
            }
        }

        location ~ \.php$
        {
            deny  all;
        }
    }

}

## unicorn
worker_processes 4

working_directory "#{ENV['STACK_PATH']}"

listen "/tmp/web_server.sock", :backlog => 1024

timeout 30

pid '/tmp/web_server.pid'

stderr_path "#{ENV['STACK_PATH']}/log/unicorn.stderr.log"
stdout_path "#{ENV['STACK_PATH']}/log/unicorn.stdout.log"

preload_app true
GC.respond_to?(:copy_on_write_friendly=) and GC.copy_on_write_friendly = true

check_client_connection false

before_fork do |server, worker|
  old_pid = '/tmp/web_server.pid.oldbin'
  if File.exists?(old_pid) && server.pid != old_pid
    begin
      Process.kill("QUIT", File.read(old_pid).to_i)
    rescue Errno::ENOENT, Errno::ESRCH
      # someone else did our job for us
    end
  end

  defined?(ActiveRecord::Base) and ActiveRecord::Base.connection.disconnect!
end

after_fork do |server, worker|
  defined?(ActiveRecord::Base) and ActiveRecord::Base.establish_connection
end
	global
	maxconn 4096
	user haproxy
	group haproxy
	daemon

	defaults
	option dontlognull
	retries 3
	option redispatch
	maxconn 2000
	contimeout 50000
	clitimeout 50000
	srvtimeout 50000


	frontend all_80 0.0.0.0:80
	mode http
	default_backend www_backend
	acl is_websocket hdr(Upgrade) -i WebSocket
	acl is_websocket hdr_beg(Host) -i ws
	use_backend socket_backend if is_websocket





	frontend all_443 0.0.0.0:443
	mode tcp
	default_backend www_backend_ssl
	acl is_websocket hdr(Upgrade) -i WebSocket
	acl is_websocket hdr_beg(Host) -i ws
	use_backend socket_backend_ssl if is_websocket

	frontend all_8080 0.0.0.0:8080
	mode http
	default_backend socket_backend

	frontend all_8443 0.0.0.0:8443
	mode tcp
	default_backend socket_backend_ssl

	backend www_backend
	mode http
	stats enable
	stats auth xxx:xxx
	balance roundrobin
	option httpchk HEAD / HTTP/1.0
	option forwardfor
	cookie LSW_WEB insert
	option httpclose
	timeout server 30000
	timeout connect 4000

	server web1 xxx:80 cookie "LSW_WEB1" check

	server web2 xxx:80 cookie "LSW_WEB2" check


	backend socket_backend
	mode http
	stats enable
	stats auth cloud66:LVSnjobcaR
	balance roundrobin
	option forwardfor # This sets X-Forwarded-For
	timeout queue 5000
	timeout client 86400000
	timeout server 86400000
	timeout connect 86400000

	server web1 xxx:8080

	server web2 xxx:8080


	backend www_backend_ssl
	mode tcp
	balance roundrobin

	server web1 xxx:443

	server web2 xxx:443


	backend socket_backend_ssl
	mode tcp
	balance roundrobin
	timeout queue 5000
	timeout client 86400000
	timeout server 86400000
	timeout connect 86400000

	server web1 xxx:8443

	server web2 xxx:8443
	user nginx;
	worker_processes 2;
	error_log /var/deploy/xxx/web_head/shared/log/nginx_error.log;

	events
	{
	worker_connections 1024;

	accept_mutex off;

	}

	http
	{
	gzip on;
	gzip_min_length 100;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types text/plain application/xml text/css application/x-javascript text/javascript;
	gzip_disable "MSIE [1-6]\.";

	add_header X-Powered-By cloud66;


	set_real_ip_from xxx;
	real_ip_header X-Forwarded-For;



	tcp_nopush on;
	tcp_nodelay off;

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;



	underscores_in_headers on;

	types_hash_max_size 2048;

	include mime.types;
	default_type application/octet-stream;

	client_max_body_size 50m;

	sendfile on;
	server_tokens off;
	keepalive_timeout 65;


	upstream socket_server
	{
	server unix:/tmp/web_server.sock fail_timeout=0;

	}


	server
	{
	listen 80 default_server;






	server_name _;




	keepalive_timeout 5;

	root /var/deploy/xxx/web_head/current/public;

	# ban known tor ip address ranges
	include /etc/cloud66/nginx_tor*.conf;

	client_max_body_size 50m;
	# redirect to 503 if maintenance page present
	if (-f $document_root/cloud66_maintenance.html)
	{
	return 503;
	}

	# redirect on errors
	error_page 500 502 504 /50x.html;
	error_page 503 @maintenance;

	# handle error redirect
	location = /50x.html
	{
	root html;
	}

	location @maintenance
	{
	error_page 405 = /cloud66_maintenance.html;
	if (-f $document_root/cloud66_maintenance.html)
	{
	rewrite ^(.*)$ /cloud66_maintenance.html break;
	}
	rewrite ^(.*)$ /503.html break;
	}



	location /
	{
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_redirect off;

	if (!-f $request_filename)
	{
	proxy_pass http://socket_server;
	break;
	}
	}

	location ~ \.php$
	{
	deny all;
	}
	}


	server
	{
	listen 443;
	ssl on;
	ssl_certificate_key /etc/ssl/localcerts/xxx.key;
	ssl_certificate /etc/ssl/localcerts/xxx.crt;




	server_name gistroll.com;




	client_max_body_size 50m;

	root /var/deploy/xxx/web_head/current/public;

	# ban known tor ip address ranges
	include /etc/cloud66/nginx_tor*.conf;

	# redirect to 503 if maintenance page present
	if (-f $document_root/cloud66_maintenance.html)
	{
	return 503;
	}

	# redirect on errors
	error_page 500 502 504 /50x.html;
	error_page 503 @maintenance;

	# handle error redirect
	location = /50x.html
	{
	root html;
	}

	location @maintenance
	{
	error_page 405 = /cloud66_maintenance.html;
	if (-f $document_root/cloud66_maintenance.html)
	{
	rewrite ^(.*)$ /cloud66_maintenance.html break;
	}
	rewrite ^(.*)$ /503.html break;
	}



	location /
	{
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;

	if (!-f $request_filename)
	{
	proxy_pass http://socket_server;
	break;
	}
	}

	location ~ \.php$
	{
	deny all;
	}
	}

	}
	worker_processes 4

	working_directory "#{ENV['STACK_PATH']}"

	listen "/tmp/web_server.sock", :backlog => 1024

	timeout 30

	pid '/tmp/web_server.pid'

	stderr_path "#{ENV['STACK_PATH']}/log/unicorn.stderr.log"
	stdout_path "#{ENV['STACK_PATH']}/log/unicorn.stdout.log"

	preload_app true
	GC.respond_to?(:copy_on_write_friendly=) and GC.copy_on_write_friendly = true

	check_client_connection false

	before_fork do \|server, worker\|
	old_pid = '/tmp/web_server.pid.oldbin'
	if File.exists?(old_pid) && server.pid != old_pid
	begin
	Process.kill("QUIT", File.read(old_pid).to_i)
	rescue Errno::ENOENT, Errno::ESRCH
	# someone else did our job for us
	end
	end

	defined?(ActiveRecord::Base) and ActiveRecord::Base.connection.disconnect!
	end

	after_fork do \|server, worker\|
	defined?(ActiveRecord::Base) and ActiveRecord::Base.establish_connection
	end