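global
# Runtime admin socket. "level admin" allows full control of the running
# process, so the socket stays owner-only (mode 600).
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m
# Protocol floor for all "ssl" binds. The original options disabled only
# SSLv3 and left TLS 1.0/1.1 enabled; both are now disabled as well.
# Session tickets stay off (no-tls-tickets).
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
# Cipher list for all "ssl" binds. The explicit DES-CBC3-SHA and CAMELLIA
# entries were removed and "!3DES" added: OpenSSL's "!DES" excludes only
# single DES, so 3DES was previously negotiable. The trailing
# !EDH-*/!KRB5-DES-CBC3-SHA exclusions are kept; they are now redundant.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Process-wide connection ceiling; the "defaults" section repeats the same
# value per proxy.
maxconn 200000
tune.maxaccept -1
# Drop privileges after binding the listening sockets.
user nobody
group nobody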
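defaults
retries 3
maxconn 200000
option redispatch
# NOTE(review): no "log" directive appears in this file, so "option
# dontlognull" only has an effect if logging is configured elsewhere.
option dontlognull
# Add X-Forwarded-For for every client except loopback-originated requests.
option forwardfor except 127.0.0.0/8
# Bound the time a client may take to send the complete request headers.
# Without this, a client trickling header bytes is limited only by the
# inactivity timeout ("timeout client") and can hold a slot much longer.
timeout http-request 10s
timeout client 30s
timeout connect 15s
timeout server 60s
# Reuse idle server connections across clients.
http-reuse always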
backend gtfs
mode http
# Tracked key is base32+src (hash of Host header + URL path, plus the
# client IP). Each entry carries a 24h rate counter (gpc0) and is dropped
# after 24h of inactivity.
stick-table type binary size 100k expire 24h store gpc0_rate(24h)
# Only completed GETs (status 200) count toward the rate; requests that
# were denied in the frontend never reach this response rule.
http-response sc-inc-gpc0(0) if { status 200 } { method GET }
server cherokee 127.0.0.1:8000
backend gtfsrt
mode http
# Same key scheme as the gtfs backend (base32+src), but with a 1m window:
# the gpc0 rate is measured over one minute and entries expire after 1m.
stick-table type binary size 100k expire 1m store gpc0_rate(1m)
# Counter slot 1 is the one the frontend binds to this table
# (track-sc1); only successful GETs are counted.
http-response sc-inc-gpc0(1) if { status 200 } { method GET }
server cherokee 127.0.0.1:8000
frontend stats
# Statistics page, reachable only on the loopback address. No "stats auth"
# is configured, so anyone with local access to port 8404 can read it.
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
frontend http
# Listen on the IPv6 wildcard for plain HTTP and HTTPS (on dual-stack
# hosts this presumably covers IPv4 too — confirm against the kernel's
# v6-only setting). Certificates are loaded from /etc/haproxy/ssl.
bind :::80
bind :::443 ssl crt /etc/haproxy/ssl alpn h2,http/1.1
mode http
# ACME HTTP-01 challenges go to the static backend with the Host header
# rewritten to the loopback address.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
http-request set-header host 127.0.0.1 if letsencrypt-acl
use_backend static if letsencrypt-acl
# The HTTP->HTTPS redirect is commented out: plain-HTTP clients are served
# directly and no HSTS header is emitted anywhere in this file.
# redirect scheme https if hsts !{ ssl_fc }
# Clients that care, are not counted
# NOTE(review): any request carrying either header is exempt from the
# limits below, so this is a courtesy limit for naive clients rather than
# an abuse control.
acl smart_people hdr_len(If-Modified-Since) gt 0
acl smart_people hdr_len(If-None-Match) gt 0
# Track client by base32+src (Host header + URL path + src IP)
# Counter slot 0 -> table gtfs (.zip), slot 1 -> table gtfsrt (.pb).
http-request track-sc0 base32+src table gtfs if !smart_people { path_end -i .zip } { method GET }
http-request track-sc1 base32+src table gtfsrt if !smart_people { path_end -i .pb } { method GET }
# Ignore smart_people, don't download GTFS more than twice a day
# don't download protobuf files more than twice every minute.
# gpc0 is incremented on 200 responses in the gtfs/gtfsrt backends, so
# only completed downloads count; a request denied here does not.
http-request deny deny_status 429 if !smart_people { path_end -i .zip } { method GET } { sc0_gpc0_rate gt 2 }
http-request deny deny_status 429 if !smart_people { path_end -i .pb } { method GET } { sc1_gpc0_rate gt 2 }
use_backend gtfs if { path_end -i .zip } { method GET }
use_backend gtfsrt if { path_end -i .pb } { method GET }
default_backend static
backend static
# Catch-all backend: everything that is not a rate-limited .zip/.pb GET,
# plus ACME challenges, lands here on the local cherokee instance.
mode http
server cherokee 127.0.0.1:8000