Last active
April 27, 2017 22:47
-
-
Save teknofire/c6969955bfeafa903629b30f4575d93c to your computer and use it in GitHub Desktop.
haproxy_acl usage thoughts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # frozen_string_literal: true | |
| haproxy_install 'package' | |
| directory '/etc/haproxy/errors' do | |
| user 'haproxy' | |
| group 'haproxy' | |
| end | |
| file '/etc/haproxy/errors/403.http' do | |
| content '<h1>Error: 403</h1>' | |
| end | |
| haproxy_config_global 'global' do | |
| daemon false | |
| maxconn 4096 | |
| chroot '/var/lib/haproxy' | |
| stats_socket '/var/lib/haproxy/haproxy.stat mode 600 level admin' | |
| stats_timeout '2m' | |
| end | |
| haproxy_config_defaults 'defaults' do | |
| mode 'http' | |
| timeout connect: '5s', | |
| client: '50s', | |
| server: '50s' | |
| log 'global' | |
| retries 3 | |
| end | |
| haproxy_frontend 'http' do | |
| bind '0.0.0.0:80' | |
| default_backend 'rrhost' | |
| maxconn 2000 | |
| use_backend ['gina if gina_host', | |
| 'rrhost if rrhost_host', | |
| 'abuser if source_is_abuser', | |
| 'tiles_public if tile_host'] | |
| option %w(httplog dontlognull forwardfor) | |
| acl ['source_is_abuser src_get_gpc0(http) gt 0'] | |
| extra_options 'stick-table' => 'type ip size 200k expire 10m store gpc0', | |
| 'tcp-request' => 'connection track-sc1 src if !source_is_abuser' | |
| end | |
| ### current setup requires something like | |
| # haproxy_acl 'some_unique_name_that_never_gets_used' do | |
| # section 'frontend' | |
| # section_name 'http' | |
| # value 'kml_request path_reg -i /kml/' | |
| # end | |
| # possibly better syntax | |
| haproxy_acl 'kml_request path_reg -i /kml/' do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| haproxy_acl 'bbox_request path_reg -i /bbox/' do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| haproxy_acl 'gina_host hdr(host) -i foo.bar.com' do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| haproxy_use_backend 'gina if gina_host' do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| haproxy_acl 'rrhost_host hdr(host) -i dave.foo.bar.com foo.foo.com' do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| haproxy_acl 'tile_host hdr(host) -i dough.foo.bar.com' do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| haproxy_backend 'tiles_public' do | |
| server ['tile0 10.0.0.10:80 check weight 1 maxconn 100', | |
| 'tile1 10.0.0.10:80 check weight 1 maxconn 100'] | |
| tcp_request ['content track-sc2 src', | |
| 'content reject if conn_rate_abuse mark_as_abuser'] | |
| acl ['conn_rate_abuse sc2_conn_rate gt 3000', | |
| 'data_rate_abuse sc2_bytes_out_rate gt 20000000', | |
| 'mark_as_abuser sc1_inc_gpc0 gt 0', | |
| ] | |
| extra_options( | |
| 'stick-table' => 'type ip size 200k expire 2m store conn_rate(60s),bytes_out_rate(60s)', | |
| 'http-request' => 'set-header X-Public-User yes' | |
| ) | |
| end | |
| haproxy_backend 'abuser' do | |
| extra_options 'errorfile' => '403 /etc/haproxy/errors/403.http' | |
| end | |
| haproxy_backend 'rrhost' do | |
| server ['tile0 10.0.0.10:80 check weight 1 maxconn 100', | |
| 'tile1 10.0.0.10:80 check weight 1 maxconn 100'] | |
| end | |
| haproxy_backend 'gina' do | |
| server ['tile0 10.0.0.10:80 check weight 1 maxconn 100', | |
| 'tile1 10.0.0.10:80 check weight 1 maxconn 100'] | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # frozen_string_literal: true | |
| haproxy_install 'package' | |
| directory '/etc/haproxy/errors' do | |
| user 'haproxy' | |
| group 'haproxy' | |
| end | |
| file '/etc/haproxy/errors/403.http' do | |
| content '<h1>Error: 403</h1>' | |
| end | |
| haproxy_config_global 'global' do | |
| daemon false | |
| maxconn 4096 | |
| chroot '/var/lib/haproxy' | |
| stats_socket '/var/lib/haproxy/haproxy.stat mode 600 level admin' | |
| stats_timeout '2m' | |
| end | |
| haproxy_config_defaults 'defaults' do | |
| mode 'http' | |
| timeout connect: '5s', | |
| client: '50s', | |
| server: '50s' | |
| log 'global' | |
| retries 3 | |
| end | |
| haproxy_frontend 'http' do | |
| bind '0.0.0.0:80' | |
| default_backend 'rrhost' | |
| maxconn 2000 | |
| option %w(httplog dontlognull forwardfor) | |
| # leave these here cause they depend on the stuff in `extra_options`, although could be declared separately | |
| use_backend ['abuser if source_is_abuser'] | |
| acl ['source_is_abuser src_get_gpc0(http) gt 0'] | |
| extra_options 'stick-table' => 'type ip size 200k expire 10m store gpc0', | |
| 'tcp-request' => 'connection track-sc1 src if !source_is_abuser' | |
| end | |
| ### current setup requires something like | |
| # haproxy_acl 'some_unique_name_that_never_gets_used' do | |
| # section 'frontend' | |
| # section_name 'http' | |
| # value 'kml_request path_reg -i /kml/' | |
| # end | |
| # not sure if this is really an improvement | |
| [ | |
| 'kml_request path_reg -i /kml/', | |
| 'bbox_request path_reg -i /bbox/', | |
| 'gina_host hdr(host) -i foo.bar.com', | |
| 'rrhost_host hdr(host) -i dave.foo.bar.com foo.foo.com', | |
| 'tile_host hdr(host) -i dough.foo.bar.com', | |
| ].each do |acl_rule| | |
| haproxy_acl acl_rule do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| end | |
| [ | |
| 'gina if gina_host', | |
| 'rrhost if rrhost_host', | |
| 'abuser if source_is_abuser', | |
| 'tiles_public if tile_host' | |
| ].each do |backend_rule| | |
| haproxy_use_backend backend_rule do | |
| section 'frontend' | |
| section_name 'http' | |
| end | |
| end | |
| haproxy_backend 'tiles_public' do | |
| server ['tile0 10.0.0.10:80 check weight 1 maxconn 100', | |
| 'tile1 10.0.0.10:80 check weight 1 maxconn 100'] | |
| tcp_request ['content track-sc2 src', | |
| 'content reject if conn_rate_abuse mark_as_abuser'] | |
| acl ['conn_rate_abuse sc2_conn_rate gt 3000', | |
| 'data_rate_abuse sc2_bytes_out_rate gt 20000000', | |
| 'mark_as_abuser sc1_inc_gpc0 gt 0', | |
| ] | |
| extra_options( | |
| 'stick-table' => 'type ip size 200k expire 2m store conn_rate(60s),bytes_out_rate(60s)', | |
| 'http-request' => 'set-header X-Public-User yes' | |
| ) | |
| end | |
| haproxy_backend 'abuser' do | |
| extra_options 'errorfile' => '403 /etc/haproxy/errors/403.http' | |
| end | |
| haproxy_backend 'rrhost' do | |
| server ['tile0 10.0.0.10:80 check weight 1 maxconn 100', | |
| 'tile1 10.0.0.10:80 check weight 1 maxconn 100'] | |
| end | |
| haproxy_backend 'gina' do | |
| server ['tile0 10.0.0.10:80 check weight 1 maxconn 100', | |
| 'tile1 10.0.0.10:80 check weight 1 maxconn 100'] | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment