@virtuman
Forked from vothanhkiet/guide.md
Created January 30, 2017 20:08
HA-Proxy for Portainer

HA-Proxy configuration for Portainer

Here is a working configuration for HA-Proxy version 1.6.6 (2016/06/26) that serves Portainer at portainer.127.0.0.1.xip.io:

global
    maxconn                     10000
    daemon
    ssl-server-verify           none
    tune.ssl.default-dh-param   2048

defaults
    mode    http
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close 
    option  forwardfor          except 127.0.0.0/8
    option  redispatch
    retries 30
    timeout http-request        300s
    timeout queue               1m
    timeout connect             10s
    timeout client              1m
    timeout server              1m
    timeout http-keep-alive     10s
    timeout check               10s
    maxconn 10000

userlist users
    group all
    group demo
    group haproxy

listen stats
    bind            *:2100
    mode            http
    stats           enable
    maxconn         10
    timeout client  10s
    timeout server  10s
    timeout connect 10s
    timeout         queue   10s
    stats           hide-version
    stats           refresh 30s
    stats           show-node
    stats           realm Haproxy\ Statistics
    stats           uri  /
    stats           admin if TRUE

frontend www-http
    bind    *:80
    stats   enable
    mode	http
    option  http-keep-alive

    acl portainer   hdr_end(host)   -i portainer.127.0.0.1.xip.io

    use_backend     portainer       if portainer

backend portainer
    stats   enable
    option  forwardfor
    option  http-keep-alive
    server  portainer   127.0.0.1:9000 check

NOTE: option http-keep-alive must be set in both the frontend and the backend.

Setup Basic HTTP Authentication

Simple setup with cleartext password

global
    maxconn                     10000
    daemon
    ssl-server-verify           none
    tune.ssl.default-dh-param   2048

defaults
    mode    http
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close 
    option  forwardfor          except 127.0.0.0/8
    option  redispatch
    retries 30
    timeout http-request        300s
    timeout queue               1m
    timeout connect             10s
    timeout client              1m
    timeout server              1m
    timeout http-keep-alive     10s
    timeout check               10s
    maxconn 10000

userlist users
    group all
    group dev
    group haproxy

    user    demo   insecure-password   Abc@123456   groups all,dev

listen stats
    bind            *:2100
    mode            http
    stats           enable
    maxconn         10
    timeout client  10s
    timeout server  10s
    timeout connect 10s
    timeout         queue   10s
    stats           hide-version
    stats           refresh 30s
    stats           show-node
    stats           realm Haproxy\ Statistics
    stats           uri  /
    stats           admin if TRUE

frontend www-http
    bind    *:80
    stats   enable
    mode	http
    option  http-keep-alive

    acl portainer   hdr_end(host)   -i portainer.127.0.0.1.xip.io

    use_backend     portainer       if portainer

backend portainer
    acl auth_ok     http_auth_group(users) dev
    http-request    auth if !auth_ok
    stats   enable
    option  forwardfor
    option  http-keep-alive
    server  portainer   127.0.0.1:9000 check

Advanced setup with secure password

Create SHA512 passwords

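# Start each command with a leading space so that it is not stored in your bash history
# (this only works when HISTCONTROL contains ignorespace or ignoreboth).
# The password is still visible in the process list while mkpasswd runs;
# running mkpasswd -m sha-512 with no password argument prompts for it instead.
 mkpasswd -m sha-512 password1
# generates -> $6$yMgsow58.g/Z$mBjHfdVzqcF/LN.iwV23Eyqg.yGPTsp9pOwaStsJ6c4I4zL7BhucVVAkv5guf7OVRr8Pw0mHF4NrWBRCG5ci7/
 mkpasswd -m sha-512 password2
# generates -> $6$RZ86vRkQ$aRKN1HOsk6bDHBbMhS7jSo/p1NGFl4PvwY3KpU.72i./LvITi41nL84EkxOFXl.6Bmhynj/L7pYbfF0rUHtOB0

Use the generated hashes with the password keyword (instead of insecure-password) in the userlist:
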
userlist users
    group all
    group dev
    group haproxy
    
    user userone password $6$yMgsow58.g/Z$mBjHfdVzqcF/LN.iwV23Eyqg.yGPTsp9pOwaStsJ6c4I4zL7BhucVVAkv5guf7OVRr8Pw0mHF4NrWBRCG5ci7/    groups all,dev
    user usertwo password $6$RZ86vRkQ$aRKN1HOsk6bDHBbMhS7jSo/p1NGFl4PvwY3KpU.72i./LvITi41nL84EkxOFXl.6Bmhynj/L7pYbfF0rUHtOB0        groups all,dev
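
As an added example (not part of the original gist), this Python check flags the settings from the configurations above that deserve attention before the proxy is reachable beyond localhost: insecure-password entries, stats admin with no auth rule, Basic auth when no bind line uses ssl, and ssl-server-verify none. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the cleartext-password setup above.
SAMPLE_CFG = """\
global
    ssl-server-verify           none
userlist users
    user    demo   insecure-password   Abc@123456   groups all,dev
listen stats
    bind            *:2100
    stats           admin if TRUE
frontend www-http
    bind    *:80
backend portainer
    acl auth_ok     http_auth_group(users) dev
    http-request    auth if !auth_ok
"""

SECTION = re.compile(r"^(global|defaults|userlist|listen|frontend|backend)\b")
AUTH_RULES = (["stats", "auth"], ["http-request", "auth"])

def parse_sections(text):
    """Return [(section header, [directive as word list, ...]), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: no quoted '#'
        if SECTION.match(line):
            sections.append((line, []))
        elif line and sections:
            sections[-1][1].append(line.split())
    return sections

def audit(text):
    """Flag the risky settings discussed on this page as (section, issue) pairs."""
    sections = parse_sections(text)
    tls_bind = any(w[0] == "bind" and "ssl" in w for _, d in sections for w in d)
    findings = []
    for header, directives in sections:
        has_auth = any(w[:2] in AUTH_RULES for w in directives)
        for w in directives:
            if w[:2] == ["ssl-server-verify", "none"]:
                findings.append((header, "server certificates are not verified"))
            if w[0] == "user" and "insecure-password" in w:
                findings.append((header, f"cleartext password for user {w[1]}"))
            if w[:2] == ["stats", "admin"] and not has_auth:
                findings.append((header, "stats admin without authentication"))
            if w[:2] == ["http-request", "auth"] and not tls_bind:
                findings.append((header, "Basic auth but no bind line uses ssl"))
    return findings
```

Calling audit() on the text of a real haproxy.cfg returns one (section, issue) pair per flagged directive; an empty list means none of these four settings were found.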