
@vniche
Last active April 20, 2021 01:04
HAProxy configuration for Raspberry Pi container cluster SubStack series
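---
# Compose file for the HAProxy edge container; it mounts the haproxy.cfg that
# accompanies it in this gist.
# "version" is ignored by recent Compose releases; kept for older tooling.
version: "3.9"

services:
  haproxy:
    image: haproxy:lts
    container_name: haproxy
    # Run unprivileged. haproxy.cfg binds 8080/8443 inside the container, so
    # no privileged-port capability is required.
    # NOTE(review): the mounted config and certificates must be readable by
    # uid/gid 1000 on the host — confirm the file permissions under /opt/haproxy.
    user: "1000:1000"
    # Quoted so the YAML parser cannot re-type the mappings; Compose expects
    # them as strings.
    ports:
      - "80:8080"
      - "443:8443"
    restart: unless-stopped
    volumes:
      - /opt/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      # HAProxy only reads the certificate (crt on the bind line), so the
      # mount is read-only like the config above.
      - /opt/haproxy/certs:/usr/local/etc/haproxy/certs:ro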
global
    # Process-wide settings. "stats timeout" applies to the stats socket; no
    # "stats socket" is declared in this file, so it has no visible effect here.
    stats timeout 30s
    # Process-wide cap on concurrent connections; sized for a Raspberry Pi.
    maxconn 100
    # Log to stdout (collected by the container log driver) in raw format.
    log stdout format raw local0
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    # NOTE(review): this list covers TLS <= 1.2 only; TLS 1.3 suites are set
    # with ssl-default-bind-ciphersuites. The DH+/RSA+ entries are kept for
    # older clients; drop them if none are expected.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Only SSLv3 is disabled, so TLS 1.0 and 1.1 are still negotiable.
    # NOTE(review): consider "ssl-min-ver TLSv1.2" (and "no-tls-tickets")
    # here unless legacy clients must be supported.
    ssl-default-bind-options no-sslv3
defaults
    # Baseline inherited by every frontend/backend below; a section may
    # override a value (backend sample-app-raspi shortens "timeout server").
    log global
    mode http
    option httplog
    # Do not log connections that exchanged no data.
    option dontlognull
    # Bare numbers are milliseconds.
    timeout connect 2000
    timeout client 60000
    timeout server 60000
    # NOTE(review): no "timeout http-request" is set, so a client may hold a
    # connection open while sending headers slowly for the whole 60s client
    # timeout; a short value (a few seconds) bounds that on the public
    # listeners.
frontend http
    # Public listeners (published as 80/443 by the compose file): plain HTTP on
    # 8080 exists only to redirect to HTTPS; TLS is terminated on 8443.
    bind *:8080
    bind *:8443 ssl crt /usr/local/etc/haproxy/certs/sample-app.raspi.vniche.me.pem
    option http-server-close
    # Add the client address to X-Forwarded-For for the backend.
    option forwardfor
    # NOTE(review): req_ssl_hello_type inspects a raw TLS ClientHello. With TLS
    # terminated on the bind line (and plain HTTP on 8080) this rule does not
    # appear to match anything and looks like a leftover from a TCP-mode
    # passthrough setup — confirm and remove both lines if so.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Anything that did not arrive over TLS is redirected to https://.
    http-request redirect scheme https unless { ssl_fc }
    # uncomment to enable CORS
    # http-response add-header Access-Control-Allow-Origin "*"
    # http-response add-header Access-Control-Allow-Headers "*"
    # table used to store behaviour of source IPs (type is ip). An entry, and
    # with it the gpc0 mark, is dropped after 1m without activity from that IP.
    stick-table type ip size 2048k expire 1m store gpc0,conn_rate(10s),http_req_rate(10s)
    # True once gpc0 has been incremented at least once for the source IP
    # (it persists until the table entry expires, see "expire 1m" above)
    acl source_is_abuser src_get_gpc0 gt 0
    # Instead of redirecting to a slowing-down backend, we may also reject any request
    #tcp-request connection reject if source_is_abuser
    # Rate thresholds, both measured over the 10s windows declared in the
    # table: more than 20 new connections or more than 30 HTTP requests from
    # one source IP
    acl conn_rate_abuse sc1_conn_rate gt 20
    acl http_req_rate_abuse sc1_http_req_rate gt 30
    # Always true; evaluating it increments gpc0 for the tracked IP (side effect)
    acl mark_as_abuser sc1_inc_gpc0 ge 0
    # Track every connecting IP in the table above under sticky counter 1
    tcp-request connection track-sc1 src
    # Same as above, we are nice, we do not reject all requests,
    # but these count also as access, so the counter is not reset
    #tcp-request connection reject if conn_rate_abuse mark_as_abuser
    # Terms are ANDed left to right, so only an over-limit source reaches
    # mark_as_abuser, after which source_is_abuser holds as well. In effect a
    # request is tarpitted only while its source is over a limit; once the rate
    # drops below the threshold it is served again even though gpc0 stays set
    # (only the commented-out reject rules would block a marked IP outright).
    use_backend too-many-requests if http_req_rate_abuse mark_as_abuser source_is_abuser
    use_backend too-many-requests if conn_rate_abuse mark_as_abuser source_is_abuser
    # NOTE(review): src is the connecting peer. If another proxy or CDN sits in
    # front of this cluster, all clients share its address and the limits
    # apply to that proxy instead — confirm the listeners are directly exposed.
    acl sample-app-raspi hdr_dom(host) -i sample-app.raspi.vniche.me
    # default_backend names the same backend, so the Host check only
    # documents the intended hostname; requests for any other Host reach the
    # app as well
    use_backend sample-app-raspi if sample-app-raspi
    default_backend sample-app-raspi
backend too-many-requests
    # Abuse sink used by the frontend rate-limit rules: hold the request for
    # 2s and then answer with an error response without contacting any
    # server, so an over-limit client is slowed down rather than cut off
    timeout tarpit 2s
    http-request tarpit
backend sample-app-raspi
    # Send each new connection to the server with the fewest active ones
    # (a single server is listed, so this matters once more are added)
    balance leastconn
    # uncomment to add an http check to /health path
    # option httpchk HEAD /health
    # Health-check and per-request server timeouts in ms; "timeout server"
    # overrides the 60000 inherited from defaults for this backend
    timeout check 1000
    timeout server 5000
    # Every server gets health checking and a 30-connection cap unless it
    # overrides them; without httpchk above, "check" is a plain TCP connect
    # probe
    default-server check maxconn 30
    # NOTE(review): 172.17.0.1 is typically the Docker bridge gateway, i.e. the
    # host, reached over plain HTTP on 3000 — confirm the app port is not also
    # reachable directly, otherwise the proxy's rate limits can be bypassed.
    server raspi-0 172.17.0.1:3000