Created
August 21, 2014 18:35
-
-
Save GABeech/eb88933bf49cd82ceab0 to your computer and use it in GitHub Desktop.
Stack Exchange HAProxy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is an example of the Stack Exchange Tier 1 HAProxy config | |
# The only things that have been changed from what we are running are: | |
# 1. User names have been removed | |
# 2. All Passwords have been remove | |
# 3. IPs have been changed to use the example/documentation ranges | |
# 4. Rate limit numbers have been changed to randome numbers, don't read into them | |
userlist stats-auth | |
group admin users $admin_user | |
user $admin_user insecure-password $some_password | |
group readonly users $some_user | |
user $some_user insecure-password $some_other_password | |
global | |
daemon | |
stats socket /var/run/haproxy-t1.stat level admin | |
maxconn 100000 | |
pidfile /var/run/haproxy-t1.pid | |
log 127.0.0.1 local0 | |
log 192.0.2.17 local0 | |
tune.bufsize 16384 | |
tune.maxrewrite 1024 | |
spread-checks 4 | |
log-send-hostname ny-lb05 | |
defaults | |
errorfile 503 /etc/haproxy-shared/errors/503.http | |
errorfile 502 /etc/haproxy-shared/errors/502.http | |
mode http | |
timeout connect 15s | |
timeout client 60s | |
timeout server 150s | |
timeout queue 60s | |
timeout http-request 15s | |
timeout http-keep-alive 15s | |
option httplog | |
option redispatch | |
option dontlognull | |
balance source | |
backend be_api_1.1 | |
mode http | |
balance roundrobin | |
reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2 | |
reqirep ^([^\ ]*)\ /1.1/(.*) \1\ /\2 | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackoverflow.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_api | |
mode http | |
balance roundrobin | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackexchange.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_area51_stackexchange_com | |
mode http | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:area51.stackexchange.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_careers | |
mode http | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:careers.stackoverflow.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_internal_api | |
mode http | |
balance roundrobin | |
option http-server-close | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_meta_so | |
mode http | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:meta.stackoverflow.com | |
server ny-web10 203.0.113.110:80 check | |
server ny-web11 203.0.113.111:80 check | |
backend be_mobile | |
mode http | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:mobile.stackexchange.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_openid | |
mode http | |
balance roundrobin | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:openid.stackexchange.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_others | |
mode http | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:serverfault.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_so | |
mode http | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_so_crawler | |
mode http | |
balance roundrobin | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_sstatic | |
mode http | |
balance roundrobin | |
acl HTTP_OK status 200:399 | |
rspidel ^Cache-Control:.* unless HTTP_OK | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:sstatic.net | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
backend be_stackauth | |
mode http | |
balance roundrobin | |
reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2 | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
tcp-request content track-sc2 src | |
acl conn_rate_abuse sc2_conn_rate gt 10 | |
acl mark_as_abuser sc1_inc_gpc0 gt 3 | |
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser | |
stats enable | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN | |
stats uri /ilovestats | |
stats refresh 30s | |
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackauth.com | |
server ny-web01 203.0.113.101:80 check | |
server ny-web02 203.0.113.102:80 check | |
server ny-web03 203.0.113.103:80 check | |
server ny-web04 203.0.113.104:80 check | |
server ny-web05 203.0.113.105:80 check | |
server ny-web06 203.0.113.106:80 check | |
server ny-web07 203.0.113.107:80 check | |
server ny-web08 203.0.113.108:80 check | |
server ny-web09 203.0.113.109:80 check | |
frontend fe_stackauth | |
bind 198.51.100.21:80 name stackauth | |
bind 198.51.100.145:80 name stackauth | |
log global | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
capture request header Referer len 64 | |
capture request header User-Agent len 128 | |
capture request header Host len 64 | |
capture request header X-Forwarded-For len 64 | |
capture request header Accept-Encoding len 64 | |
capture response header Content-Encoding len 64 | |
capture response header X-Page-View len 1 | |
capture response header X-Route-Name len 64 | |
capture response header X-Account-Id len 7 | |
capture response header X-Sql-Count len 4 | |
capture response header X-Sql-Duration-Ms len 7 | |
capture response header X-AspNet-Duration-Ms len 7 | |
capture response header X-Application-Id len 5 | |
capture response header X-Request-Guid len 36 | |
capture response header X-Redis-Count len 4 | |
capture response header X-Redis-Duration-Ms len 7 | |
capture response header X-Http-Count len 4 | |
capture response header X-Http-Duration-Ms len 7 | |
capture response header X-TE-Count len 4 | |
capture response header X-TE-Duration-Ms len 7 | |
rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms): | |
maxconn 40000 | |
option http-server-close | |
option forwardfor | |
option httplog | |
acl source_is_serious_abuse src_conn_rate(fe_stackauth) gt 20 | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
acl api_only_ips src -f /etc/haproxy-shared/api-only-ips | |
acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist | |
acl is_crawler src -f /etc/haproxy-shared/crawlers | |
acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua | |
acl source_is_abuser src_get_gpc0(fe_stackauth) gt 0 | |
tcp-request connection track-sc1 src if !source_is_abuser | |
default_backend be_stackauth | |
frontend http-in | |
bind 198.51.100.16:80 name stackexchange | |
bind 198.51.100.17:80 name careers | |
bind 198.51.100.30:80 name careers.sstatic.net | |
bind 198.51.100.18:80 name openid | |
bind 198.51.100.24:80 name misc | |
bind 198.51.100.140:80 name stackexchange | |
bind 198.51.100.141:80 name careers | |
bind 198.51.100.154:80 name careers.sstatic.net | |
bind 198.51.100.142:80 name openid | |
bind 198.51.100.148:80 name misc | |
log global | |
stick-table type ip size 999k expire 1m store conn_rate(30s) | |
capture request header Referer len 64 | |
capture request header User-Agent len 128 | |
capture request header Host len 64 | |
capture request header X-Forwarded-For len 64 | |
capture request header Accept-Encoding len 64 | |
capture response header Content-Encoding len 64 | |
capture response header X-Page-View len 1 | |
capture response header X-Route-Name len 64 | |
capture response header X-Account-Id len 7 | |
capture response header X-Sql-Count len 4 | |
capture response header X-Sql-Duration-Ms len 7 | |
capture response header X-AspNet-Duration-Ms len 7 | |
capture response header X-Application-Id len 5 | |
capture response header X-Request-Guid len 36 | |
capture response header X-Redis-Count len 4 | |
capture response header X-Redis-Duration-Ms len 7 | |
capture response header X-Http-Count len 4 | |
capture response header X-Http-Duration-Ms len 7 | |
capture response header X-TE-Count len 4 | |
capture response header X-TE-Duration-Ms len 7 | |
rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms): | |
maxconn 40000 | |
option http-server-close | |
option forwardfor | |
option httplog | |
acl source_is_serious_abuse src_conn_rate(http-in) gt 1000 | |
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips | |
acl api_only_ips src -f /etc/haproxy-shared/api-only-ips | |
acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist | |
acl is_crawler src -f /etc/haproxy-shared/crawlers | |
acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua | |
acl source_is_abuser src_get_gpc0(http-in) gt 2 | |
acl is_feeds path_beg /feeds/ | |
acl is_internal_api path_beg /api/ | |
acl is_careers hdr_beg(host) -i careers. jobs. | |
acl is_so hdr_end(host) -i stackoverflow.com | |
acl is_sstatic hdr_end(host) -i sstatic.net | |
acl is_stackauth hdr_end(host) -i stackauth.com | |
acl is_se hdr_end(host) -i stackexchange.com | |
acl is_area51 hdr(host) -i area51.stackexchange.com | |
acl is_mobile hdr(host) -i mobile.stackexchange.com | |
acl is_stackexchange_com hdr(host) -i stackexchange.com | |
acl is_meta_so hdr_end(host) -i meta.stackoverflow.com | |
acl is_dev_meta_webapps hdr_end(host) -i meta.dev.webapps.stackexchange.com | |
acl is_dev_fb hdr_end(host) -i fb.dev.stackoverflow.com | |
acl is_api_2 hdr(host) -i api.stackexchange.com | |
acl is_api hdr_sub(host) -i api | |
acl is_api_1.0 path_beg /1.0/ | |
acl is_api_1.1 path_beg /1.1/ | |
acl is_api_root path / | |
acl is_api_static path_beg -i /admin /content /crossdomain.xml /clientaccesspolicy.xml /robots.txt | |
acl is_dev hdr_beg(host) -i dev. | |
acl is_dev_discuss hdr_end(host) -i discuss.dev.area51.stackexchange.com | |
acl is_openid hdr_beg(host) -i openid.stackexchange.com | |
acl is_80 dst_port 80 | |
acl is_ssl hdr_beg(X-SSL) -i yes | |
acl is_chat_yodeya hdr(host) -i chat.yodeya.com chat.miyodeya.com | |
acl is_bam_yodeya hdr(host) -i bam.yodeya.com bam.miyodeya.com | |
acl is_launchparty_yodeya hdr(host) -i launchparty.yodeya.com launchparty.miyodeya.com | |
acl is_me_yodeya hdr(host) -i me.yodeya.com me.miyodeya.com | |
acl is_kindle hdr_sub(user-agent) Silk-Accelerated | |
acl is_akamai hdr(host) -i sstatic-a.akamaihd.net | |
redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_chat_yodeya | |
redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_bam_yodeya | |
redirect prefix http://meta.judaism.stackexchange.com/questions/1134 code 301 if is_launchparty_yodeya | |
redirect prefix http://judaism.stackexchange.com code 301 if is_me_yodeya | |
redirect prefix https://openid.stackexchange.com code 301 if is_80 is_openid !is_ssl | |
tcp-request connection track-sc1 src if !source_is_abuser | |
use_backend be_internal_api if is_internal_api !is_careers | |
use_backend be_api_1.1 if is_api is_api_1.0 | |
use_backend be_api_1.1 if is_api is_api_1.1 | |
use_backend be_api if is_api_2 | |
use_backend be_api_1.1 if is_api is_api_static | |
use_backend be_api_1.1 if is_api is_api_root | |
use_backend be_bad_api if is_api | |
use_backend be_sstatic if is_sstatic | |
use_backend be_sstatic if is_akamai | |
use_backend be_mobile if is_mobile | |
use_backend be_area51_stackexchange_com if is_area51 | |
use_backend be_area51_stackexchange_com if is_stackexchange_com | |
use_backend be_meta_so if is_meta_so | |
use_backend be_careers if is_careers | |
use_backend be_so_crawler if is_so is_crawler | |
use_backend be_so_crawler if is_so is_crawler_ua | |
use_backend be_so if is_so | |
use_backend be_stackauth if is_stackauth | |
use_backend be_openid if is_openid | |
default_backend be_others | |
backend be_api_only | |
mode http | |
errorfile 503 /etc/haproxy-shared/errors/503apionly.http | |
backend be_bad_api | |
mode http | |
errorfile 403 /etc/haproxy-shared/errors/403.http | |
backend be_go-away | |
mode http | |
errorfile 503 /etc/haproxy-shared/errors/503rate.http | |
backend be_no_ssl | |
mode http | |
errorfile 503 /etc/haproxy-shared/errors/503nossl.http | |
listen t1_internal_stats | |
bind 203.0.113.15:7001 | |
mode http | |
balance roundrobin | |
stats enable | |
stats uri /ilovestats | |
acl AUTH http_auth(stats-auth) | |
acl AUTH_ADMIN http_auth_group(stats-auth) admin | |
stats http-request auth unless AUTH | |
stats admin if AUTH_ADMIN |
awesome
backend be_go-away
backend be_no_ssl
Seem to be unused; did you previously do something interesting with be_no_ssl?
I feel curious about the fact you are not using nbproc, which kind of CPU is running this haproxy?
Thanks for sharing this configuration, it's highly illustrative.
Are you no longer using the source port exhaustion workaround discussed here[1]?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanks!