atta · September 7, 2022 09:37
diff --git a/haproxy.cfg b/haproxy.cfg
 global
  log /dev/log    local0
  log /dev/log    local1 notice
  chroot /var/lib/haproxy
  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s
  user haproxy
  group haproxy
  daemon
  lua-load /etc/haproxy/cors.lua
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!MD5:!DSS
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  tune.ssl.default-dh-param 2048

 defaults
  log       global
  mode      http
  option    httplog
  option    dontlognull
  timeout   connect 5000
  timeout   client  50000
  timeout   server  50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

 frontend http
  mode http
  bind :80
  acl acme path_beg /.well-known/acme-challenge/
  http-request redirect scheme https unless { ssl_fc } || acme
  http-request return status 200 content-type "text/plain" lf-string "%[url,regsub(^/.well-known/acme-challenge/,,)].<TOKEN>" if acme
  default_backend abuse
  
 frontend https
  bind *:443 ssl crt /etc/haproxy/ssl/
  mode http
  http-request set-header X-Forwarded-For %[src]
  http-request set-header X-Forwarded-Proto https
  option http-server-close

  capture request header User-Agent len 256
  capture request header Host len 128
  http-request capture req.hdr(Origin) len 20

  acl stats path_beg /haproxy
  acl ceph-mgr path_beg /ceph-mgr
  acl rfc1918 src,map_ip(/etc/haproxy/map/rfc1918.map) -m found
  acl pages hdr_end(host) -i .pages.my.cloud
  
  unique-id-format %{+X}o\ %ci_%cp%fi%fp%Ts%rt
  unique-id-header X-Req-ID
  log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %ID %hr %hs %{+Q}r"
  
  tcp-request content track-sc0 src
  tcp-request content reject if { sc_conn_cur(0) gt 500 }

  http-request set-nice 500 if { sc_conn_cur(0) gt 50 } { sc_conn_cur(0) lt 100 }
  http-request set-nice 1000 if { sc_conn_cur(0) gt 100 }
  http-request deny deny_status 429 if { sc_conn_cur(0) gt 200 }
  
  http-request set-var(req.bucketname) hdr(host),regsub(.pages.my.cloud,),regsub(_,:) if pages
  http-request set-var(req.bucketname) hdr(host),map(/etc/haproxy/map/buckets.map)
  http-request set-uri /%[var(req.bucketname)]%[path,regsub(/$,/index.html)] if { var(req.bucketname) -m found }
  http-request set-header X-Debug-Bucket %[var(req.bucketname)] if { var(req.bucketname) -m found }
  http-request set-header Host object.my.cloud if { var(req.bucketname) -m found }
  http-request del-header Authorization if { var(req.bucketname) -m found }
  http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
  http-response del-header x-amz-id-2 if { var(req.bucketname) -m found }
  http-response del-header x-amz-request-id if { var(req.bucketname) -m found }

  http-request lua.cors "GET,PUT,POST,HEAD,DELETE" ".my.cloud" "*"
  http-response lua.cors

  use_backend stats if stats rfc1918
  use_backend ceph-mgr if ceph-mgr rfc1918
  default_backend ceph-rgw

 backend stats
  stats enable
  stats hide-version
  stats refresh 30s
  stats show-node
  stats auth admin:admin
  stats uri /
  
 backend abuse
  mode http
  timeout tarpit 10s
  http-request tarpit

 peers lbs
  peer lb01 192.168.56.101:1024
  peer lb02 192.168.56.102:1024
  peer lb03 192.168.56.103:1024

 backend ceph-mgr
  mode http
  balance source
  option forwardfor
  option httplog
  http-request set-uri %[url,regsub(^/ceph-mgr,/,)]

  server ceph-mgr01 192.168.56.101:8081 check port 8081 inter 12000 rise 2 fall 2
  server ceph-mgr02 192.168.56.102:8081 check port 8081 inter 12000 rise 2 fall 2
  server ceph-mgr03 192.168.56.103:8081 check port 8081 inter 12000 rise 2 fall 2

 backend ceph-rgw
  mode http
  balance source
  option forwardfor
  option httplog
	global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon
	lua-load /etc/haproxy/cors.lua
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private
	ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
	tune.ssl.default-dh-param 2048

	defaults
	log global
	mode http
	option httplog
	option dontlognull
	timeout connect 5000
	timeout client 50000
	timeout server 50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

	frontend http
	mode http
	bind :80
	acl acme path_beg /.well-known/acme-challenge/
	http-request redirect scheme https unless { ssl_fc } \|\| acme
	http-request return status 200 content-type "text/plain" lf-string "%[url,regsub(^/.well-known/acme-challenge/,,)].<TOKEN>" if acme
	default_backend abuse

	frontend https
	bind *:443 ssl crt /etc/haproxy/ssl/
	mode http
	http-request set-header X-Forwarded-For %[src]
	http-request set-header X-Forwarded-Proto https
	option http-server-close

	capture request header User-Agent len 256
	capture request header Host len 128
	http-request capture req.hdr(Origin) len 20

	acl stats path_beg /haproxy
	acl ceph-mgr path_beg /ceph-mgr
	acl rfc1918 src,map_ip(/etc/haproxy/map/rfc1918.map) -m found
	acl pages hdr_end(host) -i .pages.my.cloud

	unique-id-format %{+X}o\ %ci_%cp%fi%fp%Ts%rt
	unique-id-header X-Req-ID
	log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %ID %hr %hs %{+Q}r"

	tcp-request content track-sc0 src
	tcp-request content reject if { sc_conn_cur(0) gt 500 }

	http-request set-nice 500 if { sc_conn_cur(0) gt 50 } { sc_conn_cur(0) lt 100 }
	http-request set-nice 1000 if { sc_conn_cur(0) gt 100 }
	http-request deny deny_status 429 if { sc_conn_cur(0) gt 200 }

	http-request set-var(req.bucketname) hdr(host),regsub(.pages.my.cloud,),regsub(_,:) if pages
	http-request set-var(req.bucketname) hdr(host),map(/etc/haproxy/map/buckets.map)
	http-request set-uri /%[var(req.bucketname)]%[path,regsub(/$,/index.html)] if { var(req.bucketname) -m found }
	http-request set-header X-Debug-Bucket %[var(req.bucketname)] if { var(req.bucketname) -m found }
	http-request set-header Host object.my.cloud if { var(req.bucketname) -m found }
	http-request del-header Authorization if { var(req.bucketname) -m found }
	http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
	http-response del-header x-amz-id-2 if { var(req.bucketname) -m found }
	http-response del-header x-amz-request-id if { var(req.bucketname) -m found }

	http-request lua.cors "GET,PUT,POST,HEAD,DELETE" ".my.cloud" "*"
	http-response lua.cors

	use_backend stats if stats rfc1918
	use_backend ceph-mgr if ceph-mgr rfc1918
	default_backend ceph-rgw

	backend stats
	stats enable
	stats hide-version
	stats refresh 30s
	stats show-node
	stats auth admin:admin
	stats uri /

	backend abuse
	mode http
	timeout tarpit 10s
	http-request tarpit

	peers lbs
	peer lb01 192.168.56.101:1024
	peer lb02 192.168.56.102:1024
	peer lb03 192.168.56.103:1024

	backend ceph-mgr
	mode http
	balance source
	option forwardfor
	option httplog
	http-request set-uri %[url,regsub(^/ceph-mgr,/,)]

	server ceph-mgr01 192.168.56.101:8081 check port 8081 inter 12000 rise 2 fall 2
	server ceph-mgr02 192.168.56.102:8081 check port 8081 inter 12000 rise 2 fall 2
	server ceph-mgr03 192.168.56.103:8081 check port 8081 inter 12000 rise 2 fall 2

	backend ceph-rgw
	mode http
	balance source
	option forwardfor
	option httplog