@double-p
Last active February 13, 2024 09:29
haproxy (split config files, named defaults and more)
00-global.cfg:
# Process-wide settings: chroot, privilege drop, and the runtime API socket.
global
# Jail the worker after startup. Files referenced by absolute path elsewhere
# (certs, errorfiles, ACL lists) are read before this applies; anything the
# process must open later has to be reachable inside the jail.
chroot /var/lib/haproxy
# Runtime API. "level admin" allows disabling servers, changing weights and
# updating maps/ACLs, so the 660 mode plus the haproxy user/group set below
# (unix-bind) is the only thing gating it. "expose-fd listeners" is what
# seamless reloads (-x) need.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
# Drop root once the listeners are bound.
user haproxy
group haproxy
# Ownership applied to unix sockets HAProxy creates (incl. the admin socket).
unix-bind user haproxy group haproxy
daemon
nbthread 4
01-ssl.cfg:
# TLS policy inherited by every "ssl" bind and every "ssl" server unless
# overridden on the line itself.
global
# Parameters for the DHE-* suites listed below; generate these locally rather
# than relying on a library default.
ssl-dh-param-file /etc/haproxy/ssl/dhparam.key
# Intermediate CA certs used to complete the chain of leaf certs that were
# deployed without their intermediates.
issuers-chain-path /etc/haproxy/ssl/CA/
# TLS 1.2 suites: AEAD only (GCM / ChaCha20-Poly1305), forward-secret key
# exchange only. TLS 1.3 suites are governed by ssl-default-bind-ciphersuites,
# which is not set here, so the library default applies for 1.3.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Floor is TLS 1.2 (sslv3/1.0/1.1 disabled; "ssl-min-ver TLSv1.2" is the
# equivalent modern spelling). prefer-client-ciphers lets the client's ordering
# win over the list above (presumably so ChaCha-preferring mobile clients get
# it) - drop it if strict server ordering is wanted. no-tls-tickets disables
# stateless session tickets, which would otherwise need key rotation across
# threads and reloads.
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Same suite list for HAProxy acting as TLS client. None of the server lines in
# these files use "ssl", so the server-side settings are currently dormant.
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
05-logging.cfg:
# Logging: every log line goes to the in-memory ring "logsink" (forwarded over
# TCP in the ring section below), facility local0. The setenv fragments are
# stitched into one JSON object by the log-format / error-log-format lines in
# fe_defaults; each fragment starts without a comma so they can be joined with ",".
global
log ring@logsink len 2048 local0
# Opening brace. The throwaway "X":"0" pair exists only so that every fragment
# after it can be appended with a leading comma.
setenv LOG_OPEN '{"X":"0"'
setenv LOG_CLOSE '"X":"1"}'
# Human-readable one-liner duplicated inside the JSON for grepping.
setenv LOG_HUMAN '"human": "%ST ; %HM %HU ; %ft/%b:%s ; %ci ; %ts ; %B ; %Ta ;"'
# %ID is only populated when a unique-id-format is configured; none is visible
# in these files, so "uuid" is empty until one is added.
setenv LOG_BASIC '"reqtime":"%t","src_ip":"%ci","src_port":"%cp","hostname":"%H","status":"%ST","term_state":"%ts","timers.http":"%tr","term_state_cookie":"%tsc","uuid":"%ID"'
# NOTE(review): %HPO, %HQ, var(txn.host) and ssl_fc_sni are attacker-controlled
# and copied verbatim; a '"' or '\' in them yields invalid JSON (and a log
# injection vector for consumers that parse these records). Consider the +E
# escaping flag on those tags, or a json converter, before relying on parsers.
setenv LOG_ROUTE '"httpmeth":"%HM","uripath":"%HPO","reqargs":"%HQ","httphost":"%[var(txn.host)]","snihost":"%[ssl_fc_sni]","fe":"%f","fetls":"%ft","be":"%b","besrv":"%s"'
# %CC/%CS/%hr/%hs are empty unless "capture cookie" / "capture request|response
# header" directives exist (none are visible here). If cookies are ever captured,
# session tokens end up on the remote log sink - keep session cookies out of it.
setenv LOG_CAPTURE '"cap_req_cookie":"%CC","cap_rsp_cookie":"%CS","cap_req_hdrs":"%hr","cap_rsp_hdrs":"%hs"'
setenv LOG_STATS '"be_src_port":"%bp","fe_port":"%fp","srv_port":"%sp","httpver":"%HV","bytes_read":"%B","bytes_uploaded":"%U","actconn":"%ac","be_conn":"%bc","be_queue":"%bq","fe_conn":"%fc","fe_log_cnt":"%lc","retries":"%rc","req_cnt":"%rt","srv_conn":"%sc","srv_queue":"%sq","ssl_ciphers":"%sslc","ssl_version":"%sslv"'
setenv LOG_TIMERS '"timer.active":"%Ta","timer.tcp":"%Tc","timer.data":"%Td","timer.hsk":"%Th","timer.idle":"%Ti","timer.queue":"%Tq","timer.reqsent":"%TR","timer.response":"%Tr","timer.total":"%Tt","timer.user":"%Tu","timer.qwait":"%Tw"'
# Used by error-log-format: connection-level failures (e.g. TLS handshake
# errors), which is why the TLS error code/text and fc/bc error strings are here.
setenv LOG_ERR '"reqtime":"%t","error":"1","sslerrid":"%[ssl_fc_err,hex]","sslerrtext":"%[ssl_fc_err_str]","ssl_ciphers":"%sslc","ssl_version":"%sslv","fe_err":"%[fc_err_str]","be_err":"%[bc_err_str]"'
# Ring buffer decoupling log producers from the remote syslog sink: frontends
# write into memory and never block on the network.
ring logsink
description "remote log sink for aggregation"
format rfc5424
# Per-record cap; matches "len 2048" on the global log line.
maxlen 2048
# Buffer size in bytes, i.e. room for ~8 maximum-size records. The ring wraps,
# so when the sink falls behind the oldest records are overwritten silently -
# size this against the peak log rate if completeness matters.
size 16384
timeout connect 5s
timeout server 10s
# Plain TCP syslog with octet-counted framing. There is no "ssl" on this server
# line, so client IPs, paths, query strings and any captured headers/cookies
# leave the host in cleartext; acceptable only on a trusted network segment.
server ssfnmtm121 10.45.30.123:514 log-proto octet-count
06-cache.cfg:
# Shared response cache; used by be_mtmplay for paths under /static/ only.
cache mtmcache
total-max-size 1024 # MBytes
# ~4.2 years: cached objects are effectively pinned until evicted by size
# pressure or a reload. Only safe if /static/ assets are content-hashed
# (presumably the case for this application) - a changed file at the same
# path would otherwise be served stale for years.
max-age 131556927 # seconds
# Bytes; larger responses are passed through uncached.
max-object-size 1000000
# Vary is not processed, so any response carrying a Vary header is not cached.
#process-vary on
10-defaults.cfg:
# Base named defaults that every other defaults/frontend/backend section
# derives from.
defaults all_defs
mode http
timeout connect 5s
timeout client 60s
# Kept just under the client timeout, presumably so that a stalled backend
# surfaces as a 504 from HAProxy rather than as a client-side disconnect.
timeout server 58s
# XXX # http-request set-timeout server 90s if { path -m beg /slow/ }
# Custom error pages, read at startup (absolute paths, before the chroot).
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Defaults for traffic-serving frontends: health URI, per-transaction variables
# consumed by the log format, and the JSON log formats assembled from the
# LOG_* fragments defined in the logging global section.
defaults fe_defaults from all_defs
# Answered by HAProxy itself (200, or 503 when a "monitor fail" rule matches);
# never forwarded to a backend.
monitor-uri /rpx/ok.txt
# Captured up front so they are available to the log format even when the
# request is denied later in the rule chain.
http-request set-var(txn.host) hdr(host)
http-request set-var(txn.path) path
log global
option dontlognull
# Failed requests are emitted at syslog level "err" instead of "info", so the
# sink can filter them without parsing the record.
option log-separate-errors
# One JSON object per request; see the NOTE in the logging section about
# unescaped request-controlled values.
log-format "${LOG_OPEN},${LOG_HUMAN},${LOG_BASIC},${LOG_ROUTE},${LOG_CAPTURE},${LOG_STATS},${LOG_TIMERS},${LOG_CLOSE}"
# Used when the connection fails before an HTTP transaction exists
# (e.g. TLS handshake errors), hence LOG_ERR instead of LOG_CAPTURE/LOG_STATS.
error-log-format "${LOG_OPEN},${LOG_HUMAN},${LOG_BASIC},${LOG_ROUTE},${LOG_ERR},${LOG_TIMERS},${LOG_CLOSE}"
# Backend defaults: active HTTP health check against the Mattermost vhost.
# Only servers declared with "check" are actually probed.
defaults be_defaults from all_defs
option httpchk
# Host is sent explicitly so the probe hits the vhost rather than the bare IP.
http-check send meth GET uri / hdr Host chat.rootnexus.net ver HTTP/1.1
# Body match rather than status match: a maintenance or placeholder page that
# still returns 200 is treated as down.
http-check expect string Mattermost
# Defaults for the stats frontend: inherits mode/timeouts/errorfiles from
# all_defs but not the "log global" of fe_defaults, so stats hits are not logged.
defaults fe_stats from all_defs
# Standalone defaults, deliberately NOT derived from all_defs: no "mode http"
# (sections using it run in tcp mode) and no errorfiles. Not referenced by any
# section in these files.
defaults listen_defaults
log global
timeout connect 5s
timeout client 60s
timeout server 58s
20-fe-tables.cfg:
#
# The binds below are placeholders so the config checker accepts each section;
# they carry no traffic. Five sections sharing one address only starts cleanly
# because HAProxy sets SO_REUSEPORT on Linux by default (presumably - verify if
# "noreuseport" is ever set).
# All tbl_*_r tables are "rates"; each table's expire must match its rate(x) window.
#
# Table-only section: outbound bytes per hour, keyed by a string (the commented
# track-sc0 line in fe_test shows the intended key is the request path).
frontend tbl_traffic_r from all_defs
bind 127.0.0.1:60001
stick-table type string len 128 size 2k expire 1h store bytes_out_rate(1h)
# Table-only section: requests per negotiated TLS version over a 7-day window
# (fe_mtm_ssl tracks ssl_fc_protocol into it). Useful for seeing how many
# clients still depend on TLS 1.2 before raising the floor.
frontend tbl_traffic_tls_r from all_defs
bind 127.0.0.1:60001
stick-table type string len 32 size 200 expire 7d store http_req_rate(7d)
# Table-only section: per-source-IP request rate over 10 minutes. Not tracked
# by any frontend in these files yet.
frontend tbl_http_req_r from all_defs
bind 127.0.0.1:60001
stick-table type ip size 1m expire 10m store http_req_rate(10m)
# Table-only section: concurrent connections per source IP. Not tracked by any
# frontend in these files yet.
frontend tbl_conn_cur from all_defs
bind 127.0.0.1:60001
stick-table type ip size 1m expire 10m store conn_cur
# Table-only section: HTTP error rate over one hour, keyed by string (fe_test
# tracks "src" into it, which is converted to its string form). A 1h window
# means a client that trips the threshold stays above it for a long time.
frontend tbl_http_err_r from all_defs
bind 127.0.0.1:60001
stick-table type string len 128 size 2k expire 1h store http_err_rate(1h)
20-stats.cfg:
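# Stats page and Prometheus exporter. The bind is on every interface and the
# original section had no access control at all, so the same admin_ips list the
# traffic frontends use is enforced first (the other http-request rule below is
# evaluated only for requests that pass). The Prometheus scraper's address must
# be in that list.
frontend stats from fe_stats
bind :8404
acl ssfn_ip_admin src -f /etc/haproxy/config/admin_ips.lst
http-request deny if !ssfn_ip_admin
stats enable
stats uri /
stats refresh 10s
stats show-modules
http-request use-service prometheus-exporter if { path /metrics }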
25-frontends.cfg:
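# Plaintext test frontend in front of the same Mattermost server.
frontend fe_test from fe_defaults
bind *:60240
# Load-balancer probe: /rpx/ok.txt (monitor-uri from fe_defaults) answers 503
# when be_mtmplay has no live server. Note this checks be_mtmplay while the
# frontend routes to be_test - both point at the same box, and be_test's server
# has no "check", so be_mtmplay is the one with real health information.
acl site_dead nbsrv(be_mtmplay) eq 0
monitor fail if site_dead
# Per-client error tracking in counter 1 (counter 0 is used for path/TLS tables
# elsewhere). The table stores http_err_rate(1h).
http-request track-sc1 src table tbl_http_err_r
#http-request track-sc0 path table tbl_traffic_r
# Throttle clients with more than 2 HTTP errors in the table's 1h window.
# Counter index and fetch must match the track line and the table's "store":
# the previous sc_http_req_rate(0,tbl_http_err_r) read counter 0, which this
# frontend never tracks, and a rate the table does not store, so it never fired.
# NOTE(review): "gt 2" per hour is a very low bar, and the 429 emitted here may
# itself be counted as an error and extend the lockout - confirm before relying
# on this outside the test frontend.
http-request deny deny_status 429 if { sc_http_err_rate(1) gt 2 }
# /metrics is admin-only. The deny must precede use-service: use-service ends
# http-request rule evaluation, so in the original order the exporter answered
# every client and the IP restriction below it was never reached.
acl ssfn_ip_admin src -f /etc/haproxy/config/admin_ips.lst
acl ssfn_path_metrics path /metrics
http-request deny if ssfn_path_metrics !ssfn_ip_admin
http-request use-service prometheus-exporter if ssfn_path_metrics
default_backend be_test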
# TLS frontend for Mattermost.
frontend fe_mtm_ssl from fe_defaults
# tfo: TCP Fast Open for capable clients. strict-sni: there is no default
# certificate, so a handshake without a matching SNI is refused instead of
# being answered with whichever cert sorts first in the directory. h2 via ALPN.
bind *:60603 tfo ssl strict-sni alpn h2,http/1.1 crt /etc/haproxy/ssl/certs/
# Count requests per negotiated TLS version (7d window) to measure who would be
# cut off by tightening ssl-default-bind-options.
http-request track-sc0 ssl_fc_protocol table tbl_traffic_tls_r
acl ssfn_ip_admin src -f /etc/haproxy/config/admin_ips.lst
# Two acl lines with the same name OR together: select_team is open to admins
# plus the select list.
acl ssfn_ip_select src -f /etc/haproxy/config/admin_ips.lst
acl ssfn_ip_select src -f /etc/haproxy/config/select_ips.lst
acl ssfn_path_admcons path_beg /admin_console
acl ssfn_path_select path_beg /select_team
# Non-listed sources get 429 for the admin console and 410 for /select_team -
# presumably deliberately uninformative statuses. NOTE(review): path_beg only
# covers these URL prefixes; if the application exposes the same functionality
# through API routes under other prefixes, those are not restricted here.
http-request deny deny_status 429 if ssfn_path_admcons !ssfn_ip_admin
http-request deny deny_status 410 if ssfn_path_select !ssfn_ip_select
default_backend be_mtmplay
# No server id on the response means no server was involved, i.e. the backend's
# cache answered it.
http-response set-header X-Cache-Status HIT if !{ srv_id -m found }
# Strip the application's version disclosure header. http-after-response also
# applies to responses HAProxy generates itself (errorfiles, cache hits).
http-after-response del-header x-version-id
30-backends.cfg:
# Test backend: same Mattermost server as be_mtmplay, but declared without
# "check", so the httpchk from be_defaults never runs here and the server is
# always considered up.
backend be_test from be_defaults
#server localtestbox 10.45.30.123:10080 # local dummy nginx
server mtmplay 10.45.30.123:9065
# Mattermost backend with a response cache for static assets.
backend be_mtmplay from be_defaults
# Redundant for frontends derived from fe_defaults (which already set txn.path)
# but keeps the backend usable from any frontend.
http-request set-var(txn.path) path
acl statics_path var(txn.path) -m beg /static/
# Cache only /static/. HAProxy's cache still skips responses carrying
# Cache-Control no-store/private or Set-Cookie, so a per-user response under
# this prefix should not be stored; the 4-year max-age in "cache mtmcache"
# applies to everything that is.
http-request cache-use mtmcache if statics_path
http-response cache-store mtmcache if statics_path
# Debug header: the cache name on a hit, empty value otherwise.
http-response set-header X-cache-name %[res.cache_name]
# "check" turns on the be_defaults httpchk for this server; nbsrv(be_mtmplay)
# in fe_test depends on it.
server ssfnmtm121 10.45.30.123:9065 check