Example HAProxy configuration for Orchestra
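# Process-wide settings: privileges, logging, the runtime admin socket and the
# TLS defaults every "bind ... ssl" line inherits unless it overrides them.
global
daemon
nbproc 1
user haproxy
group haproxy
# syslog over UDP to the local collector, facility local0
log 127.0.0.1:514 local0
pidfile /var/run/haproxy.pid
# Runtime API socket. The previous "mode 777" let any local account drive
# the runtime API (disable servers, change weights, read session state);
# only the owner should be able to connect.
stats socket /var/run/haproxy.stat mode 600
spread-checks 5
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
# Upper bound on the DHE parameter size, used only when the certificate PEM
# carries no DH parameters of its own. 1024-bit DH is considered weak;
# 2048 is the usual minimum. Raising it does not affect ECDHE suites.
tune.ssl.default-dh-param 2048
#debug # uncomment to enable verbose logging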
# Settings inherited by every frontend/backend/listen section below unless
# the section overrides them (the comet backend overrides "timeout server").
defaults
log global
mode http
maxconn 40000
option httplog
option dontlognull
option http-server-close
option http-pretend-keepalive
option redispatch
option abortonclose
option tcp-smart-accept
option tcp-smart-connect
timeout client 30s
timeout server 30s
timeout connect 5s
timeout queue 5s
timeout client-fin 30s
# applies once a connection has been upgraded (websocket) — long-lived by design
timeout tunnel 1h
timeout http-keep-alive 1s
timeout http-request 5s # keep short for DoS protection
timeout check 3s
retries 3
# NOTE(review): gzip is applied to HTTPS responses as well; if an application
# echoes request data next to a secret (e.g. a CSRF token) in the same
# response, compression is the BREACH precondition — confirm or narrow
# "compression type" to content that carries no secrets.
compression algo gzip
compression type text/html text/html;charset=utf-8 text/html;charset=ISO-8859-1 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint
# custom error pages are disabled except 408 (see below)
#errorfile 400 /opt/qmatic/haproxy/errors/400.http
#errorfile 403 /opt/qmatic/haproxy/errors/403.http
errorfile 408 /dev/null # workaround Chrome pre-connect bug
#errorfile 500 /opt/qmatic/haproxy/errors/500.http
#errorfile 502 /opt/qmatic/haproxy/errors/502.http
#errorfile 503 /opt/qmatic/haproxy/errors/503.http
#errorfile 504 /opt/qmatic/haproxy/errors/504.http
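# HTTP front end: terminates TLS, forces HTTPS for everything except the
# central websocket handshake, normalises forwarding headers and routes by
# path prefix to the backends below.
frontend http-in
bind *:80
# specific ciphers support Opera browser in TP / Intro = ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
# ciphers / force-tlsv12 / no-sslv3 repeat the ssl-default-bind-* values from "global"
bind *:443 ssl crt /etc/haproxy/mycert.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3
### ACL rules ###
acl is_central path_beg /qsystem
acl is_calendar path_beg /calendar-admin /calendar-client /calendar-backend
acl is_bi path_beg /businessintelligence /qmatic-style /pentaho-style
acl is_comet path_beg /cometd/
# An acl line carries ONE fetch followed by patterns that are OR-ed, so the
# former "path_beg /wsCentral hdr(Upgrade) -i websocket" matched on the path
# prefix alone ("hdr(Upgrade)" and "websocket" were read as extra patterns)
# and never looked at the Upgrade header. The header test is its own ACL and
# is AND-ed with the path ACL in every condition that needs both.
acl is_websocket hdr(Upgrade) -i websocket
acl is_central_ws path_beg /wsCentral
acl is_agent_ws path_beg /wsdc
### Header manipulation ###
# set-header / del-header (not add) so a client-supplied value can never
# reach the backends as if it came from the proxy
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request del-header X-Forwarded-Proto if !{ ssl_fc }
# Plain HTTP is redirected unless it is a genuine websocket handshake for the
# central endpoint (path AND Upgrade header, same test as the routing below).
redirect scheme https unless { ssl_fc } || is_central_ws is_websocket
option forwardfor header Proxy-ip
# cookies are marked Secure and HSTS is sent only on TLS connections
rspirep ^(set-cookie:.*) \1;\ Secure if { ssl_fc }
rspadd Strict-Transport-Security:\ max-age=31536000 if { ssl_fc }
# strip server-fingerprinting headers from every response
rspidel ^Server:.*
rspidel ^X-Powered-By:.*
### backend routing ###
use_backend central if is_central
use_backend calendar if is_calendar
use_backend bi if is_bi
use_backend comet if is_comet
use_backend central_ws if is_central_ws is_websocket
use_backend agent_ws if is_agent_ws is_websocket
### send all non-matched traffic to agent backend by default ###
default_backend agent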
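# agent backend: default destination for unmatched traffic; owns the stick
# table that the other backends share via "table agent".
backend agent
balance leastconn
option httpchk GET /ping.html HTTP/1.1\r\nHost:\ www
# sticky per client /24; the table key is a string so the address is
# converted at lookup time. NOTE(review): "type ip" would be the natural key
# type — confirm before changing, every "table agent" reference shares it.
stick on src ipmask(24)
stick-table type string len 32 size 1m expire 12h
# capture.req.uri is presumably used instead of "path" because this ACL is
# evaluated by a response rule (rspadd) — verify on the HAProxy version in use.
# Fixed the last pattern: with "-m end" the former ".favicon.ico" could never
# match a request for /favicon.ico. A query string on the URI still defeats
# the suffix match, so such responses are simply not marked cacheable.
acl is_static capture.req.uri -m end .css .png .jpg .gif .js /favicon.ico
rspadd Cache-Control:\ public if is_static
server oas1 10.0.1.127:8080 check inter 5000
server oas2 10.0.1.128:8080 check inter 5000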
# agent websocket backend
# No "option httpchk" here, so "check" is a plain TCP connect check.
backend agent_ws
balance leastconn
# same /24 stickiness as HTTP traffic, keyed in the agent backend's table
stick on src ipmask(24) table agent
server oas1 10.0.1.127:8888 check inter 5000
server oas2 10.0.1.128:8888 check inter 5000
# central backend (paths under /qsystem)
# The HTTP health check is commented out, so "check" falls back to a TCP
# connect check; the servers are the same hosts/ports as the agent backend.
backend central
balance leastconn
#option httpchk GET /qsystem/mobile/ HTTP/1.1\r\nHost:\ www
stick on src ipmask(24) table agent
server oas1 10.0.1.127:8080 check inter 5000
server oas2 10.0.1.128:8080 check inter 5000
# central websocket backend
# No "option httpchk", so "check" is a plain TCP connect check.
backend central_ws
balance leastconn
stick on src ipmask(24) table agent
server oas1 10.0.1.127:8787 check inter 5000
server oas2 10.0.1.128:8787 check inter 5000
# calendar backend
# Unlike the other HTTP backends this one has no "stick on", so consecutive
# requests from one client may land on different servers — presumably the
# calendar apps are stateless; confirm if session errors are observed.
backend calendar
balance leastconn
option httpchk GET /calendar-admin/js/main.js HTTP/1.1\r\nHost:\ www
server oas1 10.0.1.127:8080 check inter 5000
server oas2 10.0.1.128:8080 check inter 5000
# bi backend (business intelligence and its style paths)
backend bi
balance leastconn
# health check hits the login page rather than a dedicated ping endpoint
option httpchk GET /businessintelligence/Login HTTP/1.1\r\nHost:\ www
stick on src ipmask(24) table agent
server oas1 10.0.1.127:8080 check inter 5000
server oas2 10.0.1.128:8080 check inter 5000
# comet connections (/cometd/)
backend comet
balance leastconn
# overrides the 30s default from "defaults"; presumably to accommodate
# long-held comet requests — confirm against the client's poll interval
timeout server 120s
option httpchk GET /ping.html HTTP/1.1\r\nHost:\ www
stick on src ipmask(24) table agent
server oas1 10.0.1.127:8080 check inter 5000
server oas2 10.0.1.128:8080 check inter 5000
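# stats interface for monitoring
# Bound to loopback only. The former ":9090" listened on every interface with
# no "stats auth", so anyone who could reach the port could read backend
# addresses, health and session counts. Reach it over SSH/tunnel, or add
# "stats auth" (and preferably TLS) before widening the bind again.
listen stats 127.0.0.1:9090
mode http
no log
stats enable
stats refresh 15s
stats uri /stats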