Created
October 4, 2016 04:13
-
-
Save gnilchee/77a4078ce863e839ddc1cc92dcf7a581 to your computer and use it in GitHub Desktop.
simple configuration with strict https, rate limiting and redispatch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log 127.0.0.1 local0 | |
| log 127.0.0.1 local1 notice | |
| tune.ssl.default-dh-param 2048 | |
| user haproxy | |
| group haproxy | |
| pidfile /var/run/haproxy.pid | |
| stats socket /tmp/haproxy.stats level admin | |
| defaults | |
| mode http | |
| maxconn 500 | |
| balance roundrobin | |
| timeout connect 5s | |
| timeout server 60s | |
| timeout client 15s | |
| timeout http-request 5s | |
| option http-server-close | |
| option forwardfor | |
| option redispatch | |
| option dontlognull | |
| stats enable | |
| stats refresh 30s | |
| stats auth haproxy:password | |
| stats uri /haproxy?stats | |
| stats hide-version | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 429 /etc/haproxy/errors/429.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend ft_www | |
| bind *:443 ssl crt /path/to/file.pem no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | |
| bind *:80 | |
| mode http | |
| reqadd X-Forwarded-Proto:\ https | |
| redirect scheme https if !{ ssl_fc } | |
| acl secure dst_port eq 443 | |
| rspadd Strict-Transport-Security:\ max-age=604800 if secure | |
| stick-table type ip size 1m expire 10s store gpc0,conn_cur | |
| tcp-request connection track-sc1 src | |
| acl abuse src_conn_cur(ft_www) ge 10 | |
| use_backend rate_limiter if abuse | |
| default_backend bk_www | |
| backend bk_www | |
| balance roundrobin | |
| option tcp-check | |
| default-server inter 10s fall 3 rise 2 | |
| server server1 server.domain:8443 ssl verify none check port 8443 maxconn 100 | |
| server server2 server.domain:8444 ssl verify none check port 8444 maxconn 100 | |
| server server3 server.domain:8445 ssl verify none check port 8445 maxconn 100 | |
| server server4 server.domain:8446 ssl verify none check port 8446 maxconn 100 | |
| backend rate_limiter | |
| mode http | |
| errorfile 429 /etc/haproxy/errors/429.http |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment