Created
December 2, 2019 23:22
-
-
Save haproxytechblog/a76d3eb833015ca3f38e7ac9de0fcc39 to your computer and use it in GitHub Desktop.
HAProxy 2.1 Sample Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This is the ultimate HAProxy 2.0 "Getting Started" config | |
| # It demonstrates many of the features available which are now available | |
| # While you may not need all of these things, this can serve | |
| # as a reference for your own configurations. | |
| # | |
| # Have questions? Check out our community Slack: | |
| # https://slack.haproxy.org/ | |
| # | |
| global | |
| # master-worker required for `program` section | |
| # enable here or start with -Ws | |
| master-worker | |
| mworker-max-reloads 3 | |
| # enable core dumps | |
| set-dumpable | |
| user haproxy | |
| group haproxy | |
| log stdout local0 | |
| stats socket 127.0.0.1:9999 level admin expose-fd listeners | |
| tune.ssl.default-dh-param 2048 | |
| ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS | |
| ssl-default-bind-options no-sslv3 no-tls-tickets | |
| ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS | |
| ssl-default-server-options no-sslv3 no-tls-tickets | |
| # New strict-limits | |
| strict-limits | |
| # New directive to support misconfigured servers | |
| h1-case-adjust cache-control CaChE-CoNtRoL | |
| defaults | |
| mode http | |
| log global | |
| timeout client 5s | |
| timeout server 5s | |
| timeout connect 5s | |
| option redispatch | |
| option httplog | |
| program dataplane-api | |
| command /usr/sbin/haproxy-dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /etc/haproxy/haproxy.cfg --reload-cmd "systemctl reload haproxy" --reload-delay 5 --userlist api | |
| program spoa-mirror | |
| command /usr/sbin/spoa-mirror -r0 -u"http://192.168.1.7/" | |
| program whoami | |
| # Prints username 'haproxy' to logs | |
| command /usr/bin/whoami | |
| # New user and group directives | |
| user haproxy | |
| group haproxy | |
| peers mypeers | |
| bind :10001 ssl crt /etc/haproxy/certs/www.example.com.pem | |
| default-server ssl verify none | |
| server PC #local peer. name must match local server name | |
| table src_tracking type string size 10m store http_req_rate(10s),http_req_cnt | |
| resolvers dns | |
| parse-resolv-conf | |
| resolve_retries 3 | |
| timeout resolve 1s | |
| timeout retry 1s | |
| hold other 30s | |
| hold refused 30s | |
| hold nx 30s | |
| hold timeout 30s | |
| hold valid 10s | |
| hold obsolete 30s | |
| userlist api | |
| user admin password $5$aVnIFECJ$2QYP64eTTXZ1grSjwwdoQxK/AP8kcOflEO1Q5fc.5aA | |
| frontend stats | |
| bind *:8404 | |
| # Enable Prometheus Exporter | |
| http-request use-service prometheus-exporter if { path /metrics } | |
| stats enable | |
| stats uri /stats | |
| stats refresh 10s | |
| frontend fe_main | |
| bind :80 | |
| bind :443 tfo ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1 | |
| # Enable log sampling | |
| # One out of 10 requests would be logged to this source | |
| log 127.0.0.1:10001 sample 1:10 local0 | |
| # For every 11 requests, log requests 2, 3, and 8-11 | |
| log 127.0.0.1:10002 sample 2-3,8-11:11 local0 | |
| # Log profiling data | |
| log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]" | |
| # gRPC path matching | |
| acl is_grpc_codename path /CodenameCreator/KeepGettingCodenames | |
| # Dynamic 'do-resolve' trusted hosts | |
| acl dynamic_hosts req.hdr(Host) api.local admin.local haproxy.com | |
| # Activate Traffic Mirror | |
| filter spoe engine traffic-mirror config mirror.cfg | |
| # Redirect if not SSL | |
| http-request redirect scheme https unless { ssl_fc } | |
| # Enable src tracking | |
| http-request track-sc0 src table mypeers/src_tracking | |
| # Enable rate limiting | |
| # Return 429 Too Many Requests if client averages more than | |
| # 10 requests in 10 seconds. | |
| # (duration defined in stick table in peers section) | |
| http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 } | |
| # Enable local resolving of Host if within dynamic_hosts ACL | |
| # Allows connecting to dynamic IP address specified in Host header | |
| # Useful for DNS split view or split horizon | |
| http-request do-resolve(txn.dstip,dns) hdr(Host),lower if dynamic_hosts | |
| http-request capture var(txn.dstip) len 40 if dynamic_hosts | |
| # return 503 when dynamic_hosts matches but the variable | |
| # txn.dstip is not set which mean DNS resolution error | |
| # otherwise route to be_dynamic | |
| use_backend be_503 if dynamic_hosts !{ var(txn.dstip) -m found } | |
| use_backend be_dynamic if dynamic_hosts | |
| # route to gRPC path | |
| use_backend be_grpc if is_grpc_codename | |
| # Route PHP requests to FastCGI app | |
| use_backend phpapp if { path_end .php } | |
| default_backend be_main | |
| backend be_main | |
| default-server ssl verify none alpn h2 check maxconn 50 | |
| # Enable Power of Two Random Choices Algorithm | |
| balance random(2) | |
| # Enable Layer 7 retries | |
| retry-on all-retryable-errors | |
| retries 3 | |
| # retrying POST requests can be dangerous | |
| # make sure you understand the implications before removing | |
| http-request disable-l7-retry if METH_POST | |
| server server1 192.168.1.13:443 tfo | |
| server server2 192.168.1.14:443 tfo | |
| server server3 192.168.1.15:443 tfo | |
| server server4 192.168.1.16:443 tfo | |
| server server5 192.168.1.17:443 tfo | |
| # New fetch methods: | |
| http-response add-header SERVER_NAME "%[srv_name]" | |
| http-response add-header SERVER_QUEUE "%[srv_queue(server1)]" | |
| http-response add-header UUID "%[uuid]" | |
| # New 'sha2' converter: | |
| # set a value to hash, such as a username | |
| http-response set-var(res.username) str("JOE SMITH") | |
| # create hash with combined username and secret and convert to hexadecimal | |
| http-response set-var(res.checksum) var(res.username),concat("secret"),sha2(256),hex | |
| # Save full cookie header value | |
| http-response set-var(res.cookieval) str(),concat("Username=",res.username,"|"),concat("",res.checksum) | |
| # set cookie. Creates header 'set-cookie: Username=JOE SMITH|4DA485B06BB9D30DF34AC4BB1696BA9DA850DB074727E87C4B05448BD07218DF' | |
| http-response set-header Set-Cookie %[var(res.cookieval)] | |
| backend be_grpc | |
| default-server ssl verify none alpn h2 check maxconn 50 | |
| server grpc1 10.1.0.11:3000 | |
| server grpc2 10.1.0.12:3000 | |
| backend be_dynamic | |
| default-server ssl verify none check maxconn 50 | |
| # rule to prevent HAProxy from reconnecting to services | |
| # on the local network (forged DNS name used to scan the network) | |
| http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 } | |
| http-request set-dst var(txn.dstip) | |
| server dynamic 0.0.0.0:0 | |
| backend spoe-traffic-mirror | |
| mode tcp | |
| balance roundrobin | |
| timeout connect 5s | |
| timeout server 1m | |
| server spoa1 127.0.0.1:12345 | |
| server spoa2 10.1.0.20:12345 | |
| backend be_503 | |
| # dummy backend used to return 503. | |
| # You can use the 'errorfile' directive to send a nice | |
| # 503 error page to end users. | |
| errorfile 503 /etc/haproxy/errorfiles/503sorry.http | |
| # New section for FastCGI | |
| fcgi-app php-fpm | |
| log-stderr global | |
| option keep-conn | |
| docroot /var/www/html | |
| index index.php | |
| path-info ^(/.+\.php)(/.*)?$ | |
| backend phpapp | |
| # User FastCGI | |
| use-fcgi-app php-fpm | |
| server server1 127.0.0.1:9000 proto fcgi | |
| backend wonky_server | |
| # Enable case-sensitive header option | |
| option h1-case-adjust-bogus-server | |
| server server2 127.0.0.1:8081 check |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment