haproxy config
sh-4.2$ cat haproxy.config | |
# Process-wide settings: connection ceiling, daemonisation, certificate base
# paths, the admin runtime socket, and the TLS defaults that every `bind ... ssl`
# line further down inherits.
global
    maxconn 20000
    daemon
    # Base directories that relative `ca-file` / `crt` paths resolve against.
    ca-base /etc/ssl
    crt-base /etc/ssl
    # Runtime API socket. `level admin` allows server state to be changed at
    # runtime, so the mode 600 restriction to the owning user is load-bearing.
    stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
    stats timeout 2m
    # Increase the default request size to be comparable to modern cloud load balancers (ALB: 64kb), affects
    # total memory use when large numbers of connections are open.
    tune.maxrewrite 8192
    tune.bufsize 32768
    # Prevent vulnerability to POODLE attacks
    # NOTE(review): only SSLv3 is disabled here; TLS 1.0 and 1.1 stay negotiable
    # unless `no-tlsv10 no-tlsv11` are added — confirm the client population
    # before tightening.
    ssl-default-bind-options no-sslv3
    # The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
    # or the user can provide one using the ROUTER_CIPHERS environment variable.
    # By default when a cipher set is not provided, intermediate is used.
    # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
    # 2048-bit DH parameters for the DHE-* suites in the list below.
    tune.ssl.default-dh-param 2048
    # NOTE(review): the tail of this list still offers 3DES (*-DES-CBC3-SHA) and
    # non-forward-secret AES*-SHA* suites. They are part of the intermediate
    # profile of the time; they are the first candidates to drop once legacy
    # clients no longer need them.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# Defaults inherited by every frontend/backend below: connection limit, the
# custom 503 page, and the timeout budget. No `mode` is set here, so sections
# that do not declare one stay in TCP mode.
defaults
    maxconn 20000
    # Add x-forwarded-for header.
    # (The `option forwardfor` itself is declared per backend further down.)
    # To configure custom default errors, you can either uncomment the
    # line below (server ... 127.0.0.1:8080) and point it to your custom
    # backend service or alternatively, you can send a custom 503 error.
    #
    # server openshift_backend 127.0.0.1:8080
    errorfile 503 /var/lib/haproxy/conf/error-page-503.http
    timeout connect 5s
    timeout client 30s
    # Time allowed for the half-closed (FIN) side of a client/server connection.
    timeout client-fin 1s
    timeout server 30s
    timeout server-fin 1s
    # Bounds how long a client may take to send a complete request header
    # block; this is what limits slow-header connection hoarding.
    timeout http-request 10s
    timeout http-keep-alive 300s
    # Long timeout for WebSocket connections.
    timeout tunnel 1h
# Plain-HTTP entry point on :80. Order matters: the Proxy header is stripped and
# Host is normalised first, then the https-redirect map, then the insecure-expose
# map, then the generic http map, then the default backend.
frontend public
    bind :80
    mode http
    # Wait up to 5s for enough bytes to recognise an HTTP request before accepting.
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # Answered by haproxy itself; requests to this URI never reach a backend.
    monitor-uri /_______internal_router_healthz
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    # check if we need to redirect/force using https.
    # `base` is host+path; the map lookups below are regex matches on it.
    acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found
    redirect scheme https if secure_redirect
    # Check if it is an edge or reencrypt route exposed insecurely.
    acl route_http_expose base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map) -m found
    use_backend %[base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map)] if route_http_expose
    # map to http backend
    # Search from most specific to general path (host case).
    # Note: If no match, haproxy uses the default_backend, no other
    # use_backend directives below this will be processed.
    use_backend be_http:%[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
    default_backend openshift_default
# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
#
# This frontend has no `mode http` (and `defaults` sets none), so it runs in
# TCP mode: it only peeks at the ClientHello for SNI and never decrypts.
frontend public_ssl
    bind :443
    # Wait up to 5s for a TLS ClientHello (hello type 1) before accepting.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
    # for the SNI case, we also need to compare it in case-insensitive mode (by converting it to lowercase) as RFC 4343 says
    acl sni req.ssl_sni -m found
    acl sni_passthrough req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
    # Passthrough: the TLS session is forwarded to the pod untouched; the
    # router neither terminates nor verifies it.
    use_backend be_tcp:%[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
    # if the route is SNI and NOT passthrough enter the termination flow
    use_backend be_sni if sni
    # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
    # will not be able to match a cert to an SNI host
    default_backend be_no_sni
##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.
# Certs will be stored in a directory and will be matched with the SNI host header
# which must exist in the CN of the certificate. Certificates must be concatenated
# as a single file (handled by the plugin writer) per the haproxy documentation.
#
# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted
# traffic
##########################################################################
# Loops the still-encrypted stream back into fe_sni over loopback. `send-proxy`
# prefixes a PROXY-protocol header so fe_sni sees the real client address.
backend be_sni
    server fe_sni 127.0.0.1:10444 weight 1 send-proxy
# Edge termination for SNI connections handed over by be_sni. The certificate
# is chosen per SNI name from the crt-list, with tls.crt as the fallback.
frontend fe_sni
    # terminate ssl on edge
    # NOTE(review): `accept-proxy` trusts the PROXY header from any connection
    # to this loopback port; the bind to 127.0.0.1 is what keeps that trust
    # local to the host.
    bind 127.0.0.1:10444 ssl no-sslv3 crt /etc/pki/tls/private/tls.crt crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
    mode http
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    # check re-encrypt backends first - from most specific to general path.
    acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
    # Search from most specific to general path (host case).
    use_backend be_secure:%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
    # map to http backend
    # Search from most specific to general path (host case).
    # Note: If no match, haproxy uses the default_backend, no other
    # use_backend directives below this will be processed.
    use_backend be_edge_http:%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
    default_backend openshift_default
##########################################################################
# END TLS SNI
##########################################################################
##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can try to do is terminate the encryption
# using our wild card certificate. Once that is complete we can either re-encrypt
# the traffic or pass it on to the backends
##########################################################################
# backend for when sni does not exist, or ssl term needs to happen on the edge
# Same loopback hand-off pattern as be_sni, but into fe_no_sni on port 10443.
backend be_no_sni
    server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy
# Edge termination for connections without SNI. Only the default tls.crt is
# offered (no crt-list), then the same reencrypt/edge routing as fe_sni.
frontend fe_no_sni
    # terminate ssl on edge
    # NOTE(review): as in fe_sni, `accept-proxy` relies on the 127.0.0.1 bind to
    # limit who can supply a PROXY header.
    bind 127.0.0.1:10443 ssl no-sslv3 crt /etc/pki/tls/private/tls.crt accept-proxy
    mode http
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    # check re-encrypt backends first - path or host based.
    acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
    # Search from most specific to general path (host case).
    use_backend be_secure:%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
    # map to http backend
    # Search from most specific to general path (host case).
    # Note: If no match, haproxy uses the default_backend, no other
    # use_backend directives below this will be processed.
    use_backend be_edge_http:%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
    default_backend openshift_default
##########################################################################
# END TLS NO SNI
##########################################################################
# Catch-all backend for unmatched routes. It declares no `server`, so requests
# landing here get the 503 error page configured in `defaults`.
backend openshift_default
    mode http
    option forwardfor
    #option http-keep-alive
    option http-pretend-keepalive
##-------------- app level backends ----------------
# Secure backend which requires re-encryption
# Traffic arrives decrypted from fe_sni/fe_no_sni and is re-encrypted to the
# pod; the pod certificate is verified against the per-route CA bundle.
backend be_secure:default:docker-registry
    mode http
    option redispatch
    # NOTE(review): `forwardfor` appends the client address to any
    # X-Forwarded-For the client already sent; consumers must trust only the
    # last (router-added) entry.
    option forwardfor
    balance leastconn
    timeout check 5000ms
    # The X-Forwarded-* headers are overwritten here, so client-supplied values
    # do not reach the pod; `Forwarded` is derived from the freshly set Proto.
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Sticky-session cookie, marked httponly and secure (this route is TLS-only).
    cookie 172555eec50a0d95563a405b15a8a45f insert indirect nocache httponly secure
    # `ssl verify required ca-file ...`: the upstream certificate must chain to
    # the route's CA; a bad cert fails the connection rather than being ignored.
    server pod:docker-registry-2-ts4qr:docker-registry:10.128.0.99:5000 10.128.0.99:5000 cookie e76873b0fa9b2d6ea3a18ff7e9f5896a weight 100 ssl verify required ca-file /var/lib/haproxy/router/cacerts/default:docker-registry.pem check inter 5000ms
# Secure backend, pass through
# TCP-mode passthrough: the TLS session terminates in the pod, so the router
# cannot inspect or modify requests here. Source-IP consistent hashing keeps a
# client on the same pod. The health check is a plain connect (no check-ssl).
backend be_tcp:default:docker-registry2
    balance source
    hash-type consistent
    timeout check 5000ms
    server pod:docker-registry-2-ts4qr:docker-registry:10.128.0.99:5000 10.128.0.99:5000 weight 100 check inter 5000ms
# Secure backend, pass through
# TCP-mode passthrough for the registry console; TLS ends in the pod, the
# router only balances by source IP (consistent hash) and does L4 health checks.
backend be_tcp:default:registry-console
    balance source
    hash-type consistent
    timeout check 5000ms
    server pod:registry-console-1-tcqgq:registry-console:10.130.0.2:9090 10.130.0.2:9090 weight 100 check inter 5000ms
# Secure backend, pass through
# TCP-mode passthrough for the service-catalog API server on :6443; client TLS
# (and any client-certificate authentication) is handled by the pod itself,
# not by the router.
backend be_tcp:kube-service-catalog:apiserver
    balance source
    hash-type consistent
    timeout check 5000ms
    server pod:apiserver-fxkqv:apiserver:10.128.0.92:6443 10.128.0.92:6443 weight 100 check inter 5000ms
# Plain http backend | |
backend be_http:openshift-ansible-service-broker:asb-1338 | |
mode http | |
option redispatch | |
option forwardfor | |
balance leastconn | |
timeout check 5000ms | |
http-request set-header X-Forwarded-Host %[req.hdr(host)] | |
http-request set-header X-Forwarded-Port %[dst_port] | |
http-request set-header X-Forwarded-Proto http if !{ ssl_fc } | |
http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)] | |
cookie 89a6d633054ded194d4e1360cdc1fbef insert indirect nocache httponly |