Skip to content

Instantly share code, notes, and snippets.

@roylines

roylines/haproxy.cfg

Last active July 4, 2022 11:19
Show Gist options
  • Save roylines/8350c0c9b7f134c7295b to your computer and use it in GitHub Desktop.
Save roylines/8350c0c9b7f134c7295b to your computer and use it in GitHub Desktop.
Download ZIP
SImple haproxy configuration for microservices. Optional ssl and prerender.io
Raw
haproxy.cfg
global
pidfile /var/run/haproxy.pid
log 127.0.0.1 local0
maxconn 4000
# set default parameters to the intermediate configuration
# tune.ssl.default-dh-param 2048
# ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
log global
timeout http-request 10s # set to low value for slowloris
timeout connect 10s
timeout client 30s
frontend www-http-foo
mode http
bind :80
# bind :443 ssl no-sslv3 crt /etc/haproxy/foo.com.pem crt /etc/haproxy/bar.com.pem
default_backend http-app-foo
# limit number of connections to 50 per user, and no more than 100 open over 3 seconds
stick-table type ip size 5000k expire 30s store conn_cur,conn_rate(3s)
tcp-request connection reject if { src_conn_cur ge 50 }
tcp-request connection reject if { src_conn_rate ge 100 }
tcp-request connection track-sc1 src
# redirect www to no subdomain
redirect prefix http://foo.com code 301 if { hdr(host) -i www.foo.com }
# redirect http to https
# redirect scheme https code 301 if !{ ssl_fc }
# setup statistics
stats enable
stats hide-version
stats uri /haproxy
stats realm Strictly\ Private
stats auth user:password
option httplog
option forwardfor
timeout client 5000
option http-server-close
acl url-microservice-foo path_beg /api/v1/foo
use_backend microservice-foo if url-microservice-foo
acl url-microservice-bar path_beg /api/v1/bar
use_backend microservice-bar if url-microservice-bar
# prerender.io
# acl user-agent-bot hdr_sub(User-Agent) -i baiduspider twitterbot facebookexternalhit rogerbot linkedinbot embedly showyoubot outbrain pinterest slackbot vkShare W3C_Validator
# acl url-asset path_end js css xml less png jpg jpeg gif pdf doc txt ico rss zip mp3 rar exe wmv doc avi ppt mpg mpeg tif wav mov psd ai xls mp4 m4a swf dat dmg iso flv m4v torrent ttf woff
# acl url-escaped-fragment url_sub _escaped_fragment_
# use_backend prerender if user-agent-bot !url-asset
# use_backend prerender if url-escaped-fragment !url-asset
# backend prerender
# mode http
# timeout server 20s
# server prerender service.prerender.io:443 check ssl verify none
# http-request set-header X-Prerender-Token INSERT-PRERENDER-TOKEN-HERE
# reqrep ^([^\ ]*)\ /(.*)$ \1\ /https://foo.com/\2
backend http-app-foo
mode http
timeout server 5s
balance roundrobin
server http-app-foo-1 54.175.222.246:80 check
backend microservice-foo
mode http
timeout server 5s
balance roundrobin
server microservice-foo-1 54.175.222.246:80 check
backend microservice-bar
mode http
timeout server 5s
balance roundrobin
server microservice-bar-1 54.175.222.246:80 check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment