HAProxy configuration for Raspiberry Pi container cluster SubStack series

docker-compose.yaml

version: "3.9"

services:
  haproxy:
    image: haproxy:lts
    container_name: haproxy
    user: 1000:1000
    ports:
      - 80:8080
      - 443:8443
    restart: unless-stopped
    volumes:
      - /opt/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - /opt/haproxy/certs:/usr/local/etc/haproxy/certs

haproxy.cfg

global
        stats timeout 30s
        maxconn 100
        log stdout format raw local0

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 2000
        timeout client  60000
        timeout server  60000

frontend http
        bind *:8080
        bind *:8443 ssl crt /usr/local/etc/haproxy/certs/sample-app.raspi.vniche.me.pem
        
        option http-server-close
        option forwardfor

        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        http-request redirect scheme https unless { ssl_fc }
        
        # uncomment to enable CORS
        # http-response add-header Access-Control-Allow-Origin "*"
        # http-response add-header Access-Control-Allow-Headers "*"

        # table used to store behaviour of source IPs (type is ip)
        stick-table type ip size 2048k expire 1m store  gpc0,conn_rate(10s),http_req_rate(10s)

        # IPs that have gpc0 > 0 are blocked until the go away for at least 30 seconds
        acl source_is_abuser src_get_gpc0 gt 0
        
        # Instead of redirecting to slowing down backend, we may also reject any request
        #tcp-request connection reject if source_is_abuser

        # connection rate abuses get blocked  (3 requests in 10s, then blocked for
        # 30s)
        acl conn_rate_abuse  sc1_conn_rate gt 20
        acl http_req_rate_abuse  sc1_http_req_rate gt 30
        acl mark_as_abuser   sc1_inc_gpc0  ge 0
        tcp-request connection track-sc1 src
        
        # Same as above, we are nice, we do not reject all request,
        # but these count also as access, so counter is not reset
        #tcp-request connection reject if conn_rate_abuse mark_as_abuser
        use_backend too-many-requests if http_req_rate_abuse mark_as_abuser source_is_abuser
        use_backend too-many-requests if conn_rate_abuse mark_as_abuser source_is_abuser

        acl sample-app-raspi hdr_dom(host) -i sample-app.raspi.vniche.me
        use_backend sample-app-raspi if sample-app-raspi
        default_backend sample-app-raspi

backend too-many-requests
       timeout tarpit 2s
       http-request tarpit

backend sample-app-raspi
        balance leastconn
        
        # uncomment to add an http check to /health path
        # option httpchk HEAD /health
        
        timeout check 1000
        timeout server 5000
        default-server check maxconn 30
        server raspi-0 172.17.0.1:3000