@whitetigle
Created April 19, 2018 15:15
Haproxy working config for pouchdb/couchdb + service workers
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # Caveat: the 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) are 64-bit block
    # ciphers (Sweet32) and only exist here for very old clients. Drop them,
    # and add "no-tlsv10 no-tlsv11" to the bind options below, unless you
    # really have to support such clients.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    # Lua applet that answers CORS preflight (OPTIONS) requests. The file must
    # exist and register a service named "cors-response"; otherwise the
    # "http-request use-service lua.cors-response" rule below fails at parse
    # time with "'lua.cors-response' unknown service name".
    lua-load /etc/haproxy/cors.lua

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout tunnel 3600s
    timeout http-keep-alive 1s
    timeout http-request 15s
    timeout queue 30s
    timeout tarpit 60s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Legacy plain-HTTP entry point. CouchDB credentials (Basic auth, AuthSession
# cookies) cross this port in the clear, so bind it to loopback or a trusted
# LAN address, or firewall it, rather than leaving it on *:15984.
frontend oldToCouch
    bind *:15984
    mode http
    #redirect scheme https code 301 if !{ ssl_fc }
    default_backend oldcouchdbs

backend oldcouchdbs
    option httpchk GET /_up
    #http-check disable-on-404
    server couchdb1 127.0.0.1:5984 check inter 5s

frontend http-in
    bind *:443 ssl crt /etc/letsencrypt/full+priv.pem
    default_backend couchdbs
    # "reqadd" is deprecated in HAProxy 2.0 and removed in 2.1;
    # "http-request add-header" is the equivalent on 1.6 and later.
    http-request add-header X-Forwarded-Proto https
    #acl secure dst_port eq 443
    #http-response replace-header Set-Cookie (.*) "\1; Secure" if secure
    #http-response add-header Strict-Transport-Security max-age=31536000 if secure
    #redirect scheme https code 301 if !{ ssl_fc }

    # Add CORS headers when Origin header is present
    #capture request method options len 128
    #http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    #http-response add-header Access-Control-Allow-Methods "GET, HEAD, OPTIONS, POST, PUT" if { capture.req.hdr(0) -m found }
    #http-response add-header Access-Control-Allow-Credentials true if { capture.req.hdr(0) -m found }
    #http-response add-header Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization" if { capture.req.hdr(0) -m found }
    # https://www.meshcloud.io/en/2017/09/21/setting-up-cors-using-haproxy-for-openstack-swift/
    capture request header origin len 128
    # Preflight requests never reach CouchDB; the Lua service answers them.
    #http-request use-service lua.cors-response if METH_OPTIONS { req.hdr(origin) -m found }
    http-request use-service lua.cors-response if METH_OPTIONS
    # CORS headers belong on the response, not on the request forwarded to
    # CouchDB, so this must be an http-response rule. Reflecting the captured
    # Origin lets any website read CouchDB responses; with
    # Access-Control-Allow-Credentials enabled it would also let any page act
    # with the user's CouchDB session, so restrict the ACL to an allow-list of
    # origins before enabling credentials.
    http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    #http-response add-header Access-Control-Allow-Credentials true if { capture.req.hdr(0) -m found }
    # Most X-* names below are OpenStack Swift headers inherited from the
    # article above; CouchDB never sends them, so trimming the list to what
    # CouchDB actually returns (Location, ETag, Www-Authenticate, caching
    # headers) is harmless.
    http-response add-header Access-Control-Expose-Headers "Location, Www-Authenticate, ETag, Expires, Last-Modified, Cache-Control, Content-Type, X-Auth-Token, X-Service-Token, X-Newest, X-Trans-Id-Extra, X-Trans-Id, X-Account-Meta-Temp-URL-Key, X-Account-Meta-Temp-URL-Key-2, X-Timestamp, X-Openstack-Request-Id, X-Account-Bytes-Used, X-Account-Container-Count, X-Account-Object-Count, X-Account-Meta-Quota-Bytes, X-Account-Access-Control, X-Container-Meta-Temp-URL-Key, X-Container-Meta-Temp-URL-Key-2, X-Storage-Policy, X-Container-Object-Count, X-Container-Bytes-Used, X-Container-Meta-Quota-Count, X-Container-Meta-Quota-Bytes, X-Container-Read, X-Container-Write, X-Container-Sync-Key, X-Container-Sync-To, X-Versions-Location, X-History-Location, X-Container-Meta-Access-Control-Allow-Origin, X-Container-Meta-Access-Control-Max-Age, X-Container-Meta-Access-Control-Expose-Headers, X-Remove-Container-Read, X-Remove-Versions-Location, X-Remove-History-Location, X-Object-Manifest, X-Delete-At, X-Static-Large-Object, X-Detect-Content-Type, X-Copy-From, X-Copy-From-Account, X-Delete-After, X-Fresh-Metadata, X-Copied-From-Last-Modified, X-Copied-From, X-Copied-From-Account, X-Container-Meta-Web-Directory-Type"

backend couchdbs
    option httpchk GET /_up
    # Tell CouchDB the original port and scheme (X-Forwarded-Proto is also
    # added unconditionally in the frontend above; one of the two is enough).
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # Force HTTPS: anything that reached this backend without TLS is redirected
    redirect scheme https if !{ ssl_fc }
    server couchdb1 127.0.0.1:5984 check inter 5s
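The config loads /etc/haproxy/cors.lua but the gist does not include that file, and without it HAProxy rejects the `http-request use-service lua.cors-response` rule as an unknown service. Below is an added example of such a file, written for this page and not the gist author's own cors.lua. It follows the pattern the linked meshcloud article uses (an HAProxy Lua HTTP applet registered under the name cors-response) but, instead of echoing whatever Origin arrives, only answers preflights for an allow-list of origins. The origins, the header and method lists, and the 403 refusal are assumptions chosen for a PouchDB client syncing with CouchDB; adjust them for your app.

```lua
-- /etc/haproxy/cors.lua (added example; assumes HAProxy built with Lua, 1.6 or later)
--
-- Loaded by:   lua-load /etc/haproxy/cors.lua
-- Invoked by:  http-request use-service lua.cors-response if METH_OPTIONS
--
-- Answers CORS preflight (OPTIONS) requests in HAProxy so they never reach
-- CouchDB, and refuses them for origins that are not on the allow-list.

-- Origins allowed to talk to CouchDB from a browser (assumed values).
-- Keys are compared byte-for-byte against the Origin header, so scheme,
-- host and port must all match exactly.
local allowed_origins = {
    ["https://app.example.com"] = true,
    ["http://localhost:8080"]   = true,   -- local development only; remove in production
}

-- Request headers PouchDB sends during replication (assumed minimal set).
local allow_headers = "Origin, Accept, X-Requested-With, Content-Type, Authorization"
-- Methods PouchDB uses against CouchDB (assumed).
local allow_methods = "GET, HEAD, OPTIONS, POST, PUT, DELETE"

-- Returns the Origin header value or nil. HAProxy exposes request headers as
-- applet.headers[<lowercase name>], each an array indexed from 0.
local function request_origin(applet)
    local values = applet.headers["origin"]
    if values == nil then
        return nil
    end
    return values[0]
end

-- Sends an empty response with the given status and headers.
local function reply(applet, status, headers)
    applet:set_status(status)
    applet:add_header("Content-Length", "0")
    for name, value in pairs(headers) do
        applet:add_header(name, value)
    end
    applet:start_response()
    applet:send("")
end

core.register_service("cors-response", "http", function(applet)
    local origin = request_origin(applet)

    -- Missing or unknown Origin: refuse the preflight. The browser then blocks
    -- the real request, and no CORS headers are ever emitted for that origin.
    if origin == nil or not allowed_origins[origin] then
        reply(applet, 403, {})
        return
    end

    -- Known origin: echo exactly that origin (never "*" once credentials are
    -- allowed), and tell caches the answer depends on the Origin header.
    reply(applet, 200, {
        ["Access-Control-Allow-Origin"]      = origin,
        ["Vary"]                             = "Origin",
        ["Access-Control-Allow-Credentials"] = "true",
        ["Access-Control-Allow-Methods"]     = allow_methods,
        ["Access-Control-Allow-Headers"]     = allow_headers,
        ["Access-Control-Max-Age"]           = "600",
    })
end)
```

The preflight is only half of CORS: the headers on the actual GET/PUT/POST responses are added by the HAProxy `http-response` rules in the frontend, which reflect the captured Origin for every request. To keep the two halves consistent, guard those rules with the same allow-list, for example `acl allowed_origin req.hdr(origin) -m str https://app.example.com` and `... if allowed_origin`, and only then enable `Access-Control-Allow-Credentials`. Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg`, which now finds the service, and with an OPTIONS request carrying an Origin that is not on the list, which must come back as 403 with no Access-Control-* headers.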
@amadeuspagel
amadeuspagel commented Oct 4, 2020

Tried to use this config file, but got a warning and an error:

~# haproxy -c -f /etc/haproxy/haproxy.cfg
[WARNING] 278/002045 (725725) : parsing [/etc/haproxy/haproxy.cfg:62] : The 'reqadd' directive is deprecated in favor of 'http-request add-header' and will be removed in next version.
[ALERT] 278/002045 (725725) : parsing [/etc/haproxy/haproxy.cfg:78] : error detected in frontend 'http-in' while parsing 'http-request use-service' rule : 'lua.cors-response' unknown service name..
[ALERT] 278/002045 (725725) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg