| global |
| # chroot /var/empty/ |
| # uid 451 |
| # gid 451 |
| log 192.168.131.214:8514 local4 debug |
| maxconn 8192 |
| |
| defaults |
| timeout connect 3500 |
| timeout queue 11000 |
| timeout tarpit 12000 |
| timeout client 30000 |
| timeout http-request 40000 |
| timeout http-keep-alive 5000 |
| timeout server 40000 |
| timeout check 7000 |
| |
| option contstats |
| option log-health-checks |
| |
| ################################ |
| userlist customer1 |
| group adm users tiger,xdb |
| group dev users scott,tiger |
| group uat users boss,xdb,tiger |
| user scott insecure-password cat |
| user tiger insecure-password dog |
| user xdb insecure-password hello |
| user boss password $6$k6y3o.eP$JlKBx9za966ud67qe45NSQYf8Nw.XFuk8QVRevoLh1XPCQDCBPjcU2JtGBSS0MOQW2PFxHSwRv6J.C0/D7cV91 |
| |
| userlist customer1alt |
| group adm |
| group dev |
| group uat |
| user scott insecure-password cat groups dev |
| user tiger insecure-password dog groups adm,dev,uat |
| user xdb insecure-password hello groups adm,uat |
| user boss password $6$k6y3o.eP$JlKBx9za966ud67qe45NSQYf8Nw.XFuk8QVRevoLh1XPCQDCBPjcU2JtGBSS0MOQW2PFxHSwRv6J.C0/D7cV91 groups uat |
| |
| # Both customer1 and customer1alt userlist are functionally identical |
| |
| frontend c1 |
| bind 127.101.128.1:8080 |
| log global |
| mode http |
| |
| acl host_stats hdr_beg(host) -i stats.local |
| acl host_dev hdr_beg(host) -i dev.local |
| acl host_uat hdr_beg(host) -i uat.local |
| |
| acl auth_uat http_auth_group(customer1) uat |
| |
| # auth for host_uat checked in frontend, use realm "uat" |
| http-request auth realm uat if host_uat !auth_uat |
| |
| use_backend c1stats if host_stats |
| use_backend c1dev if host_dev |
| use_backend c1uat if host_uat |
| |
| backend c1uat |
| mode http |
| log global |
| |
| server s6 192.168.152.206:80 |
| server s7 192.168.152.207:80 |
| |
| backend c1dev |
| mode http |
| log global |
| |
| # require users from customer1 assigned to group dev |
| acl auth_ok http_auth_group(customer1) dev |
| |
| # auth checked in backend, use default realm (c1dev) |
| http-request auth if !auth_ok |
| |
| server s6 192.168.152.206:80 |
| server s7 192.168.152.207:80 |
| |
| backend c1stats |
| mode http |
| log global |
| |
| # stats auth checked in backend, use default realm (Stats) |
| acl nagios src 192.168.126.31 |
| acl guests src 192.168.162.0/24 |
| acl auth_ok http_auth_group(customer1) adm |
| |
| stats enable |
| stats refresh 60 |
| stats uri / |
| stats scope c1 |
| stats scope c1stats |
| |
| # unconditionally deny guests, without checking auth or asking for a username/password |
| stats http-request deny if guests |
| |
| # allow nagios without password, allow authenticated users |
| stats http-request allow if nagios |
| stats http-request allow if auth_ok |
| |
| # ask for a username/password |
| stats http-request auth realm Stats |
| |
| |
| ################################ |
| userlist customer2 |
| user peter insecure-password peter |
| user monica insecure-password monica |
| |
| frontend c2 |
| bind 127.201.128.1:8080 |
| log global |
| mode http |
| |
| acl auth_ok http_auth(customer2) |
| acl host_b1 hdr(host) -i b1.local |
| |
| http-request auth unless auth_ok |
| |
| use_backend c2b1 if host_b1 |
| default_backend c2b0 |
| |
| backend c2b1 |
| mode http |
| log global |
| |
| server s1 192.168.152.201:80 |
| |
| backend c2b0 |
| mode http |
| log global |
| |
| server s1 192.168.152.201:80 |