examples/basic-config-edge.cfg - haproxy - Gitiles

 # This configuration creates a classical reverse-proxy and load balancer for
 # public services. It presents ports 80 and 443 (with 80 redirecting to 443),
 # enables caching up to one hour, and load-balances the service on a farm of
 # 4 servers on private IP addresses which are checked using HTTP checks and
 # by maintaining stickiness via session cookies. It offloads TLS processing
 # and enables HTTP compression. It uses HAProxy 2.4.

 # The global section deals with process-wide settings (security, resource usage)
 global
 	# all file names are relative to the directory containing this config
 	# file by default
 	default-path config

 	# refuse to start if any warning is emitted at boot (keep configs clean)
 	zero-warning

 	# Security hardening: isolate and drop privileges
 	chroot /var/empty
 	user haproxy
 	group haproxy

 	# daemonize
 	daemon
 	pidfile /var/run/haproxy-svc1.pid

 	# do not keep old processes longer than that after a reload
 	hard-stop-after 5m

 	# The command-line-interface (CLI) used by the admin, by provisionning
 	# tools, and to transfer sockets during reloads
 	stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
 	stats timeout 1h

 	# send logs to stderr for logging via the service manager
 	log stderr local0 info

 	# intermediate security for SSL, from https://ssl-config.mozilla.org/
 	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 	ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

 # default settings common to all HTTP proxies below
 defaults http
 	mode http
 	option httplog
 	log global
 	timeout client 1m
 	timeout server 1m
 	timeout connect 10s
 	timeout http-keep-alive 2m
 	timeout queue 15s
 	timeout tunnel 4h  # for websocket

 # provide a stats page on port 8181
 frontend stats
 	bind :8181
 	# provide advanced stats (ssl, h2, ...)
 	stats uri /
 	stats show-modules
 	# some users may want to protect the access to their stats and/or to
 	# enable admin mode on the page from local networks
 	#  stats auth admin:mystats
 	#  stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 }

 # First incoming public service. Supports HTTP/1.x and HTTP/2, using HSTS,
 # redirects clear to TLS. Uses a dedicated host name for the stats page.
 frontend pub1
 	bind :80 name clear
 	bind :443 name secure ssl crt pub1.pem alpn h2,http/1.1
 	option socket-stats  # provide per-bind line stats

 	# set HSTS for one year after all responses
 	http-after-response set-header Strict-Transport-Security "max-age=31536000"
 	http-request redirect scheme https code 301 if !{ ssl_fc }

 	# silently ignore connect probes and pre-connect without request
 	option http-ignore-probes

 	# pass client's IP address to the server and prevent against attempts
 	# to inject bad contents
 	http-request del-header x-forwarded-for
 	option forwardfor

 	# enable HTTP compression of text contents
 	compression algo deflate gzip
 	compression type text/ application/javascript application/xhtml+xml image/x-icon

 	# enable HTTP caching of any cacheable content
         http-request  cache-use cache
         http-response cache-store cache

 	default_backend app1

 # The cache instance used by the frontend (200MB, 10MB max object, 1 hour max)
 # May be consulted using "show cache" on the CLI socket
 cache cache
 	total-max-size 200        # RAM cache size in megabytes
 	max-object-size 10485760  # max cacheable object size in bytes
 	max-age 3600              # max cache duration in seconds
 	process-vary on           # handle the Vary header (otherwise don't cache)

 # First application
 backend app1
 	# Algorithm:
 	#  - roundrobin is usually better for short requests,
 	#  - leastconn is better for mixed slow ones, and long transfers,
 	#  - random is generally good when using multiple load balancers
 	balance random

 	# abort if the client clicks on stop.
 	option abortonclose

 	# insert a session cookie for user stickiness
 	cookie app1 insert indirect nocache

 	# check the servers' health using HTTP requests
 	option httpchk
 	http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com

 	# do not overload the servers (100 concurrent conns max each)
 	server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s
 	server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s
 	server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s
 	server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s
	# This configuration creates a classical reverse-proxy and load balancer for
	# public services. It presents ports 80 and 443 (with 80 redirecting to 443),
	# enables caching up to one hour, and load-balances the service on a farm of
	# 4 servers on private IP addresses which are checked using HTTP checks and
	# by maintaining stickiness via session cookies. It offloads TLS processing
	# and enables HTTP compression. It uses HAProxy 2.4.

	# The global section deals with process-wide settings (security, resource usage)
	global
	# all file names are relative to the directory containing this config
	# file by default
	default-path config

	# refuse to start if any warning is emitted at boot (keep configs clean)
	zero-warning

	# Security hardening: isolate and drop privileges
	chroot /var/empty
	user haproxy
	group haproxy

	# daemonize
	daemon
	pidfile /var/run/haproxy-svc1.pid

	# do not keep old processes longer than that after a reload
	hard-stop-after 5m

	# The command-line-interface (CLI) used by the admin, by provisionning
	# tools, and to transfer sockets during reloads
	stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
	stats timeout 1h

	# send logs to stderr for logging via the service manager
	log stderr local0 info

	# intermediate security for SSL, from https://ssl-config.mozilla.org/
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

	# default settings common to all HTTP proxies below
	defaults http
	mode http
	option httplog
	log global
	timeout client 1m
	timeout server 1m
	timeout connect 10s
	timeout http-keep-alive 2m
	timeout queue 15s
	timeout tunnel 4h # for websocket

	# provide a stats page on port 8181
	frontend stats
	bind :8181
	# provide advanced stats (ssl, h2, ...)
	stats uri /
	stats show-modules
	# some users may want to protect the access to their stats and/or to
	# enable admin mode on the page from local networks
	# stats auth admin:mystats
	# stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 }

	# First incoming public service. Supports HTTP/1.x and HTTP/2, using HSTS,
	# redirects clear to TLS. Uses a dedicated host name for the stats page.
	frontend pub1
	bind :80 name clear
	bind :443 name secure ssl crt pub1.pem alpn h2,http/1.1
	option socket-stats # provide per-bind line stats

	# set HSTS for one year after all responses
	http-after-response set-header Strict-Transport-Security "max-age=31536000"
	http-request redirect scheme https code 301 if !{ ssl_fc }

	# silently ignore connect probes and pre-connect without request
	option http-ignore-probes

	# pass client's IP address to the server and prevent against attempts
	# to inject bad contents
	http-request del-header x-forwarded-for
	option forwardfor

	# enable HTTP compression of text contents
	compression algo deflate gzip
	compression type text/ application/javascript application/xhtml+xml image/x-icon

	# enable HTTP caching of any cacheable content
	http-request cache-use cache
	http-response cache-store cache

	default_backend app1

	# The cache instance used by the frontend (200MB, 10MB max object, 1 hour max)
	# May be consulted using "show cache" on the CLI socket
	cache cache
	total-max-size 200 # RAM cache size in megabytes
	max-object-size 10485760 # max cacheable object size in bytes
	max-age 3600 # max cache duration in seconds
	process-vary on # handle the Vary header (otherwise don't cache)

	# First application
	backend app1
	# Algorithm:
	# - roundrobin is usually better for short requests,
	# - leastconn is better for mixed slow ones, and long transfers,
	# - random is generally good when using multiple load balancers
	balance random

	# abort if the client clicks on stop.
	option abortonclose

	# insert a session cookie for user stickiness
	cookie app1 insert indirect nocache

	# check the servers' health using HTTP requests
	option httpchk
	http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com

	# do not overload the servers (100 concurrent conns max each)
	server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s
	server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s
	server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s
	server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s