| Willy Tarreau | 71c5f6d | 2021-05-12 17:42:49 +0200 | [diff] [blame] | 1 | # This configuration creates a classical reverse-proxy and load balancer for |
| 2 | # public services. It presents ports 80 and 443 (with 80 redirecting to 443), |
| 3 | # enables caching up to one hour, and load-balances the service on a farm of |
| 4 | # 4 servers on private IP addresses which are checked using HTTP checks and |
| 5 | # by maintaining stickiness via session cookies. It offloads TLS processing |
| 6 | # and enables HTTP compression. It uses HAProxy 2.4. |
| 7 | |
| 8 | # The global section deals with process-wide settings (security, resource usage) |
| 9 | global |
| 10 | # all file names are relative to the directory containing this config |
| 11 | # file by default |
| 12 | default-path config |
| 13 | |
| 14 | # refuse to start if any warning is emitted at boot (keep configs clean) |
| 15 | zero-warning |
| 16 | |
| 17 | # Security hardening: isolate and drop privileges |
| 18 | chroot /var/empty |
| 19 | user haproxy |
| 20 | group haproxy |
| 21 | |
| 22 | # daemonize |
| 23 | daemon |
| 24 | pidfile /var/run/haproxy-svc1.pid |
| 25 | |
| 26 | # do not keep old processes longer than that after a reload |
| 27 | hard-stop-after 5m |
| 28 | |
| 29 | # The command-line-interface (CLI) used by the admin, by provisionning |
| 30 | # tools, and to transfer sockets during reloads |
| 31 | stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners |
| 32 | stats timeout 1h |
| 33 | |
| 34 | # send logs to stderr for logging via the service manager |
| 35 | log stderr local0 info |
| 36 | |
| 37 | # intermediate security for SSL, from https://ssl-config.mozilla.org/ |
| 38 | ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 |
| 39 | ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 |
| 40 | ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets |
| 41 | |
| 42 | # default settings common to all HTTP proxies below |
| 43 | defaults http |
| 44 | mode http |
| 45 | option httplog |
| 46 | log global |
| 47 | timeout client 1m |
| 48 | timeout server 1m |
| 49 | timeout connect 10s |
| 50 | timeout http-keep-alive 2m |
| 51 | timeout queue 15s |
| 52 | timeout tunnel 4h # for websocket |
| 53 | |
| 54 | # provide a stats page on port 8181 |
| 55 | frontend stats |
| 56 | bind :8181 |
| 57 | # provide advanced stats (ssl, h2, ...) |
| 58 | stats uri / |
| 59 | stats show-modules |
| 60 | # some users may want to protect the access to their stats and/or to |
| 61 | # enable admin mode on the page from local networks |
| 62 | # stats auth admin:mystats |
| 63 | # stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 } |
| 64 | |
| 65 | # First incoming public service. Supports HTTP/1.x and HTTP/2, using HSTS, |
| 66 | # redirects clear to TLS. Uses a dedicated host name for the stats page. |
| 67 | frontend pub1 |
| 68 | bind :80 name clear |
| 69 | bind :443 name secure ssl crt pub1.pem alpn h2,http/1.1 |
| 70 | option socket-stats # provide per-bind line stats |
| 71 | |
| 72 | # set HSTS for one year after all responses |
| 73 | http-after-response set-header Strict-Transport-Security "max-age=31536000" |
| 74 | http-request redirect scheme https code 301 if !{ ssl_fc } |
| 75 | |
| 76 | # silently ignore connect probes and pre-connect without request |
| 77 | option http-ignore-probes |
| 78 | |
| 79 | # pass client's IP address to the server and prevent against attempts |
| 80 | # to inject bad contents |
| 81 | http-request del-header x-forwarded-for |
| 82 | option forwardfor |
| 83 | |
| 84 | # enable HTTP compression of text contents |
| 85 | compression algo deflate gzip |
| 86 | compression type text/ application/javascript application/xhtml+xml image/x-icon |
| 87 | |
| 88 | # enable HTTP caching of any cacheable content |
| 89 | http-request cache-use cache |
| 90 | http-response cache-store cache |
| 91 | |
| 92 | default_backend app1 |
| 93 | |
| 94 | # The cache instance used by the frontend (200MB, 10MB max object, 1 hour max) |
| 95 | # May be consulted using "show cache" on the CLI socket |
| 96 | cache cache |
| 97 | total-max-size 200 # RAM cache size in megabytes |
| 98 | max-object-size 10485760 # max cacheable object size in bytes |
| 99 | max-age 3600 # max cache duration in seconds |
| 100 | process-vary on # handle the Vary header (otherwise don't cache) |
| 101 | |
| 102 | # First application |
| 103 | backend app1 |
| 104 | # Algorithm: |
| 105 | # - roundrobin is usually better for short requests, |
| 106 | # - leastconn is better for mixed slow ones, and long transfers, |
| 107 | # - random is generally good when using multiple load balancers |
| 108 | balance random |
| 109 | |
| 110 | # abort if the client clicks on stop. |
| 111 | option abortonclose |
| 112 | |
| 113 | # insert a session cookie for user stickiness |
| 114 | cookie app1 insert indirect nocache |
| 115 | |
| 116 | # check the servers' health using HTTP requests |
| 117 | option httpchk |
| 118 | http-check send meth GET uri / ver HTTP/1.1 hdr host svc1.example.com |
| 119 | |
| 120 | # do not overload the servers (100 concurrent conns max each) |
| 121 | server srv1 192.0.2.1:80 cookie s1 maxconn 100 check inter 1s |
| 122 | server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s |
| 123 | server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s |
| 124 | server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s |