# This file uses golang text templates (http://golang.org/pkg/text/template/) to
# dynamically configure the haproxy loadbalancer. text/template substitutes
# values verbatim (it does no escaping), so every interpolated field below must
# be validated by the renderer before it is written into this configuration.
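global
daemon
# Runtime API socket. Anyone able to connect to it can disable servers, change
# weights, etc. (the default access level is "operator"), so restrict it to the
# owning user instead of inheriting the umask inside world-writable /tmp.
# NOTE(review): this assumes the controller that talks to the socket runs as
# the same user as haproxy — confirm. Moving the path out of /tmp (e.g. to
# /var/run) would be preferable too, but the path is left unchanged here since
# the renderer/controller may reference it.
stats socket /tmp/haproxy mode 600 level operator
# Server state (up/down, weights) lives in /var/state/haproxy/global (the file
# name is relative to server-state-base) and is re-applied on reload through
# load-server-state-from-file in the defaults section. Presumably something
# external dumps it via the stats socket before a reload — confirm.
server-state-file global
server-state-base /var/state/haproxy/
# DH parameters for the DHE-* suites below; the built-in 1.5 default is 1024 bits.
tune.ssl.default-dh-param 2048
{{ if eq .startSyslog "true" }}
# log using a syslog socket
log /var/run/haproxy.log.socket local0 info
log /var/run/haproxy.log.socket local0 notice
{{ else }}
# NOTE(review): .syslogServer is written unescaped; the renderer must ensure it
# is a plain host[:port] value.
log {{ .syslogServer }} local0
{{ end }}
log-send-hostname
{{ if ne .sslCert "" }}
# Default cipher list for TLS binds (appears to be the Mozilla "intermediate"
# list of its time): ECDHE/DHE only, AEAD suites first, CBC-SHA1 and DHE-DSS
# suites still permitted for older clients; NULL, EXPORT, DES, RC4, 3DES, MD5
# and PSK are excluded.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Session tickets are disabled (a long-lived ticket key would undermine the
# forward secrecy of the ECDHE/DHE suites). No protocol floor is set here: the
# :443 bind only disables SSLv3, so TLS 1.0 and 1.1 remain negotiable. Add
# `no-tlsv10 no-tlsv11` once legacy clients are not a requirement.
ssl-default-bind-options no-tls-tickets
{{ end }}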
# Settings inherited by every frontend/backend/listen section below unless a
# section overrides them.
defaults
log global
# Re-apply the server state saved under server-state-file (global section)
# when haproxy starts or reloads.
load-server-state-from-file global
# Enable session redistribution in case of connection failure.
option redispatch
# Disable logging of null connections (haproxy connections like checks).
# This avoids excessive logs from haproxy internals.
option dontlognull
# Enable HTTP connection closing on the server side.
option http-server-close
# Enable insertion of the X-Forwarded-For header to requests sent to
# servers and keep client IP address.
# NOTE(review): forwardfor *appends* a header; a client-supplied
# X-Forwarded-For is passed through ahead of it, so backends must read the
# last value (the one haproxy adds), not the first, or the client IP is
# spoofable. `http-request set-header X-Forwarded-For %[src]` would overwrite
# the header instead if that is preferred.
option forwardfor
# Enable HTTP keep-alive from client to server.
option http-keep-alive
# Clients should send their full http request in 5s.
# This also bounds slow-header (slowloris-style) clients.
timeout http-request 5s
# Maximum time to wait for a connection attempt to a server to succeed.
timeout connect 5s
# Maximum inactivity time on the client side.
# Applies when the client is expected to acknowledge or send data.
timeout client 50s
# Inactivity timeout on the client side for half-closed connections.
# Applies when the client is expected to acknowledge or send data
# while one direction is already shut down.
timeout client-fin 50s
# Maximum inactivity time on the server side.
timeout server 50s
# timeout to use with WebSocket and CONNECT
# (takes over from client/server timeouts once a connection is upgraded)
timeout tunnel 1h
# Maximum allowed time to wait for a new HTTP request to appear.
timeout http-keep-alive 60s
# default traffic mode is http
# mode is overwritten in case of tcp services
mode http
# default default_backend. This allows custom default_backend in frontends
# Requests that no use_backend rule matches end up in default-backend
# (127.0.0.1:8081, see below).
default_backend default-backend
# Catch-all for requests no service ACL matched. There is no `check` on this
# server, so haproxy keeps forwarding even if nothing listens on 8081.
# NOTE(review): what serves 127.0.0.1:8081 is not visible in this file —
# presumably the controller's own default/404 handler; confirm.
backend default-backend
server localhost 127.0.0.1:8081
# haproxy stats, required hostport and firewall rules for :1936
# NOTE(review): the page is served on every interface with no `stats auth`
# (no user/password) and discloses backend names, server addresses and health.
# Access control rests entirely on the hostport/firewall rule mentioned above;
# add `stats auth <user>:<password>` or bind to a management address if that
# rule is not guaranteed. `stats admin` is not enabled, so the page is read-only.
listen stats
bind *:1936
stats enable
# Do not advertise the haproxy version string on the page.
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
{{ if ne .sslCert "" }}
# TLS-terminating frontend, rendered only when a certificate was supplied.
# NOTE(review): .sslCert is placed directly after `ssl`, so the value the
# renderer passes must already carry the `crt <path>` keyword — confirm.
# `no-sslv3` only disables SSLv3; TLS 1.0/1.1 stay negotiable unless
# ssl-default-bind-options in the global section forbids them.
frontend httpsfrontend
mode http
bind :443 ssl {{ .sslCert }} no-sslv3
# HSTS (15768000 seconds = 6 months). Only sent on TLS responses, as the
# header requires; includeSubDomains/preload are not set. rspadd is the
# 1.5-era directive (later versions use http-response set-header).
rspadd Strict-Transport-Security:\ max-age=15768000
# Per-service routing. Within one use_backend line the ACL names are
# space-separated and therefore ANDed; a service with several ACL sets gets
# several use_backend lines, i.e. an OR between sets (first match wins).
# NOTE(review): $acl.Name, $acl.Rule and $svc.Name are written unescaped; a
# newline or `#` in one of them would inject or truncate directives, so the
# renderer must validate them if they derive from user-controlled service
# definitions.
{{range $i, $svc := .services.http}}
# {{ $svc.Name }} priority {{ $svc.Priority }}
{{ range $j, $aclSet := $svc.AclSets }}
{{ range $k, $acl := $aclSet.Set }}acl {{ $acl.Name }} {{ $acl.Rule }}
{{ end }}
use_backend {{ $svc.Name }} if {{ range $k, $acl := $aclSet.Set }}{{ if gt $k 0 }} {{ end }}{{ $acl.Name }}{{ end }}
{{ end }}
{{end}}
{{ end }}
frontend httpfrontend
# Frontend bound on all network interfaces on port 80
bind *:80
# inherit default mode, needs changing for tcp
# forward everything meant for /foo to the foo backend
# default_backend foo
# in case of host header routing it will add a new acl and use an or
# condition to determine the backend to be used
# the style of if/else blocks is meant to preserve the format of the output config file
# The same .services.http ACLs are evaluated here as on the TLS frontend, so
# every service is also reachable over plain HTTP; nothing redirects to https.
# NOTE(review): $acl.Name, $acl.Rule and $svc.Name are written unescaped; the
# renderer must validate them if they derive from user-controlled service
# definitions.
{{range $i, $svc := .services.http}}
# {{ $svc.Name }} priority {{ $svc.Priority }}
{{ range $j, $aclSet := $svc.AclSets }}
{{ range $k, $acl := $aclSet.Set }}acl {{ $acl.Name }} {{ $acl.Rule }}
{{ end }}
use_backend {{ $svc.Name }} if {{ range $k, $acl := $aclSet.Set }}{{ if gt $k 0 }} {{ end }}{{ $acl.Name }}{{ end }}
{{ end }}
{{end}}
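{{range $i, $svc := .services.http}}
{{ if $svc.VirtualHost }}
# Backend for one HTTP service (only services flagged VirtualHost get one).
# NOTE(review): $svc.Name, $svc.Algorithm, $svc.BackendPort and every endpoint
# in $svc.Ep are written unescaped; a newline in any of them would inject
# directives, so the renderer must validate values that can be influenced
# through service definitions.
backend {{$svc.Name}}
option httplog
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
balance {{$svc.Algorithm}}
# TODO: Make the path used to access a service customizable.
# reqrep ^([^\ :]*)\ /{{$svc.Name}}[/]?(.*) \1\ /\2
{{if and $svc.SessionAffinity (not $svc.CookieStickySession)}}
# Source-IP stickiness: up to 100k client addresses, forgotten after 30m of
# inactivity. Clients behind one NAT/proxy all land on the same server.
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#stick-table
stick-table type ip size 100k expire 30m
stick on src
{{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}}
{{end}}
{{else if and $svc.SessionAffinity $svc.CookieStickySession}}
# Cookie stickiness: haproxy inserts SERVERID=s<index> and routes on it.
# `httponly` keeps this routing token away from page scripts. `secure` is not
# set because these backends are also reachable over plain HTTP (port 80).
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-cookie
cookie SERVERID insert indirect nocache httponly
{{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} cookie s{{$j}} check port {{$svc.BackendPort}}
{{end}}
{{else}}
# No affinity. Any other flag combination (e.g. CookieStickySession without
# SessionAffinity) also lands here, so the backend never ends up with no servers.
{{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}}
{{end}}
{{end}}
{{end}}
{{end}}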
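{{range $i, $svc := .services.httpsTerm}}
{{ if $svc.VirtualHost }}
# Backend for a service whose TLS is terminated at haproxy (traffic to the
# endpoints is plain HTTP).
# NOTE(review): neither frontend in this template references
# .services.httpsTerm, so nothing routes here unless the renderer also lists
# these services under .services.http — confirm.
# NOTE(review): $svc.Name, $svc.Algorithm, $svc.BackendPort and every endpoint
# in $svc.Ep are written unescaped; the renderer must validate values that can
# be influenced through service definitions.
backend {{$svc.Name}}
option httplog
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
balance {{$svc.Algorithm}}
{{if ( not $svc.AclMatch )}}
# Rewrite the request back to root from the url that is used for the frontend.
# reqrep ^([^\ :]*)\ /{{$svc.Name}}[/]?(.*) \1\ /\2
{{end}}
{{if and $svc.SessionAffinity (not $svc.CookieStickySession)}}
# Source-IP stickiness: up to 100k client addresses, forgotten after 30m of
# inactivity. Clients behind one NAT/proxy all land on the same server.
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#stick-table
stick-table type ip size 100k expire 30m
stick on src
{{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}}
{{end}}
{{else if and $svc.SessionAffinity $svc.CookieStickySession}}
# Cookie stickiness: haproxy inserts SERVERID=s<index> and routes on it.
# `httponly` keeps this routing token away from page scripts; add `secure`
# once it is confirmed these backends are only reached through the TLS frontend.
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-cookie
cookie SERVERID insert indirect nocache httponly
{{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} cookie s{{$j}} check port {{$svc.BackendPort}}
{{end}}
{{else}}
# No affinity. Any other flag combination (e.g. CookieStickySession without
# SessionAffinity) also lands here, so the backend never ends up with no servers.
{{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}}
{{end}}
{{end}}
{{end}}
{{end}}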