#
# Serve ACME certificate validation challenges and act as an
# SSL reverse-proxy for an arbitrary backend service.
#
global
# Works around a breaking change in docker 23+ by pinning the old docker default
fd-hard-limit 1048576
# Container-friendly logging to stdout; the level comes from the environment
log stdout format raw local0 "${PROXY_LOGLEVEL}"
# ACME http-01 responder used by the plaintext frontend
lua-load /etc/haproxy/lua/haproxy-acme-validation-plugin-0.1.1/acme-http01-webroot.lua
# TLS policy shared by every `bind ... ssl` line below:
#  - floor at TLS 1.2; the client's cipher preference order wins
ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers
#  - TLS 1.2 and below: ECDHE-only suites (forward secrecy), MD5-MAC suites excluded
ssl-default-bind-ciphers ECDHE+CHACHA20:ECDHE+AES128:ECDHE+AES256:!MD5
#  - TLS 1.3: the three standard AEAD suites
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#  - DH parameter size; the list above is ECDHE-only, so this is belt-and-braces for any DHE fallback
tune.ssl.default-dh-param 4096
defaults
mode http
log global
log-format "%T %ft %ci:%cp %s %TR/%Tw/%Tc/%Tr/%Ta %{+Q}r %ST %ac/%fc/%bc/%sc/%rc %sq/%bq"
# Servers are resolved at runtime through the docker resolver, so an address that does
# not resolve at startup must never abort the config load
default-server init-addr none
# Timeouts: ordinary HTTP exchanges are bounded at 60s per side; tunnel-mode
# connections (websocket/CONNECT style) may stay open for 12h
timeout client 60s
timeout server 60s
timeout connect 30s
timeout tunnel 720m
resolvers docker_resolver
# Docker's embedded DNS, so service names on the server lines are re-resolved at runtime
nameserver dns 127.0.0.11:53
frontend stats
# Operational endpoints: HAProxy stats page and Prometheus metrics.
# Listens on every interface; nothing in this section restricts who may connect.
bind *:8404
http-request use-service prometheus-exporter if { path /metrics }
# NOTE(review): no `stats auth` or source ACL is configured here, so /stats and
# /metrics are readable by anyone who can reach port 8404 — confirm the port is
# only published on the internal/management network.
stats enable
stats uri /stats
stats refresh 10s
frontend http
# Plaintext listener: only ACME challenges and the docker health check are answered
# here; everything else is redirected to https.
bind *:80
# Serve certificate validation challenges directly with Lua plugin (GET only)
acl url_acme_http01 path_beg /.well-known/acme-challenge/
http-request use-service lua.acme-http01 if METH_GET url_acme_http01
# Static health endpoint for docker healthcheck (don't log it)
acl url_docker_health path /docker-health
http-request set-log-level silent if url_docker_health
http-request return status 200 if url_docker_health
# Redirect all other http requests to https (301, so clients cache it)
# NOTE(review): a non-GET request to the ACME path is neither served nor redirected
# and falls through with no backend defined in this frontend — presumably a 503; harmless, but verify.
redirect scheme https code 301 if !url_acme_http01 !url_docker_health
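frontend https
# TLS-terminating HTTP entry point; routes to keycloak, sish (optional) or the manager.
bind *:443 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
# Optional: redirects for root requests with certain host names to service paths
acl is_root path -i /
# NOTE(review): each block below is guarded on *_TARGET only; if the matching *_NAME is
# unset the acl gets an empty pattern — confirm both variables are always set together.
# NOTE(review): the location uses bare `env(...)`, which is neither the `${...}` parse-time
# form nor the `%[env(...)]` log-format form; confirm it is expanded as intended.
.if defined(PROXY_HOST_REDIRECT_1_TARGET)
acl is_redirect_1 hdr(host) -i ${PROXY_HOST_REDIRECT_1_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_1_TARGET) if is_root is_redirect_1
.endif
.if defined(PROXY_HOST_REDIRECT_2_TARGET)
acl is_redirect_2 hdr(host) -i ${PROXY_HOST_REDIRECT_2_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_2_TARGET) if is_root is_redirect_2
.endif
.if defined(PROXY_HOST_REDIRECT_3_TARGET)
acl is_redirect_3 hdr(host) -i ${PROXY_HOST_REDIRECT_3_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_3_TARGET) if is_root is_redirect_3
.endif
.if defined(PROXY_HOST_REDIRECT_4_TARGET)
acl is_redirect_4 hdr(host) -i ${PROXY_HOST_REDIRECT_4_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_4_TARGET) if is_root is_redirect_4
.endif
.if defined(PROXY_HOST_REDIRECT_5_TARGET)
acl is_redirect_5 hdr(host) -i ${PROXY_HOST_REDIRECT_5_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_5_TARGET) if is_root is_redirect_5
.endif
.if defined(PROXY_HOST_REDIRECT_6_TARGET)
acl is_redirect_6 hdr(host) -i ${PROXY_HOST_REDIRECT_6_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_6_TARGET) if is_root is_redirect_6
.endif
.if defined(PROXY_HOST_REDIRECT_7_TARGET)
acl is_redirect_7 hdr(host) -i ${PROXY_HOST_REDIRECT_7_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_7_TARGET) if is_root is_redirect_7
.endif
.if defined(PROXY_HOST_REDIRECT_8_TARGET)
acl is_redirect_8 hdr(host) -i ${PROXY_HOST_REDIRECT_8_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_8_TARGET) if is_root is_redirect_8
.endif
.if defined(PROXY_HOST_REDIRECT_9_TARGET)
acl is_redirect_9 hdr(host) -i ${PROXY_HOST_REDIRECT_9_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_9_TARGET) if is_root is_redirect_9
.endif
.if defined(PROXY_HOST_REDIRECT_10_TARGET)
acl is_redirect_10 hdr(host) -i ${PROXY_HOST_REDIRECT_10_NAME}
http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_10_TARGET) if is_root is_redirect_10
.endif
# Forwarding headers for the backends. set-header replaces any value the client
# supplied, so a request cannot carry its own X-Forwarded-Proto/Port through the
# proxy (add-header kept the client's copy alongside ours and left it to the
# backend to pick the right one).
option forwardfor
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
# NOTE(review): option forwardfor appends the client address to X-Forwarded-For rather
# than replacing a client-supplied one; backends should trust only the last entry.
# Enforce HSTS (~6 months; no includeSubDomains/preload, so only this host is pinned)
http-response add-header Strict-Transport-Security max-age=15768000
# Block bot indexing
http-response add-header X-Robots-Tag noindex
# Gateway tunnelling config: gw-* host names go to the sish backend when it is configured
.if defined(SISH_HOST) && defined(SISH_PORT)
acl gateway_sub_domain hdr_beg(host) gw-
use_backend sish if gateway_sub_domain
.endif
# /auth is the identity provider; everything else is the manager
acl auth path_beg /auth
use_backend keycloak_backend if auth
use_backend manager_backend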
listen mqtt
# TLS-terminating TCP proxy for MQTT over TLS (8883) to the manager's MQTT port
bind *:8883 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
mode tcp
.if defined(MQTT_RATE_LIMIT)
# Rate limiting. fe_sess_rate is the whole frontend's session-creation rate, not a
# per-source rate: once the aggregate crosses the limit every new connection is
# rejected, so one noisy client can push the rest over it. A per-source limit
# (stick-table keyed on src) would isolate clients from each other — consider it.
acl too_fast fe_sess_rate ge "${MQTT_RATE_LIMIT}"
tcp-request connection reject if too_fast
.endif
# Use this to avoid losing the connection when a client has subscribed to a topic and is idle for some time
option clitcpka # For TCP keep-alive
timeout client 3h # By default the TCP keep-alive interval is 2 hours in the OS kernel, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'
timeout server 3h # By default the TCP keep-alive interval is 2 hours in the OS kernel
# Log early rather than at close, so long-lived sessions show up in the logs immediately
option logasap
log-format "%T %ft CLIENT=%ci:%cp BACKEND=%bi:%bp %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
balance leastconn
# No `ssl` on the server line: traffic to the manager is plaintext after termination here
server manager "${MANAGER_HOST}":"${MANAGER_MQTT_PORT}" resolvers docker_resolver
backend manager_backend
# Default backend of frontend https; plaintext to the manager (no `ssl` on the server line)
server manager "${MANAGER_HOST}":"${MANAGER_WEB_PORT}" resolvers docker_resolver
backend keycloak_backend
# Selected from frontend https for /auth*; plaintext to keycloak (no `ssl` on the server line)
server keycloak "${KEYCLOAK_HOST}":"${KEYCLOAK_PORT}" resolvers docker_resolver
# Gateway tunnelling config (only defined when both SISH variables are set, matching
# the guard on the use_backend rule in frontend https)
.if defined(SISH_HOST) && defined(SISH_PORT)
backend sish
# Selected from frontend https for gw-* host names; plaintext to sish (no `ssl` on the server line)
server sish "${SISH_HOST}":"${SISH_PORT}" resolvers docker_resolver
.endif