-
Notifications
You must be signed in to change notification settings - Fork 162
/
haproxy.cfg
176 lines (142 loc) · 5.92 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
global
tune.ssl.default-dh-param 1024
# https://github.com/haproxytech/haproxy-lua-cors
lua-load /usr/local/etc/haproxy/cors.lua
# https://www.haproxy.com/blog/introduction-to-haproxy-logging/
log stdout format raw daemon "${LOGLEVEL}"
log stderr format raw daemon "${LOGLEVEL}"
ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
balance roundrobin
default-server init-addr last,libc,none
default-server inter 3s rise 2 fall 3
log global
mode http
option contstats
option dontlognull
option forwardfor
option httplog
timeout client 63s
timeout connect 5s
timeout http-keep-alive 1s
timeout http-request 63s
timeout server 63s
timeout tunnel 3600s
resolvers docker-bridge-resolver
nameserver docker-resolver 127.0.0.11:53
hold valid 0ms
http-errors balena-http-errors
errorfile 400 /etc/haproxy/errors/400.http
errorfile 401 /etc/haproxy/errors/401.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 404 /etc/haproxy/errors/404.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
userlist balena
user balena insecure-password "${BALENA_DEVICE_UUID}"
listen haproxy-stats
bind :::1936 v4v6 ssl crt "${CERT_CHAIN_PATH}" alpn h2,http/1.1
stats auth "balena:${BALENA_DEVICE_UUID}"
stats enable
stats uri /metrics
frontend http
bind :::80 v4v6
default_backend api-backend
errorfiles balena-http-errors
http-request capture req.hdr(Host) len 15
http-response lua.cors
# https://www.haproxy.com/blog/haproxy-log-customization/
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
acl api_dead nbsrv(api-backend) lt 1
acl registry_dead nbsrv(registry-backend) lt 1
acl vpn_dead nbsrv(vpn-backend) lt 1
monitor-uri /health
monitor fail if api_dead registry_dead vpn_dead
acl host-api-backend hdr_beg(host) -i "api."
# default public device URL(s) always go to the API
acl host-pdu-default hdr(host) -m reg -i "\.?([0-9a-f]{32}|${BALENA_DEVICE_UUID})\.(devices|balena-?(.*)-devices)\."
use_backend api-backend if host-api-backend || host-pdu-default
acl host-registry-backend hdr_beg(host) -i "registry2."
http-request add-header X-Forwarded-Proto http if host-registry-backend
use_backend registry-backend if host-registry-backend
acl host-s3-backend hdr_beg(host) -i "s3."
http-request add-header X-Forwarded-Proto http if host-s3-backend
use_backend s3-backend if host-s3-backend
acl host-minio-backend hdr_beg(host) -i "minio."
http-request add-header X-Forwarded-Proto http if host-minio-backend
use_backend minio-backend if host-minio-backend
# routes between OpenVPN, SSL and HTTPS traffic
frontend tcp-router
mode tcp
option tcplog
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
bind :::443 v4v6
tcp-request inspect-delay 2s
tcp-request content accept if { req.ssl_hello_type 1 }
acl is_ssl req.ssl_ver 2:3.4
acl sni-host-tunnel req_ssl_sni -m beg "tunnel."
use_backend redirect-to-tunnel if sni-host-tunnel
# everything else => HTTPS
use_backend redirect-to-https if is_ssl
# or VPN
use_backend vpn-backend if !is_ssl
backend redirect-to-tunnel
mode tcp
server localhost 127.0.0.1:3129 send-proxy-v2
# https://stackoverflow.com/a/39213442/1559300
listen tunnel-backend
mode tcp
option tcplog
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
bind 127.0.0.1:3129 ssl crt "${CERT_CHAIN_PATH}" alpn h2,http/1.1 accept-proxy
server tunnel vpn:3128 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 3128
backend redirect-to-https
mode tcp
server localhost 127.0.0.1:444 send-proxy-v2
frontend https
bind 127.0.0.1:444 ssl crt "${CERT_CHAIN_PATH}" alpn h2,http/1.1 accept-proxy
default_backend api-backend
errorfiles balena-http-errors
http-request add-header X-Forwarded-Proto https
http-request capture req.hdr(Host) len 15
http-response lua.cors
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
acl host-api-backend hdr_beg(host) -i "api."
use_backend api-backend if host-api-backend
acl host-registry-backend hdr_beg(host) -i "registry2."
use_backend registry-backend if host-registry-backend
acl host-s3-backend hdr_beg(host) -i "s3."
use_backend s3-backend if host-s3-backend
acl host-minio-backend hdr_beg(host) -i "minio."
use_backend minio-backend if host-minio-backend
acl host-ca-backend hdr_beg(host) -i "ca."
# only allow CRL requests unauthenticated, protect everything else
acl balena-ca-crl path -i -m beg /api/v1/cfssl/crl
acl balena-ca-auth http_auth(balena)
http-request auth realm balena-ca if host-ca-backend !balena-ca-auth !balena-ca-crl
use_backend ca-backend if host-ca-backend
acl host-ocsp-backend hdr_beg(host) -i "ocsp."
use_backend ocsp-backend if host-ocsp-backend
backend api-backend
server api api:80 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 80
backend registry-backend
server registry registry:80 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 80
backend s3-backend
server s3 s3:80 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 80
# https://github.com/minio/console
backend minio-backend
server s3-console s3:43697 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 43697
backend db-backend
mode tcp
server db db:5432 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 5432
backend redis-backend
mode tcp
server redis redis:6379 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 6379
backend ca-backend
server cfssl-ca balena-ca:8888 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 8888
backend ocsp-backend
server cfssl-ocsp balena-ca:8889 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 8889
backend vpn-backend
mode tcp
server openvpn vpn:443 resolvers docker-bridge-resolver resolve-prefer ipv4 send-proxy-v2 check-send-proxy check port 443