-
Notifications
You must be signed in to change notification settings - Fork 0
/
haproxy.cfg.ctmpl
95 lines (87 loc) · 5.6 KB
/
haproxy.cfg.ctmpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
global
daemon
{{range $index, $element := service (env "CONSUL_SYSLOG_NAME") }}
{{if eq $index 0}}log {{.Address}}:{{.Port}} local0{{ end }}
{{else}}
log {{env "LOCAL_SYSLOG"}} local0
{{ end }}
spread-checks {{env "HAPROXY_SPREAD_CHECKS"}}
max-spread-checks {{env "HAPROXY_MAX_SPREAD_CHECKS"}}
maxconn {{env "HAPROXY_MAXCONN_GLOBAL"}}
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
stats socket /var/run/haproxy/socket
server-state-file global
server-state-base /var/state/haproxy/
lua-load /haproxy/getpids.lua
lua-load /haproxy/getconfig.lua
lua-load /haproxy/getmaps.lua
lua-load /haproxy/signalmlb.lua
defaults
log global
option httplog
log-tag haproxy
retries {{env "HAPROXY_RETRIES"}}
backlog {{env "HAPROXY_BACKLOG"}}
maxconn {{env "HAPROXY_MAXCONN"}}
timeout connect {{env "HAPROXY_TIMEOUT_CONNECT"}}
timeout client {{env "HAPROXY_TIMEOUT_CLIENT"}}
timeout server {{env "HAPROXY_TIMEOUT_SERVER"}}
timeout tunnel 3600s
timeout http-keep-alive {{env "HAPROXY_TIMEOUT_HTTP_KEEP_ALIVE"}}
timeout http-request {{env "HAPROXY_TIMEOUT_HTTP_REQUEST"}}
timeout queue {{env "HAPROXY_TIMEOUT_QUEUE"}}
timeout tarpit 60s
option redispatch
option http-server-close
option dontlognull
option contstats
# allow connection multiplexing, NOTE: It should only be used when it's sure that the client can retry a failed request once in a while and where the benefit of aggressive connection reuse significantly outweights the downsides of rare connection failures.
http-reuse aggressive
# The "slowstart" parameter for a server accepts a value in milliseconds which indicates after how long a server which has just come back up will run at full speed.
default-server slowstart 20s
# When this option is set, a server which returns an HTTP code 404 will be excluded from further load-balancing, but will still receive persistent connections
# http-check disable-on-404
listen stats
bind 0.0.0.0:4444
balance
mode http
stats enable
monitor-uri /_haproxy_health_check
acl getpid path /_haproxy_getpids
http-request use-service lua.getpids if getpid
acl getvhostmap path /_haproxy_getvhostmap
http-request use-service lua.getvhostmap if getvhostmap
acl getappmap path /_haproxy_getappmap
http-request use-service lua.getappmap if getappmap
acl getconfig path /_haproxy_getconfig
http-request use-service lua.getconfig if getconfig
acl signalmlbhup path /_mlb_signal/hup
http-request use-service lua.signalmlbhup if signalmlbhup
acl signalmlbusr1 path /_mlb_signal/usr1
http-request use-service lua.signalmlbusr1 if signalmlbusr1
frontend app_http_in
bind *:8080
mode http
{{ range services }}{{ if .Tags | contains "haproxy_enable" }}acl host_{{ .Name }} hdr_dom(Host) -i {{ .Name }}.{{env "HAPROXY_DOM"}}
use_backend {{ .Name }} if host_{{ .Name }}
{{ end }}{{ end }}
{{ range services }}{{ if .Tags | contains "haproxy_enable" }}backend {{ .Name }}{{ $PROTOCOL := "mode http" }}{{ $BALANCE := "balance roundrobin" }}{{ $MAXCONN := "" }}
{{range .Tags}}{{if . | regexMatch "HAPROXY.PROTOCOL=*" }}{{ $PROTOCOL := print "mode " .|replaceAll "HAPROXY.PROTOCOL=" "" }}{{ end }}{{if . | regexMatch "HAPROXY.BALANCE=*" }}{{ $BALANCE := print "balance " .|replaceAll "HAPROXY.BALANCE=" "" }}{{ end }}{{if . | regexMatch "HAPROXY.MAXCONN=*" }}{{ $MAXCONN := print "maxconn " .|replaceAll "HAPROXY.MAXCONN=" "" }}{{ end }}{{end}}
{{ $PROTOCOL }}
{{ $BALANCE }}
{{ $MAXCONN }}
# option httpchk GET /
# http-check expect status 200
option tcp-check
option forwardfor
# health check each 10 seconds, healthy after 2 successes, unhealthy after 1 fails
default-server inter 10s rise 2 fall 1
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
{{ range service .Name "passing" }}server {{ .Address | replaceAll "." "_" }}_{{ .Port}} {{ .Address }}:{{ .Port }} weight {{ key_or_default (print "app/" .Name "/" .Address "/" .Port) "100" }} check
{{ end }}
{{ end }}{{ end }}