global
    # Process identity and isolation: the privileged work (binding :80/:443,
    # reading the key material under crt-base) happens before the drop to
    # the unprivileged haproxy user inside the chroot.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Logging via the local syslog socket: everything on local0, notice and
    # above duplicated on local1. With chroot in effect the socket must be
    # reachable from inside /var/lib/haproxy (e.g. a syslog listener at
    # /var/lib/haproxy/dev/log), otherwise logging silently fails.
    log /dev/log local0
    log /dev/log local1 notice

    # Runtime API. "level admin" allows server state changes (enable/disable,
    # weights, map updates), so membership of the haproxy group is effectively
    # an administrative privilege on this node; mode 660 keeps others out.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s

    # Required for the quic4@ bind in fe_https on TLS stacks without a native
    # QUIC API; see the HAProxy documentation for the feature limitations it
    # implies (no 0-RTT among them).
    limited-quic

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # TLS defaults applied to every "bind ... ssl" line.
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # AEAD-only ciphers with forward secrecy, TLS 1.2 minimum, and session
    # tickets disabled so a long-lived ticket key cannot undermine forward
    # secrecy across sessions.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

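defaults
    log global
    mode http
    option httplog
    # Do not log connections that closed without sending any data.
    option dontlognull

    # Timeouts (a value without a unit is milliseconds).
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Bound the time a client may take to deliver a complete request header.
    # Without this directive "timeout client" (50s) applies, which lets a
    # slow-header (slowloris-style) client hold a connection slot for 50s per
    # attempt. Note that idle keep-alive connections also fall under this
    # timeout unless "timeout http-keep-alive" is set explicitly.
    timeout http-request 10s

    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
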
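# Front door: plaintext HTTP for end users.
#
# NOTE(review): this frontend applies the same cache routing as fe_https but
# over cleartext and never redirects to HTTPS. If :80 is only meant for
# ACME challenges or redirects, add
# `http-request redirect scheme https code 301` ahead of the routing rules.
frontend ft_web
    bind :80

    # Forwarding headers. The client-supplied X-Forwarded-For is dropped and
    # X-Forwarded-Proto is overwritten so the backends (which read these for
    # "original client info") cannot be fed a spoofed address or scheme.
    # If a trusted proxy is ever placed in front of HAProxy, replace the
    # del-header with an ACL on that proxy's source address instead.
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto http
    option forwardfor

    # Cache routing acl definitions
    acl static_content path_end .jpg .jpeg .gif .png .css .js .htm .html
    acl pseudo_static path_end .php ! path_beg /dynamic/
    acl image_php path_beg /images.php
    # At least one Varnish node passes its health check.
    acl varnish_available nbsrv(bk_varnish_uri) ge 1

    # Caches health detection + routing decision
    use_backend bk_varnish_uri if varnish_available static_content
    use_backend bk_varnish_uri if varnish_available pseudo_static
    use_backend bk_varnish_url_param if varnish_available image_php

    # Debug headers, switched on per request with ?debug=1 (also true/yes/on).
    # NOTE(review): this is unauthenticated. Any client can learn the backend,
    # server and host names of this node from the headers below. Gate
    # debug_enabled on a trusted source network (an additional `{ src ... }`
    # condition) or remove these rules outside lab use.
    http-request set-var(txn.debug) urlp(debug)
    acl debug_enabled var(txn.debug) -m str -i 1 true yes on
    http-request set-var(txn.http_ver) req.ver
    http-response add-header X-HA-HTTP-Version %[var(txn.http_ver)] if debug_enabled
    # ssl_fc_protocol is empty on this plaintext frontend; kept for parity with fe_https.
    http-response add-header X-HA-TLS-Version %[ssl_fc_protocol] if debug_enabled
    http-response add-header X-HA-Frontend %[fe_name] if debug_enabled
    http-response add-header X-HA-Backend %[be_name] if debug_enabled
    http-response add-header X-HA-Server %[srv_name] if debug_enabled
    # Was a second X-HA-Server header; renamed so the node hostname and the
    # selected server are distinguishable.
    http-response add-header X-HA-Node %[hostname] if debug_enabled
    http-response add-header X-Debug-Client-IP %[src] if debug_enabled
    # A debug response must never be cached and replayed to other clients.
    http-response add-header Cache-Control no-store if debug_enabled

    # dynamic content or all caches are unavailable
    default_backend be_traefik_http
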
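# Front door: public HTTPS (TLS over TCP with h2/http1.1, QUIC/h3 on UDP 443).
frontend fe_https
    mode http
    bind :443 ssl crt {{ haproxy_certs_dir }} alpn h2,http/1.1
    bind quic4@:443 ssl crt {{ haproxy_certs_dir }} alpn h3

    # Forwarding headers so Traefik/apps can know original client info.
    # The client-supplied X-Forwarded-For is dropped first; otherwise
    # "option forwardfor" appends the real address to whatever the client
    # sent and a backend reading the first value can be spoofed. If a
    # trusted proxy is ever placed in front of HAProxy, replace the
    # del-header with an ACL on that proxy's source address instead.
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https
    option forwardfor

    # NOTE(review): no HSTS is emitted. Once every hostname behind this
    # frontend is HTTPS-only, consider
    # `http-response set-header Strict-Transport-Security "max-age=63072000"`.

    # DISABLED: Advertise HTTP3
    # acl is_h2 ssl_fc_alpn -i h2
    # http-response set-header Alt-Svc "h3=\":443\"; ma=900" if is_h2

    # Cache routing acl definitions
    acl static_content path_end .jpg .jpeg .gif .png .css .js .htm .html
    acl pseudo_static path_end .php ! path_beg /dynamic/
    acl image_php path_beg /images.php
    # At least one Varnish node passes its health check.
    acl varnish_available nbsrv(bk_varnish_uri) ge 1

    # Caches health detection + routing decision
    use_backend bk_varnish_uri if varnish_available static_content
    use_backend bk_varnish_uri if varnish_available pseudo_static
    use_backend bk_varnish_url_param if varnish_available image_php

    # Debug headers, switched on per request with ?debug=1 (also true/yes/on).
    # NOTE(review): this is unauthenticated. Any client can learn the backend,
    # server and host names of this node from the headers below. Gate
    # debug_enabled on a trusted source network (an additional `{ src ... }`
    # condition) or remove these rules outside lab use.
    http-request set-var(txn.debug) urlp(debug)
    acl debug_enabled var(txn.debug) -m str -i 1 true yes on
    http-request set-var(txn.http_ver) req.ver
    http-response add-header X-HA-HTTP-Version %[var(txn.http_ver)] if debug_enabled
    http-response add-header X-HA-TLS-Version %[ssl_fc_protocol] if debug_enabled
    http-response add-header X-HA-Frontend %[fe_name] if debug_enabled
    http-response add-header X-HA-Backend %[be_name] if debug_enabled
    http-response add-header X-HA-Server %[srv_name] if debug_enabled
    # Was a second X-HA-Server header; renamed so the node hostname and the
    # selected server are distinguishable.
    http-response add-header X-HA-Node %[hostname] if debug_enabled
    http-response add-header X-Debug-Client-IP %[src] if debug_enabled
    # A debug response must never be cached and replayed to other clients.
    http-response add-header Cache-Control no-store if debug_enabled

    # dynamic content or all caches are unavailable
    default_backend be_traefik_http
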
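# Backend: Traefik VM(s)
backend be_traefik_http
    mode http
    balance roundrobin

    # Health check: Traefik answers 404 for an unknown Host, which still
    # means "alive", so a plain TCP connect check is used. The previous
    # `option httpchk GET /appcheck` / `http-check expect rstring [oO][kK]`
    # lines were overridden by this directive anyway (the last "option"
    # wins) and have been removed so the check described here is the one
    # actually in force.
    option tcp-check

    # Session stickiness. The LB_SERVER cookie value is derived per server
    # from its address and dynamic-cookie-key (the key was already supplied
    # by the template, but "dynamic" was missing and every server line
    # carried the same static value from haproxy_cookie_value, which made
    # the cookie useless for telling servers apart). httponly keeps it out
    # of page scripts; "secure" is deliberately not set because ft_web (:80)
    # also routes here and browsers would drop the cookie on plaintext
    # requests.
    cookie LB_SERVER insert indirect nocache httponly dynamic
    dynamic-cookie-key {{ haproxy_dynamic_cookie_key }}

{% for ip in haproxy_traefik_ip %}
    server traefik{{ loop.index }} {{ ip }}:{{ haproxy_traefik_port }} check
{% endfor %}
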
# VARNISH
# Static-content cache pool. Requests are distributed by hashing the
# request path so each object is cached on a single node instead of being
# duplicated across all of them. Note that `balance uri` hashes the path
# only; the `whole` keyword (available in recent HAProxy versions) must be
# added to include the query string in the hash.
backend bk_varnish_uri
    balance uri
    # Consistent hashing: when a node is added or lost, only the objects
    # that hashed to it move; everything else stays on its current node.
    hash-type consistent

    # Varnish must explicitly report readiness before it receives traffic.
    option httpchk HEAD /varnishcheck
    http-check expect status 200

    # Pass the original client address on to Varnish.
    option forwardfor

{% for ip in haproxy_varnish_ip %}
    server varnish{{ loop.index }} {{ ip }}:{{ haproxy_varnish_port }} check
{% endfor %}

# Cache pool for /images.php, distributed on the value of the "id" URL
# parameter so that each image id is cached on exactly one node.
backend bk_varnish_url_param
    balance url_param id
    # Consistent hashing: a node joining or leaving only moves the ids that
    # hashed to it, the rest keep their node.
    hash-type consistent

    # Pass the original client address on to Varnish.
    option forwardfor

    # Same nodes as bk_varnish_uri; their health state is tracked from there
    # rather than checked a second time.
{% for ip in haproxy_varnish_ip %}
    server varnish{{ loop.index }} {{ ip }}:{{ haproxy_varnish_port }} track bk_varnish_uri/varnish{{ loop.index }}
{% endfor %}

# Frontend: HAProxy prometheus exporter metrics
# NOTE(review): served without authentication. The metrics expose backend
# and server names, health state and traffic volumes, so :8405 should not be
# reachable from the public network; restrict it to the scraper's network
# (firewall, or a bind on a non-public address).
frontend fe_metrics
    mode http
    bind :8405

    # Only /metrics is answered; any other path has no backend and yields a 503.
    http-request use-service prometheus-exporter if { path /metrics }

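# ============================
# HAProxy Stats (metrics UI)
# ============================
listen haproxy_stats
    bind :8404
    mode http

    stats enable
    stats uri /stats
    stats refresh 10s
    # Do not advertise the exact HAProxy version on the page; it only helps
    # fingerprinting.
    stats hide-version
    # No "stats admin" here: the page is read-only. Server state changes go
    # through the admin socket defined in "global".

    # Basic auth, credentials supplied by the template as user:password.
    # NOTE(review): :8404 is plaintext, so these credentials cross the wire
    # in the clear. Keep the port on an internal address/firewalled, or bind
    # it with `ssl crt ...` as fe_https does.
    stats auth {{ haproxy_stats_auth }}

    # Show extra info (handy for debugging)
    stats show-legends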