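# ----- global configuration ----- #
# HAProxy configuration rendered by Ansible (Jinja). Indentation is cosmetic
# for HAProxy; sections start at column 0, directives are indented.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon

    # Runtime API socket. "level admin" permits state changes (disabling
    # servers, changing weights), so the socket's ownership and mode are the
    # only access control: mode 660 limits it to the haproxy user/group.
    stats socket {{ haproxy_path_socket }} mode 660 level admin
    stats timeout 30s

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # The cipher list alone does not bound the protocol version: with only
    # no-sslv3 the listener still negotiates TLS 1.0/1.1, so those are
    # disabled here as well.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM

    # Every backend server below is plain :80, so the server-side defaults
    # only take effect if a TLS server line is added later; kept identical to
    # the bind defaults so both sides share one policy.
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM

    # DH parameter size for the DH+ cipher groups above (2048 avoids the
    # weak 1024-bit default).
    tune.ssl.default-dh-param 2048


# ----- default configuration options ----- #
defaults
    mode http
    balance roundrobin
    log global
    option httplog
    # Do not log connections that carried no data (health probes, scanners
    # that connect and close) to keep the log useful.
    option dontlognull
    option http-server-close
    # Append the client address to X-Forwarded-For, except for requests that
    # originate on this host. The header is client-controlled up to the last
    # hop; applications must trust only the entry HAProxy appended.
    option forwardfor except 127.0.0.0/8
    # Retry on another server when the chosen one fails to connect.
    option redispatch
    # Health probe sent to every server that has "check" enabled.
    option httpchk HEAD /haproxy.check HTTP/1.1\r\nHost:localhost

    maxconn 3000
    retries 3

    # http-request bounds how long a client may take to send complete
    # headers, which limits slow-header style resource exhaustion.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s

    # errorfile 400 /etc/haproxy/errors/400.http
    # errorfile 403 /etc/haproxy/errors/403.http
    # errorfile 408 /etc/haproxy/errors/408.http
    # errorfile 500 /etc/haproxy/errors/500.http
    # errorfile 502 /etc/haproxy/errors/502.http
    # errorfile 503 /etc/haproxy/errors/503.http
    # errorfile 504 /etc/haproxy/errors/504.http


# ----- statistics frontend ----- #
listen stats
    # NOTE(review): the stats page listens on every IPv4/IPv6 address and is
    # protected only by a fixed admin:admin credential. Before this host is
    # reachable from an untrusted network, source the credential from a
    # vaulted variable and bind this listener to a management address only.
    bind :::1936 v4v6
    stats enable
    stats uri /
    stats refresh 30s
    # Do not advertise the HAProxy version on the stats page.
    stats hide-version
    stats auth admin:admin


# ----- frontends ----- #
frontend http
    bind :::80 v4v6
    # The TLS listener is only rendered when a certificate source is set;
    # ssl.pem must contain both the certificate chain and the private key.
{% if haproxy_sslcert_src|default(False) %} bind :::443 v4v6 ssl crt /etc/haproxy/ssl.pem
{% endif %}
    mode http

    # Static content is recognised by path prefix or by file extension
    # (case-insensitive) and routed to the static backend.
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .jpeg .gif .png .html .htm .css .js

    use_backend static if url_static
    default_backend dynamic


# ----- backends ----- #
backend static
{% for host in groups['worker'] %}
    # NOTE: in HAProxy everything after an unescaped '#' is a comment, so
    # "check" is NOT applied to these servers and an unhealthy static worker
    # keeps receiving traffic. Remove the '#' to enable the httpchk from
    # defaults once static workers answer /haproxy.check.
    server {{ host }} {{ hostvars[host]['ansible_default_ipv4'].address }}:80 # check
{% endfor %}


backend dynamic
    # set-header (not add-header) overwrites any client-supplied
    # X-Forwarded-Port/X-Forwarded-Proto, so the application sees exactly one
    # value that HAProxy chose rather than a client value followed by ours.
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    # Health-checked workers: probe every 2s, 1s while transitioning, mark
    # down after 3 failures and up again after 2 successes.
{% for host in groups['worker'] %}
    server {{ host }} {{ hostvars[host]['ansible_default_ipv4'].address }}:80 check inter 2s fastinter 1s fall 3 rise 2
{% endfor %}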