haproxy.cfg
7.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
#HA Proxy Config
global
ulimit-n 500000
maxconn 99999
maxpipes 99999
tune.maxaccept 500
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
timeout tunnel 1h # timeout to use with WebSocket and CONNECT
default-server init-addr none
#enable resolving throught docker dns and avoid crashing if service is down while proxy is starting
resolvers docker_resolver
nameserver dns 127.0.0.11:53
listen stats
bind *:9999
stats enable
stats hide-version
stats uri /stats
stats auth admin:admin@123
listen mqtt-in
bind *:${MQTT_PORT}
mode tcp
stick-table type ip size 60k expire 60s store conn_cur
acl trustlist src -f /config/trustlist.txt
acl blocklist src -f /config/blocklist.txt
tcp-request connection accept if trustlist
tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
tcp-request connection track-sc1 src
option clitcpka # For TCP keep-alive
timeout client 3h
timeout server 3h
option tcplog
balance leastconn
server tbMqtt1 tb-mqtt-transport1:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4
server tbMqtt2 tb-mqtt-transport2:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4
listen edges-rpc-in
bind *:${EDGES_RPC_PORT}
mode tcp
stick-table type ip size 60k expire 60s store conn_cur
acl trustlist src -f /config/trustlist.txt
acl blocklist src -f /config/blocklist.txt
tcp-request connection accept if trustlist
tcp-request connection reject if blocklist or { src_conn_cur ge 5 }
tcp-request connection track-sc1 src
option clitcpka # For TCP keep-alive
timeout client 3h
timeout server 3h
option tcplog
balance leastconn
server tbEdgesRpc1 tb-core1:7070 check inter 5s resolvers docker_resolver resolve-prefer ipv4
server tbEdgesRpc2 tb-core2:7070 check inter 5s resolvers docker_resolver resolve-prefer ipv4
frontend http-in
bind *:${HTTP_PORT} alpn h2,http/1.1
stick-table type ip size 60k expire 60s store conn_cur
acl trustlist src -f /config/trustlist.txt
acl blocklist src -f /config/blocklist.txt
tcp-request connection accept if trustlist
tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
tcp-request connection track-sc1 src
option forwardfor
http-request add-header "X-Forwarded-Proto" "http"
acl transport_http_acl path_beg /api/v1/
acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
acl tb_images_api_acl path_beg /api/images/
acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/ /.well-known/assetlinks.json /.well-known/apple-app-site-association
redirect scheme https if !letsencrypt_http_acl !transport_http_acl { env(FORCE_HTTPS_REDIRECT) -m str true }
use_backend letsencrypt_http if letsencrypt_http_acl
use_backend tb-http-backend if transport_http_acl
use_backend tb-images-api-backend if tb_images_api_acl
use_backend tb-api-backend if tb_api_acl
default_backend tb-web-backend
frontend https_in
bind *:${HTTPS_PORT} ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM alpn h2,http/1.1
stick-table type ip size 60k expire 60s store conn_cur
acl trustlist src -f /config/trustlist.txt
acl blocklist src -f /config/blocklist.txt
tcp-request connection accept if trustlist
tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
tcp-request connection track-sc1 src
option forwardfor
http-request add-header "X-Forwarded-Proto" "https"
acl transport_http_acl path_beg /api/v1/
acl tb_images_api_acl path_beg /api/images/
acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/ /.well-known/assetlinks.json /.well-known/apple-app-site-association
use_backend tb-http-backend if transport_http_acl
use_backend tb-images-api-backend if tb_images_api_acl
use_backend tb-api-backend if tb_api_acl
default_backend tb-web-backend
backend letsencrypt_http
server letsencrypt_http_srv 127.0.0.1:8080
backend tb-web-backend
timeout queue 60s
balance leastconn
option tcp-check
option log-health-checks
server tbWeb1 tb-web-ui1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
server tbWeb2 tb-web-ui2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
http-request set-header X-Forwarded-Port %[dst_port]
backend tb-http-backend
timeout queue 60s
balance leastconn
option tcp-check
option log-health-checks
server tbHttp1 tb-http-transport1:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
server tbHttp2 tb-http-transport2:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
# Dummy backends for a stick-table purpose only.
# There is only one stick-table per proxy. At the moment of writing this doc,
# it does not seem useful to have multiple tables per proxy. If this happens
# to be required, simply create a dummy backend with a stick-table in it and
# reference it
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
backend st_src_rate10s
stick-table type ip size 60k expire 10s store http_req_rate(10s)
backend st_src_rate1m
stick-table type ip size 60k expire 1m store http_req_rate(1m)
backend tb-api-backend
timeout queue 60s
balance source
option tcp-check
option log-health-checks
http-request track-sc0 src table st_src_rate10s
http-request track-sc1 src table st_src_rate1m
acl trustlist src -f /config/trustlist.txt
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !trustlist
http-request deny deny_status 429 if { sc_http_req_rate(1) gt 300 } !trustlist
http-request set-header X-Forwarded-Port %[dst_port]
server tbApi1 tb-core1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
server tbApi2 tb-core2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
# Dummy backends for a stick-table purpose only.
# There is only one stick-table per proxy. At the moment of writing this doc,
# it does not seem useful to have multiple tables per proxy. If this happens
# to be required, simply create a dummy backend with a stick-table in it and
# reference it
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
backend st_images_src_rate10s
stick-table type ip size 60k expire 10s store http_req_rate(10s)
backend st_images_src_rate1m
stick-table type ip size 60k expire 1m store http_req_rate(1m)
backend tb-images-api-backend
timeout queue 60s
balance source
option tcp-check
option log-health-checks
http-request track-sc0 src table st_images_src_rate10s
http-request track-sc1 src table st_images_src_rate1m
acl trustlist src -f /config/trustlist.txt
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 1000 } !trustlist
http-request deny deny_status 429 if { sc_http_req_rate(1) gt 3000 } !trustlist
http-request set-header X-Forwarded-Port %[dst_port]
server tbImagesApi1 tb-core1:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
server tbImagesApi2 tb-core2:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50