-
Notifications
You must be signed in to change notification settings - Fork 0
/
haproxy.cfg
72 lines (54 loc) · 2.14 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Config ref - https://cbonte.github.io/haproxy-dconv/2.4/configuration.html
# process-wide security and performance tunings
global
log stdout format raw local0
# about 1 GB per 20,000 connections
maxconn 10010
nbthread 2
# apply to all frontend / backend / listen sections that come below
defaults
mode tcp
log global
# default tcp format at https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.2
option tcplog
# long timeout to support connection queueing
timeout client 20s
timeout server 20s
# Radix gossip latency timeout is set to 3 seconds.
# https://discord.com/channels/417762285172555786/818997782966566943/874333617793409124
# The TCP connect has to complete within this time otherwise it's not worth connecting.
timeout connect 3s
# accept requests from clients
frontend gossip_in
bind :30000
maxconn 10000
# 1mil records at ~50 bytes each is ~48MiB
# Track the current connection counts plus the average connection rate over a sliding window
stick-table type ip size 1m expire 60s store conn_cur,conn_rate(60s)
# Allow clean known IPs to bypass the filter while blocking known bad actors
tcp-request connection accept if { src -f /usr/local/etc/haproxy/allowlist.lst }
tcp-request connection silent-drop if { src -f /usr/local/etc/haproxy/denylist.lst }
# Shut the new connection if the client has gone over the allowed connections / rate
tcp-request connection reject if { src_conn_cur ge 30 }
tcp-request connection reject if { src_conn_rate ge 120 } # every half second given the 60s rate measure
tcp-request connection track-sc0 src
default_backend core
# fulfill the requests
backend core
server local "${RADIX_CORE_HOST}:${RADIX_CORE_PORT}" maxconn 2500
# enable stats page
frontend stats
bind ":${STATS_PORT}"
mode http
option httplog
maxconn 10
timeout client 60s
stats enable
stats uri /
stats realm Statistics
stats show-node
stats hide-version
stats refresh 30s
# HAProxy only supports cleartext for the password
# See https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-stats%20auth
stats auth "${STATS_USERNAME}:${STATS_PASSWORD}"