-
Notifications
You must be signed in to change notification settings - Fork 104
/
haproxy.conf
87 lines (68 loc) · 2.75 KB
/
haproxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
global
tune.ssl.default-dh-param 2048
# NOTE: haproxy can only log to syslog or a unix socket
# needs a syslog daemon !
log localhost local0
defaults
log global
option httplog
mode http
option forwardfor
option http-server-close
timeout connect 5000ms
timeout client 5000ms
timeout server 5000ms
timeout tunnel 120s
stats enable
stats uri /haproxy
stats realm Haproxy\ Statistics
backend static
balance roundrobin
timeout server 15s
server nginx localhost:8080 maxconn 10000 check
backend hub
balance leastconn
cookie SMCSERVERID3 insert nocache
option httpclose
timeout server 20s
option httpchk /alive
server hub localhost:5000 cookie server:localhost:5000 check inter 4000 maxconn 10000
backend proxy
balance leastconn
cookie SMCSERVERID3 insert nocache
option httpclose
timeout server 20s
server proxy localhost:5001 cookie server:localhost:5000 check inter 4000 maxconn 10000
frontend http
bind *:80
# acme request path (for ssl certificates)
acl is_acme path_beg /.well-known/acme-challenge
# permanent redirect to https
redirect scheme https code 301 if !is_acme
# static serve acme request
use_backend static if is_acme
frontend https
bind *:443 ssl crt /run/haproxy.pem no-sslv3
timeout client 120s
# we don't want to show known users the landing page -- hence redirect based on a cookie
acl is_known_user hdr_sub(cookie) has_remember_me=true
acl is_root_url path /
acl is_app capture.req.uri -m beg /app
http-request redirect code 302 location /app if is_root_url is_known_user
# replace "/policies/" with "/static/policies/" at the beginning of any request path.
reqrep ^([^\ :]*)\ /policies/(.*) \1\ /static/policies/\2
# weird detail to know: this only works with the second wildcard match after /app. why?
reqrep ^([^\ :]*)\ /app(.*) \1\ /static/app.html\2
# /app must not be cached
http-response set-header Cache-Control "private, no-cache, max-age=0" if is_app
# replace "/policies/" with "/static/policies/" at the beginning of any request path.
reqrep ^([^\ :]*)\ /policies/(.*) \1\ /static/policies/\2
reqadd X-Forwarded-Proto:\ https
acl is_static path_beg /static
use_backend static if is_static
acl is_hub path_beg /customize /hub /cookies /blobs /api /invoice /upload /alive /auth /stats /registration /projects /help /settings
use_backend hub if is_hub
acl is_proxy path_reg ^/[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}/port
acl is_proxy path_reg ^/[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}/raw
use_backend proxy if is_proxy
default_backend static