# Process-wide settings. The ssl-default-* lines only take effect on listeners
# that carry the `ssl` keyword; none of the binds in this file do (TLS is passed
# through to the backend nodes), so they are inert defaults kept for future use.
global
    log stdout format raw local0 debug
    # NOTE(review): `daemon` forks into the background; in a container the
    # entrypoint presumably overrides this (e.g. with -W/-db) — confirm.
    daemon
    maxconn 256
    # Runtime API socket; group-writable so a sidecar in the same group can
    # drive it. No `level` is given, so the default level applies — verify it
    # is not wider than the consumer needs.
    stats socket /haproxy_control/stats mode 660
    #server-state-file /tmp/server_state
    # whole container is started as non-root
    #user haproxy
    #group haproxy
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Mozilla Guideline v5.7 intermediate configuration
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # No TLS < 1.2 and no session tickets (tickets would weaken forward secrecy
    # unless the ticket keys are rotated).
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # end Mozilla config
    tune.ssl.default-dh-param 2048
    # Spread health checks by up to 20% to avoid hitting all backends in lockstep.
    spread-checks 20

# Inherited by every frontend/backend below unless overridden. The http-only
# options (httplog, forwardfor) have no effect on the `mode tcp` sections that
# override `mode`; HAProxy logs a warning and ignores/falls back for those.
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    option forwardfor
    # funny looking values because recommendation is to have these slightly
    # above multiples of three seconds to play nice with TCP resend timers
    timeout check 5s
    timeout connect 4s
    timeout client 17s
    timeout server 17s
    # Bounds how long a client may take to send a complete request header
    # (limits slow-header style resource exhaustion on the http listeners).
    timeout http-request 5s
    # never fail on address resolution
    default-server init-addr libc,none
    balance roundrobin

# Local-only stats listener; reachable solely from the loopback interface.
frontend LB-http
    # expose stats info over HTTP to exabgp
    bind 127.0.0.1:9000
    http-request set-log-level silent
    default_backend LB

# Backend that only serves the stats page; it has no servers, so any path other
# than the stats uri gets a 503.
backend LB
    stats enable
    # NOTE(review): left commented, so the HTML stats page reports the HAProxy
    # version. Low risk while the listener is loopback-only; enable it if the
    # exabgp consumer does not depend on the version string.
    #stats hide-version
    stats uri /haproxy_stats

{% block frontend %}
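# Plain-HTTP listener on :80. Despite the backend name, every request on this
# port is forwarded to the nodes, not only /.well-known/acme-challenge/ —
# presumably the nodes themselves redirect non-ACME traffic to HTTPS; verify.
frontend http-frontend
    mode http
    bind 0.0.0.0:80
    bind :::80
    use_backend {{site_name}}__letsencrypt

# TLS passthrough on :443. HAProxy never terminates TLS here (no `ssl` on the
# bind), so it cannot inspect or log HTTP, and the backend nodes see the load
# balancer's address as the client source (no send-proxy, and forwardfor is
# http-only). `option tcplog` is stated explicitly: the inherited httplog is
# not usable in tcp mode and HAProxy would only fall back to tcplog with a
# warning. The former `stats enable` was dropped: it is ignored in tcp mode,
# and would have exposed the stats page on the public :443 bind had the mode
# ever been switched to http.
frontend {{ site_name }}
    log stdout format raw local0 debug
    mode tcp
    option tcplog
    bind 0.0.0.0:443
    bind :::443
    use_backend {{ site_name }}__default

# TCP passthrough for the Kubernetes API port. This exposes the cluster API
# on every interface; access control is expected to happen at the API server
# (authn/authz) and/or network level — confirm that is the intent.
frontend {{ site_name }}__16443
    mode tcp
    option tcplog
    bind 0.0.0.0:16443
    bind :::16443
    use_backend {{ site_name }}__16443
{% endblock frontend %}

{% block backend %}
# Health checks below carry no `option httpchk`, so they are plain TCP connect
# checks: a node is removed after ~3 s of failed connects (fall 3, inter 1s)
# and only re-added after ~30 s of consecutive successes (rise 30).
backend {{ site_name }}__16443
    mode tcp
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:16443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:16443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:16443 check inter 1s rise 30 fall 3

backend {{ site_name }}__default
    mode tcp
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:443 check inter 1s rise 30 fall 3

# http-mode backend for :80; inherits `option forwardfor`, so the nodes receive
# X-Forwarded-For here (unlike on the tcp backends above).
backend {{ site_name }}__letsencrypt
    mode http
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:80 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:80 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:80 check inter 1s rise 30 fall 3
{% endblock backend %}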