global
    # Logs go to the process's stdout in raw format (facility local0, level debug).
    # NOTE(review): `daemon` is set as well -- confirm the process is started in
    # a way that keeps stdout attached, otherwise these log lines never reach
    # the log collector.
    log stdout format raw local0 debug

    daemon
    maxconn 256

    # Runtime API socket. No `level` keyword is given, so HAProxy's default
    # command level applies; access is otherwise controlled only by the file
    # mode (660) and by who can reach /haproxy_control -- verify the ownership
    # of that directory.
    stats socket /haproxy_control/stats mode 660
    #server-state-file /tmp/server_state

    # whole container is started as non-root
    #user haproxy
    #group haproxy

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Mozilla Guideline v5.7 intermediate configuration
    # NOTE(review): no bind or server line visible in this template carries the
    # `ssl` keyword (443 and 16443 are TCP pass-through), so these defaults only
    # take effect if a derived template adds TLS termination or re-encryption.
    # The client-facing side disables SSLv3, TLS 1.0, TLS 1.1 and session
    # tickets, and lets the client's cipher order win (prefer-client-ciphers).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Same protocol and cipher floor for connections HAProxy opens to servers.
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # end Mozilla config

    # Size of the Diffie-Hellman parameters used with the DHE-* suites above.
    tune.ssl.default-dh-param 2048

    # Randomise health-check intervals (value is a percentage) so checks do not
    # all fire at the same instant.
    spread-checks 20

defaults
    log global
    mode http

    # NOTE(review): the proxies further down that set `mode tcp` still inherit
    # these HTTP-oriented options. `option forwardfor` only adds
    # X-Forwarded-For in HTTP mode, so the TCP pass-through backends presumably
    # see the load balancer's address as the client -- keep that in mind when
    # correlating backend logs with the logs written here.
    option httplog
    option dontlognull
    option redispatch
    option forwardfor

    # The timeouts look odd on purpose: the recommendation is to keep them
    # slightly above multiples of three seconds so they play nicely with TCP
    # retransmission timers.
    timeout check 5s
    timeout connect 4s
    timeout client 17s
    timeout server 17s
    # Upper bound on how long a client may take to send a complete HTTP request.
    timeout http-request 5s

    # never fail on address resolution: try the libc resolver first and, if
    # that yields nothing, start the server without an address
    default-server init-addr libc,none
    balance roundrobin

frontend LB-http
    # expose stats info over HTTP to exabgp
    # Loopback-only listener: the binding to 127.0.0.1 is the only thing that
    # keeps the statistics page (served by backend LB) off the network.
    bind 127.0.0.1:9000
    # Requests arriving here are not logged.
    http-request set-log-level silent
    default_backend LB

backend LB
    # Statistics page at /haproxy_stats. No `stats auth` is configured and
    # `stats hide-version` is commented out, so the page is unauthenticated and
    # shows the HAProxy version. In this file it is referenced only by the
    # loopback frontend LB-http; any process sharing that network namespace can
    # read it.
    stats enable
    #stats hide-version
    stats uri /haproxy_stats

{% block frontend %}
frontend http-frontend
    # Plain-HTTP entry point on every IPv4 and IPv6 address.
    bind 0.0.0.0:80
    bind :::80

    # There is no ACL on this rule: every request on port 80, not only
    # certificate-issuance traffic, is handed to the __letsencrypt backend.
    use_backend {{site_name}}__letsencrypt

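frontend {{ site_name }}
    # TCP pass-through for port 443: TLS is not terminated here (no `ssl` on
    # the bind lines), so the backend servers own the certificates and the TLS
    # policy for this traffic.
    log stdout format raw local0 debug
    mode tcp
    bind 0.0.0.0:443
    bind :::443

    # `stats` needs an HTTP-mode proxy, so in this `mode tcp` frontend it is
    # expected to have no effect beyond a start-up warning. It is kept disabled
    # so that a later switch to `mode http` cannot publish an unauthenticated
    # statistics page on the public :443 listener by accident.
    #stats enable

    use_backend {{ site_name }}__default
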
frontend {{ site_name }}__16443
    # TCP pass-through for port 16443 on every IPv4 and IPv6 address.
    # NOTE(review): the backend server names contain "k8sc", so this is
    # presumably a Kubernetes API endpoint -- confirm. No source restriction is
    # applied at this layer; authentication is left entirely to the backends.
    # If the API does not need to be reachable from everywhere, consider
    # something like
    #   tcp-request connection reject unless { src -f <ALLOWLIST_FILE> }
    mode tcp
    bind 0.0.0.0:16443
    bind :::16443

    use_backend {{ site_name }}__16443
{% endblock frontend %}

{% block backend %}
backend {{ site_name }}__16443
    # TCP pass-through to port 16443 on three fixed backend addresses, using
    # least-connections balancing.
    # Health check: a probe every second; a server needs 30 consecutive
    # successes to be marked up and 3 consecutive failures to be marked down.
    # The server lines carry neither `ssl` nor `send-proxy`: the bytes are
    # relayed as-is and the backends see the load balancer as the peer.
    mode tcp
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:16443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:16443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:16443 check inter 1s rise 30 fall 3
backend {{ site_name }}__default
    # TCP pass-through to port 443 on the same three backend addresses; TLS is
    # end-to-end between the client and the backend, so nothing is inspected or
    # logged at the HTTP level here.
    # Health check: probe every second, 30 successes to come up, 3 failures to
    # go down.
    mode tcp
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:443 check inter 1s rise 30 fall 3
backend {{ site_name }}__letsencrypt
    # HTTP-mode relay to port 80 on the three backend addresses. This is the
    # only backend in the template running in `mode http`, so it is the only
    # one where the HTTP options inherited from `defaults` apply.
    # Health check: probe every second, 30 successes to come up, 3 failures to
    # go down.
    mode http
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:80 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:80 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:80 check inter 1s rise 30 fall 3
{% endblock backend %}