sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
cdn-ops/global/overlay/etc/puppet/modules/cdn/templates/cache/haproxy.cfg.erb

64 lines
2.6 KiB
Plaintext
Raw Blame History

global
log stdout format raw local0 debug
stats socket /shared/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend customer
bind <%= @cache_secrets['customers'][@customer]['ip4'] %>:80
bind <%= @cache_secrets['customers'][@customer]['ip6'] %>:80
bind <%= @cache_secrets['customers'][@customer]['ip4'] %>:443 ssl crt /certs-private/combined.pem
bind <%= @cache_secrets['customers'][@customer]['ip6'] %>:443 ssl crt /certs-private/combined.pem
default_backend varnish
backend varnish
server varnish /shared/varnish.sock send-proxy-v2 proxy-v2-options ssl
# https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy
listen haproxy_https
mode tcp
option tcplog
maxconn 1000
bind /shared/haproxy_https accept-proxy mode 640
stick-table type ip size 100
stick on dst
<% @cache_secrets['customers'][@customer]['origins'].each_with_index do |origin, index| -%>
server s<%= index %> <%= origin %>:443 ssl ca-file /etc/ssl/certs/ca-certificates.crt alpn http/1.1 sni fc_pp_authority
<% end -%>
# While varnish could recach out to HTTP backends itself, lets stick to one
# place (haproxy) for dealing with loadbalancing etc.
listen haproxy_http
mode tcp
option tcplog
maxconn 1000
bind /shared/haproxy_http accept-proxy mode 640
stick-table type ip size 100
stick on dst
<% @cache_secrets['customers'][@customer]['origins'].each_with_index do |origin, index| -%>
server s<%= index %> <%= origin %>:80
<% end -%>
Reference in a new issue View git blame Copy permalink