This repository has been archived by the owner on Jul 2, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathhaproxy.tmpl
164 lines (142 loc) · 6.53 KB
/
haproxy.tmpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
global
log /dev/log local2 info
maxconn 3072
tune.ssl.default-dh-param 2048
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option forwardfor
option http-server-close
option httplog
option log-separate-errors
option dontlognull
# option dontlog-normal
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend services-frontend
# Comment next line to fully close port 88
bind :88
bind :444 ssl crt /etc/ssl/certs/device.pem
# Uncomment next line to enforce https connection
#redirect scheme https if !{ ssl_fc }
# Always keep the next line to prevent falling back to http during redirection (HTTP-302, no trailing slash) when using https
rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc }
acl url_mgs path_beg /mgs
acl url_sts path_beg /sts
# ACL for webhook service - LEGACY; should be deleted in favor of the ACL under default_ports frontend after all our datasources move to the new format
acl url_whs path_beg /wh
# ACL for account-management-server service: <domain>.gaiahub.io/acms
acl url_acms path_beg /acms
# Admin UI - client and server
acl url_gau path_beg /gau
acl url_gau path_beg /gab
acl url_ru path_beg /result-upload
use_backend mgs-backend if url_mgs
use_backend sts-backend if url_sts
use_backend whs-backend if url_whs
use_backend acmserver if url_acms
use_backend gau-backend if url_gau
use_backend result-upload-service-backend if url_ru
frontend default_ports
bind :80
bind :443 ssl crt /etc/ssl/certs/device.pem
# ACL for webhook service: webhook.<domain>.gaiahub.io/wh/*
acl url_whs hdr_beg(host) webhook. path_beg /wh
# ACL for account-management-client service: acmc.<domain>.gaiahub.io/acmc
acl url_acmc hdr_beg(host) acmc. path_beg /acmc
# ACL for kibana and all the URLs it uses (called from the client side)
acl url_kibana path_beg /app /bundles /elasticsearch /kibana /plugins /api/console /api/xpack /api/monitoring /api/reporting /api/timelion /api/kibana /ui/favicons
# ACL for the initial call to kibana, which does not have any root context by default before redirecting to /app
acl is_root path /
rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc } !url_whs !url_acmc
use_backend whs-backend if url_whs
use_backend ui-backend if url_kibana
use_backend ui-backend if is_root
use_backend acmclient-backend if url_acmc
backend acmclient-backend
{{range gets "/skydns/local/skydns/acmclient/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend acmserver
{{range gets "/skydns/local/skydns/acmserver/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend mgs-backend
{{range gets "/skydns/local/skydns/mgs/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend sts-backend
# save request scheme for further redirect
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto https if !{ ssl_fc }
http-request set-var(txn.scheme) req.hdr(X-Forwarded-Proto)
# save request host for further redirect
http-request set-var(txn.host) req.hdr(Host)
# define acl
http-request set-var(txn.path) path
acl url_callback var(txn.path) -m end /callback
http-response replace-value Location /sts/welcome.jsp %[var(txn.scheme)]://%[var(txn.host)] if url_callback
http-response replace-value Location (.*):88 \1:80 if url_callback
http-response replace-value Location (.*):444 \1:443 if url_callback
{{range gets "/skydns/local/skydns/sts/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend whs-backend
# remove Content-Encoding header when its value is invalid - solves body-parser error due to Stash plugin bug
reqdel ^Content-Encoding:((?!\s*gzip)(?!\s*deflate)(?!\s*compress)(?!\s*identity)).*$
{{range gets "/skydns/local/skydns/whs/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend gau-backend
{{range gets "/skydns/local/skydns/gau/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend result-upload-service-backend
{{range gets "/skydns/local/skydns/result-upload-service/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
backend ui-backend
acl cookie_set hdr_sub(cookie) gaia.token
#redirect location http://gaia.skydns.local:88/sts/login.jsp code 302 if !cookie_set
http-request set-header X-Forwarded-Proto https if { ssl_fc } !cookie_set
http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !cookie_set
http-request set-header X-Forwarded-Port 444 if { ssl_fc } !cookie_set
http-request set-header X-Forwarded-Port 88 if !{ ssl_fc } !cookie_set
http-request set-header X-Location-Path %[path] if !cookie_set
http-request redirect location %[hdr(X-Forwarded-Proto)]://%[hdr(Host)]:%[hdr(X-Forwarded-Port)]/sts/login.jsp if !cookie_set
{{range gets "/skydns/local/skydns/kibana/*"}}
{{$data := json .Value}}
server {{$data.host}}:{{$data.port}} {{$data.host}}:{{$data.port}} check
{{end}}
listen stats
# Uncomment next line to access stats over https
#bind :1936 ssl crt device.pem
# Comment next line to access stats only over https
bind :1936
stats enable
stats uri /
stats realm Haproxy\ Statistics
stats auth admin:admin