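# Example configuration file for HAProxy, refer to the url below for
# a full documentation and examples for configuration:
# https://docs.haproxy.org/3.2/configuration.html
#
# Layout: one directive per line, section keywords ("global",
# "defaults", "listen", "crt-store") flush left, directives indented.

# Global parameters
global
    # Log events to a remote syslog server at given address using the
    # specified facility and verbosity level. Multiple log options
    # are allowed.
    #log 10.0.0.1 daemon info

    # Logging events to the local syslog server is possible too.
    #log /dev/log local0 info

    # Specify the maximum number of allowed connections.
    maxconn 10000

    # Raise the ulimit for the maximum allowed number of open socket
    # descriptors per process. This is usually at least twice the
    # number of allowed connections (maxconn * 2 + nb_servers + 1).
    # By default, it is automatically computed, so it is recommended
    # not to use this option.
    #ulimit-n 65535

    # Drop privileges (setuid, setgid), default is "root" on OpenWrt.
    # NOTE(review): with uid 0 / gid 0 no privileges are actually
    # dropped and the proxy keeps running as root after start-up.
    # Prefer a dedicated unprivileged uid/gid (combined with the
    # "chroot" directive below) so that a compromise of the proxy
    # process does not directly yield root on the host.
    uid 0
    gid 0

    # Perform chroot into the specified directory.
    #chroot /var/run/haproxy/

    # Daemonize on startup
    daemon

    # Enable debugging
    #debug

    # Spawn given number of threads and distribute load among them,
    # used for multi-core environments.
    # On some platforms supporting CPU affinity, the default
    # "nbthread" value is automatically set to the number of CPUs
    # the process is bound to upon startup. The default value is
    # reported in the output of "haproxy -vv".
    #nbthread 2

    # Default SSL material locations
    ca-base /etc/ssl/certs

    # SSL/TLS configuration. You can use the Mozilla SSL Config
    # Generator. See: https://ssl-config.mozilla.org/#server=haproxy
    # intermediate configuration
    ssl-default-bind-curves X25519:prime256v1:secp384r1
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # TLS 1.2 minimum; session tickets disabled (forward secrecy is not
    # weakened by a long-lived ticket key).
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-server-curves X25519:prime256v1:secp384r1
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets

# Certificate store for ACME-issued material; referenced from "bind"
# lines as @acme-certs/<alias>.
crt-store acme-certs
    crt-base /etc/ssl/acme
    key-base /etc/ssl/acme
    # load crt "domain1.fullchain.crt" key "domain1.key" alias "domain1"
    # load crt "domain2.fullchain.crt" key "domain2.key" alias "domain2"

# Default parameters
defaults
    # Default timeouts
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    timeout check 5s
    # NOTE(review): no "timeout http-request" is set here, so a client
    # may hold a connection open while sending request headers slowly
    # for the full "timeout client" period; consider adding one for
    # the HTTP-mode instances below.

# Example HTTP proxy listener
listen my_http_proxy
    # Disable this instance without commenting out the section.
    disabled

    # Bind to port 8080 on all interfaces (0.0.0.0)
    bind :8080
    # bind :8443 ssl alpn h2,http/1.1 default-crt @acme-certs/domain1

    # We're proxying HTTP here...
    mode http

    # Simple HTTP round robin over two servers using the specified
    # source ip 192.168.1.1.
    balance roundrobin
    server server01 192.168.1.10:80 source 192.168.1.1
    server server02 192.168.1.20:80 source 192.168.1.1

    # Serve an internal statistics page on /stats:
    stats enable
    stats uri /stats

    # Enable HTTP basic auth for the statistics:
    # NOTE(review): "username:password" is a placeholder credential and
    # Basic auth is sent in clear text on the plain :8080 listener.
    # Replace it before enabling this instance, and restrict the stats
    # page (serve it only over a TLS bind and/or limit it to trusted
    # source addresses with an ACL) rather than exposing it with the
    # application traffic.
    stats realm HA_Stats
    stats auth username:password

# Example SMTP proxy listener
listen my_smtp_proxy
    # Disable this instance without commenting out the section.
    disabled

    # Bind to port 26 and 588 on localhost
    bind 127.0.0.1:26,127.0.0.1:588

    # This is a TCP proxy
    mode tcp

    # Round robin load balancing over two servers on port 123 forcing
    # the address 192.168.1.1 and port 25 as source.
    balance roundrobin
    #use next line for transparent proxy, so the servers can see the
    #original ip-address and remove source keyword in server definition
    #source 0.0.0.0 usesrc clientip
    server server01 192.168.1.10:123 source 192.168.1.1:25
    server server02 192.168.1.20:123 source 192.168.1.1:25

# Special health check listener for integration with external load
# balancers.
listen local_health_check
    # Listen on port 60000
    # NOTE(review): this binds on all interfaces and answers 200 to any
    # client; if only the external load balancer should reach it,
    # restrict the bind address or filter the port at the firewall.
    bind :60000

    # This health check requires http-mode
    mode http

    # This is a health check
    http-request return status 200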