# Example configuration file for HAProxy, refer to the url below for
# a full documentation and examples for configuration:
# https://docs.haproxy.org/3.2/configuration.html
# Global parameters
global
# Log events to a remote syslog server at given address using the
# specified facility and verbosity level. Multiple log options
# are allowed.
#log 10.0.0.1 daemon info
# Logging events to the local syslog server is possible too.
#log /dev/log local0 info
# Specify the maximum number of allowed connections.
maxconn 10000
# Raise the ulimit for the maximum allowed number of open socket
# descriptors per process. This is usually at least twice the
# number of allowed connections (maxconn * 2 + nb_servers + 1) .
# By default, it is automatically computed, so it is recommended
# not to use this option.
#ulimit-n 65535
# Drop privileges (setuid, setgid) after startup; the default on OpenWrt is
# "root" (uid 0, gid 0), which means no privileges are actually dropped.
uid 0
gid 0
# Perform chroot into the specified directory.
#chroot /var/run/haproxy/
# Daemonize on startup
daemon
# Enable debugging
#debug
# Spawn given number of threads and distribute load among them,
# used for multi-core environments.
# On some platforms supporting CPU affinity, the default
# "nbthread" value is automatically set to the number of CPUs
# the process is bound to upon startup. The default value is
# reported in the output of "haproxy -vv".
#nbthread 2
# Default SSL material locations
ca-base /etc/ssl/certs
# SSL/TLS configuration. You can use the Mozilla SSL Config
# Generator. See: https://ssl-config.mozilla.org/#server=haproxy
# intermediate configuration
ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-curves X25519:prime256v1:secp384r1
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
crt-store acme-certs
crt-base /etc/ssl/acme
key-base /etc/ssl/acme
# load crt "domain1.fullchain.crt" key "domain1.key" alias "domain1"
# load crt "domain2.fullchain.crt" key "domain2.key" alias "domain2"
# Default parameters
defaults
# Default timeouts
timeout connect 5s
timeout client 50s
timeout server 50s
timeout check 5s
# Example HTTP proxy listener
listen my_http_proxy
# Disable this instance without commenting out the section.
disabled
# Bind to port 8080 on all interfaces (0.0.0.0)
bind :8080
# bind :8443 ssl alpn h2,http/1.1 default-crt @acme-certs/domain1
# We're proxying HTTP here...
mode http
# Simple HTTP round robin over two servers, using 192.168.1.1 as the
# source IP for the backend connections.
balance roundrobin
server server01 192.168.1.10:80 source 192.168.1.1
server server02 192.168.1.20:80 source 192.168.1.1
# Serve an internal statistics page on /stats:
stats enable
stats uri /stats
# Enable HTTP basic auth for the statistics. The credentials below are
# placeholders; replace them before enabling this listener. Note that
# basic auth over the plain-HTTP bind above sends them unencrypted.
stats realm HA_Stats
stats auth username:password
# Example SMTP proxy listener
listen my_smtp_proxy
# Disable this instance without commenting out the section.
disabled
# Bind to ports 26 and 588 on localhost
bind 127.0.0.1:26,127.0.0.1:588
# This is a TCP proxy
mode tcp
# Round robin load balancing over two servers on port 123, forcing
# 192.168.1.1:25 as the source address and port.
balance roundrobin
# Use the next line for a transparent proxy so that the servers see the
# original client IP address; when doing so, remove the "source" keyword
# from the server definitions below.
#source 0.0.0.0 usesrc clientip
server server01 192.168.1.10:123 source 192.168.1.1:25
server server02 192.168.1.20:123 source 192.168.1.1:25
# Special health check listener for integration with external load
# balancers.
listen local_health_check
# Listen on port 60000 on all interfaces (0.0.0.0). Unlike the examples
# above this listener is active, so restrict reachability to the external
# load balancers (bind to a specific address or firewall the port).
bind :60000
# This health check requires HTTP mode
mode http
# Always answer 200 OK: this is the health check response
http-request return status 200