-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathhaproxy.cfg
More file actions
85 lines (77 loc) · 3.5 KB
/
haproxy.cfg
File metadata and controls
85 lines (77 loc) · 3.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#haproxy config for studymode
#this provides load balancing for a pool of varnish and webservers
global
maxconn 90000
daemon
user nobody
group daemon
pidfile /var/run/haproxy.pid
stats socket /tmp/haproxy.sock user nobody group nobody mode 0600 level admin
spread-checks 3
quiet
#old cipher line
# ssl-default-bind-ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL:!kEDH
#pass ssl scan http://syslint.com/syslint/poodle-vulnerability-and-the-solutions-cve-2014-3566-protect-cpanel-apache-nginx-lighttpd-exim-sendmail-dovecot-etc/
#pass ssl scan https://wiki.mozilla.org/Security/Server_Side_TLS
#http://arstechnica.com/information-technology/2015/05/web-served-how-to-make-your-site-all-https-all-the-time-for-everyone/1/
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#this doesnt work on 1.5.4
#ssl-default-bind-options no-sslv3
userlist STATSUSERS
group admin users admin
user admin insecure-password StudyM0de
user stats insecure-password acc0unting
defaults
mode http
option tcpka
option dontlognull
option tcp-smart-accept
option tcp-smart-connect
option abortonclose
#option forceclose
#option http-keep-alive
option http-server-close
retries 1
timeout connect 5s
timeout client 60s
timeout server 60s
timeout check 3s
timeout queue 3s
timeout http-keep-alive 90s
timeout http-request 10s
maxconn 90000
listen admin_page 127.0.0.1:9090
mode http
stats enable
stats refresh 30s
stats uri /
acl AuthOkay_ReadOnly http_auth(STATSUSERS)
acl AuthOkay_Admin http_auth_group(STATSUSERS) admin
stats http-request auth realm admin_page unless AuthOkay_ReadOnly
stats admin if AuthOkay_Admin
#main frontend where everything should pass through
frontend varnish_frontend
# primary cert is /opt/local/etc/cert/null.host.pem for wildcards
# /etc/cert/certdir/ contains additional certificates for SNI clients
bind :443 ssl crt /etc/cert/null.host.pem no-sslv3
option forwardfor except 127.0.0.1
http-request add-header X-Real-IP %[src]
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
acl web_down nbsrv(web_pool) le 0
#tracking pix
acl smhpix hdr_end(host) -i .smhpix.com
#check if its a captcha
acl captcha hdr_beg(host) -i captcha.
monitor-uri /site_check
monitor fail if web_down
use_backend web_pool if smhpix
use_backend web_pool if captcha
#fall back to web pool if varnish is down
default_backend web_pool
backend web_pool
balance leastconn
option redispatch
option allbackups
default-server inter 2s downinter 5s rise 3 fall 2 slowstart 60s maxconn 20000 maxqueue 256 weight 100
server localhost 127.0.0.1:80 check