Haproxy
De BlaxWiki
Révision datée du 23 octobre 2018 à 12:54 par 127.0.0.1 (discussion) (Page créée avec « Voici une configuration avancée pour haproxy : <pre> #--------------------------------------------------------------------- # Example configuration for a possible web ap... »)
Voici une configuration avancée pour haproxy :
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets no-tlsv10
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
#---------------------------------------------------------------------
# Stats
#---------------------------------------------------------------------
listen stats
bind 192.168.189.1:1936
stats enable
acl from_agarik src 10.252.0.0/15
stats uri /
stats auth Stats001:QSdShDkz0@!
stats admin if from_agarik
#---------------------------------------------------------------------
# MyElis - Production
#---------------------------------------------------------------------
frontend Front_MyElis-Production
bind 192.168.189.3:80
bind 192.168.189.3:443 ssl crt /etc/haproxy/certs/myelis.elis.com.2017.pem
mode http
option http-keep-alive
option forwardfor
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl is_elis_network src 132.147.0.0/16 172.29.0.0/18 194.250.218.199 194.250.218.195 195.25.150.125 195.25.150.126 2.228.246.254 2.228.246.174 2.228.246.250 2.228.246.170 89.96.61.139
acl is_agarik_network src 10.253.32.0/26 217.174.199.129
acl is_backend_private path_beg /backend/api/private/
acl is_doc path_beg /backend/doc
acl is_health path_beg /backend/health
acl is_simplified_health path_beg /backend/simplified-health
acl bk_slow url_dir /backend/api/private/groupes/import/
acl bk_slow_vt url_dir /backend/api/public/habillement/exportVT
http-request deny if is_backend_private !is_elis_network !is_agarik_network # Deny request to backend url that are not from elis network
http-request deny if is_doc !is_elis_network !is_agarik_network # Deny request to json url that are not from elis network
http-request deny if is_health !is_elis_network !is_agarik_network # Deny request to health url that are not from elis network
http-request deny if is_simplified_health !is_elis_network !is_agarik_network # Deny request to simplified-health url that are not from elis network
compression algo gzip
compression type text/html text/plain text/css text/javascript application/x-javascript application/javascript
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
redirect scheme https if !{ ssl_fc }
use_backend slow-pool-Production if bk_slow
use_backend slow-pool-Production if bk_slow_vt
default_backend Back_MyElis-Production
backend Back_MyElis-Production
mode http
stick-table type ip size 50k expire 1h
stick on src
balance roundrobin
option httpchk GET /backend/simplified-health
server myelis-prd-srv1-8080 192.168.189.49:8080 check inter 1000 maxconn 2000
server myelis-prd-srv1-8081 192.168.189.49:8081 check inter 1000 maxconn 2000
backend slow-pool-Production
mode http
stick-table type ip size 50k expire 1h
stick on src table Back_MyElis-Production
balance roundrobin
timeout server 600s
option httpchk GET /backend/simplified-health
server myelis-prd-srv1-8080 192.168.189.49:8080 check inter 1000 maxconn 2000
server myelis-prd-srv1-8081 192.168.189.49:8081 check inter 1000 maxconn 2000
#---------------------------------------------------------------------
# eVT - Production
#---------------------------------------------------------------------
frontend Front_eVT-Production
bind 192.168.189.5:80
bind 192.168.189.5:443 ssl crt /etc/haproxy/certs/wildcard.elis.com.pem
mode http
option http-keep-alive
option forwardfor
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl is_elis_network src 132.147.0.0/16 172.29.0.0/18 194.250.218.199 194.250.218.195 195.25.150.125 195.25.150.126 2.228.246.254 2.228.246.174 2.228.246.250 2.228.246.170 89.96.61.139
acl is_elis_esb src 172.29.28.70 172.29.46.65 172.29.46.60
acl is_agarik_network src 10.253.32.0/26 217.174.199.129
#acl is_backend_private path_beg /backend/api/private/
#acl is_doc path_beg /backend/doc
#acl is_health path_beg /backend/health
#acl is_simplified_health path_beg /backend/simplified-health
#acl is_robots_txt path_reg ^/robots.txt$
#http-request deny if is_backend_private !is_elis_network !is_agarik_network # Deny request to backend url that are not from elis network
#http-request deny if is_doc !is_elis_network !is_agarik_network # Deny request to json url that are not from elis network
#http-request deny if is_health !is_elis_network !is_agarik_network # Deny request to health url that are not from elis network
#http-request deny if is_simplified_health !is_elis_network !is_agarik_network # Deny request to simplified-health url that are not from elis network
acl is_backend_oauth path_beg /backend/oauth
acl is_backend_services path_beg /backend/services
http-request deny if !is_backend_oauth !is_backend_services !is_elis_network !is_agarik_network
##405478##
acl need_redirect_backend_evt path_beg /backend/services/v1/affectations
acl need_redirect_backend_evt path_beg /backend/services/v1/armoireCasiers
acl need_redirect_backend_evt path_beg /backend/services/v1/indicateurFiabilite
acl need_redirect_backend_evt path_beg /backend/services/v1/passage
acl except_redirect_backend_evt path_beg /backend/services/v1/passageSas
acl need_redirect_backend_evt path_beg /backend/services/v1/pdl
acl need_redirect_backend_evt path_beg /backend/services/v1/pds
acl need_redirect_backend_evt path_beg /backend/services/v1/porteurs
acl need_redirect_backend_evt path_beg /backend/services/v1/puissanceLecteurUhf
acl need_redirect_backend_evt path_beg /backend/interne/v1/passages
acl except_redirect_backend_evt path_beg /backend/interne/v1/passagesSas
acl need_redirect_backend_evt path_beg /backend/interne/v1/fiabilite
acl need_redirect_backend_evt path_beg /backend/interne/v1/puissanceLecteur
reqrep ^([^\ :]*)\ /backend/(.*) \1\ /evt/\2 if need_redirect_backend_evt !except_redirect_backend_evt
compression algo gzip
compression type text/html text/plain text/css text/javascript application/x-javascript application/javascript
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
redirect scheme https if !is_elis_esb !is_agarik_network !{ ssl_fc }
default_backend Back_eVT-Production
#use_backend robots_txt if is_robots_txt
backend Back_eVT-Production
mode http
stick-table type ip size 50k expire 1h
stick on src
balance roundrobin
# option httpchk GET /backend/simplified-health
server myelis-prd-srv1-8080 192.168.189.51:8080 check inter 1000 maxconn 2000
server myelis-prd-srv1-8081 192.168.189.51:8081 check inter 1000 maxconn 2000
#---------------------------------------------------------------------
# eCV - Production
#---------------------------------------------------------------------
frontend Front_Production_ecv
bind 192.168.189.6:80
bind 192.168.189.6:443 ssl crt /etc/haproxy/certs/wildcard.elis.com.pem
mode http
option http-keep-alive
option forwardfor
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl is_elis_network src 132.147.0.0/16 172.29.0.0/18 194.250.218.199 194.250.218.195 195.25.150.125 195.25.150.126 2.228.246.254 2.228.246.174 2.228.246.250 2.228.246.170 89.96.61.139
acl is_agarik_network src 10.253.32.0/26 217.174.199.129
acl is_backend_oauth path_beg /backend/oauth
acl is_backend_services path_beg /backend/services
acl is_robots_txt path_reg ^/robots.txt$
acl url_match_iot-sanitaire.elis.com hdr(host) -i iot-sanitaire.elis.com
acl url_match_connect.elis.com hdr(host) -i connect.elis.com
compression algo gzip
compression type text/html text/plain text/css text/javascript application/x-javascript application/javascript
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
use_backend Back_eCV-Production-8080 if url_match_iot-sanitaire.elis.com
use_backend Back_eCV-Production-8081 if url_match_connect.elis.com
use_backend robots_txt if is_robots_txt
backend Back_eCV-Production-8080
mode http
stick-table type ip size 50k expire 1h
stick on src
balance roundrobin
server ecv-production-srv1-8080 192.168.189.52:8080 check maxconn 2000
backend Back_eCV-Production-8081
mode http
stick-table type ip size 50k expire 1h
stick on src
balance roundrobin
server ecv-production-srv1-8081 192.168.189.52:8081 check maxconn 2000
#---------------------------------------------------------------------
# APS - Production
#---------------------------------------------------------------------
frontend Front_APS-Production
#bind 192.168.189.7:80
bind 192.168.189.7:7080
mode http
option http-keep-alive
option forwardfor
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl is_elis_network src 132.147.0.0/16 172.29.0.0/18 194.250.218.199 194.250.218.195 195.25.150.125 195.25.150.126 2.228.246.254 2.228.246.174 2.228.246.250 2.228.246.170 89.96.61.139
acl is_agarik_network src 10.253.32.0/26 217.174.199.129
http-request deny if !is_elis_network !is_agarik_network
compression algo gzip
compression type text/html text/plain text/css text/javascript application/x-javascript application/javascript
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
default_backend Back_APS-Production
backend Back_APS-Production
mode http
stick-table type ip size 50k expire 1h
stick on src
balance roundrobin
server aps-prd-srv1-8080 192.168.189.53:8080 check inter 1000 maxconn 2000
# server aps-prd-srv1-7080 192.168.189.53:7080 check inter 1000 maxconn 2000
#---------------------------------------------------------------------
# fm - Production
#---------------------------------------------------------------------
frontend Front_production_fm
bind 192.168.189.8:80
bind 192.168.189.8:443 ssl crt /etc/haproxy/certs/wildcard.elis.com.pem
mode http
option http-keep-alive
option forwardfor
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl is_elis_network src 132.147.0.0/16 172.29.0.0/18 194.250.218.199 194.250.218.195 195.25.150.125 195.25.150.126 192.168.189.51 2.228.246.254 2.228.246.174 2.228.246.250 2.228.246.170 89.96.61.139
acl is_agarik_network src 10.253.32.0/26 217.174.199.129
acl is_robots_txt path_reg ^/robots.txt$
acl is_file_store path_beg /file/store
acl is_robots_txt path_reg ^/robots.txt$
http-request deny if is_file_store !is_elis_network !is_agarik_network
compression algo gzip
compression type text/html text/plain text/css text/javascript application/x-javascript application/javascript
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
redirect scheme https if !{ ssl_fc }
default_backend Back_fm-Production
use_backend robots_txt if is_robots_txt
backend Back_fm-Production
mode http
stick-table type ip size 50k expire 1h
stick on src
balance roundrobin
server filemanager-prd-01-8080 192.168.189.54:8080 check maxconn 2000
backend robots_txt
mode http
http-request set-log-level silent
errorfile 503 /etc/haproxy/robots.http
