edge-trunc-haproxy.config
# Process-wide settings: connection ceiling, threading, logging and TLS defaults
# that every ssl bind below inherits unless it overrides them.
global
maxconn 50000
nbthread 4
daemon
# Ship logs to the local rsyslog unix socket (facility local1, level info).
log /var/lib/rsyslog/rsyslog.sock len 1024 local1 info
log-send-hostname
ca-base /etc/ssl
crt-base /etc/ssl
# Admin-level runtime API. mode 600 keeps it to the haproxy process owner;
# "level admin" can change servers and maps at runtime, so the socket file
# permissions are the only thing protecting it. expose-fd listeners hands the
# listening sockets to the next process on reload.
stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin expose-fd listeners
stats timeout 2m
tune.maxrewrite 8192
tune.bufsize 32768
# TLS floor for all ssl binds (TLSv1.2 and above).
ssl-default-bind-options ssl-min-ver TLSv1.2
tune.ssl.default-dh-param 2048
# The cipher lists are placeholders (X:Y:Z) in this file; a deployed config
# must carry a vetted TLS 1.2 cipher list and TLS 1.3 ciphersuite list.
ssl-default-bind-ciphers X:Y:Z
ssl-default-bind-ciphersuites X:Y:Z
# Inherited by every frontend and backend below unless the section overrides it.
# No "mode" is set here, so sections that do not set one run in tcp mode.
defaults
maxconn 50000
option httplog
log global
errorfile 503 /var/lib/haproxy/conf/error-page-503.http
errorfile 404 /var/lib/haproxy/conf/error-page-404.http
timeout connect 5s
timeout client 30s
timeout client-fin 1s
timeout server 30s
timeout server-fin 1s
# Upper bound on how long a client may take to send a complete request
# header; this is what limits slow-header (slowloris-style) connections.
timeout http-request 10s
timeout http-keep-alive 300s
# Idle timeout for tunnelled connections (WebSocket, CONNECT). The
# be_edge_http:tunnel-timeout:hello-openshift backend raises it to 15s.
timeout tunnel 5s
# Plain-HTTP entry point. accept-proxy makes the PROXY protocol header mandatory
# and trusts the client address it carries, so this port must only be reachable
# from the load balancer that sends it; any other peer could claim an arbitrary
# source address.
frontend public
bind :80 accept-proxy
mode http
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
# Answered by haproxy itself, never forwarded to a backend.
monitor-uri /_______internal_router_healthz
# Strip a client-supplied Proxy header before it can reach any backend (httpoxy).
http-request del-header Proxy
# Lower-case Host so the map lookups below are case-insensitive.
http-request set-header Host %[req.hdr(Host),lower]
# Routes flagged in the redirect map are sent to https before a backend is chosen.
acl secure_redirect base,map_reg_int(/var/lib/haproxy/conf/os_route_http_redirect.map) -m bool
redirect scheme https if secure_redirect
# Route on host+path ("base") through the regex map; unmatched requests fall
# through to openshift_default.
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
default_backend openshift_default
# TLS entry point. No mode is set here or in defaults, so this frontend runs
# in tcp mode: it only peeks at the ClientHello to pick a destination by SNI
# and never decrypts anything itself. accept-proxy carries the same trust
# caveat as on :80 - only the upstream load balancer may reach this port.
frontend public_ssl
option tcplog
bind :443 accept-proxy
# Wait up to 5s for a ClientHello before taking a routing decision.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl sni req.ssl_sni -m found
acl sni_passthrough req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
# Passthrough routes keep the TLS stream intact and go straight to the pod backend.
use_backend %[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
# Everything else with an SNI is terminated in fe_sni; no SNI at all goes to fe_no_sni.
use_backend be_sni if sni
default_backend be_no_sni
# Loops the raw TLS stream back into the local fe_sni listener over a unix
# socket; send-proxy carries the original client address across that hop.
backend be_sni
server fe_sni unix@/var/lib/haproxy/run/haproxy-sni.sock weight 1 send-proxy
# TLS termination for connections that carried an SNI. Per-route certificates
# come from the crt-list map, with default.pem as the fallback certificate;
# accept-proxy pairs with be_sni's send-proxy so the client address survives.
frontend fe_sni
bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
mode http
# httpoxy mitigation, same as the public frontend.
http-request del-header Proxy
http-request set-header Host %[req.hdr(Host),lower]
# Edge and re-encrypt routes are selected on host+path after decryption.
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)]
default_backend openshift_default
# Same loopback pattern as be_sni, for clients that sent no SNI at all.
backend be_no_sni
server fe_no_sni unix@/var/lib/haproxy/run/haproxy-no-sni.sock weight 1 send-proxy
# TLS termination for connections without SNI. Only default.pem is offered
# here (no crt-list), so such clients always see the default certificate.
frontend fe_no_sni
bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy
mode http
# httpoxy mitigation, same as the public frontend.
http-request del-header Proxy
http-request set-header Host %[req.hdr(Host),lower]
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)]
default_backend openshift_default
# Catch-all for requests that matched no route map. It defines no server, so
# requests landing here are answered with the 503 error page from defaults.
backend openshift_default
mode http
option forwardfor
option http-pretend-keepalive
# Edge-terminated route: TLS ends in fe_sni/fe_no_sni and the pod is reached
# over plain HTTP. The name presumably encodes namespace:route - confirm
# against the router's naming scheme.
backend be_edge_http:tunnel-timeout:hello-openshift
mode http
option redispatch
option forwardfor
balance random
# Per-route override of the 5s "timeout tunnel" set in defaults.
timeout tunnel 15s
timeout check 5000ms
# add-header appends rather than replaces: any X-Forwarded-* values the
# client sent are forwarded to the pod alongside the router's own, so the
# application must not treat the first value it sees as trustworthy.
http-request add-header X-Forwarded-Host %[req.hdr(host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
# Sticky-session cookie set by the router itself (insert) and stripped before
# the request reaches the pod (indirect); httponly, secure and SameSite=None
# are attributes on the Set-Cookie it emits.
cookie e820bb4044bb4e95dea397e6f06653e9 insert indirect nocache httponly secure attr SameSite=None
# Single pod endpoint; the cookie value identifies this server for stickiness.
server pod:hello-openshift-66b957b944-nf746:hello-openshift:8080-tcp:10.129.2.10:8080 10.129.2.10:8080 cookie 3a642ac2ec2d6e8c0572f97436292a87 weight 1