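# HA config
#
# Accepts connections for:
#  - HTTP 80, and SSL via stunnel
#  - XMLRPC 10110 over SSL, handled by stunnel
#  - XMLRPC 11111
#

# Process-wide settings: logs to the local syslog listener on facility local3,
# drops privileges to haproxy:haproxy, chroots and runs in the background.
global
    # Process-wide connection cap. NOTE(review): both HTTP frontends below
    # declare maxconn 8000, which is above this limit - confirm which value
    # is intended.
    maxconn 5000
    log 127.0.0.1 local3 debug
    user haproxy
    group haproxy
    chroot /var/run/haproxy
    daemon
    # debug
    # quiet

# TCP pass-through listener on port 5001, round-robin over n1/n2.
# No "mode" is given and there is no defaults section, so the built-in
# default mode applies.
listen noname-t 0.0.0.0:5001
    maxconn 1000
    option persist
    option tcplog
    option contstats
    timeout client 620s
    timeout server 620s
    timeout connect 20s
    balance roundrobin
    # NOTE(review): rise/fall are numbers of consecutive checks, not durations;
    # confirm the "s" suffix is accepted by the deployed version.
    server n1 XX.XX.XX.XX check port 5001 inter 60000 rise 1s fall 10s
    server n2 XX.XX.XX.XX check port 5001 inter 60000 rise 1s fall 10s

# Same layout as noname-t, on port 7071.
listen noname 0.0.0.0:7071
    maxconn 1000
    option persist
    option tcplog
    option contstats
    timeout client 620s
    timeout server 620s
    timeout connect 20s
    balance roundrobin
    server n1 XX.XX.XX.XX check port 7071 inter 60000 rise 1s fall 10s
    server n2 XX.XX.XX.XX check port 7071 inter 60000 rise 1s fall 10s

# Single-server listener on port 7000 with longer timeouts.
listen aps 0.0.0.0:7000
    option persist
    option tcplog
    option contstats
    timeout client 900s
    timeout server 900s
    timeout connect 60s
    balance roundrobin
    server n2 XX.XX.XX.XX:7000 check port 7000 inter 200s rise 1s fall 10s

#
# Plain-HTTP entry point. Every request that is not tarpitted goes to the
# "dynamic" backend; no admin routing is defined here.
frontend public
    bind 0.0.0.0:80
    mode http
    log global
    option httplog
    monitor-uri /haproxy_test
    maxconn 8000

    # do not log requests with no data
    option dontlognull

    # disable keep-alive
    option httpclose

    # use short timeouts for client and server
    timeout client 20000
    #timeout server 20000

    # the connect timeout should be large because it will also be used
    # to define the queue timeout and the tarpit timeout. It generally
    # is a good idea to set it to the same value as both above, and it
    # will improve performance when dealing with thousands of connections.
    # (Only the tarpit timeout is actually set in this section.)
    timeout tarpit 30000

    # and add a new 'X-Forwarded-For: IP'
    # except when the connection comes from stunnel
    # NOTE(review): the header is appended; a value already sent by the client
    # is kept, so backends should trust only the entry added by this proxy.
    option forwardfor except XX.XX.XX.XX 127.0.0.1/8

    # Request header and URI processing begins here.
    # rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
    #reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

    # Drop any client-supplied X_FORWARDED_PROTO header: on this plain-HTTP
    # entry point nothing legitimate sets it, and the public-ssl frontend uses
    # the same header to tell the backends that a request arrived over https.
    # Must stay above reqpass, after which header lines are no longer examined.
    reqidel ^X_FORWARDED_PROTO:.*

    #### Now check the URI for requests we want to tarpit ###
    # Now we do not analyze headers, we just focus on the request
    reqpass ^[^:\ ]*:

    # Tarpit those URIs for any method
    reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
    reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)

    default_backend dynamic

# this frontend is meant to be reached only through stunnel
# NOTE(review): it is nevertheless bound on all interfaces. Anything that can
# connect to port 81 directly is tagged as https below and gets the admin and
# stats routing without TLS. If stunnel runs on this host, bind to the loopback
# address; otherwise restrict the port to the stunnel source by firewall.
frontend public-ssl
    bind 0.0.0.0:81
    mode http
    log global
    option httplog
    monitor-uri /haproxy_test
    maxconn 8000

    # do not log requests with no data
    option dontlognull

    # disable keep-alive
    option httpclose

    # use short timeouts for client and server
    timeout client 20000
    #timeout server 20000

    # the connect timeout should be large because it will also be used
    # to define the queue timeout and the tarpit timeout. It generally
    # is a good idea to set it to the same value as both above, and it
    # will improve performance when dealing with thousands of connections.
    # (Only the tarpit timeout is actually set in this section.)
    timeout tarpit 30000

    # and add a new 'X-Forwarded-For: IP'
    # except when the connection comes from stunnel
    option forwardfor except XX.XX.XX.XX 127.0.0.1/8

    # capture request header X_FORWARDED_PROTO len 10

    # Request header and URI processing begins here.
    # rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
    #reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

    # Remove whatever the client sent under this name so that the only
    # X_FORWARDED_PROTO the backends see is the one added below.
    # (reqadd headers are expected to be appended after the req* filters have
    # run - confirm on the deployed HAProxy version.)
    reqidel ^X_FORWARDED_PROTO:.*

    # Add request header X_FORWARDED_PROTO https
    reqadd X_FORWARDED_PROTO:\ https

    #### Now check the URI for requests we want to tarpit ###
    # Now we do not analyze headers, we just focus on the request
    reqpass ^[^:\ ]*:

    # Tarpit those URIs for any method
    reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
    reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)

    # The URI will use a specific keyword soon
    # Route by URI prefix; the patterns are case-insensitive and not anchored
    # at the end, so they match anything starting with the given path.
    reqisetbe ^[^:\ ]*\ /admin2 admin2
    reqisetbe ^[^:\ ]*\ /admin1 admin1
    reqisetbe ^[^:\ ]*\ /admin/hastats hastats

    default_backend dynamic

# The static backend for 'Host: img', /img and /css.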
# Static-content servers, health-checked with HEAD /favicon.ico every 5000 ms.
# NOTE(review): no frontend rule in the part of the file shown here selects
# this backend - confirm whether it is still used.
backend static
    mode http
    balance roundrobin
    timeout connect 5000
    timeout server 5000
    option redispatch
    retries 1
    option httpchk HEAD /favicon.ico
    option httpclose
    server statsrvF1 XX.XX.XX.XX:90 check inter 5000
    server statsrvF2 XX.XX.XX.XX:90 check inter 5000

# Default backend of both HTTP frontends. Persistence uses an inserted
# DYNSRV cookie whose value (s1/s2) names the chosen server.
backend dynamic
    mode http
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    option redispatch
    # retry only once when a valid connection fails because the server
    # is overloaded.
    retries 1
    option httpchk HEAD /
    option httpclose
    cookie DYNSRV insert indirect nocache
    # the servers will be used at full load above this number of connections
    fullconn 2000
    server dynsrvF1 XX.XX.XX.XX:90 minconn 50 maxconn 500 cookie s1 check inter 8000
    server dynsrvF2 XX.XX.XX.XX:90 minconn 50 maxconn 500 cookie s2 check inter 8000

# Selected by the /admin1 rule of the public-ssl frontend.
backend admin1
    mode http
    balance roundrobin
    timeout connect 10s
    timeout server 10s
    option httpchk HEAD /admin1/
    option httpclose
    http-check disable-on-404
    # check only every 5 minutes
    server dynsrvF1 XX.XX.XX.XX:90 check inter 5m
    server dynsrvF2 XX.XX.XX.XX:90 check inter 5m

# NOTE(review): no frontend rule in the part of the file shown here selects
# this backend - confirm whether it is still used.
backend deveryloc
    mode http
    balance roundrobin
    timeout connect 10s
    timeout server 10s
    option httpchk HEAD /deveryloc/availability.jsp
    option httpclose
    http-check disable-on-404
    # checked every 5 seconds here (inter 5s), not every 5 minutes as in admin1
    server dynsrvF1 XX.XX.XX.XX:90 check inter 5s
    server dynsrvF2 XX.XX.XX.XX:90 check inter 5s

# Declared but disabled. The public-ssl frontend still has a /admin2 rule
# pointing at this backend.
backend admin2
    disabled
    mode http
    balance roundrobin
    timeout connect 10s
    timeout server 10s
    option httpclose
    option httpchk HEAD /admin2/
    # check only every 5 minutes
    server F7 XX.XX.XX.XX:5000 check inter 5m

# Built-in statistics page, selected by the /admin/hastats rule of the
# public-ssl frontend.
backend hastats
    mode http
    option httpclose
    balance roundrobin
    # how to access the status reporting web interface
    stats uri /admin/hastats
    # NOTE(review): "auth:auth" looks like a placeholder user:password. The
    # deployed value is stored in clear text in this file, so keep the file
    # readable by the proxy account only and use a strong, unique password.
    # It is sent as HTTP Basic auth, so only the stunnel leg protects it in
    # transit.
    stats auth auth:auth

#defaults
# empty section that cancels all default parameters.