2018-10-03 16:38:18 +03:00
|
|
|
#HA Proxy Config
|
|
|
|
|
global
|
2018-10-18 18:28:19 +03:00
|
|
|
ulimit-n 500000
|
|
|
|
|
maxconn 99999
|
|
|
|
|
maxpipes 99999
|
|
|
|
|
tune.maxaccept 500
|
2018-10-03 16:38:18 +03:00
|
|
|
|
|
|
|
|
log 127.0.0.1 local0
|
|
|
|
|
log 127.0.0.1 local1 notice
|
|
|
|
|
|
|
|
|
|
ca-base /etc/ssl/certs
|
|
|
|
|
crt-base /etc/ssl/private
|
|
|
|
|
|
|
|
|
|
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
|
|
|
|
ssl-default-bind-options no-sslv3
|
|
|
|
|
|
|
|
|
|
defaults
|
|
|
|
|
|
|
|
|
|
log global
|
|
|
|
|
|
|
|
|
|
mode http
|
|
|
|
|
|
|
|
|
|
timeout connect 5000ms
|
|
|
|
|
timeout client 50000ms
|
|
|
|
|
timeout server 50000ms
|
2018-10-26 17:19:57 +03:00
|
|
|
timeout tunnel 1h # timeout to use with WebSocket and CONNECT
|
|
|
|
|
|
|
|
|
|
default-server init-addr none
|
|
|
|
|
|
|
|
|
|
#enable resolving throught docker dns and avoid crashing if service is down while proxy is starting
|
|
|
|
|
resolvers docker_resolver
|
|
|
|
|
nameserver dns 127.0.0.11:53
|
2018-10-03 16:38:18 +03:00
|
|
|
|
|
|
|
|
listen stats
|
|
|
|
|
bind *:9999
|
|
|
|
|
stats enable
|
|
|
|
|
stats hide-version
|
|
|
|
|
stats uri /stats
|
|
|
|
|
stats auth admin:admin@123
|
|
|
|
|
|
2018-10-18 18:28:19 +03:00
|
|
|
listen mqtt-in
|
|
|
|
|
bind *:${MQTT_PORT}
|
|
|
|
|
mode tcp
|
2024-01-02 20:13:35 +01:00
|
|
|
|
|
|
|
|
stick-table type ip size 60k expire 60s store conn_cur
|
|
|
|
|
|
|
|
|
|
acl trustlist src -f /config/trustlist.txt
|
|
|
|
|
acl blocklist src -f /config/blocklist.txt
|
|
|
|
|
tcp-request connection accept if trustlist
|
|
|
|
|
tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
|
|
|
|
|
tcp-request connection track-sc1 src
|
|
|
|
|
|
2018-10-18 18:28:19 +03:00
|
|
|
option clitcpka # For TCP keep-alive
|
|
|
|
|
timeout client 3h
|
|
|
|
|
timeout server 3h
|
|
|
|
|
option tcplog
|
|
|
|
|
balance leastconn
|
2018-10-26 17:19:57 +03:00
|
|
|
server tbMqtt1 tb-mqtt-transport1:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4
|
|
|
|
|
server tbMqtt2 tb-mqtt-transport2:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4
|
2018-10-18 18:28:19 +03:00
|
|
|
|
2021-04-12 12:31:16 +03:00
|
|
|
listen edges-rpc-in
|
|
|
|
|
bind *:${EDGES_RPC_PORT}
|
|
|
|
|
mode tcp
|
2024-01-02 20:13:35 +01:00
|
|
|
|
|
|
|
|
stick-table type ip size 60k expire 60s store conn_cur
|
|
|
|
|
|
|
|
|
|
acl trustlist src -f /config/trustlist.txt
|
|
|
|
|
acl blocklist src -f /config/blocklist.txt
|
|
|
|
|
tcp-request connection accept if trustlist
|
|
|
|
|
tcp-request connection reject if blocklist or { src_conn_cur ge 5 }
|
|
|
|
|
tcp-request connection track-sc1 src
|
|
|
|
|
|
2021-04-12 12:31:16 +03:00
|
|
|
option clitcpka # For TCP keep-alive
|
|
|
|
|
timeout client 3h
|
|
|
|
|
timeout server 3h
|
|
|
|
|
option tcplog
|
|
|
|
|
balance leastconn
|
|
|
|
|
server tbEdgesRpc1 tb-core1:7070 check inter 5s resolvers docker_resolver resolve-prefer ipv4
|
|
|
|
|
server tbEdgesRpc2 tb-core2:7070 check inter 5s resolvers docker_resolver resolve-prefer ipv4
|
|
|
|
|
|
2018-10-03 16:38:18 +03:00
|
|
|
frontend http-in
|
2021-04-12 12:37:03 +03:00
|
|
|
bind *:${HTTP_PORT} alpn h2,http/1.1
|
2018-10-03 16:38:18 +03:00
|
|
|
|
2024-01-02 20:13:35 +01:00
|
|
|
stick-table type ip size 60k expire 60s store conn_cur
|
|
|
|
|
|
|
|
|
|
acl trustlist src -f /config/trustlist.txt
|
|
|
|
|
acl blocklist src -f /config/blocklist.txt
|
|
|
|
|
tcp-request connection accept if trustlist
|
|
|
|
|
tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
|
|
|
|
|
tcp-request connection track-sc1 src
|
|
|
|
|
|
2018-10-18 18:28:19 +03:00
|
|
|
option forwardfor
|
|
|
|
|
|
2021-04-05 12:43:53 +03:00
|
|
|
http-request add-header "X-Forwarded-Proto" "http"
|
2018-10-03 16:38:18 +03:00
|
|
|
|
2018-10-08 13:15:00 +03:00
|
|
|
acl transport_http_acl path_beg /api/v1/
|
2018-10-03 16:38:18 +03:00
|
|
|
acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
|
2024-01-02 20:13:35 +01:00
|
|
|
acl tb_images_api_acl path_beg /api/images/
|
2024-05-20 17:42:53 +03:00
|
|
|
acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/ /.well-known/assetlinks.json /.well-known/apple-app-site-association
|
2018-11-07 19:09:55 +02:00
|
|
|
|
2018-10-25 12:34:02 +03:00
|
|
|
redirect scheme https if !letsencrypt_http_acl !transport_http_acl { env(FORCE_HTTPS_REDIRECT) -m str true }
|
2018-11-07 19:09:55 +02:00
|
|
|
|
2018-10-03 16:38:18 +03:00
|
|
|
use_backend letsencrypt_http if letsencrypt_http_acl
|
2018-10-18 16:21:50 +03:00
|
|
|
use_backend tb-http-backend if transport_http_acl
|
2024-01-02 20:13:35 +01:00
|
|
|
use_backend tb-images-api-backend if tb_images_api_acl
|
2021-10-25 16:03:14 +03:00
|
|
|
use_backend tb-api-backend if tb_api_acl
|
2018-10-03 16:38:18 +03:00
|
|
|
|
2020-02-27 11:05:59 +02:00
|
|
|
default_backend tb-web-backend
|
2018-10-03 16:38:18 +03:00
|
|
|
|
|
|
|
|
frontend https_in
|
2021-04-12 12:37:03 +03:00
|
|
|
bind *:${HTTPS_PORT} ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM alpn h2,http/1.1
|
2018-10-03 16:38:18 +03:00
|
|
|
|
2024-01-02 20:13:35 +01:00
|
|
|
stick-table type ip size 60k expire 60s store conn_cur
|
|
|
|
|
|
|
|
|
|
acl trustlist src -f /config/trustlist.txt
|
|
|
|
|
acl blocklist src -f /config/blocklist.txt
|
|
|
|
|
tcp-request connection accept if trustlist
|
|
|
|
|
tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
|
|
|
|
|
tcp-request connection track-sc1 src
|
|
|
|
|
|
2018-10-18 18:28:19 +03:00
|
|
|
option forwardfor
|
2018-10-03 16:38:18 +03:00
|
|
|
|
2021-04-05 12:43:53 +03:00
|
|
|
http-request add-header "X-Forwarded-Proto" "https"
|
2018-10-03 16:38:18 +03:00
|
|
|
|
2018-10-18 18:28:19 +03:00
|
|
|
acl transport_http_acl path_beg /api/v1/
|
2024-01-02 20:13:35 +01:00
|
|
|
acl tb_images_api_acl path_beg /api/images/
|
2024-05-20 17:42:53 +03:00
|
|
|
acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/ /.well-known/assetlinks.json /.well-known/apple-app-site-association
|
2018-10-15 18:24:51 +03:00
|
|
|
|
2018-11-07 19:09:55 +02:00
|
|
|
use_backend tb-http-backend if transport_http_acl
|
2024-01-02 20:13:35 +01:00
|
|
|
use_backend tb-images-api-backend if tb_images_api_acl
|
2021-10-25 16:03:14 +03:00
|
|
|
use_backend tb-api-backend if tb_api_acl
|
2018-10-26 12:49:20 +03:00
|
|
|
|
2020-02-27 11:05:59 +02:00
|
|
|
default_backend tb-web-backend
|
2018-10-26 12:49:20 +03:00
|
|
|
|
2018-10-03 16:38:18 +03:00
|
|
|
backend letsencrypt_http
|
|
|
|
|
server letsencrypt_http_srv 127.0.0.1:8080
|
|
|
|
|
|
|
|
|
|
backend tb-web-backend
|
2024-01-02 20:13:35 +01:00
|
|
|
timeout queue 60s
|
2018-10-03 16:38:18 +03:00
|
|
|
balance leastconn
|
|
|
|
|
option tcp-check
|
|
|
|
|
option log-health-checks
|
2024-01-02 20:13:35 +01:00
|
|
|
server tbWeb1 tb-web-ui1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
|
|
|
|
server tbWeb2 tb-web-ui2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
2018-10-03 16:38:18 +03:00
|
|
|
http-request set-header X-Forwarded-Port %[dst_port]
|
2018-10-15 18:24:51 +03:00
|
|
|
|
2018-10-18 16:21:50 +03:00
|
|
|
backend tb-http-backend
|
2024-01-02 20:13:35 +01:00
|
|
|
timeout queue 60s
|
2018-10-18 16:21:50 +03:00
|
|
|
balance leastconn
|
|
|
|
|
option tcp-check
|
|
|
|
|
option log-health-checks
|
2024-01-02 20:13:35 +01:00
|
|
|
server tbHttp1 tb-http-transport1:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
|
|
|
|
server tbHttp2 tb-http-transport2:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
|
|
|
|
|
|
|
|
|
# Dummy backends for a stick-table purpose only.
|
|
|
|
|
# There is only one stick-table per proxy. At the moment of writing this doc,
|
|
|
|
|
# it does not seem useful to have multiple tables per proxy. If this happens
|
|
|
|
|
# to be required, simply create a dummy backend with a stick-table in it and
|
|
|
|
|
# reference it
|
|
|
|
|
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
|
|
|
|
|
backend st_src_rate10s
|
|
|
|
|
stick-table type ip size 60k expire 10s store http_req_rate(10s)
|
|
|
|
|
|
|
|
|
|
backend st_src_rate1m
|
|
|
|
|
stick-table type ip size 60k expire 1m store http_req_rate(1m)
|
2018-10-26 12:49:20 +03:00
|
|
|
|
|
|
|
|
backend tb-api-backend
|
2024-01-02 20:13:35 +01:00
|
|
|
timeout queue 60s
|
2020-05-07 14:21:17 +03:00
|
|
|
balance source
|
2018-10-26 12:49:20 +03:00
|
|
|
option tcp-check
|
|
|
|
|
option log-health-checks
|
2024-01-02 20:13:35 +01:00
|
|
|
|
|
|
|
|
http-request track-sc0 src table st_src_rate10s
|
|
|
|
|
http-request track-sc1 src table st_src_rate1m
|
|
|
|
|
|
|
|
|
|
acl trustlist src -f /config/trustlist.txt
|
|
|
|
|
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !trustlist
|
|
|
|
|
http-request deny deny_status 429 if { sc_http_req_rate(1) gt 300 } !trustlist
|
|
|
|
|
|
|
|
|
|
http-request set-header X-Forwarded-Port %[dst_port]
|
|
|
|
|
server tbApi1 tb-core1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
|
|
|
|
server tbApi2 tb-core2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
|
|
|
|
|
|
|
|
|
# Dummy backends for a stick-table purpose only.
|
|
|
|
|
# There is only one stick-table per proxy. At the moment of writing this doc,
|
|
|
|
|
# it does not seem useful to have multiple tables per proxy. If this happens
|
|
|
|
|
# to be required, simply create a dummy backend with a stick-table in it and
|
|
|
|
|
# reference it
|
|
|
|
|
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
|
|
|
|
|
backend st_images_src_rate10s
|
|
|
|
|
stick-table type ip size 60k expire 10s store http_req_rate(10s)
|
|
|
|
|
|
|
|
|
|
backend st_images_src_rate1m
|
|
|
|
|
stick-table type ip size 60k expire 1m store http_req_rate(1m)
|
|
|
|
|
|
|
|
|
|
backend tb-images-api-backend
|
|
|
|
|
timeout queue 60s
|
|
|
|
|
balance source
|
|
|
|
|
option tcp-check
|
|
|
|
|
option log-health-checks
|
|
|
|
|
|
|
|
|
|
http-request track-sc0 src table st_images_src_rate10s
|
|
|
|
|
http-request track-sc1 src table st_images_src_rate1m
|
|
|
|
|
|
|
|
|
|
acl trustlist src -f /config/trustlist.txt
|
|
|
|
|
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 1000 } !trustlist
|
|
|
|
|
http-request deny deny_status 429 if { sc_http_req_rate(1) gt 3000 } !trustlist
|
|
|
|
|
|
2018-11-07 23:16:37 +02:00
|
|
|
http-request set-header X-Forwarded-Port %[dst_port]
|
2024-01-02 20:13:35 +01:00
|
|
|
server tbImagesApi1 tb-core1:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
|
|
|
|
server tbImagesApi2 tb-core2:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
|
