/
haproxy.cfg
153 lines (125 loc) · 4.55 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
#---------------------------------------------------------------------
# Configuration of HAProxy to front two openshift instances
#
# http://www.haproxy.org/download/2.5/doc/configuration.txt
#
#---------------------------------------------------------------------
global
maxconn 20000
log 127.0.0.1 local0
user haproxy
chroot /usr/share/haproxy
pidfile /run/haproxy.pid
daemon
defaults
timeout connect 5s
timeout client 1m
timeout server 1m
#---------------------------------------------------------------------
# Proxys to the openshift api backend port 6443
#---------------------------------------------------------------------
frontend api_ssl
bind :6443
mode tcp
option tcplog
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend home_api_ssl if { req_ssl_sni -i api.home.ocplab.com }
use_backend hub_api_ssl if { req_ssl_sni -i api.hub.ocplab.com }
default_backend static
backend home_api_ssl
mode tcp
balance roundrobin
server home_ssl_server 192.168.1.83:6443 check
backend hub_api_ssl
mode tcp
balance roundrobin
server hub_ssl_server 192.168.1.217:6443 check
#---------------------------------------------------------------------
# Proxys to the openshift wildcard backend port 80
#---------------------------------------------------------------------
frontend wildcard_http
bind :80
mode http
use_backend home_http if { hdr(host) -m end .apps.home.ocplab.com }
use_backend hub_http if { hdr(host) -m end .apps.hub.ocplab.com }
default_backend static
backend home_http
mode http
balance roundrobin
server home_http_server 192.168.1.83:80 check
backend hub_http
mode http
balance roundrobin
server hub_http_server 192.168.1.217:80 check
#---------------------------------------------------------------------
# Handles port 443 for OpenShift wildcard, sso and terminating SSL for others
#---------------------------------------------------------------------
frontend wildcard_ssl
bind :443
mode tcp
option tcplog
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend home_ssl if { req_ssl_sni -m end .apps.home.ocplab.com }
use_backend hub_ssl if { req_ssl_sni -m end .apps.hub.ocplab.com }
use_backend sso_ssl if { req_ssl_sni -i sso.ocplab.com }
# Route back to haproxy to handle SSL termination for non-passthrough sites
default_backend bk_tcp_to_https
# Provide SSL Termination for sites that only handle http
frontend SSL_Termination
mode http
bind *:9443 ssl crt-list /etc/haproxy/crt-list.txt
#bind *:9443 ssl crt /etc/ssl/uptime.ocplab.com/uptime.ocplab.com.pem crt /etc/ssl/ocplab.com/ocplab.com.pem
use_backend uptime if { hdr(host) -i uptime.ocplab.com }
default_backend homepage
# Enable haproxy stats page and metrics
frontend stats
mode http
bind *:8404
# option http-use-htx
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
# Home OpenShift cluster
backend home_ssl
mode tcp
balance roundrobin
server home_ssl_server 192.168.1.83:443 check
# Hub OpenShift cluster
backend hub_ssl
mode tcp
balance roundrobin
server hub_ssl_server 192.168.1.217:443 check
# Uptime-kuma
backend uptime
mode http
server uptime 192.168.1.2:3001 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
backend homepage
mode http
server homepage 192.168.1.2:7080 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Route back to haproxy to handle ssl termination
backend bk_tcp_to_https
mode tcp
server haproxy-https 127.0.0.1:9443 check
# Fallback to static site
backend static
mode http
balance roundrobin
timeout connect 5s
timeout server 5s
server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
# Proxys to the sso server
#---------------------------------------------------------------------
backend sso_ssl
mode tcp
balance roundrobin
server sso_ssl_server 192.168.1.2:8443 check