marathon-lb
Overview
The marathon-lb is a service discovery and load balancing tool for Marathon based on HAProxy. It reads the Marathon task information and dynamically generates HAProxy configuration details.
To gather the task information, marathon-lb needs to know where to find Marathon. The service configuration details are stored in labels.
Every service port in Marathon can be configured independently.
Configuration
Service configuration lives in Marathon via labels. Marathon-lb just needs to know where to find Marathon.
Command Line Usage
usage: marathon_lb.py [-h] [--longhelp] [--marathon MARATHON [MARATHON ...]]
[--haproxy-config HAPROXY_CONFIG] [--group GROUP]
[--command COMMAND]
[--max-reload-retries MAX_RELOAD_RETRIES]
[--reload-interval RELOAD_INTERVAL] [--strict-mode]
[--sse] [--archive-versions ARCHIVE_VERSIONS]
[--health-check]
[--lru-cache-capacity LRU_CACHE_CAPACITY]
[--haproxy-map] [--dont-bind-http-https]
[--group-https-by-vhost] [--ssl-certs SSL_CERTS]
[--skip-validation] [--skip-config-cleanup] [--dry]
[--min-serv-port-ip-per-task MIN_SERV_PORT_IP_PER_TASK]
[--max-serv-port-ip-per-task MAX_SERV_PORT_IP_PER_TASK]
[--max-backoff MAX_BACKOFF]
[--syslog-socket SYSLOG_SOCKET]
[--log-format LOG_FORMAT] [--log-level LOG_LEVEL]
[--marathon-auth-credential-file MARATHON_AUTH_CREDENTIAL_FILE]
[--auth-credentials AUTH_CREDENTIALS]
[--dcos-auth-credentials DCOS_AUTH_CREDENTIALS]
[--marathon-ca-cert MARATHON_CA_CERT]
Marathon HAProxy Load Balancer
optional arguments:
-h, --help show this help message and exit
--longhelp Print out configuration details (default: False)
--marathon MARATHON [MARATHON ...], -m MARATHON [MARATHON ...]
[required] Marathon endpoint, eg. -m
http://marathon1:8080 http://marathon2:8080 (default:
['http://master.mesos:8080'])
--haproxy-config HAPROXY_CONFIG
Location of haproxy configuration (default:
/etc/haproxy/haproxy.cfg)
--group GROUP [required] Only generate config for apps which list
the specified names. Use '*' to match all groups,
including those without a group specified. (default:
[])
--command COMMAND, -c COMMAND
If set, run this command to reload haproxy. (default:
None)
--max-reload-retries MAX_RELOAD_RETRIES
Max reload retries before failure. Reloads happen
every --reload-interval seconds. Set to 0 to disable
or -1 for infinite retries. (default: 10)
--reload-interval RELOAD_INTERVAL
Wait this number of seconds between reload retries.
(default: 10)
--strict-mode If set, backends are only advertised if
HAPROXY_{n}_ENABLED=true. Strict mode will be enabled
by default in a future release. (default: False)
--sse, -s Use Server Sent Events (default: False)
--archive-versions ARCHIVE_VERSIONS
Number of config versions to archive (default: 5)
--health-check, -H If set, respect Marathon's health check statuses
before adding the app instance into the backend pool.
(default: False)
--lru-cache-capacity LRU_CACHE_CAPACITY
LRU cache size (in number of items). This should be at
least as large as the number of tasks exposed via
marathon-lb. (default: 1000)
--haproxy-map Use HAProxy maps for domain name to backendmapping.
(default: False)
--dont-bind-http-https
Don't bind to HTTP and HTTPS frontends. (default:
False)
--group-https-by-vhost
Group https frontends by vhost. (default: False)
--ssl-certs SSL_CERTS
List of SSL certificates separated by commafor
frontend marathon_https_inEx:
/etc/ssl/site1.co.pem,/etc/ssl/site2.co.pem (default:
/etc/ssl/cert.pem)
--skip-validation Skip haproxy config file validation (default: False)
--skip-config-cleanup
If one app fails, don't try to make configuration
valid by removing apps one by one (default: False)
--dry, -d Only print configuration to console (default: False)
--min-serv-port-ip-per-task MIN_SERV_PORT_IP_PER_TASK
Minimum port number to use when auto-assigning service
ports for IP-per-task applications (default: 10050)
--max-serv-port-ip-per-task MAX_SERV_PORT_IP_PER_TASK
Maximum port number to use when auto-assigning service
ports for IP-per-task applications (default: 10100)
--max-backoff MAX_BACKOFF
Maximum backoff to limit backoff size (default: 300)
--syslog-socket SYSLOG_SOCKET
Socket to write syslog messages to. Use '/dev/null' to
disable logging to syslog (default: /dev/log)
--log-format LOG_FORMAT
Set log message format (default: %(asctime)-15s
%(name)s: %(message)s)
--log-level LOG_LEVEL
Set log level (default: DEBUG)
--marathon-auth-credential-file MARATHON_AUTH_CREDENTIAL_FILE
Path to file containing a user/pass for the Marathon
HTTP API in the format of 'user:pass'. (default: None)
--auth-credentials AUTH_CREDENTIALS
user/pass for the Marathon HTTP API in the format of
'user:pass'. (default: None)
--dcos-auth-credentials DCOS_AUTH_CREDENTIALS
DC/OS service account credentials (default: None)
--marathon-ca-cert MARATHON_CA_CERT
CA certificate for Marathon HTTPS connections
(default: None)
Templates
The following is a list of the available HAProxy templates.
Some templates are global-only (such as HAPROXY_HEAD), but most may
be overridden on a per service port basis using the
HAPROXY_{n}_... syntax.
HAPROXY_BACKEND_HEAD
Overridable per app
Specified as HAPROXY_BACKEND_HEAD template or with label HAPROXY_{n}_BACKEND_HEAD.
Defines the type of load balancing, roundrobin by default, and connection mode, TCP or HTTP.
Default template for HAPROXY_BACKEND_HEAD:
backend {backend}
balance {balance}
mode {mode}
Example Marathon label to override HAPROXY_BACKEND_HEAD for port 0 of an app:
"HAPROXY_0_BACKEND_HEAD": "\nbackend {backend}\n balance {balance}\n mode {mode}\n"
HAPROXY_BACKEND_HSTS_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_HSTS_OPTIONS template or with label HAPROXY_{n}_BACKEND_HSTS_OPTIONS.
This template is used for the backend where the
HAPROXY_{n}_USE_HSTS label is set to true.
Default template for HAPROXY_BACKEND_HSTS_OPTIONS:
rspadd Strict-Transport-Security:\ max-age=15768000
Example Marathon label to override HAPROXY_BACKEND_HSTS_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_HSTS_OPTIONS": " rspadd Strict-Transport-Security:\\ max-age=15768000\n"
HAPROXY_BACKEND_HTTP_HEALTHCHECK_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_HTTP_HEALTHCHECK_OPTIONS template or with label HAPROXY_{n}_BACKEND_HTTP_HEALTHCHECK_OPTIONS.
Sets HTTP health check options, for example timeout check and httpchk GET. Parameters of the first health check for this service are exposed as:
- healthCheckPortIndex
- healthCheckPort
- healthCheckProtocol
- healthCheckPath
- healthCheckTimeoutSeconds
- healthCheckIntervalSeconds
- healthCheckGracePeriodSeconds
- healthCheckMaxConsecutiveFailures
- healthCheckFalls is set to healthCheckMaxConsecutiveFailures + 1
- healthCheckPortOptions is set to
port {healthCheckPort}
Defaults to empty string.
Example:
option httpchk GET {healthCheckPath}
timeout check {healthCheckTimeoutSeconds}s
Default template for HAPROXY_BACKEND_HTTP_HEALTHCHECK_OPTIONS:
option httpchk GET {healthCheckPath}
timeout check {healthCheckTimeoutSeconds}s
Example Marathon label to override HAPROXY_BACKEND_HTTP_HEALTHCHECK_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_HTTP_HEALTHCHECK_OPTIONS": " option httpchk GET {healthCheckPath}\n timeout check {healthCheckTimeoutSeconds}s\n"
HAPROXY_BACKEND_HTTP_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_HTTP_OPTIONS template or with label HAPROXY_{n}_BACKEND_HTTP_OPTIONS.
Sets HTTP headers, for example X-Forwarded-For and X-Forwarded-Proto.
Default template for HAPROXY_BACKEND_HTTP_OPTIONS:
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
Example Marathon label to override HAPROXY_BACKEND_HTTP_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_HTTP_OPTIONS": " option forwardfor\n http-request set-header X-Forwarded-Port %[dst_port]\n http-request add-header X-Forwarded-Proto https if { ssl_fc }\n"
HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS
Overridable per app
Specified as HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS template or with label HAPROXY_{n}_BACKEND_REDIRECT_HTTP_TO_HTTPS.
This template is used with backends where the
HAPROXY_{n}_REDIRECT_TO_HTTPS label is set to true
Default template for HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS:
redirect scheme https code 301 if !{{ ssl_fc }} host_{cleanedUpHostname}
Example Marathon label to override HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS for port 0 of an app:
"HAPROXY_0_BACKEND_REDIRECT_HTTP_TO_HTTPS": " redirect scheme https code 301 if !{{ ssl_fc }} host_{cleanedUpHostname}\n"
HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS_WITH_PATH
Overridable per app
Specified as HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS_WITH_PATH template or with label HAPROXY_{n}_BACKEND_REDIRECT_HTTP_TO_HTTPS_WITH_PATH.
Same as HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS,
but includes a path.
Default template for HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS_WITH_PATH:
redirect scheme https code 301 if !{{ ssl_fc }} host_{cleanedUpHostname} path_{backend}
Example Marathon label to override HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS_WITH_PATH for port 0 of an app:
"HAPROXY_0_BACKEND_REDIRECT_HTTP_TO_HTTPS_WITH_PATH": " redirect scheme https code 301 if !{{ ssl_fc }} host_{cleanedUpHostname} path_{backend}\n"
HAPROXY_BACKEND_SERVER_HTTP_HEALTHCHECK_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_SERVER_HTTP_HEALTHCHECK_OPTIONS template or with label HAPROXY_{n}_BACKEND_SERVER_HTTP_HEALTHCHECK_OPTIONS.
Sets HTTP health check options for a single server, e.g. check inter. Parameters of the first health check for this service are exposed as:
- healthCheckPortIndex
- healthCheckPort
- healthCheckProtocol
- healthCheckPath
- healthCheckTimeoutSeconds
- healthCheckIntervalSeconds
- healthCheckGracePeriodSeconds
- healthCheckMaxConsecutiveFailures
- healthCheckFalls is set to healthCheckMaxConsecutiveFailures + 1
- healthCheckPortOptions is set to
port {healthCheckPort}
Defaults to empty string.
Example:
check inter {healthCheckIntervalSeconds}s fall {healthCheckFalls}
Default template for HAPROXY_BACKEND_SERVER_HTTP_HEALTHCHECK_OPTIONS:
check inter {healthCheckIntervalSeconds}s fall {healthCheckFalls}{healthCheckPortOptions}
Example Marathon label to override HAPROXY_BACKEND_SERVER_HTTP_HEALTHCHECK_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_SERVER_HTTP_HEALTHCHECK_OPTIONS": " check inter {healthCheckIntervalSeconds}s fall {healthCheckFalls}{healthCheckPortOptions}\n"
HAPROXY_BACKEND_SERVER_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_SERVER_OPTIONS template or with label HAPROXY_{n}_BACKEND_SERVER_OPTIONS.
The options for each server added to a backend.
Default template for HAPROXY_BACKEND_SERVER_OPTIONS:
server {serverName} {host_ipv4}:{port} id {serverId}{cookieOptions}{healthCheckOptions}{otherOptions}
Example Marathon label to override HAPROXY_BACKEND_SERVER_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_SERVER_OPTIONS": " server {serverName} {host_ipv4}:{port} id {serverId}{cookieOptions}{healthCheckOptions}{otherOptions}\n"
HAPROXY_BACKEND_SERVER_TCP_HEALTHCHECK_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_SERVER_TCP_HEALTHCHECK_OPTIONS template or with label HAPROXY_{n}_BACKEND_SERVER_TCP_HEALTHCHECK_OPTIONS.
Sets TCP health check options for a single server, e.g. check inter. Parameters of the first health check for this service are exposed as:
- healthCheckPortIndex
- healthCheckPort
- healthCheckProtocol
- healthCheckTimeoutSeconds
- healthCheckIntervalSeconds
- healthCheckGracePeriodSeconds
- healthCheckMaxConsecutiveFailures
- healthCheckFalls is set to healthCheckMaxConsecutiveFailures + 1
- healthCheckPortOptions is set to
port {healthCheckPort}
Defaults to empty string.
Example:
check inter {healthCheckIntervalSeconds}s fall {healthCheckFalls}
Default template for HAPROXY_BACKEND_SERVER_TCP_HEALTHCHECK_OPTIONS:
check inter {healthCheckIntervalSeconds}s fall {healthCheckFalls}{healthCheckPortOptions}
Example Marathon label to override HAPROXY_BACKEND_SERVER_TCP_HEALTHCHECK_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_SERVER_TCP_HEALTHCHECK_OPTIONS": " check inter {healthCheckIntervalSeconds}s fall {healthCheckFalls}{healthCheckPortOptions}\n"
HAPROXY_BACKEND_STICKY_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_STICKY_OPTIONS template or with label HAPROXY_{n}_BACKEND_STICKY_OPTIONS.
Sets a cookie for services where HAPROXY_{n}_STICKY is true.
Default template for HAPROXY_BACKEND_STICKY_OPTIONS:
cookie mesosphere_server_id insert indirect nocache
Example Marathon label to override HAPROXY_BACKEND_STICKY_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_STICKY_OPTIONS": " cookie mesosphere_server_id insert indirect nocache\n"
HAPROXY_BACKEND_TCP_HEALTHCHECK_OPTIONS
Overridable per app
Specified as HAPROXY_BACKEND_TCP_HEALTHCHECK_OPTIONS template or with label HAPROXY_{n}_BACKEND_TCP_HEALTHCHECK_OPTIONS.
Sets TCP health check options, for example timeout check. Parameters of the first health check for this service are exposed as:
- healthCheckPortIndex
- healthCheckPort
- healthCheckProtocol
- healthCheckTimeoutSeconds
- healthCheckIntervalSeconds
- healthCheckGracePeriodSeconds
- healthCheckMaxConsecutiveFailures
- healthCheckFalls is set to healthCheckMaxConsecutiveFailures + 1
- healthCheckPortOptions is set to
port {healthCheckPort}
Defaults to empty string.
Example:
timeout check {healthCheckTimeoutSeconds}s
Default template for HAPROXY_BACKEND_TCP_HEALTHCHECK_OPTIONS:
Example Marathon label to override HAPROXY_BACKEND_TCP_HEALTHCHECK_OPTIONS for port 0 of an app:
"HAPROXY_0_BACKEND_TCP_HEALTHCHECK_OPTIONS": ""
HAPROXY_FRONTEND_BACKEND_GLUE
Overridable per app
Specified as HAPROXY_FRONTEND_BACKEND_GLUE template or with label HAPROXY_{n}_FRONTEND_BACKEND_GLUE.
This option glues the backend to the frontend.
Default template for HAPROXY_FRONTEND_BACKEND_GLUE:
use_backend {backend}
Example Marathon label to override HAPROXY_FRONTEND_BACKEND_GLUE for port 0 of an app:
"HAPROXY_0_FRONTEND_BACKEND_GLUE": " use_backend {backend}\n"
HAPROXY_FRONTEND_HEAD
Overridable per app
Specified as HAPROXY_FRONTEND_HEAD template or with label HAPROXY_{n}_FRONTEND_HEAD.
Defines the address and port to bind to for this frontend.
Default template for HAPROXY_FRONTEND_HEAD:
frontend {backend}
bind {bindAddr}:{servicePort}{sslCert}{bindOptions}
mode {mode}
Example Marathon label to override HAPROXY_FRONTEND_HEAD for port 0 of an app:
"HAPROXY_0_FRONTEND_HEAD": "\nfrontend {backend}\n bind {bindAddr}:{servicePort}{sslCert}{bindOptions}\n mode {mode}\n"
HAPROXY_HEAD
Global
Specified as HAPROXY_HEAD template.
The head of the HAProxy config. This contains global settings and defaults.
Default template for HAPROXY_HEAD:
global
log /dev/log local0
log /dev/log local1 notice
spread-checks 5
max-spread-checks 15000
maxconn 50000
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
stats socket /var/run/haproxy/socket expose-fd listeners
server-state-file global
server-state-base /var/state/haproxy/
lua-load /marathon-lb/getpids.lua
lua-load /marathon-lb/getconfig.lua
lua-load /marathon-lb/getmaps.lua
lua-load /marathon-lb/signalmlb.lua
defaults
load-server-state-from-file global
log global
retries 3
backlog 10000
maxconn 10000
timeout connect 3s
timeout client 30s
timeout server 30s
timeout tunnel 3600s
timeout http-keep-alive 1s
timeout http-request 15s
timeout queue 30s
timeout tarpit 60s
option dontlognull
option http-server-close
option redispatch
listen stats
bind 0.0.0.0:9090
balance
mode http
stats enable
http-request use-service prometheus-exporter if { path /metrics }
monitor-uri /_haproxy_health_check
acl getpid path /_haproxy_getpids
http-request use-service lua.getpids if getpid
acl getvhostmap path /_haproxy_getvhostmap
http-request use-service lua.getvhostmap if getvhostmap
acl getappmap path /_haproxy_getappmap
http-request use-service lua.getappmap if getappmap
acl getconfig path /_haproxy_getconfig
http-request use-service lua.getconfig if getconfig
acl signalmlbhup path /_mlb_signal/hup
http-request use-service lua.signalmlbhup if signalmlbhup
acl signalmlbusr1 path /_mlb_signal/usr1
http-request use-service lua.signalmlbusr1 if signalmlbusr1
HAPROXY_HTTPS_FRONTEND_ACL
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_ACL template or with label HAPROXY_{n}_HTTPS_FRONTEND_ACL.
The ACL that performs the SNI based hostname matching
for the HAPROXY_HTTPS_FRONTEND_HEAD template.
Default template for HAPROXY_HTTPS_FRONTEND_ACL:
use_backend {backend} if {{ ssl_fc_sni {hostname} }}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_ACL for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_ACL": " use_backend {backend} if {{ ssl_fc_sni {hostname} }}\n"
HAPROXY_HTTPS_FRONTEND_ACL_ONLY_WITH_PATH
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_ACL_ONLY_WITH_PATH template or with label HAPROXY_{n}_HTTPS_FRONTEND_ACL_ONLY_WITH_PATH.
Same as HTTP_FRONTEND_ACL_ONLY_WITH_PATH, but for HTTPS.
Default template for HAPROXY_HTTPS_FRONTEND_ACL_ONLY_WITH_PATH:
acl path_{backend} path_beg {path}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_ACL_ONLY_WITH_PATH for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_ACL_ONLY_WITH_PATH": " acl path_{backend} path_beg {path}\n"
HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH template or with label HAPROXY_{n}_HTTPS_FRONTEND_ACL_WITH_AUTH.
The ACL that glues a backend to the corresponding virtual host
of the HAPROXY_HTTPS_FRONTEND_HEAD thru HTTP basic auth.
Default template for HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH:
acl auth_{cleanedUpHostname} http_auth(user_{backend})
http-request auth realm "{realm}" if {{ ssl_fc_sni {hostname} }} !auth_{cleanedUpHostname}
use_backend {backend} if {{ ssl_fc_sni {hostname} }}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_ACL_WITH_AUTH": " acl auth_{cleanedUpHostname} http_auth(user_{backend})\n http-request auth realm \"{realm} \" if {{ ssl_fc_sni {hostname} }} !auth_{cleanedUpHostname}\n use_backend {backend} if {{ ssl_fc_sni {hostname} }}\n"
HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH_AND_PATH
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH_AND_PATH template or with label HAPROXY_{n}_HTTPS_FRONTEND_ACL_WITH_AUTH_AND_PATH.
The ACL that glues a backend to the corresponding virtual host with path
of the HAPROXY_HTTPS_FRONTEND_HEAD thru HTTP basic auth.
Default template for HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH_AND_PATH:
acl auth_{cleanedUpHostname} http_auth(user_{backend})
http-request auth realm "{realm}" if {{ ssl_fc_sni {hostname} }} path_{backend} !auth_{cleanedUpHostname}
use_backend {backend} if {{ ssl_fc_sni {hostname} }} path_{backend}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_ACL_WITH_AUTH_AND_PATH for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_ACL_WITH_AUTH_AND_PATH": " acl auth_{cleanedUpHostname} http_auth(user_{backend})\n http-request auth realm \"{realm} \" if {{ ssl_fc_sni {hostname} }} path_{backend} !auth_{cleanedUpHostname}\n use_backend {backend} if {{ ssl_fc_sni {hostname} }} path_{backend}\n"
HAPROXY_HTTPS_FRONTEND_ACL_WITH_PATH
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_ACL_WITH_PATH template or with label HAPROXY_{n}_HTTPS_FRONTEND_ACL_WITH_PATH.
The ACL that performs the SNI based hostname matching with path
for the HAPROXY_HTTPS_FRONTEND_HEAD template.
Default template for HAPROXY_HTTPS_FRONTEND_ACL_WITH_PATH:
use_backend {backend} if {{ ssl_fc_sni {hostname} }} path_{backend}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_ACL_WITH_PATH for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_ACL_WITH_PATH": " use_backend {backend} if {{ ssl_fc_sni {hostname} }} path_{backend}\n"
HAPROXY_HTTPS_FRONTEND_AUTH_ACL_ONLY
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_AUTH_ACL_ONLY template or with label HAPROXY_{n}_HTTPS_FRONTEND_AUTH_ACL_ONLY.
The http auth ACL to the corresponding virtual host.
Default template for HAPROXY_HTTPS_FRONTEND_AUTH_ACL_ONLY:
acl auth_{cleanedUpHostname} http_auth(user_{backend})
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_AUTH_ACL_ONLY for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_AUTH_ACL_ONLY": " acl auth_{cleanedUpHostname} http_auth(user_{backend})\n"
HAPROXY_HTTPS_FRONTEND_AUTH_REQUEST_ONLY
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_AUTH_REQUEST_ONLY template or with label HAPROXY_{n}_HTTPS_FRONTEND_AUTH_REQUEST_ONLY.
The http auth request to the corresponding virtual host.
Default template for HAPROXY_HTTPS_FRONTEND_AUTH_REQUEST_ONLY:
http-request auth realm "{realm}" if {{ ssl_fc_sni {hostname} }} !auth_{cleanedUpHostname}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_AUTH_REQUEST_ONLY for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_AUTH_REQUEST_ONLY": " http-request auth realm \"{realm} \" if {{ ssl_fc_sni {hostname} }} !auth_{cleanedUpHostname}\n"
HAPROXY_HTTPS_FRONTEND_HEAD
Global
Specified as HAPROXY_HTTPS_FRONTEND_HEAD template.
An HTTPS frontend for encrypted connections that binds to port *:443 by
default and gathers all virtual hosts as defined by the
HAPROXY_{n}_VHOST label. You must modify this file to
include your certificate.
Default template for HAPROXY_HTTPS_FRONTEND_HEAD:
frontend marathon_https_in
bind *:443 ssl {sslCerts}
mode http
HAPROXY_HTTPS_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH
Overridable per app
Specified as HAPROXY_HTTPS_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH template or with label HAPROXY_{n}_HTTPS_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH.
This is the counterpart to HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH which
glues the acl names to the appropriate backend
Default template for HAPROXY_HTTPS_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH:
http-request auth realm "{realm}" if host_{cleanedUpHostname} path_{backend} !auth_{cleanedUpHostname}
use_backend {backend} if host_{cleanedUpHostname} path_{backend}
Example Marathon label to override HAPROXY_HTTPS_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH for port 0 of an app:
"HAPROXY_0_HTTPS_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH": " http-request auth realm \"{realm} \" if host_{cleanedUpHostname} path_{backend} !auth_{cleanedUpHostname}\n use_backend {backend} if host_{cleanedUpHostname} path_{backend}\n"
HAPROXY_HTTPS_GROUPED_FRONTEND_HEAD
Global
Specified as HAPROXY_HTTPS_GROUPED_FRONTEND_HEAD template.
An HTTPS frontend for encrypted connections that binds to port *:443 by
default and gathers all virtual hosts as defined by the
HAPROXY_{n}_VHOST label. Useful for adding client certificated per domain.
Works only with an enabled group-https-by-vhost flag.
Default template for HAPROXY_HTTPS_GROUPED_FRONTEND_HEAD:
frontend marathon_https_in
bind *:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
HAPROXY_HTTPS_GROUPED_VHOST_BACKEND_HEAD
Global
Specified as HAPROXY_HTTPS_GROUPED_VHOST_BACKEND_HEAD template.
An HTTPS backend for vhost. Works only with an enabled group-https-by-vhost flag.
Default template for HAPROXY_HTTPS_GROUPED_VHOST_BACKEND_HEAD:
backend {name}
server loopback-for-tls abns@{name} send-proxy-v2
HAPROXY_HTTPS_GROUPED_VHOST_FRONTEND_ACL
Global
Specified as HAPROXY_HTTPS_GROUPED_VHOST_FRONTEND_ACL template.
A route rule https entrypoint. Works only with an enabled group-https-by-vhost flag.
Default template for HAPROXY_HTTPS_GROUPED_VHOST_FRONTEND_ACL:
use_backend {backend} if {{ req_ssl_sni -i {host} }}
HAPROXY_HTTPS_GROUPED_VHOST_FRONTEND_HEAD
Global
Specified as HAPROXY_HTTPS_GROUPED_VHOST_FRONTEND_HEAD template.
An HTTPS frontend for vhost. Works only with an enabled group-https-by-vhost flag.
Default template for HAPROXY_HTTPS_GROUPED_VHOST_FRONTEND_HEAD:
frontend {name}
mode http
bind abns@{name} accept-proxy ssl {sslCerts}{bindOpts}
HAPROXY_HTTP_BACKEND_ACL_ALLOW_DENY
Global
Specified as HAPROXY_HTTP_BACKEND_ACL_ALLOW_DENY template.
This option denies all IPs (or IP ranges) not explicitly allowed to access the HTTP backend.
Use with HAPROXY_HTTP_BACKEND_NETWORK_ALLOWED_ACL.
Default template for HAPROXY_HTTP_BACKEND_ACL_ALLOW_DENY:
http-request allow if network_allowed
http-request deny
HAPROXY_HTTP_BACKEND_NETWORK_ALLOWED_ACL
Overridable per app
Specified as HAPROXY_HTTP_BACKEND_NETWORK_ALLOWED_ACL template or with label HAPROXY_{n}_HTTP_BACKEND_NETWORK_ALLOWED_ACL.
This option set the IPs (or IP ranges) having access to the HTTP backend.
Default template for HAPROXY_HTTP_BACKEND_NETWORK_ALLOWED_ACL:
acl network_allowed src {network_allowed}
Example Marathon label to override HAPROXY_HTTP_BACKEND_NETWORK_ALLOWED_ACL for port 0 of an app:
"HAPROXY_0_HTTP_BACKEND_NETWORK_ALLOWED_ACL": " acl network_allowed src {network_allowed}\n"
HAPROXY_HTTP_BACKEND_PROXYPASS_GLUE
Overridable per app
Specified as HAPROXY_HTTP_BACKEND_PROXYPASS_GLUE template or with label HAPROXY_{n}_HTTP_BACKEND_PROXYPASS_GLUE.
Backend glue for HAPROXY_{n}_HTTP_BACKEND_PROXYPASS_PATH.
Default template for HAPROXY_HTTP_BACKEND_PROXYPASS_GLUE:
http-request set-header Host {hostname}
reqirep "^([^ :]*)\ {proxypath}/?(.*)" "\1\ /\2"
Example Marathon label to override HAPROXY_HTTP_BACKEND_PROXYPASS_GLUE for port 0 of an app:
"HAPROXY_0_HTTP_BACKEND_PROXYPASS_GLUE": " http-request set-header Host {hostname}\n reqirep \"^([^ :]*)\\ {proxypath}/?(.*) \" \"\\1\\ /\\2 \"\n"
HAPROXY_HTTP_BACKEND_REDIR
Overridable per app
Specified as HAPROXY_HTTP_BACKEND_REDIR template or with label HAPROXY_{n}_HTTP_BACKEND_REDIR.
Set the path to redirect the root of the domain to Ex: HAPROXY_0_HTTP_BACKEND_REDIR = '/my/content'
Default template for HAPROXY_HTTP_BACKEND_REDIR:
acl is_root path -i /
acl is_domain hdr(host) -i {hostname}
redirect code 301 location {redirpath} if is_domain is_root
Example Marathon label to override HAPROXY_HTTP_BACKEND_REDIR for port 0 of an app:
"HAPROXY_0_HTTP_BACKEND_REDIR": " acl is_root path -i /\n acl is_domain hdr(host) -i {hostname}\n redirect code 301 location {redirpath} if is_domain is_root\n"
HAPROXY_HTTP_BACKEND_REVPROXY_GLUE
Overridable per app
Specified as HAPROXY_HTTP_BACKEND_REVPROXY_GLUE template or with label HAPROXY_{n}_HTTP_BACKEND_REVPROXY_GLUE.
Backend glue for HAPROXY_{n}_HTTP_BACKEND_REVPROXY_PATH.
Default template for HAPROXY_HTTP_BACKEND_REVPROXY_GLUE:
acl hdr_location res.hdr(Location) -m found
rspirep "^Location: (https?://{hostname}(:[0-9]+)?)?(/.*)" "Location: {rootpath}" if hdr_location
Example Marathon label to override HAPROXY_HTTP_BACKEND_REVPROXY_GLUE for port 0 of an app:
"HAPROXY_0_HTTP_BACKEND_REVPROXY_GLUE": " acl hdr_location res.hdr(Location) -m found\n rspirep \"^Location: (https?://{hostname}(:[0-9]+)?)?(/.*) \" \"Location: {rootpath} \" if hdr_location\n"
HAPROXY_HTTP_FRONTEND_ACL
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL.
The ACL that glues a backend to the corresponding virtual host
of the HAPROXY_HTTP_FRONTEND_HEAD
Default template for HAPROXY_HTTP_FRONTEND_ACL:
acl host_{cleanedUpHostname} hdr(host) -i {hostname}
use_backend {backend} if host_{cleanedUpHostname}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL": " acl host_{cleanedUpHostname} hdr(host) -i {hostname}\n use_backend {backend} if host_{cleanedUpHostname}\n"
HAPROXY_HTTP_FRONTEND_ACL_ONLY
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL_ONLY template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL_ONLY.
Define the ACL matching a particular hostname, but unlike
HAPROXY_HTTP_FRONTEND_ACL, only do the ACL portion. Does not glue
the ACL to the backend. This is useful only in the case of multiple
vhosts routing to the same backend.
Default template for HAPROXY_HTTP_FRONTEND_ACL_ONLY:
acl host_{cleanedUpHostname} hdr(host) -i {hostname}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL_ONLY for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL_ONLY": " acl host_{cleanedUpHostname} hdr(host) -i {hostname}\n"
HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL_ONLY_WITH_PATH.
Define the ACL matching a particular hostname with path, but unlike
HAPROXY_HTTP_FRONTEND_ACL_WITH_PATH, only do the ACL portion. Does not glue
the ACL to the backend. This is useful only in the case of multiple
vhosts routing to the same backend
Default template for HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH:
acl path_{backend} path_beg {path}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL_ONLY_WITH_PATH": " acl path_{backend} path_beg {path}\n"
HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH_AND_AUTH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH_AND_AUTH template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL_ONLY_WITH_PATH_AND_AUTH.
Define the ACL matching a particular hostname with path and auth, but unlike
HAPROXY_HTTP_FRONTEND_ACL_WITH_PATH, only do the ACL portion. Does not glue
the ACL to the backend. This is useful only in the case of multiple
vhosts routing to the same backend
Default template for HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH_AND_AUTH:
acl path_{backend} path_beg {path}
acl auth_{cleanedUpHostname} http_auth(user_{backend})
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH_AND_AUTH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL_ONLY_WITH_PATH_AND_AUTH": " acl path_{backend} path_beg {path}\n acl auth_{cleanedUpHostname} http_auth(user_{backend})\n"
HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL_WITH_AUTH.
The ACL that glues a backend to the corresponding virtual host
of the HAPROXY_HTTP_FRONTEND_HEAD thru HTTP basic auth.
Default template for HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH:
acl host_{cleanedUpHostname} hdr(host) -i {hostname}
acl auth_{cleanedUpHostname} http_auth(user_{backend})
http-request auth realm "{realm}" if host_{cleanedUpHostname} !auth_{cleanedUpHostname}
use_backend {backend} if host_{cleanedUpHostname}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL_WITH_AUTH": " acl host_{cleanedUpHostname} hdr(host) -i {hostname}\n acl auth_{cleanedUpHostname} http_auth(user_{backend})\n http-request auth realm \"{realm} \" if host_{cleanedUpHostname} !auth_{cleanedUpHostname}\n use_backend {backend} if host_{cleanedUpHostname}\n"
HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH_AND_PATH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH_AND_PATH template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL_WITH_AUTH_AND_PATH.
The ACL that glues a backend to the corresponding virtual host with path
of the HAPROXY_HTTP_FRONTEND_HEAD thru HTTP basic auth.
Default template for HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH_AND_PATH:
acl host_{cleanedUpHostname} hdr(host) -i {hostname}
acl auth_{cleanedUpHostname} http_auth(user_{backend})
acl path_{backend} path_beg {path}
http-request auth realm "{realm}" if host_{cleanedUpHostname} path_{backend} !auth_{cleanedUpHostname}
use_backend {backend} if host_{cleanedUpHostname} path_{backend}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL_WITH_AUTH_AND_PATH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL_WITH_AUTH_AND_PATH": " acl host_{cleanedUpHostname} hdr(host) -i {hostname}\n acl auth_{cleanedUpHostname} http_auth(user_{backend})\n acl path_{backend} path_beg {path}\n http-request auth realm \"{realm} \" if host_{cleanedUpHostname} path_{backend} !auth_{cleanedUpHostname}\n use_backend {backend} if host_{cleanedUpHostname} path_{backend}\n"
HAPROXY_HTTP_FRONTEND_ACL_WITH_PATH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ACL_WITH_PATH template or with label HAPROXY_{n}_HTTP_FRONTEND_ACL_WITH_PATH.
The ACL that glues a backend to the corresponding virtual host with path
of the HAPROXY_HTTP_FRONTEND_HEAD.
Default template for HAPROXY_HTTP_FRONTEND_ACL_WITH_PATH:
acl host_{cleanedUpHostname} hdr(host) -i {hostname}
acl path_{backend} path_beg {path}
use_backend {backend} if host_{cleanedUpHostname} path_{backend}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ACL_WITH_PATH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ACL_WITH_PATH": " acl host_{cleanedUpHostname} hdr(host) -i {hostname}\n acl path_{backend} path_beg {path}\n use_backend {backend} if host_{cleanedUpHostname} path_{backend}\n"
HAPROXY_HTTP_FRONTEND_APPID_ACL
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_APPID_ACL template or with label HAPROXY_{n}_HTTP_FRONTEND_APPID_ACL.
The ACL that glues a backend to the corresponding app
of the HAPROXY_HTTP_FRONTEND_APPID_HEAD.
Default template for HAPROXY_HTTP_FRONTEND_APPID_ACL:
acl app_{cleanedUpAppId} hdr(x-marathon-app-id) -i {appId}
use_backend {backend} if app_{cleanedUpAppId}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_APPID_ACL for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_APPID_ACL": " acl app_{cleanedUpAppId} hdr(x-marathon-app-id) -i {appId}\n use_backend {backend} if app_{cleanedUpAppId}\n"
HAPROXY_HTTP_FRONTEND_APPID_HEAD
Global
Specified as HAPROXY_HTTP_FRONTEND_APPID_HEAD template.
An HTTP frontend that binds to port *:9091 by default and gathers
all apps in HTTP mode.
To use this frontend to forward to your app, configure the app with
HAPROXY_0_MODE=http then you can access it via a call to the :9091
with the header "X-Marathon-App-Id" set to the Marathon AppId.
Note multiple HTTP ports being exposed by the same marathon app are not
supported. Only the first HTTP port is available via this frontend.
Default template for HAPROXY_HTTP_FRONTEND_APPID_HEAD:
frontend marathon_http_appid_in
bind *:9091
mode http
HAPROXY_HTTP_FRONTEND_HEAD
Global
Specified as HAPROXY_HTTP_FRONTEND_HEAD template.
An HTTP frontend that binds to port *:80 by default and gathers
all virtual hosts as defined by the HAPROXY_{n}_VHOST label.
Default template for HAPROXY_HTTP_FRONTEND_HEAD:
frontend marathon_http_in
bind *:80
mode http
HAPROXY_HTTP_FRONTEND_ROUTING_ONLY
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ROUTING_ONLY template or with label HAPROXY_{n}_HTTP_FRONTEND_ROUTING_ONLY.
This is the counterpart to HAPROXY_HTTP_FRONTEND_ACL_ONLY which
glues the acl name to the appropriate backend.
Default template for HAPROXY_HTTP_FRONTEND_ROUTING_ONLY:
use_backend {backend} if host_{cleanedUpHostname}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ROUTING_ONLY for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ROUTING_ONLY": " use_backend {backend} if host_{cleanedUpHostname}\n"
HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_AUTH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_AUTH template or with label HAPROXY_{n}_HTTP_FRONTEND_ROUTING_ONLY_WITH_AUTH.
This is the counterpart to HAPROXY_HTTP_FRONTEND_ACL_ONLY which
glues the acl name to the appropriate backend, and add http basic auth.
Default template for HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_AUTH:
acl auth_{cleanedUpHostname} http_auth(user_{backend})
http-request auth realm "{realm}" if host_{cleanedUpHostname} !auth_{cleanedUpHostname}
use_backend {backend} if host_{cleanedUpHostname}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_AUTH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ROUTING_ONLY_WITH_AUTH": " acl auth_{cleanedUpHostname} http_auth(user_{backend})\n http-request auth realm \"{realm} \" if host_{cleanedUpHostname} !auth_{cleanedUpHostname}\n use_backend {backend} if host_{cleanedUpHostname}\n"
HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH template or with label HAPROXY_{n}_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH.
This is the counterpart to HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH which
glues the acl names to the appropriate backend
Default template for HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH:
use_backend {backend} if host_{cleanedUpHostname} path_{backend}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH": " use_backend {backend} if host_{cleanedUpHostname} path_{backend}\n"
HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH
Overridable per app
Specified as HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH template or with label HAPROXY_{n}_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH.
This is the counterpart to HAPROXY_HTTP_FRONTEND_ACL_ONLY_WITH_PATH which
glues the acl names to the appropriate backend
Default template for HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH:
http-request auth realm "{realm}" if host_{cleanedUpHostname} path_{backend} !auth_{cleanedUpHostname}
use_backend {backend} if host_{cleanedUpHostname} path_{backend}
Example Marathon label to override HAPROXY_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH for port 0 of an app:
"HAPROXY_0_HTTP_FRONTEND_ROUTING_ONLY_WITH_PATH_AND_AUTH": " http-request auth realm \"{realm} \" if host_{cleanedUpHostname} path_{backend} !auth_{cleanedUpHostname}\n use_backend {backend} if host_{cleanedUpHostname} path_{backend}\n"
HAPROXY_MAP_HTTPS_FRONTEND_ACL
Overridable per app
Specified as HAPROXY_MAP_HTTPS_FRONTEND_ACL template or with label HAPROXY_{n}_MAP_HTTPS_FRONTEND_ACL.
The ACL that performs the SNI based hostname matching
for the HAPROXY_HTTPS_FRONTEND_HEAD template using haproxy maps
Default template for HAPROXY_MAP_HTTPS_FRONTEND_ACL:
use_backend %[ssl_fc_sni,lower,map({haproxy_dir}/domain2backend.map)]
Example Marathon label to override HAPROXY_MAP_HTTPS_FRONTEND_ACL for port 0 of an app:
"HAPROXY_0_MAP_HTTPS_FRONTEND_ACL": " use_backend %[ssl_fc_sni,lower,map({haproxy_dir}/domain2backend.map)]\n"
HAPROXY_MAP_HTTP_FRONTEND_ACL
Overridable per app
Specified as HAPROXY_MAP_HTTP_FRONTEND_ACL template or with label HAPROXY_{n}_MAP_HTTP_FRONTEND_ACL.
The ACL that glues a backend to the corresponding virtual host
of the HAPROXY_HTTP_FRONTEND_HEAD using haproxy maps.
Default template for HAPROXY_MAP_HTTP_FRONTEND_ACL:
use_backend %[req.hdr(host),lower,regsub(:.*$,,),map({haproxy_dir}/domain2backend.map)]
Example Marathon label to override HAPROXY_MAP_HTTP_FRONTEND_ACL for port 0 of an app:
"HAPROXY_0_MAP_HTTP_FRONTEND_ACL": " use_backend %[req.hdr(host),lower,regsub(:.*$,,),map({haproxy_dir}/domain2backend.map)]\n"
HAPROXY_MAP_HTTP_FRONTEND_ACL_ONLY
Overridable per app
Specified as HAPROXY_MAP_HTTP_FRONTEND_ACL_ONLY template or with label HAPROXY_{n}_MAP_HTTP_FRONTEND_ACL_ONLY.
Define the ACL matching a particular hostname, This is useful only in the case of multiple vhosts routing to the same backend in haproxy map.
Default template for HAPROXY_MAP_HTTP_FRONTEND_ACL_ONLY:
use_backend %[req.hdr(host),lower,regsub(:.*$,,),map({haproxy_dir}/domain2backend.map)]
Example Marathon label to override HAPROXY_MAP_HTTP_FRONTEND_ACL_ONLY for port 0 of an app:
"HAPROXY_0_MAP_HTTP_FRONTEND_ACL_ONLY": " use_backend %[req.hdr(host),lower,regsub(:.*$,,),map({haproxy_dir}/domain2backend.map)]\n"
HAPROXY_MAP_HTTP_FRONTEND_APPID_ACL
Overridable per app
Specified as HAPROXY_MAP_HTTP_FRONTEND_APPID_ACL template or with label HAPROXY_{n}_MAP_HTTP_FRONTEND_APPID_ACL.
The ACL that glues a backend to the corresponding app
of the HAPROXY_HTTP_FRONTEND_APPID_HEAD using haproxy maps.
Default template for HAPROXY_MAP_HTTP_FRONTEND_APPID_ACL:
use_backend %[req.hdr(x-marathon-app-id),lower,map({haproxy_dir}/app2backend.map)]
Example Marathon label to override HAPROXY_MAP_HTTP_FRONTEND_APPID_ACL for port 0 of an app:
"HAPROXY_0_MAP_HTTP_FRONTEND_APPID_ACL": " use_backend %[req.hdr(x-marathon-app-id),lower,map({haproxy_dir}/app2backend.map)]\n"
HAPROXY_TCP_BACKEND_ACL_ALLOW_DENY
Global
Specified as HAPROXY_TCP_BACKEND_ACL_ALLOW_DENY template.
This option denies all IPs (or IP ranges) not explicitly allowed to access the TCP backend. Use with HAPROXY_TCP_BACKEND_ACL_ALLOW_DENY.
Default template for HAPROXY_TCP_BACKEND_ACL_ALLOW_DENY:
tcp-request content accept if network_allowed
tcp-request content reject
HAPROXY_TCP_BACKEND_NETWORK_ALLOWED_ACL
Overridable per app
Specified as HAPROXY_TCP_BACKEND_NETWORK_ALLOWED_ACL template or with label HAPROXY_{n}_TCP_BACKEND_NETWORK_ALLOWED_ACL.
This option set the IPs (or IP ranges) having access to the TCP backend.
Default template for HAPROXY_TCP_BACKEND_NETWORK_ALLOWED_ACL:
acl network_allowed src {network_allowed}
Example Marathon label to override HAPROXY_TCP_BACKEND_NETWORK_ALLOWED_ACL for port 0 of an app:
"HAPROXY_0_TCP_BACKEND_NETWORK_ALLOWED_ACL": " acl network_allowed src {network_allowed}\n"
HAPROXY_USERLIST_HEAD
Overridable per app
Specified as HAPROXY_USERLIST_HEAD template or with label HAPROXY_{n}_USERLIST_HEAD.
The userlist for basic HTTP auth.
Default template for HAPROXY_USERLIST_HEAD:
userlist user_{backend}
user {user} password {passwd}
Example Marathon label to override HAPROXY_USERLIST_HEAD for port 0 of an app:
"HAPROXY_0_USERLIST_HEAD": "\nuserlist user_{backend}\n user {user} password {passwd}\n"
Other Labels
These labels may be used to configure other app settings.
HAPROXY_{n}_AUTH
per service port
Specified as HAPROXY_{n}_AUTH.
The http basic auth definition. For details on configuring auth, see: https://github.com/mesosphere/marathon-lb/wiki/HTTP-Basic-Auth
Ex: HAPROXY_0_AUTH = realm:username:encryptedpassword
HAPROXY_{n}_BACKEND_HEALTHCHECK_PORT_INDEX
per service port
Specified as HAPROXY_{n}_BACKEND_HEALTHCHECK_PORT_INDEX.
Set the index of the port dedicated for the healthchecks of the backends behind a given service port.
By default, the index will be the same as the one of the service port.
Ex: An app exposes two ports, one for the application, one for its healthchecks:
portMappings": [ { "containerPort": 9000, "hostPort": 0, "servicePort": 0, "protocol": "tcp" }, { "containerPort": 9001, "hostPort": 0, "servicePort": 0, "protocol": "tcp" } ]
HAPROXY_0_BACKEND_HEALTHCHECK_PORT_INDEX=1 will make it so that the port 9001 is used to perform the backend healthchecks.
HAPROXY_{n}_BACKEND_NETWORK_ALLOWED_ACL
per service port
Specified as HAPROXY_{n}_BACKEND_NETWORK_ALLOWED_ACL.
Set the IPs (or IP ranges) having access to the backend. By default every IP is allowed.
Ex: HAPROXY_0_BACKEND_NETWORK_ALLOWED_ACL = '10.1.40.0/24 10.1.55.43'
HAPROXY_{n}_BACKEND_WEIGHT
per service port
Specified as HAPROXY_{n}_BACKEND_WEIGHT.
Some ACLs may be affected by order. For example, if you're using VHost and path ACLs that are shared amongst backends, the ordering of the ACLs will matter. With HAPROXY_{n}_BACKEND_WEIGHT you can change the ordering by specifying a weight. Backends are sorted from largest to smallest weight.
By default, any backends which use HAPROXY_{n}_PATH will have a
weight of 1, if the default weight is used (which is 0).
Ex: HAPROXY_0_BACKEND_WEIGHT = 1
HAPROXY_{n}_BALANCE
per service port
Specified as HAPROXY_{n}_BALANCE.
Set the load balancing algorithm to be used in a backend. The default is roundrobin.
Ex: HAPROXY_0_BALANCE = 'leastconn'
HAPROXY_{n}_BIND_ADDR
per service port
Specified as HAPROXY_{n}_BIND_ADDR.
Bind to the specific address for the service.
Ex: HAPROXY_0_BIND_ADDR = '10.0.0.42'
HAPROXY_{n}_BIND_OPTIONS
per service port
Specified as HAPROXY_{n}_BIND_OPTIONS.
Set additional bind options
Ex: HAPROXY_0_BIND_OPTIONS = 'ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3 no-tlsv10'
HAPROXY_DEPLOYMENT_ALT_PORT
per app
Specified as HAPROXY_DEPLOYMENT_ALT_PORT.
Alternate service port to be used during a blue/green deployment.
HAPROXY_DEPLOYMENT_COLOUR
per app
Specified as HAPROXY_DEPLOYMENT_COLOUR.
Blue/green deployment colour. Used by the bluegreen_deploy.py script to determine the state of a deploy. You generally do not need to modify this unless you implement your own deployment orchestrator.
HAPROXY_DEPLOYMENT_GROUP
per app
Specified as HAPROXY_DEPLOYMENT_GROUP.
Deployment group to which this app belongs.
HAPROXY_DEPLOYMENT_STARTED_AT
per app
Specified as HAPROXY_DEPLOYMENT_STARTED_AT.
The time at which a deployment started. You generally do not need to modify this unless you implement your own deployment orchestrator.
HAPROXY_DEPLOYMENT_TARGET_INSTANCES
per app
Specified as HAPROXY_DEPLOYMENT_TARGET_INSTANCES.
The target number of app instances to seek during deployment. You generally do not need to modify this unless you implement your own deployment orchestrator.
HAPROXY_{n}_ENABLED
per service port
Specified as HAPROXY_{n}_ENABLED.
Enable this backend. By default, all backends are enabled. To disable
backends by default, specify the --strict-mode flag.
Ex: HAPROXY_0_ENABLED = true
HAPROXY_{n}_GROUP
per service port
Specified as HAPROXY_{n}_GROUP or HAPROXY_GROUP.
HAProxy group per service. This helps us have different HAProxy groups
per service port. This overrides HAPROXY_GROUP for the particular service.
If you have both external and internal services running on same set of
instances on different ports, you can use this feature to add them to
different haproxy configs.
Ex: HAPROXY_0_GROUP = 'external'
Ex: HAPROXY_1_GROUP = 'internal'
Now if you run marathon_lb with --group external, it just adds the
service on HAPROXY_0_PORT (or first service port incase HAPROXY_0_HOST
is not configured) to haproxy config and similarly if you run it with
--group internal, it adds service on HAPROXY_1_PORT to haproxy config.
If the configuration is a combination of HAPROXY_GROUP and
HAPROXY_{n}_GROUP, the more specific definition takes precedence.
Ex: HAPROXY_0_GROUP = 'external'
Ex: HAPROXY_GROUP = 'internal'
Considering the above example where the configuration is hybrid,
a service running on HAPROXY_0_PORT is associated with just 'external'
HAProxy group and not 'internal' group. And since there is no HAProxy
group mentioned for second service (HAPROXY_1_GROUP not defined)
it falls back to default HAPROXY_GROUP and gets associated with
'internal' group.
Load balancers with the group '*' will collect all groups.
HAPROXY_{n}_HTTP_BACKEND_PROXYPASS_PATH
per service port
Specified as HAPROXY_{n}_HTTP_BACKEND_PROXYPASS_PATH.
Set the location to use for mapping local server URLs to remote servers + URL.
Ex: HAPROXY_0_HTTP_BACKEND_PROXYPASS_PATH = '/path/to/redirect'
HAPROXY_{n}_HTTP_BACKEND_REVPROXY_PATH
per service port
Specified as HAPROXY_{n}_HTTP_BACKEND_REVPROXY_PATH.
Set the URL in HTTP response headers sent from a reverse proxied server. It only updates Location, Content-Location and URL.
Ex: HAPROXY_0_HTTP_BACKEND_REVPROXY_PATH = '/my/content'
HAPROXY_{n}_MODE
per service port
Specified as HAPROXY_{n}_MODE.
Set the connection mode to either TCP or HTTP. The default is TCP. Following exceptions apply:
- if
HAPROXY_{n}_VHOSTlabel was specified andHAPROXY_{n}_MODEwas not set, then the mode will be set tohttp - if there is a healtcheck configured for the given port, with protocol field set to one of 'HTTP', 'HTTPS', 'MESOS_HTTP',
'MESOS_HTTPS', the mode will be overriden to 'http', irrespective of the value of
HAPROXY_{n}_MODElabel.
Ex: HAPROXY_0_MODE = 'http'
HAPROXY_{n}_PATH
per service port
Specified as HAPROXY_{n}_PATH.
The HTTP path to match, starting at the beginning. To specify multiple paths,
pass a space separated list. The syntax matches that of the path_beg config
option in HAProxy. To use the path routing, you must also define a VHost.
If you have multiple backends which share VHosts or paths, you may need to
manually specify ordering of the backend ACLs with
HAPROXY_{n}_BACKEND_WEIGHT. In HAProxy, the use_backend directive is
evaluated in the order it appears in the configuration.
Ex: HAPROXY_0_PATH = '/v2/api/derp'
Ex: HAPROXY_0_PATH = '-i /multiple /paths'
HAPROXY_{n}_PORT
per service port
Specified as HAPROXY_{n}_PORT.
Bind to the specific port for the service. This overrides the servicePort which has to be unique.
Ex: HAPROXY_0_PORT = 80
HAPROXY_{n}_REDIRECT_TO_HTTPS
per service port
Specified as HAPROXY_{n}_REDIRECT_TO_HTTPS.
Redirect HTTP traffic to HTTPS. Requires at least a VHost be set.
Ex: HAPROXY_0_REDIRECT_TO_HTTPS = true
HAPROXY_{n}_SSL_CERT
per service port
Specified as HAPROXY_{n}_SSL_CERT.
Enable the given SSL certificate for TLS/SSL traffic.
Ex: HAPROXY_0_SSL_CERT = '/etc/ssl/cert.pem'
HAPROXY_{n}_STICKY
per service port
Specified as HAPROXY_{n}_STICKY.
Enable sticky request routing for the service.
Ex: HAPROXY_0_STICKY = true
HAPROXY_{n}_USE_HSTS
per service port
Specified as HAPROXY_{n}_USE_HSTS.
Enable the HSTS response header for HTTP clients which support it.
Ex: HAPROXY_0_USE_HSTS = true
HAPROXY_{n}_VHOST
per service port
Specified as HAPROXY_{n}_VHOST.
The Marathon HTTP Virtual Host proxy hostname(s) to gather.
If you have multiple backends which share VHosts or paths, you may need to
manually specify ordering of the backend ACLs with
HAPROXY_{n}_BACKEND_WEIGHT. In HAProxy, the use_backend directive is
evaluated in the order it appears in the configuration.
Ex: HAPROXY_0_VHOST = 'marathon.mesosphere.com'
Ex: HAPROXY_0_VHOST = 'marathon.mesosphere.com,marathon'