feythin · March 1, 2017 14:33 · Aug 21, 2014
diff --git a/haproxy.cfg b/haproxy.cfg
@@ -0,0 +1,655 @@
+# This is an example of the Stack Exchange Tier 1 HAProxy config
+# The only things that have been changed from what we are running are: 
+# 1. User names have been removed
+# 2. All Passwords have been remove
+# 3. IPs have been changed to use the example/documentation ranges
+# 4. Rate limit numbers have been changed to randome numbers, don't read into them
+
+userlist stats-auth
+        group admin users $admin_user
+        user $admin_user insecure-password $some_password
+        group readonly users $some_user
+        user $some_user insecure-password $some_other_password
+
+global
+        daemon
+        stats socket /var/run/haproxy-t1.stat level admin
+        maxconn 100000 
+        pidfile /var/run/haproxy-t1.pid
+        log 127.0.0.1 local0
+        log  192.0.2.17   local0
+	tune.bufsize 16384
+        tune.maxrewrite 1024
+        spread-checks 4
+	log-send-hostname ny-lb05
+
+
+defaults
+        errorfile 503 /etc/haproxy-shared/errors/503.http
+        errorfile 502 /etc/haproxy-shared/errors/502.http
+        mode    http
+        timeout connect 15s
+        timeout client 60s
+        timeout server 150s
+        timeout queue 60s
+        timeout http-request 15s
+        timeout http-keep-alive 15s
+	option httplog
+        option redispatch
+        option dontlognull
+        balance source
+
+backend be_api_1.1
+	mode http
+	balance roundrobin
+        reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
+        reqirep ^([^\ ]*)\ /1.1/(.*) \1\ /\2
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackoverflow.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_api
+	mode http
+	balance roundrobin
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackexchange.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_area51_stackexchange_com
+	mode http
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:area51.stackexchange.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_careers
+	mode http
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:careers.stackoverflow.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_internal_api
+	mode http
+	balance roundrobin
+        option http-server-close
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_meta_so
+	mode http
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:meta.stackoverflow.com
+
+	server ny-web10 203.0.113.110:80 check
+        server ny-web11 203.0.113.111:80 check
+
+
+backend be_mobile
+	mode http
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:mobile.stackexchange.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_openid
+	mode http
+	balance roundrobin
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:openid.stackexchange.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_others
+	mode http
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:serverfault.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_so
+	mode http
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_so_crawler
+	mode http
+	balance roundrobin
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_sstatic
+	mode http
+	balance roundrobin
+        acl HTTP_OK status 200:399
+        rspidel ^Cache-Control:.* unless HTTP_OK
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:sstatic.net
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+backend be_stackauth
+	mode http
+	balance roundrobin
+        reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+	tcp-request content  track-sc2 src
+	acl conn_rate_abuse  sc2_conn_rate gt 10
+	acl mark_as_abuser   sc1_inc_gpc0 gt 3
+	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
+
+	stats enable
+	acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN
+	stats uri /ilovestats
+	stats refresh 30s
+	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackauth.com
+
+	server ny-web01 203.0.113.101:80 check
+        server ny-web02 203.0.113.102:80 check
+        server ny-web03 203.0.113.103:80 check
+        server ny-web04 203.0.113.104:80 check
+        server ny-web05 203.0.113.105:80 check
+        server ny-web06 203.0.113.106:80 check
+        server ny-web07 203.0.113.107:80 check
+        server ny-web08 203.0.113.108:80 check
+        server ny-web09 203.0.113.109:80 check
+
+
+frontend fe_stackauth
+	bind 198.51.100.21:80 name stackauth
+	bind 198.51.100.145:80 name stackauth
+
+
+	log global
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+
+        capture request header Referer               len 64
+        capture request header User-Agent            len 128
+        capture request header Host                  len 64
+        capture request header X-Forwarded-For       len 64
+        capture request header Accept-Encoding       len 64
+        capture response header Content-Encoding     len 64
+        capture response header X-Page-View          len 1
+        capture response header X-Route-Name         len 64
+        capture response header X-Account-Id         len 7     
+        capture response header X-Sql-Count          len 4
+        capture response header X-Sql-Duration-Ms    len 7
+        capture response header X-AspNet-Duration-Ms len 7
+        capture response header X-Application-Id     len 5
+        capture response header X-Request-Guid       len 36
+        capture response header X-Redis-Count        len 4
+        capture response header X-Redis-Duration-Ms  len 7
+        capture response header X-Http-Count         len 4
+        capture response header X-Http-Duration-Ms   len 7
+        capture response header X-TE-Count           len 4
+        capture response header X-TE-Duration-Ms     len 7
+
+	rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):
+
+	maxconn 40000
+
+	option http-server-close
+	option forwardfor
+	option httplog
+
+
+        acl source_is_serious_abuse src_conn_rate(fe_stackauth) gt 20
+
+
+        acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+
+        acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
+        acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist
+
+        acl is_crawler src -f /etc/haproxy-shared/crawlers
+        acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
+
+        acl source_is_abuser src_get_gpc0(fe_stackauth) gt 0
+
+
+
+
+
+
+
+
+
+
+        tcp-request connection track-sc1 src if !source_is_abuser
+
+
+	default_backend be_stackauth
+frontend http-in
+	bind 198.51.100.16:80 name stackexchange
+	bind 198.51.100.17:80 name careers
+	bind 198.51.100.30:80 name careers.sstatic.net
+	bind 198.51.100.18:80 name openid
+	bind 198.51.100.24:80 name misc
+	bind 198.51.100.140:80 name stackexchange
+	bind 198.51.100.141:80 name careers
+	bind 198.51.100.154:80 name careers.sstatic.net
+	bind 198.51.100.142:80 name openid
+	bind 198.51.100.148:80 name misc
+
+
+	log global
+
+	stick-table type ip size 999k expire 1m store conn_rate(30s)
+
+        capture request header Referer               len 64
+        capture request header User-Agent            len 128
+        capture request header Host                  len 64
+        capture request header X-Forwarded-For       len 64
+        capture request header Accept-Encoding       len 64
+        capture response header Content-Encoding     len 64
+        capture response header X-Page-View          len 1
+        capture response header X-Route-Name         len 64
+        capture response header X-Account-Id         len 7     
+        capture response header X-Sql-Count          len 4
+        capture response header X-Sql-Duration-Ms    len 7
+        capture response header X-AspNet-Duration-Ms len 7
+        capture response header X-Application-Id     len 5
+        capture response header X-Request-Guid       len 36
+        capture response header X-Redis-Count        len 4
+        capture response header X-Redis-Duration-Ms  len 7
+        capture response header X-Http-Count         len 4
+        capture response header X-Http-Duration-Ms   len 7
+        capture response header X-TE-Count           len 4
+        capture response header X-TE-Duration-Ms     len 7
+
+	rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):
+
+	maxconn 40000
+
+	option http-server-close
+	option forwardfor
+	option httplog
+
+
+        acl source_is_serious_abuse src_conn_rate(http-in) gt 1000
+
+
+        acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
+
+        acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
+        acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist
+
+        acl is_crawler src -f /etc/haproxy-shared/crawlers
+        acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
+
+        acl source_is_abuser src_get_gpc0(http-in) gt 2
+
+	acl is_feeds path_beg /feeds/
+	acl is_internal_api path_beg /api/
+	acl is_careers hdr_beg(host) -i careers. jobs.
+	acl is_so hdr_end(host) -i stackoverflow.com
+	acl is_sstatic hdr_end(host) -i sstatic.net
+	acl is_stackauth hdr_end(host) -i stackauth.com
+	acl is_se hdr_end(host) -i stackexchange.com
+	acl is_area51 hdr(host) -i area51.stackexchange.com
+	acl is_mobile hdr(host) -i mobile.stackexchange.com
+	acl is_stackexchange_com hdr(host) -i stackexchange.com
+	acl is_meta_so hdr_end(host) -i meta.stackoverflow.com
+	acl is_dev_meta_webapps hdr_end(host) -i meta.dev.webapps.stackexchange.com
+	acl is_dev_fb hdr_end(host) -i fb.dev.stackoverflow.com
+	acl is_api_2 hdr(host) -i api.stackexchange.com
+	acl is_api hdr_sub(host) -i api
+	acl is_api_1.0 path_beg /1.0/
+	acl is_api_1.1 path_beg /1.1/
+	acl is_api_root path /
+	acl is_api_static path_beg -i /admin /content /crossdomain.xml /clientaccesspolicy.xml /robots.txt
+	acl is_dev hdr_beg(host) -i dev.
+	acl is_dev_discuss hdr_end(host) -i discuss.dev.area51.stackexchange.com
+	acl is_openid hdr_beg(host) -i openid.stackexchange.com
+	acl is_80 dst_port 80
+	acl is_ssl hdr_beg(X-SSL) -i yes
+	acl is_chat_yodeya hdr(host) -i chat.yodeya.com chat.miyodeya.com
+	acl is_bam_yodeya hdr(host) -i bam.yodeya.com bam.miyodeya.com
+	acl is_launchparty_yodeya hdr(host) -i launchparty.yodeya.com launchparty.miyodeya.com
+	acl is_me_yodeya hdr(host) -i me.yodeya.com me.miyodeya.com
+	acl is_kindle hdr_sub(user-agent) Silk-Accelerated
+	acl is_akamai hdr(host) -i sstatic-a.akamaihd.net
+
+
+
+
+	redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_chat_yodeya
+	redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_bam_yodeya
+	redirect prefix http://meta.judaism.stackexchange.com/questions/1134 code 301 if is_launchparty_yodeya
+	redirect prefix http://judaism.stackexchange.com code 301 if is_me_yodeya
+	redirect prefix https://openid.stackexchange.com code 301 if is_80 is_openid !is_ssl
+
+
+
+
+        tcp-request connection track-sc1 src if !source_is_abuser
+
+	use_backend be_internal_api if is_internal_api !is_careers
+	use_backend be_api_1.1 if is_api is_api_1.0
+	use_backend be_api_1.1 if is_api is_api_1.1
+	use_backend be_api if is_api_2
+	use_backend be_api_1.1 if is_api is_api_static
+	use_backend be_api_1.1 if is_api is_api_root
+	use_backend be_bad_api if is_api
+	use_backend be_sstatic if is_sstatic
+	use_backend be_sstatic if is_akamai
+	use_backend be_mobile if is_mobile
+	use_backend be_area51_stackexchange_com if is_area51
+	use_backend be_area51_stackexchange_com if is_stackexchange_com
+	use_backend be_meta_so if is_meta_so
+	use_backend be_careers if is_careers
+	use_backend be_so_crawler if is_so is_crawler
+	use_backend be_so_crawler if is_so is_crawler_ua
+	use_backend be_so if is_so
+	use_backend be_stackauth if is_stackauth
+	use_backend be_openid if is_openid
+
+	default_backend be_others
+backend be_api_only
+	mode http
+	errorfile 503 /etc/haproxy-shared/errors/503apionly.http
+
+backend be_bad_api
+	mode http
+	errorfile 403 /etc/haproxy-shared/errors/403.http
+
+backend be_go-away
+	mode http
+	errorfile 503 /etc/haproxy-shared/errors/503rate.http
+
+backend be_no_ssl
+	mode http
+	errorfile 503 /etc/haproxy-shared/errors/503nossl.http
+
+listen t1_internal_stats
+	bind 203.0.113.15:7001
+
+
+
+	mode http
+	balance roundrobin
+
+
+
+
+
+        stats enable
+        stats uri /ilovestats
+        acl AUTH http_auth(stats-auth)
+        acl AUTH_ADMIN http_auth_group(stats-auth) admin
+        stats http-request auth unless AUTH
+        stats admin if AUTH_ADMIN