haproxytechblog · June 13, 2019 20:41 · Jun 13, 2019
diff --git a/haproxy-config-2-0.cfg b/haproxy-config-2-0.cfg
@@ -0,0 +1,166 @@
+#
+# This is the ultimate HAProxy 2.0 "Getting Started" config
+# It demonstrates many of the features available which are now available 
+# While you may not need all of these things, this can serve
+# as a reference for your own configurations.
+#
+# Have questions?  Check out our community Slack:
+# https://slack.haproxy.org/
+#
+
+global
+    # master-worker required for `program` section
+    # enable here or start with -Ws
+    master-worker
+    mworker-max-reloads 3
+    # enable core dumps
+    set-dumpable
+    user haproxy
+    group haproxy
+    log stdout local0
+    stats socket 127.0.0.1:9999 level admin expose-fd listeners
+    tune.ssl.default-dh-param 2048
+    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+    ssl-default-bind-options no-sslv3 no-tls-tickets
+    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+    ssl-default-server-options no-sslv3 no-tls-tickets
+
+defaults
+    mode http
+    log global
+    timeout client 5s
+    timeout server 5s
+    timeout connect 5s
+    option redispatch
+    option httplog
+
+program dataplane-api
+    command /usr/sbin/haproxy-dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /etc/haproxy/haproxy.cfg --reload-cmd "systemctl reload haproxy" --reload-delay 5 --userlist api
+
+program spoa-mirror
+    command /usr/sbin/spoa-mirror -r0 -u"http://192.168.1.7/"
+
+peers mypeers
+    bind :10001 ssl crt /etc/haproxy/certs/www.example.com.pem 
+    default-server ssl verify none
+    server PC #local peer.  name must match local server name
+    table src_tracking type string size 10m store http_req_rate(10s),http_req_cnt 
+
+resolvers dns
+    parse-resolv-conf
+    resolve_retries       3
+    timeout resolve       1s
+    timeout retry         1s
+    hold other           30s
+    hold refused         30s
+    hold nx              30s
+    hold timeout         30s
+    hold valid           10s
+    hold obsolete        30s
+
+userlist api 
+  user admin password $5$aVnIFECJ$2QYP64eTTXZ1grSjwwdoQxK/AP8kcOflEO1Q5fc.5aA
+
+frontend stats
+    bind *:8404
+    # Enable Prometheus Exporter
+    http-request use-service prometheus-exporter if { path /metrics }
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+
+frontend fe_main
+    bind :80 
+    bind :443 tfo ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1
+
+    # Enable log sampling
+    # One out of 10 requests would be logged to this source
+    log 127.0.0.1:10001 sample 1:10 local0
+    # For every 11 requests, log requests 2, 3, and 8-11
+    log 127.0.0.1:10002 sample 2-3,8-11:11 local0
+
+    # Log profiling data
+    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
+
+    # gRPC path matching
+    acl is_grpc_codename path /CodenameCreator/KeepGettingCodenames 
+    # Dynamic 'do-resolve' trusted hosts
+    acl dynamic_hosts req.hdr(Host) api.local admin.local haproxy.com
+
+    # Activate Traffic Mirror
+    filter spoe engine traffic-mirror config mirror.cfg
+
+    # Redirect if not SSL
+    http-request redirect scheme https unless { ssl_fc }
+
+    # Enable src tracking
+    http-request track-sc0 src table mypeers/src_tracking
+
+    # Enable rate limiting
+    # Return 429 Too Many Requests if client averages more than
+    # 10 requests in 10 seconds.
+    # (duration defined in stick table in peers section)
+    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10  }
+
+    # Enable local resolving of Host if within dynamic_hosts ACL
+    # Allows connecting to dynamic IP address specified in Host header
+    # Useful for DNS split view or split horizon
+    http-request do-resolve(txn.dstip,dns) hdr(Host),lower if dynamic_hosts
+    http-request capture var(txn.dstip) len 40 if dynamic_hosts
+
+    # return 503 when dynamic_hosts matches but the variable 
+    # txn.dstip is not set which mean DNS resolution error
+    # otherwise route to be_dynamic
+    use_backend be_503 if dynamic_hosts !{ var(txn.dstip) -m found }
+    use_backend be_dynamic if dynamic_hosts
+
+    # route to gRPC path
+    use_backend be_grpc if is_grpc_codename 
+
+    default_backend be_main
+
+backend be_main
+    default-server ssl verify none alpn h2 check maxconn 50
+    # Enable Power of Two Random Choices Algorithm
+    balance random(2)
+    # Enable Layer 7 retries
+    retry-on all-retryable-errors
+    retries 3 
+
+    # retrying POST requests can be dangerous
+    # make sure you understand the implications before removing
+    http-request disable-l7-retry if METH_POST
+
+    server server1 192.168.1.13:443 tfo
+    server server2 192.168.1.14:443 tfo
+    server server3 192.168.1.15:443 tfo
+    server server4 192.168.1.16:443 tfo
+    server server5 192.168.1.17:443 tfo
+
+backend be_grpc
+    default-server ssl verify none alpn h2 check maxconn 50
+    server grpc1 10.1.0.11:3000 
+    server grpc2 10.1.0.12:3000 
+
+backend be_dynamic
+    default-server ssl verify none check maxconn 50
+
+    # rule to prevent HAProxy from reconnecting to services
+    # on the local network (forged DNS name used to scan the network)
+    http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 }
+    http-request set-dst var(txn.dstip)
+    server dynamic 0.0.0.0:0
+
+backend spoe-traffic-mirror
+    mode tcp
+    balance roundrobin
+    timeout connect 5s
+    timeout server 1m
+    server spoa1 127.0.0.1:12345
+    server spoa2 10.1.0.20:12345
+
+backend be_503
+    # dummy backend used to return 503.
+    # You can use the 'errorfile' directive to send a nice
+    # 503 error page to end users.
+    errorfile 503 /etc/haproxy/errorfiles/503sorry.http