forked from sous-chefs/haproxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy_example_2.cfg
79 lines (76 loc) · 3.13 KB
/
haproxy_example_2.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
global
log /dev/log local0 info
chroot /var/lib/haproxy
maxconn 4096
stats socket /var/run/haproxy/haproxy.stat mode 600 level admin
stats timeout 2m
user haproxy
group haproxy
defaults
timeout client 50s
timeout server 50s
timeout connect 5s
log global
mode http
retries 3
frontend http
mode http
option httplog
option dontlognull
option forwardfor
stick-table type ip size 200k expire 10m store gpc0
maxconn 2000
bind 0.0.0.0:80
default_backend rrhost
acl kml_request path_reg -i /kml/
acl bbox_request path_reg -i /bbox/
acl gina_host hdr(host) -i foo.bar.com
acl rrhost_host hdr(host) -i dave.foo.bar.com foo.foo.com
acl source_is_abuser src_get_gpc0(http) gt 0
acl tile_host hdr(host) -i -f /etc/haproxy/tile_domains.lst
acl authorized_network src -f /etc/haproxy/authorized_networks.lst
acl bad_client src -f /etc/haproxy/banned_ip.lst
acl authorized_token urlp(GOGC) -i -f /etc/haproxy/authorized_tokens.lst
tcp-request connection track-sc1 src if ! source_is_abuser
use_backend gina if gina_host
use_backend rrhost if rrhost_host
use_backend abuser if source_is_abuser
use_backend abuser if bad_client
use_backend tiles if tile_host authorized_token
use_backend tiles if tile_host authorized_network
use_backend tiles_kml if tile_host kml_request
use_backend tiles_kml if tile_host bbox_request
use_backend tiles_public if tile_host
backend abuser
errorfile 403 /etc/haproxy/errors/403.http
backend gina
server gina0 ab.b.c:80 check weight 1 maxconn 100
backend seaice
server seaice0 a.b.c.com:80 check weight 1 maxconn 100
backend rrhost
server rrhost0 a.b.c.com:80 check weight 1 maxconn 100
backend tiles
server tile0 10.0.0.10:80 check weight 1 maxconn 100
server tile1 10.0.0.11:80 check weight 1 maxconn 100
backend tiles_kml
stick-table type ip size 200k expire 2m store conn_rate(60s),bytes_out_rate(60s)
http-request set-header X-Public-User yes
acl authorized_network src -f /etc/haproxy/authorized_networks.lst
acl conn_rate_abuse sc2_conn_rate gt 6000
acl data_rate_abuse sc2_bytes_out_rate gt 20000000
acl mark_as_abuser sc1_inc_gpc0 gt 0
tcp-request content track-sc2 src
tcp-request content reject if conn_rate_abuse !authorized_network mark_as_abuser
server tile0 10.0.0.10:80 check weight 1 maxconn 100
server tile1 10.0.0.11:80 check weight 1 maxconn 100
backend tiles_public
stick-table type ip size 200k expire 2m store conn_rate(60s),bytes_out_rate(60s)
http-request set-header X-Public-User yes
acl authorized_network src -f /etc/haproxy/authorized_networks.lst
acl conn_rate_abuse sc2_conn_rate gt 3000
acl data_rate_abuse sc2_bytes_out_rate gt 20000000
acl mark_as_abuser sc1_inc_gpc0 gt 0
tcp-request content track-sc2 src
tcp-request content reject if conn_rate_abuse !authorized_network mark_as_abuser
server tile0 10.0.0.10:80 check weight 1 maxconn 100
server tile1 10.0.0.11:80 check weight 1 maxconn 100