...
Code Block |
---|
# Process-wide settings: logging, privilege drop, runtime socket, and the TLS
# defaults inherited by every "bind ... ssl" line below.
global
# Send logs to the local syslog daemon, facility local2.
log 127.0.0.1 local2
# Confine the process to this directory; with user/group below it runs unprivileged.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" permits state-changing commands, so access is
# gated only by the 660 mode and the socket's owner/group; keep that group minimal.
stats socket /var/lib/haproxy/stats mode 660 level admin
user haproxy
group haproxy
daemon
# Base directories used to resolve *relative* CA and certificate paths.
ca-base /etc/pki/tls/certs
crt-base /etc/pki/tls/private
# NOTE(review): besides ECDHE/DHE AES-GCM, this list still admits CBC-mode suites and
# static-RSA key exchange (RSA+AESGCM, RSA+AES), which gives no forward secrecy.
# Trim it if every client supports ECDHE/DHE with AES-GCM - confirm against client inventory.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# NOTE(review): no-sslv3 disables SSLv3 only; this line does not exclude TLS 1.0/1.1.
# Whether they are offered then depends on the HAProxy/OpenSSL build defaults. Consider
# adding "no-tlsv10 no-tlsv11" (or "ssl-min-ver TLSv1.2" on HAProxy 1.8+) once client
# compatibility is confirmed.
ssl-default-bind-options no-sslv3
# Upper bound on concurrent connections for the whole process.
maxconn 2048
# Size in bits of the Diffie-Hellman parameters used for DHE key exchange.
tune.ssl.default-dh-param 2048
# Settings inherited by every frontend and backend below.
defaults
log global
mode http
# Adds an X-Forwarded-For header carrying the client address.
# NOTE(review): nothing in this listing removes an X-Forwarded-For value supplied by the
# client, so the gateways should trust only the entry added by this proxy - confirm how
# the gateway parses the header before using it for access decisions or audit logs.
option forwardfor
# Do not use "option http-server-close": it causes S3 PUT incompatibility with some clients, including FileFly.
option httplog
option dontlognull
# Timeouts have no unit suffix, so they are in milliseconds (5 s connect, 50 s client).
# NOTE(review): no "timeout http-request" is set, so a client that sends its request
# headers slowly is bounded only by "timeout client" - consider a shorter explicit value.
timeout connect 5000
timeout client 50000
# This timeout should always be larger than gateway.cfg's [storage_cluster] indexerSocketTimeout,
# and large enough that an S3 CopyObject or an SCSP COPY in a versioned bucket does not time out.
timeout server 130000
# Plain-HTTP listener on all IPv4 interfaces, port 80.
# NOTE(review): requests matched by "iss3" carry S3 signatures or presigned-URL credentials,
# and on this frontend they travel unencrypted. Prefer forcing HTTPS (see the commented
# redirect in the backends) unless a client genuinely requires port 80.
frontend www-http
bind 0.0.0.0:80
# set-header overwrites any client-supplied value, so the gateways see the proxy's view
# of the scheme and port rather than whatever the client claimed.
http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80
default_backend www-backend-scsp
# "iss3" is declared twice, so it is true when EITHER condition matches: an Authorization
# header containing "AWS", or a query string with AWSAccessKeyId= / X-Amz-Credential=.
# This is a routing decision only; authentication still happens on the gateway.
acl iss3 hdr_sub(Authorization) AWS
acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
use_backend www-backend-s3 if iss3
# TLS-terminating listener on all IPv4 interfaces, port 443; same routing as www-http.
frontend www-https
# The crt path is absolute, so crt-base (/etc/pki/tls/private) is not applied to it.
# HAProxy expects this PEM to hold the certificate chain AND the private key.
# NOTE(review): file permissions are not visible here - make sure the PEM is readable
# only by root / the haproxy user, since it sits in the certs directory.
bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem
# set-header overwrites any client-supplied value for these headers.
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 443
default_backend www-backend-scsp
# "iss3" is true when either condition matches (S3 Authorization header or S3 query
# credentials); it only selects the backend and does not authenticate the request.
acl iss3 hdr_sub(Authorization) AWS
acl iss3 url_reg [?&](AWSAccessKeyId|X-Amz-Credential)=
use_backend www-backend-s3 if iss3
# TLS-terminating listener on port 91; every request goes to www-backend-svc.
frontend www-https-svc
# Absolute crt path: crt-base is not applied. The PEM must contain the certificate chain
# and the private key, so restrict its permissions accordingly.
bind 0.0.0.0:91 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem
# set-header overwrites any client-supplied value for these headers.
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 91
default_backend www-backend-svc
# Gateway pool on port 8080 (default backend of www-http and www-https).
# The server lines carry no "ssl" keyword, so traffic from HAProxy to the gateways is
# plain HTTP; keep that hop on a trusted network segment.
backend www-backend-scsp
balance leastconn
# Health check for HAProxy older than 2.2: the Host header is injected through the
# version string. A server is healthy only when the check returns 200.
option httpchk HEAD /_admin/manage/version HTTP/1.1\r\nHost:\ haproxy-healthcheck
http-check expect status 200
# NOTE(review): the frontends in this listing apply no path filtering, so /_admin/* is
# forwarded to the gateways like any other path - confirm the gateway restricts it.
# On HAProxy 2.2 and later, replace the two lines above with this form:
#option httpchk
#http-check connect
#http-check send meth HEAD uri /_admin/manage/version ver HTTP/1.1 hdr Host haproxy-healthcheck
#http-check expect status 200
# To force HTTPS, uncomment the next line; requests that arrived without TLS (via www-http)
# are then redirected. Until it is enabled, port 80 serves content unencrypted.
#redirect scheme https if !{ ssl_fc }
# Check every 10 s; mark down after 3 failures and up again after 2 successes.
server gw1 YOUR_GATEWAY1_IP:8080 check inter 10s fall 3 rise 2
server gw2 YOUR_GATEWAY2_IP:8080 check inter 10s fall 3 rise 2
# Gateway pool on port 8090, selected by the "iss3" ACL in www-http and www-https.
# The server lines carry no "ssl" keyword, so S3 requests travel from HAProxy to the
# gateways as plain HTTP; keep that hop on a trusted network segment.
backend www-backend-s3
balance leastconn
# Health check for HAProxy older than 2.2. The check sends no credentials and treats
# a 403 response as healthy.
option httpchk HEAD / HTTP/1.1\r\nHost:\ haproxy-healthcheck
http-check expect status 403
# On HAProxy 2.2 and later, replace the two lines above with this form:
#option httpchk
#http-check connect
#http-check send meth HEAD uri / ver HTTP/1.1 hdr Host haproxy-healthcheck
#http-check expect status 403
# To force HTTPS, uncomment the next line; S3 requests that arrived without TLS (via www-http)
# are then redirected instead of being served unencrypted.
#redirect scheme https if !{ ssl_fc }
# Check every 10 s; mark down after 3 failures and up again after 2 successes.
server gw1 YOUR_GATEWAY1_IP:8090 check inter 10s fall 3 rise 2
server gw2 YOUR_GATEWAY2_IP:8090 check inter 10s fall 3 rise 2
# Gateway pool on port 8091, reached only through the www-https-svc frontend (port 91).
# The server lines carry no "ssl" keyword, so the hop from HAProxy to the gateways is
# plain HTTP; keep it on a trusted network segment.
backend www-backend-svc
balance leastconn
# Health check for HAProxy older than 2.2. The check sends no credentials and treats
# a 401 response as healthy.
option httpchk HEAD / HTTP/1.1\r\nHost:\ haproxy-healthcheck
http-check expect status 401
# On HAProxy 2.2 and later, replace the two lines above with this form:
#option httpchk
#http-check connect
#http-check send meth HEAD uri / ver HTTP/1.1 hdr Host haproxy-healthcheck
#http-check expect status 401
# Intended to rewrite the CORS header so it carries the frontend port number (91).
# NOTE(review): Access-Control-Allow-Origin is a response header, while "http-request"
# rules act on the incoming request - verify this rule has the intended effect. Also
# check how a wildcard value ("*") should be handled before appending ":91" to it.
http-request replace-value Access-Control-Allow-Origin (.*) \1:91
# To force HTTPS, uncomment the next line. Within this listing the only frontend that
# uses this backend already terminates TLS, so the redirect would not normally trigger.
#redirect scheme https if !{ ssl_fc }
# Check every 10 s; mark down after 3 failures and up again after 2 successes.
server gw1 YOUR_GATEWAY1_IP:8091 check inter 10s fall 3 rise 2
server gw2 YOUR_GATEWAY2_IP:8091 check inter 10s fall 3 rise 2 |
...