haproxy config
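global
maxconn 20000
maxpipes 20000
tune.maxaccept 300
log /dev/log local0
log /dev/log local1 notice
#log 127.0.0.1 local2
chroot /var/lib/haproxy
# "level admin" on this socket is full control of the proxy (disable servers, change
# weights, and with expose-fd listeners hand the listening sockets to a new process);
# mode 660 restricts it to the haproxy user and group, so keep group membership tight.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/digicert
# (EC)DHE suites come first so sessions get forward secrecy; the trailing RSA+AESGCM /
# RSA+AES entries have no forward secrecy and are only a fallback for old clients —
# remove them once such clients are gone.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# DH+ suites are enabled above, so size the ephemeral DH group explicitly instead of
# relying on the build-dependent default (older builds fall back to 1024 bits).
tune.ssl.default-dh-param 2048
# TLS 1.0 and 1.1 are deprecated (RFC 8996); refuse them on the public listeners.
# Session tickets are disabled because without a rotated tls-ticket-keys file the
# ticket key lives for the whole process lifetime, which undoes forward secrecy for
# resumed sessions.
# NOTE(review): consider "ssl-default-server-options ssl-min-ver TLSv1.2" as well once
# the backend servers are confirmed to speak TLS 1.2.
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets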
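defaults
log global
mode http
option httplog
option dontlognull
# Bound the time a client may take to send a complete request header. Without it a
# client can hold a connection slot with a partial request until "timeout client"
# (50s) fires, which makes slowloris-style exhaustion of maxconn cheap.
timeout http-request 10s
#option http-buffer-request
#option forwardfor
# NOTE(review): the directive below is misspelled; the HAProxy keyword is
# "option redispatch". Fix the spelling if it is ever re-enabled.
#option resdispatch
#retries 3
timeout connect 5000 #5 sec
timeout client 50000 #50 sec
timeout server 50000 #50 sec
maxconn 4000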
listen statistic
# The stats page listens on every interface over plain HTTP and is protected only by
# the basic-auth credentials below, which cross the wire base64-encoded, not encrypted.
# NOTE(review): before exposing this beyond a trusted network, bind it to a management
# address, terminate TLS here (a certificate is already available under crt-base), or
# add an http-request deny rule keyed on src. Without "stats admin" the page is
# read-only, but it still discloses backend names, addresses and health state.
bind *:xxx
stats enable
stats hide-version
stats refresh 5s
stats show-node
# Credentials are stored in clear text in this file; keep the file readable by root only.
stats auth xxx:xxx
stats uri /
#frontend prometheus
#bind *:xxx
#mode http
#http-request use-service prometheus-exporter if { path /metrics }
#no log
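frontend accesslb
bind *:80
# NOTE(review): "ca-file" on a bind line is only used together with "verify required"
# or "verify optional" (client-certificate authentication); without one of those it
# has no effect. Kept in case client-cert auth is planned; otherwise it can be dropped.
bind *:443 ssl crt /etc/ssl/digicert/ssl-chain.pem ca-file /etc/ssl/xxx/DigiCertCA.pem alpn h2,http/1.1
#bind *:8080 transparent

# --- user-agent blocklist: case-insensitive substring match, one pattern per line ---
acl is-blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist-agent.txt
http-request deny if is-blockedagent

# --- connection rate limiter: block a source IP once it opens more than 10
# connections in 1s; the block lasts until the table entry expires (1m after the
# address was last seen) ---
# The table must store gpc0 for the block flag to exist. The previous table stored only
# http_req_rate(1s) while the reject tested src_get_gpc0, which therefore never held a
# value, so the rule could never fire. conn_rate counts TCP connections: an HTTP/2
# client multiplexing many requests over one connection is not limited here (see the
# request-rate rules further down).
stick-table type ip size 200k expire 1m store gpc0,conn_rate(1s)
tcp-request connection track-sc1 src
acl conn_abuse sc_conn_rate(1) gt 10
# sc_inc_gpc0 returns the incremented value, so this ACL is always true; it is
# evaluated only when conn_abuse already matched and exists to set the flag.
acl conn_flag_abuser sc_inc_gpc0(1) gt 0
# Already flagged: keep rejecting.
tcp-request connection reject if { sc_get_gpc0(1) gt 0 }
# Over the threshold: flag the source and reject this connection.
tcp-request connection reject if conn_abuse conn_flag_abuser

# --- request rate limiter: uses the table declared in backend peripfilter. That backend
# has no servers and nothing routes to it, so http-request rules placed there never
# run; the tracking and deny have to live here in the frontend. ---
http-request track-sc0 src table peripfilter
# 429 rather than 503: the service is up, the client is being throttled.
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 50 }

# Tell the backend which scheme the client used. set-header replaces any value the
# client supplied, so a request on the plain :80 listener cannot claim "https";
# add-header would only have appended to a client-controlled header.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

acl host_test hdr(host) -i test.xxx.ac.id
#acl host_testhttp hdr(host) -i test.xxx.ac.id
# Plain HTTP is still served on :80; enable this to force HTTPS.
#redirect scheme https if !{ ssl_fc }
#acl host_testhttp dst_port 8080
# Requests whose Host matches no acl get no backend and are answered with a 503.
use_backend testnodes if host_test
#use_backend testhttp if host_testhttp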
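backend testnodes
mode http
#balance random
balance roundrobin
# Closes both the client and the server connection after every transaction (no
# keep-alive). "option http-server-close" keeps client-side keep-alive and is the usual
# replacement; left unchanged here because it changes client-visible behaviour.
option httpclose
# Appends the client address to X-Forwarded-For. The backend must read the right-most
# value: anything earlier in the list can be supplied by the client.
option forwardfor
# Server-affinity cookie. httponly keeps it out of reach of page scripts. "secure" is
# not set because :80 still serves plain HTTP and browsers would then discard the
# cookie, losing stickiness for those clients — add it once HTTP is redirected to HTTPS.
cookie SERVER insert indirect nocache httponly
# NOTE(review): "verify none" accepts any certificate from the backends, so the hop to
# them can be intercepted by anyone on the path. Switch to "verify required" with the
# CA that signed the backend certificates (plus "sni str(<hostname>)" if they rely on
# SNI); the CA path is not known from this file, so it is left as-is here.
# 104, 105, 106: check mountpath0 and remount from nfs33
#server srvtest104 test:443 ssl verify none maxconn 400 check cookie srvtest104
#server srvtest105 test:443 ssl verify none maxconn 500 check inter 10s cookie srvtest105
#server srvtest106 test6:443 ssl verify none maxconn 500 check inter 10s cookie srvtest106
server srvtest107 test:443 ssl verify none maxconn 500 check inter 10s cookie srvtest107
server srvtest108 test:443 ssl verify none maxconn 500 check inter 10s cookie srvtest108
#server srvtest109 test:443 ssl verify none maxconn 500 check inter 10s cookie srvtest109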
#backend testhttp
#mode http
#balance roundrobin
#option httpclose
#option forwardfor
#cookie SERVER insert indirect nocache
#server srvtest104 test:8080 none maxconn 400 check cookie srvtest104
#server srvtest801 test:443 ssl verify none maxconn 400 check cookie srvtest801
#server srvtest802 test:443 ssl verify none maxconn 400 check inter 10s cookie srvtest802
#server srvwsi803 test:443 ssl verify none maxconn 400 check inter 10s cookie srvtest803
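backend peripfilter
# Holds only the per-source-IP rate table. A backend with no servers is never selected,
# so any http-request rule written in this section never runs; the rules that consult
# this table belong in the frontend ("http-request track-sc0 src table peripfilter"
# followed by the deny). The two rules that used to live here are kept below, commented,
# as a record of the intended threshold (50 requests per 10s).
stick-table type ip size 1m expire 15m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)
#http-request track-sc0 src table peripfilter
#http-request deny deny_status 503 if { sc_http_req_rate(0) gt 50 }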
##END CONFIG##
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http
# errorfile 500 /etc/haproxy/errors/500.http
# errorfile 502 /etc/haproxy/errors/502.http
# errorfile 503 /etc/haproxy/errors/503.http
# errorfile 504 /etc/haproxy/errors/504.http