diff options
Diffstat (limited to 'baserock_frontend/haproxy.cfg')
-rw-r--r-- | baserock_frontend/haproxy.cfg | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/baserock_frontend/haproxy.cfg b/baserock_frontend/haproxy.cfg new file mode 100644 index 00000000..bb0120cc --- /dev/null +++ b/baserock_frontend/haproxy.cfg @@ -0,0 +1,122 @@ +# HAProxy configuration for Baserock Project front-end proxy. + +global + maxconn 4000 + + daemon + pidfile /var/run/haproxy.pid + user haproxy + group haproxy + + log /dev/log local0 + stats socket /var/lib/haproxy/stats + + # Maximum number of bits used when generating temporary + # keys for DHE key exchange. Higher values involve more CPU + # usage, lower values are less secure. HAProxy's default is + # 1024, which is too low and HAProxy actually warns if you use + # the default. + tune.ssl.default-dh-param 2048 + + ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + +defaults + mode http + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + + log global + option httplog + +frontend http-in + # All HTTP traffic is redirected to HTTPS using the '301 Moved' HTTP code. + bind *:80 + redirect scheme https code 301 + +frontend https-in + # We do 'SSL termination' with HAProxy. So secure requests are received in + # the frontend, then decrypted and sent over HTTP on the internal network. + # This means we only need to have the certificate in one place, and the + # configuration of the other instances is simpler. It does mean that we + # need to avoid having any insecure machines in the cloud. + bind *:443 ssl no-sslv3 crt /etc/pki/tls/private/baserock.pem + reqadd X-Forwarded-Proto:\ https + + # Rules below here implement the URL-based forwarding to the + # appropriate instance. The hdr(host) call means 'extract the + # first Host header from the HTTP request or response', the '-m beg' + # switch means 'match against the beginning of it' and the '-i' flag + # makes the match case-insensitive. + # + # See <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7> + # for more documentation than you ever dreamed of. + + acl host_gerrit hdr(host) -m beg -i gerrit + use_backend baserock_gerrit_http if host_gerrit + + acl host_irclogs hdr(host) -m beg -i irclogs + use_backend baserock_irclogs_http if host_irclogs + + acl host_mason_x86_32 hdr(host) -m beg -i mason-x86-32 + use_backend baserock_mason_x86_32_http if host_mason_x86_32 + + acl host_mason_x86_64 hdr(host) -m beg -i mason-x86-64 + use_backend baserock_mason_x86_64_http if host_mason_x86_64 + + acl host_download hdr(host) -m beg -i download + use_backend baserock_webserver_http if host_download + + acl host_docs hdr(host) -m beg -i docs + use_backend baserock_webserver_http if host_docs + + acl host_opengrok hdr(host) -m beg -i opengrok + use_backend baserock_opengrok_http if host_opengrok + + use_backend baserock_openid_provider_http if { hdr(host) -m beg -i openid } + +frontend ssh-in: + # FIXME: it'd be better if we could limit traffic on port 29418 to + # gerrit.baserock.org. There's no way of knowing from an SSH request + # which subdomain the user tried to connect to, so for now they can + # clone repos from 'ssh://openid.baserock.org:29418' and such like. + # For this reason it's probably worth pointing gerrit.baserock.org to + # a different floating IP that serves only the gerrit instance. + mode tcp + bind *:29418 + default_backend baserock_gerrit_ssh + + # It's very annoying for 'gerrit stream-events' to have disconnection + # after 50 seconds! + timeout client 1h + +# Entries here locate each server backend. + +backend baserock_gerrit_http + server baserock_gerrit 192.168.222.69:8080 + +backend baserock_gerrit_ssh + mode tcp + server baserock_gerrit 192.168.222.69:29418 + + # It's very annoying for 'gerrit stream-events' to have disconnection + # after 50 seconds! + timeout server 1h + +backend baserock_irclogs_http + server baserock_irclogs 192.168.222.74:80 + +backend baserock_mason_x86_32_http + server baserock_mason_x86_32 192.168.222.81:80 + +backend baserock_mason_x86_64_http + server baserock_mason_x86_64 192.168.222.80:80 + +backend baserock_openid_provider_http + server baserock_openid_provider 192.168.222.144:80 + +backend baserock_webserver_http + server baserock_webserver 192.168.222.127:80 + +backend baserock_opengrok_http + server baserock_opengrok 192.168.222.149:8080 |