# HAProxy configuration for Baserock Project front-end proxy.

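global
    maxconn 4000

    daemon
    pidfile /var/run/haproxy.pid
    # Drop root privileges once the listening sockets are bound.
    user haproxy
    group haproxy

    log /dev/log local0
    # Local runtime/admin socket (a Unix socket, not a network listener).
    stats socket /var/lib/haproxy/stats

    # Maximum number of bits used when generating temporary
    # keys for DHE key exchange. Higher values involve more CPU
    # usage, lower values are less secure. HAProxy's default is
    # 1024, which is too low and HAProxy actually warns if you use
    # the default.
    tune.ssl.default-dh-param 2048

    # Forward-secret AEAD suites first (ECDHE, then DHE), then the remaining
    # ECDHE/DHE AES-256 suites (CBC mode). Every selector requires an
    # authenticated key exchange, so anonymous suites are never offered.
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    # Applied to every 'bind ... ssl' line so individual frontends don't
    # have to repeat it: refuse SSLv3 and the deprecated TLS 1.0/1.1
    # protocol versions. Note this turns away clients that cannot speak
    # TLS 1.2 (very old browsers / distro TLS stacks).
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11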

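defaults
    # Every proxy below is HTTP unless it says otherwise (the SSH proxy
    # switches itself to 'mode tcp').
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    # Bound how long a client may take to send a complete request header.
    # Without it the client timeout only applies between chunks of the
    # incoming request, so a client trickling header bytes can hold a
    # connection (and one of the 'maxconn' slots) open far longer.
    # Only meaningful for HTTP-mode proxies.
    timeout http-request 10s

    log global
    option httplog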

frontend http-in
    # Plain-HTTP listener. Nothing is served from here: every request is
    # answered with a permanent (301) redirect to the same URL under the
    # https scheme, so no content ever goes out in cleartext on port 80.
    bind *:80
    redirect scheme https code 301

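frontend https-in
    # We do 'SSL termination' with HAProxy. So secure requests are received in
    # the frontend, then decrypted and sent over HTTP on the internal network.
    # This means we only need to have the certificate in one place, and the
    # configuration of the other instances is simpler. It does mean that we
    # need to avoid having any insecure machines in the cloud.
    bind *:443 ssl no-sslv3 crt /etc/pki/tls/private/baserock.pem

    # Tell the backends that the original request arrived over TLS.
    # 'set-header' (rather than 'reqadd') replaces any X-Forwarded-Proto
    # the client supplied itself, so a backend that trusts this header can
    # never see a client-chosen value next to ours.
    http-request set-header X-Forwarded-Proto https

    # Everything this frontend answers is over TLS and port 80 only
    # redirects here, so let browsers remember that (HSTS, ~6 months).
    rspadd Strict-Transport-Security:\ max-age=15768000

    # Rules below here implement the URL-based forwarding to the
    # appropriate instance. The hdr(host) call means 'extract the
    # first Host header from the HTTP request or response', the '-m beg'
    # switch means 'match against the beginning of it' and the '-i' flag
    # makes the match case-insensitive.
    #
    # These are prefix matches on the Host header (so 'spec' also matches
    # a Host beginning with 'spec-...'); they only select the backend by
    # subdomain. There is no default_backend: a request whose Host matches
    # none of the rules is answered with a 503 by HAProxy itself instead
    # of being handed to an arbitrary backend.
    #
    # See <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7>
    # for more documentation than you ever dreamed of.

    acl host_irclogs hdr(host) -m beg -i irclogs
    use_backend baserock_webserver_http if host_irclogs

    acl host_spec hdr(host) -m beg -i spec
    acl host_spec hdr(host) -m beg -i docs
    use_backend baserock_spec_http if host_spec

    acl host_download hdr(host) -m beg -i download
    use_backend baserock_webserver_http if host_download

    acl host_ostree hdr(host) -m beg -i ostree
    acl host_ostree hdr(host) -m beg -i cache
    use_backend baserock_ostree_http if host_ostree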

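frontend ssh-in:
    # FIXME: it'd be better if we could limit traffic on port 22200 to
    # ostree.baserock.org. There's no way of knowing from an SSH request
    # which subdomain the user tried to connect to though.
    #
    # Raw TCP pass-through for SSH: HAProxy cannot look inside the SSH
    # stream, so everything arriving on this port goes to the ostree
    # backend. (The trailing ':' is part of the proxy name as it appears
    # in logs and stats; it is kept unchanged.)
    mode tcp
    # 'option httplog' inherited from 'defaults' is HTTP-only; without an
    # explicit tcplog HAProxy warns at startup and falls back to it anyway.
    option tcplog
    bind *:22200
    default_backend baserock_ostree_ssh

    # Uploading artifacts can be slow; need a long timeout.
    timeout client 12h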

# Entries here locate each server backend.

backend baserock_spec_http
    # Point to Gitlab pages url. This repository has to have configured
    # alternative domain names in order to make this redirection work.
    # Otherwise Gitlab will just show a 404 page
    #
    # NOTE(review): unlike the other backends this one is not on the
    # internal network. The request, already decrypted by https-in, is
    # sent in cleartext over the public internet to gitlab.io, so the
    # "no insecure machines in the cloud" assumption does not cover this
    # hop. Re-encrypting (':443 ssl verify required ca-file ...') needs
    # testing first: presumably this is HAProxy 1.5 (see the docs link in
    # https-in), whose server-side TLS has no SNI, and GitLab Pages
    # routes on the Host header. Also note the hostname is resolved when
    # HAProxy starts, not at request time — confirm against the version
    # actually deployed.
    server baserock_spec baserock.gitlab.io:80

backend baserock_ostree_http
    # Plain HTTP to the ostree instance on the internal network; serves
    # the 'ostree' and 'cache' subdomains selected in https-in.
    server baserock_ostree 10.3.0.12:80

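backend baserock_ostree_ssh
    # TCP pass-through target for the ssh-in frontend: the same ostree
    # host as baserock_ostree_http, on its SSH port.
    mode tcp
    server baserock_ostree 10.3.0.12:22
    # Uploading artifacts can be slow; need a long timeout.
    # 'timeout client' is a frontend-side setting and is ignored (with a
    # startup warning) in a backend section, which left the server side on
    # the 50s from 'defaults'. 'timeout server' is the backend-side knob,
    # and 'timeout tunnel' covers both directions once the TCP connection
    # is a plain tunnel, which is immediately for this proxy.
    timeout server 12h
    timeout tunnel 12h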

backend baserock_webserver_http
    # Plain HTTP to the static web server on the internal network; serves
    # the 'irclogs' and 'download' subdomains selected in https-in.
    server baserock_webserver 10.3.0.13:80