HAProxy/Frontend: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
(Created page with "==HAProxy » Reconfig== <syntaxhighlight lang="bash"> cat <<'EXE'| sudo bash if [ -x "$(command -v curl)" ];then export HAPROXY_ETC_BASE=/etc/haproxy bash <(curl -s 'https://cdn.chorke.org/exec/cli/bash/install/haproxy/1.0.0-ubuntu-24.04.sh.txt') curl -fsSL https://cdn.chorke.org/exec/cli/bash/install/haproxy/1.0.0-ubuntu-24.04.sh.txt|tee ${HAPROXY_ETC_BASE}/proxy-scripts/reconfig >/dev/null chmod u+x ${HAPROXY_ETC_BASE}/proxy-scripts/reconfig else printf 'curl \0...")
 
Line 9: Line 9:
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi
EXE
EXE
</syntaxhighlight>
==HAProxy » Defaults==
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null
global
  log            /dev/log  local0
  log            /dev/log  local1 notice
  chroot          /var/lib/haproxy
  stats          socket    /run/haproxy/admin.sock mode 660 level admin
  stats          timeout    30s
  user            haproxy
  group          haproxy
  daemon
CFG
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/default-ssl.cfg >/dev/null
  # default ssl material locations
  ca-base        /etc/ssl/certs
  crt-base        /etc/ssl/private
  # see: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
  ssl-default-bind-ciphers      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options      ssl-min-ver TLSv1.2 no-tls-tickets
CFG
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/default-http.cfg >/dev/null
defaults
  log            global
  option          httplog
  option          dontlognull
  timeout        connect 5000
  timeout        client  50000
  timeout        server  50000
  errorfile      400 /etc/haproxy/errors/400.http
  errorfile      403 /etc/haproxy/errors/403.http
  errorfile      408 /etc/haproxy/errors/408.http
  errorfile      500 /etc/haproxy/errors/500.http
  errorfile      502 /etc/haproxy/errors/502.http
  errorfile      503 /etc/haproxy/errors/503.http
  errorfile      504 /etc/haproxy/errors/504.http
CFG
</syntaxhighlight>
==HAProxy » Frontend » HTTP==
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null
# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend          fnt_shahed
  bind            *:80
  mode            http
  acl            host-is-cid-chorke-org          hdr(host) -i cid.chorke.org
  acl            host-is-dev-chorke-org          hdr(host) -i dev.chorke.org
  acl            path-is-artifactory              path_beg /artifactory
  acl            path-is-jenkins                  path_beg /jenkins
  acl            path-is-gitlab                  path_beg /gitlab
  acl            path-is-nexus                    path_beg /nexus
  use_backend    bck_cid_chorke_org_artifactory  if host-is-cid-chorke-org path-is-artifactory
  use_backend    bck_cid_chorke_org_jenkins      if host-is-cid-chorke-org path-is-jenkins
  use_backend    bck_cid_chorke_org_gitlab        if host-is-cid-chorke-org path-is-gitlab
  use_backend    bck_cid_chorke_org_nexus        if host-is-cid-chorke-org path-is-nexus
  default_backend bck_cid_chorke_org
backend            bck_cid_chorke_org_artifactory
  server          shahed_ah_artifactory 10.20.40.8:8084 check
  mode            http
backend            bck_cid_chorke_org_jenkins
  server          shahed_ah_jenkins 10.20.40.8:8080 check
  mode            http
backend            bck_cid_chorke_org_gitlab
  server          shahed_af_gitlab 10.20.40.6:80 check
  mode            http
backend            bck_cid_chorke_org_nexus
  server          shahed_ah_nexus 10.20.40.8:8081 check
  mode            http
backend            bck_cid_chorke_org
  server          shahed_am_apache2 10.20.40.13:80 check
  mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg \
          /etc/haproxy/proxy-enabled/shahed.biz-http-all.cfg
</syntaxhighlight>
==HAProxy » Frontend » TCP » VPN==
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null
# ##############################################################################
# tcp frontend config for vpn.shahed.biz:1194
# this config added by chorke academia, inc
# udp mode not supported, please go with iptables forward
# cat <<'EXE'| sudo bash
# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
# apt-get -y install iptables-persistent && apt-get clean cache
# EXE
# cat <<'EXE'| sudo bash
# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
# EXE
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg \
          /etc/haproxy/proxy-enabled/shahed.biz-tcp-vpn.cfg
</syntaxhighlight>
==HAProxy » Frontend » TCP » Git==
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null
# ##############################################################################
# tcp frontend config for git.shahed.biz:4321
# this config added by chorke academia, inc
frontend          fnt_git_shahed_biz_gitlab_ssh
  bind            *:4321
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_git_shahed_biz_gitlab_ssh
backend            bck_git_shahed_biz_gitlab_ssh
  server          shahed_af_gitlab 10.20.40.6:4321 check
  mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg \
          /etc/haproxy/proxy-enabled/shahed.biz-tcp-git.cfg
</syntaxhighlight>
==HAProxy » Frontend » TCP » Mail==
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null
# ##############################################################################
# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
# this config added by chorke academia, inc
# haproxy:        mail.shahed.biz:25
frontend          fnt_mail_shahed_biz_smtp_25
  bind            *:25
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_smtp_25
backend            bck_mail_shahed_biz_smtp_25
  server          shahed_va 10.20.40.200:25 check
  mode            tcp
# haproxy:        mail.shahed.biz:587
frontend          fnt_mail_shahed_biz_smtp_587
  bind            *:587
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_smtp_587
backend            bck_mail_shahed_biz_smtp_587
  server          shahed_va 10.20.40.200:587 check
  mode            tcp
# haproxy:        mail.shahed.biz:110
frontend          fnt_mail_shahed_biz_pop3_110
  bind            *:110
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_pop3_110
backend            bck_mail_shahed_biz_pop3_110
  server          shahed_va 10.20.40.200:110 check
  mode            tcp
# haproxy:        mail.shahed.biz:995
frontend          fnt_mail_shahed_biz_pop3_995
  bind            *:995
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_pop3_995
backend            bck_mail_shahed_biz_pop3_995
  server          shahed_va 10.20.40.200:995 check
  mode            tcp
# haproxy:        mail.shahed.biz:143
frontend          fnt_mail_shahed_biz_imap_143
  bind            *:143
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_imap_143
backend            bck_mail_shahed_biz_imap_143
  server          shahed_va 10.20.40.200:143 check
  mode            tcp
# haproxy:        mail.shahed.biz:993
frontend          fnt_mail_shahed_biz_imap_993
  bind            *:993
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_imap_993
backend            bck_mail_shahed_biz_imap_993
  server          shahed_va 10.20.40.200:993 check
  mode            tcp
# haproxy:        mail.shahed.biz:465
frontend          fnt_mail_shahed_biz_smtps_465
  bind            *:465
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_smtps_465
backend            bck_mail_shahed_biz_smtps_465
  server          shahed_va 10.20.40.200:465 check
  mode            tcp
# haproxy:        mail.shahed.biz:4190
frontend          fnt_mail_shahed_biz_sieve_4190
  bind            *:4190
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_mail_shahed_biz_sieve_4190
backend            bck_mail_shahed_biz_sieve_4190
  server          shahed_va 10.20.40.200:4190 check
  mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg \
          /etc/haproxy/proxy-enabled/shahed.biz-tcp-mail.cfg
</syntaxhighlight>
</syntaxhighlight>


Revision as of 12:48, 5 March 2025

HAProxy » Reconfig

cat <<'EXE'| sudo bash
if [ -x "$(command -v curl)" ];then
export HAPROXY_ETC_BASE=/etc/haproxy
bash <(curl -s 'https://cdn.chorke.org/exec/cli/bash/install/haproxy/1.0.0-ubuntu-24.04.sh.txt')
curl      -fsSL https://cdn.chorke.org/exec/cli/bash/install/haproxy/1.0.0-ubuntu-24.04.sh.txt|tee ${HAPROXY_ETC_BASE}/proxy-scripts/reconfig >/dev/null
chmod   u+x ${HAPROXY_ETC_BASE}/proxy-scripts/reconfig
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi
EXE

HAProxy » Defaults

cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null
global
   log             /dev/log   local0
   log             /dev/log   local1 notice
   chroot          /var/lib/haproxy
   stats           socket     /run/haproxy/admin.sock mode 660 level admin
   stats           timeout    30s
   user            haproxy
   group           haproxy
   daemon
CFG

cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/default-ssl.cfg >/dev/null

   # default ssl material locations
   ca-base         /etc/ssl/certs
   crt-base        /etc/ssl/private

   # see: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
   ssl-default-bind-ciphers      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
   ssl-default-bind-options      ssl-min-ver TLSv1.2 no-tls-tickets
CFG

cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/default-http.cfg >/dev/null

defaults
   log             global
   option          httplog
   option          dontlognull
   timeout         connect 5000
   timeout         client  50000
   timeout         server  50000
   errorfile       400 /etc/haproxy/errors/400.http
   errorfile       403 /etc/haproxy/errors/403.http
   errorfile       408 /etc/haproxy/errors/408.http
   errorfile       500 /etc/haproxy/errors/500.http
   errorfile       502 /etc/haproxy/errors/502.http
   errorfile       503 /etc/haproxy/errors/503.http
   errorfile       504 /etc/haproxy/errors/504.http
CFG

HAProxy » Frontend » HTTP

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null


# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed
   bind            *:80
   mode            http

   acl             host-is-cid-chorke-org           hdr(host) -i cid.chorke.org
   acl             host-is-dev-chorke-org           hdr(host) -i dev.chorke.org
 
   acl             path-is-artifactory              path_beg /artifactory
   acl             path-is-jenkins                  path_beg /jenkins
   acl             path-is-gitlab                   path_beg /gitlab
   acl             path-is-nexus                    path_beg /nexus

   use_backend     bck_cid_chorke_org_artifactory   if host-is-cid-chorke-org path-is-artifactory
   use_backend     bck_cid_chorke_org_jenkins       if host-is-cid-chorke-org path-is-jenkins
   use_backend     bck_cid_chorke_org_gitlab        if host-is-cid-chorke-org path-is-gitlab
   use_backend     bck_cid_chorke_org_nexus         if host-is-cid-chorke-org path-is-nexus
   default_backend bck_cid_chorke_org

backend            bck_cid_chorke_org_artifactory
   server          shahed_ah_artifactory 10.20.40.8:8084 check
   mode            http

backend            bck_cid_chorke_org_jenkins
   server          shahed_ah_jenkins 10.20.40.8:8080 check
   mode            http

backend            bck_cid_chorke_org_gitlab
   server          shahed_af_gitlab 10.20.40.6:80 check
   mode            http

backend            bck_cid_chorke_org_nexus
   server          shahed_ah_nexus 10.20.40.8:8081 check
   mode            http

backend            bck_cid_chorke_org
   server          shahed_am_apache2 10.20.40.13:80 check
   mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg \
           /etc/haproxy/proxy-enabled/shahed.biz-http-all.cfg

HAProxy » Frontend » TCP » VPN

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null


# ##############################################################################
# tcp frontend config for vpn.shahed.biz:1194
# this config added by chorke academia, inc

# udp mode not supported, please go with iptables forward

# cat <<'EXE'| sudo bash
# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
# apt-get -y install iptables-persistent && apt-get clean cache
# EXE

# cat <<'EXE'| sudo bash
# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
# EXE
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg \
           /etc/haproxy/proxy-enabled/shahed.biz-tcp-vpn.cfg

HAProxy » Frontend » TCP » Git

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null


# ##############################################################################
# tcp frontend config for git.shahed.biz:4321
# this config added by chorke academia, inc

frontend           fnt_git_shahed_biz_gitlab_ssh
   bind            *:4321
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_git_shahed_biz_gitlab_ssh

backend            bck_git_shahed_biz_gitlab_ssh
   server          shahed_af_gitlab 10.20.40.6:4321 check
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg \
           /etc/haproxy/proxy-enabled/shahed.biz-tcp-git.cfg

HAProxy » Frontend » TCP » Mail

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null


# ##############################################################################
# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
# this config added by chorke academia, inc

# haproxy:         mail.shahed.biz:25
frontend           fnt_mail_shahed_biz_smtp_25
   bind            *:25
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_smtp_25

backend            bck_mail_shahed_biz_smtp_25
   server          shahed_va 10.20.40.200:25 check
   mode            tcp

# haproxy:         mail.shahed.biz:587
frontend           fnt_mail_shahed_biz_smtp_587
   bind            *:587
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_smtp_587

backend            bck_mail_shahed_biz_smtp_587
   server          shahed_va 10.20.40.200:587 check
   mode            tcp

# haproxy:         mail.shahed.biz:110
frontend           fnt_mail_shahed_biz_pop3_110
   bind            *:110
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_pop3_110

backend            bck_mail_shahed_biz_pop3_110
   server          shahed_va 10.20.40.200:110 check
   mode            tcp

# haproxy:         mail.shahed.biz:995
frontend           fnt_mail_shahed_biz_pop3_995
   bind            *:995
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_pop3_995

backend            bck_mail_shahed_biz_pop3_995
   server          shahed_va 10.20.40.200:995 check
   mode            tcp

# haproxy:         mail.shahed.biz:143
frontend           fnt_mail_shahed_biz_imap_143
   bind            *:143
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_imap_143

backend            bck_mail_shahed_biz_imap_143
   server          shahed_va 10.20.40.200:143 check
   mode            tcp

# haproxy:         mail.shahed.biz:993
frontend           fnt_mail_shahed_biz_imap_993
   bind            *:993
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_imap_993

backend            bck_mail_shahed_biz_imap_993
   server          shahed_va 10.20.40.200:993 check
   mode            tcp

# haproxy:         mail.shahed.biz:465
frontend           fnt_mail_shahed_biz_smtps_465
   bind            *:465
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_smtps_465

backend            bck_mail_shahed_biz_smtps_465
   server          shahed_va 10.20.40.200:465 check
   mode            tcp

# haproxy:         mail.shahed.biz:4190
frontend           fnt_mail_shahed_biz_sieve_4190
   bind            *:4190
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_mail_shahed_biz_sieve_4190

backend            bck_mail_shahed_biz_sieve_4190
   server          shahed_va 10.20.40.200:4190 check
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg \
           /etc/haproxy/proxy-enabled/shahed.biz-tcp-mail.cfg

References

Retrieved from "https://cdn.chorke.org/weke/index.php?title=HAProxy/Frontend&oldid=14234"