haproxy/haproxy.yaml.example at master · brycelarge/haproxy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
global:
  - maxconn 10000
  - tune.bufsize 32768
  - tune.maxrewrite 8192
  - tune.ssl.cachesize 100000
  - tune.ssl.lifetime 300

defaults:
  - option http-keep-alive
  - timeout client 30s
  - timeout connect 5s
  - timeout server 240s
  - timeout tunnel 43200s # 12 hour timeout for websocket

frontend:
  https:
    domains:
      - backend: frontend-offloading
        patterns:
          - .example.com
          - .company.org
          - .internal.local
  https-offloading-ip-protection:
    raw:
      - acl network_allowed_src src 192.168.1.100
      - acl network_allowed_xff hdr_ip(X-Forwarded-For) 192.168.1.100
      - http-request deny unless network_allowed_src or network_allowed_xff
    domains:
      - backend: frontend-offloading-ip-protection
        patterns:
          - restricted.example.com
          - admin.company.org
          - internal.company.org
  https-offloading:
    raw:
      - http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'"

domain_mappings:
  # Example 1: Single domain in array format
  - domains:
    - restricted.example.com
    frontend: https-offloading-ip-protection
    backend: protected-service

  # Example 2: Multiple domains for the same backend
  - domains:
    - admin.company.org
    - internal.company.org
    - secure.company.org
    frontend: https-offloading-ip-protection
    backend: admin-panel

  # Example 3: Multiple subdomains for the same service
  - domains:
    - api.example.com
    - www.example.com
    - app.example.com
    frontend: https-offloading
    backend: web-service

  # Example 4: App and dashboard on the same backend
  - domains:
    - app.company.org
    - dashboard.company.org
    frontend: https-offloading
    backend: dashboard

backends:
  # Default backends for SSL passthrough
  - name: web-default
    mode: http
    cache: false
    hosts:
      - host: "192.168.1.10:80"
        check:
          disabled: true

  - name: ssl-passthrough
    mode: tcp
    cache: false
    hosts:
      - host: "192.168.1.10:443"
        check:
          disabled: true
    use_send_proxy: true
    ssl: false
    ssl_verify: false

  # IP-restricted backends
  - name: protected-service
    mode: http
    cache: true
    hosts:
      - host: "192.168.1.20:8080"
        check:
          type: http
          uri: "/health"
          interval: 2000
          fall: 3
          rise: 2

  - name: admin-panel
    mode: http
    cache: false
    hosts:
      - host: "192.168.1.20:8081"
        check:
          type: http
          uri: "/status"
          interval: 5000
          fall: 3
          rise: 2

  - name: internal-app
    mode: http
    hosts:
      - host: "192.168.1.20:8082"
        check:
          type: tcp
          interval: 3000
          fall: 2
          rise: 2

  # Regular backends
  - name: web-service
    mode: http
    enable_h2: true
    hosts:
      - "192.168.1.30:80"

  - name: api-service
    mode: http
    enable_h2: true
    options:
      - "httpchk GET /health"
      - "allbackups"  # Use all backup servers simultaneously when active
    http_check:
      - "expect status 200"
    raw:
      - "http-request set-header Host api.example.com"
    hosts:
      - host: "192.168.1.30:8090"  # Primary server
        check:
          type: tcp
          interval: 1000
          fall: 2
          rise: 1
          slowstart: "10s"
      - "192.168.1.30:80 backup"  # Simple backup syntax
      - host: "192.168.1.30:8091"  # Object syntax with backup
        backup: true
      - host: "192.168.1.30:8092"  # Backup with weight
        backup: true
        weight: 20  # Higher weight gets more traffic when active

  # Mixed HTTP/2 configuration example
  - name: app-service
    mode: http
    enable_h2: false  # HTTP/2 disabled by default
    hosts:
      - host: "192.168.1.40:8080"  # No HTTP/2
        check:
          type: http
          uri: "/health"
      - host: "192.168.1.40:8081"
        enable_h2: true  # HTTP/2 enabled just for this host
        check:
          type: http
          uri: "/health"
      - "192.168.1.40:8082"  # No HTTP/2 (inherits from backend)

  # SSL backend example
  - name: dashboard
    mode: http
    hosts:
      - "192.168.1.50:443"
    ssl: true
    ssl_verify: false