From c01ce5ad0284b1ce111c0570dae1001de7f0efaa Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 9 Oct 2022 23:14:27 +0200
Subject: [PATCH] code snippets
---
 snippets/haproxy.cfg | 158 +++++++++++++++++++++++++++++++++++++++++++
 snippets/shell.sh | 12 ++++
 snippets/varnish.vcl | 31 +++++++++
 3 files changed, 201 insertions(+)
 create mode 100644 snippets/haproxy.cfg
 create mode 100644 snippets/shell.sh
 create mode 100644 snippets/varnish.vcl
diff --git a/snippets/haproxy.cfg b/snippets/haproxy.cfg
new file mode 100644
index 0000000..0242a78
--- /dev/null
+++ b/snippets/haproxy.cfg
@@ -0,0 +1,158 @@
+frontend external
+ acl example_com_domains hdr(host) -i example.com
+ acl foo_bar_domains hdr(host) -i foo-bar.com foo-bar.org
+ […]
+ use_backend example_com if example_com_domains
+ use_backend foo_bar if foo_bar_domains
+----
+backend varnish
+ option httpchk HEAD /varnishcheck
+ server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
+----
+frontend external
+ # Is the request routable to Varnish ?
+ acl varnish_available nbsrv(varnish) gt 0
+
+ # Use Varnish if available
+ use_backend varnish if varnish_available
+
+ # … or use normal backend
+ use_backend default_backend
+
+backend varnish
+ option httpchk HEAD /varnishcheck
+ server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
+
+backend default_backend
+ server example-hostname 1.2.3.4:443 check observe layer4 ssl
+----
+frontend external
+ acl example_com_domains hdr(host) -i example.com
+ […]
+ use_backend varnish if example_com_domains
+----
+frontend external
+ acl use_cache if hdr(host) -f /etc/haproxy/cached_domains
+ […]
+ use_backend varnish if use_cache
+----
+frontend external
+ acl varnish_http_verb method GET HEAD PURGE
+ […]
+ use_backend varnish if varnish_http_verb
+----
+backend varnish
+ server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
+
+frontend internal
+ bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
+
+backend example_com
+ server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
+----
+frontend external
+ bind 0.0.0.0:80,:::80
+ bind 0.0.0.0:443,:::443 ssl […]
+
+ option forwardfor
+
+ http-request set-header X-Forwarded-Port %[dst_port]
+
+ http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+----
+frontend external
+ […]
+ http-request set-header X-Unique-ID %[uuid()] unless { hdr(X-Unique-ID) -m found }
+----
+frontend external
+ […]
+ http-request add-header X-Boost-Step1 haproxy-external
+
+ http-response add-header X-Boost-Step1 "haproxy-external; client-https" if { ssl_fc }
+ http-response add-header X-Boost-Step1 "haproxy-external; client-http" if !{ ssl_fc }
+ http-response set-header X-Boost-Server my-hostname
+----
+frontend internal
+ […]
+ http-request add-header X-Boost-Step3 haproxy-internal
+
+ http-response add-header X-Boost-Step3 "haproxy-internal; SSL to backend" if { ssl_bc }
+ http-response add-header X-Boost-Step3 "haproxy-internal; no SSL to backend" if !{ ssl_bc }
+----
+backend example_com
+ […]
+ http-response set-header X-Boost-Proto https if { ssl_bc }
+ http-response set-header X-Boost-Proto http if !{ ssl_bc }
+ server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none
+----
+frontend external
+ http-response add-header X-Haproxy-Log-external "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+
+frontend internal
+ http-response add-header X-Haproxy-Log-Internal "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+----
+frontend external
+ […]
+ # Reject the request at the TCP level if source is in the denylist
+ tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
+----
+frontend external
+ […]
+ # List of IP that will not go the maintenance backend
+ acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+ # Go to maintenance backend, unless your IP is whitelisted
+ use_backend maintenance if !maintenance_ips
+
+backend maintenance
+ http-request set-log-level silent
+ # Custom 503 error page
+ errorfile 503 /etc/haproxy/errors/maintenance.http
+ # With no server defined, a 503 is returned for every request
+----
+frontend external
+ […]
+ # Is the request coming for the server itself (stats…)
+ acl self hdr(host) -i my-hostname my-hostname.domain.tld
+ acl munin hdr(host) -i munin
+
+ # Detect Let's Encrypt challenge requests
+ acl letsencrypt path_dir -i /.well-known/acme-challenge
+
+ use_backend local if self
+ use_backend local if munin
+
+ use_backend letsencrypt if letsencrypt
+
+backend letsencrypt
+ # Use this if the challenge is managed locally
+ server localhost 127.0.0.1:81 send-proxy-v2 maxconn 10
+ # Use this if the challenge is managed remotely
+ ### server my-certbot-challenge-manager 192.168.2.1:80 maxconn 10
+
+backend local
+ option httpchk HEAD /haproxy-check
+ server localhost 127.0.0.1:81 send-proxy-v2 maxconn 10
+----
+frontend external
+ […]
+ # List of IP that will not go the maintenance backend
+ acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+ # Go to maintenance backend, unless your IP is whitelisted
+ use_backend maintenance if !maintenance_ips
+
+backend maintenance
+ http-request set-log-level silent
+ # Custom 503 error page
+ errorfile 503 /etc/haproxy/errors/maintenance.http
+ # With no server defined, a 503 is returned for every request
+----
+frontend external
+ […]
+ acl example_com_domains hdr(host) -i example.com
+
+ acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+ acl example_com_maintenance_ips src -f /etc/haproxy/example_com/maintenance_ips
+
+ use_backend example_com_maintenance if example_com_domains !example_com_maintenance_ips !maintenance_ips
+----
\ No newline at end of file
diff --git a/snippets/shell.sh b/snippets/shell.sh
new file mode 100644
index 0000000..6478c44
--- /dev/null
+++ b/snippets/shell.sh
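Review bot: `bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy` in `frontend internal` makes the socket connectable by every local account while `accept-proxy` takes the client address from whatever PROXY header the connecting process sends, so any local process can choose its own `src` — the very value that `tcp-request connection reject if { src -f /etc/haproxy/deny_ips }` and the `maintenance_ips` ACLs later in this hunk rely on; restricting the socket to the Varnish peer, e.g. `bind /run/haproxy-frontend-default.sock user root group <varnish-group> mode 660 accept-proxy`, keeps that trust where it is intended. Both `backend example_com` server lines use `ssl verify none`, so the hop to 1.2.3.4:443 is encrypted but the peer is never authenticated; a comment stating why, or `verify required ca-file <CA_PATH>`, belongs next to them. The `X-Haproxy-Log-external` / `X-Haproxy-Log-Internal` response headers hand the whole log line (client address, backend and server names, timings) to the end user, which reads as a debugging aid that should be gated by an ACL or documented as such. Finally, `acl use_cache if hdr(host) -f /etc/haproxy/cached_domains` is not valid ACL syntax (`if` is not a fetch method); the line presumably meant `acl use_cache hdr(host) -f /etc/haproxy/cached_domains`.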
@@ -0,0 +1,12 @@
+/usr/sbin/varnishd […] -a /run/varnish.sock,PROXY […]
+----
+/usr/sbin/varnishd […] -a 127.0.0.1:82 […]
+----
+curl --verbose \
+ --resolve www.example.com:82:127.0.0.1 \
+ --header "X-Forwarded-Proto: https" \
+ http://www.example.com:82/foo/bar
+----
++X@Ike1sspdiNAko5YHK9HAAAAC4|GET /blog/ HTTP/1.1|user-agent:curl/7.64.0|accept:*/*|host:jeremy.lecour.fr|x-forwarded-for:1.2.3.4, 4,5,6,7|accept-encoding:gzip|x-varnish:65545|x-forwarded-port:443|x-forwarded-proto:http|connection:close
+-X@Ike1sspdiNAko5YHK9HAAAAC4
+----
diff --git a/snippets/varnish.vcl b/snippets/varnish.vcl
new file mode 100644
index 0000000..c5029e0
--- /dev/null
+++ b/snippets/varnish.vcl
@@ -0,0 +1,31 @@
+sub vcl_recv {
+ # HAProxy check
+ if (req.url == "/varnishcheck") {
+ return(synth(200, "Hi HAProxy, I'm fine!"));
+ }
+ […]
+}
+----
+backend default {
+ .path = "/run/haproxy-frontend-default.sock";
+ .proxy_header = 1;
+ […]
+}
+----
+sub vcl_recv {
+ […]
+ set req.http.X-Boost-Step2 = "varnish";
+}
+----
+sub vcl_deliver {
+ […]
+ if (resp.http.Set-Cookie && resp.http.Cache-Control) {
+ set resp.http.X-Boost-Step2 = "varnish WITH set-cookie AND cache-control on backend server";
+ } elseif (resp.http.Set-Cookie) {
+ set resp.http.X-Boost-Step2 = "varnish WITH set-cookie and NO cache-control on backend server";
+ } elseif (resp.http.Cache-Control) {
+ set resp.http.X-Boost-Step2 = "varnish with NO set-cookie and WITH cache-control on backend server";
+ } else {
+ set resp.http.X-Boost-Step2 = "varnish with NO set-cookie and NO cache-control on backend server";
+ }
+----
\ No newline at end of file
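Review bot: The second `varnishd` line opens `127.0.0.1:82` without the `PROXY` flag, and the curl test that follows sets `X-Forwarded-Proto: https` itself, which shows that this listener takes the forwarding headers straight from whoever connects; a comment such as `# debug listener: trusts X-Forwarded-* from the caller, keep it bound to 127.0.0.1 only` would record that this is a loopback test entry rather than something to expose. The captured log line also shows `x-forwarded-for:1.2.3.4, 4,5,6,7`, which looks like a caller-supplied list kept ahead of the address HAProxy appends, so anything downstream that reads the first entry should not treat it as trusted.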
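Review bot: The last block, `sub vcl_deliver {`, is never closed before the trailing `----` separator — every other sub and the backend in this file end with `}`, and the 31-line count confirms the brace is absent — so the snippet as written would not compile if pasted; add `}` after the `}` that closes the else branch. Separately, the `/varnishcheck` branch in the first `vcl_recv` returns 200 for any Host and for any client that reaches Varnish through the HAProxy frontend, not only for HAProxy's `httpchk`; a short comment saying this is intended, or a guard on the request source, would make that trust assumption explicit.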