code snippets
This commit is contained in:
parent
96bd9a1bf9
commit
c01ce5ad02
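--- a/snippets/haproxy.cfg
+++ b/snippets/haproxy.cfg
@@ -0,0 +1,158 @@
+frontend external
+acl example_com_domains hdr(host) -i example.com
+acl foo_bar_domains hdr(host) -i foo-bar.com foo-bar.org
+[…]
+use_backend example_com if example_com_domains
+use_backend foo_bar if foo_bar_domains
+----
+backend varnish
+option httpchk HEAD /varnishcheck
+server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
+----
+frontend external
+# Is the request routable to Varnish ?
+acl varnish_available nbsrv(varnish) gt 0
+
+# Use Varnish if available
+use_backend varnish if varnish_available
+
+# … or use normal backend
+use_backend default_backend
+
+backend varnish
+option httpchk HEAD /varnishcheck
+server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
+
+backend default_backend
+server example-hostname 1.2.3.4:443 check observe layer4 ssl
+----
+frontend external
+acl example_com_domains hdr(host) -i example.com
+[…]
+use_backend varnish if example_com_domains
+----
+frontend external
+acl use_cache if hdr(host) -f /etc/haproxy/cached_domains
+[…]
+use_backend varnish if use_cache
+----
+frontend external
+acl varnish_http_verb method GET HEAD PURGE
+[…]
+use_backend varnish if varnish_http_verb
+----
+backend varnish
+server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
+
+frontend internal
+bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
+
+backend example_com
+server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
+----
+frontend external
+bind 0.0.0.0:80,:::80
+bind 0.0.0.0:443,:::443 ssl […]
+
+option forwardfor
+
+http-request set-header X-Forwarded-Port %[dst_port]
+
+http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+http-request set-header X-Forwarded-Proto https if { ssl_fc }
+----
+frontend external
+[…]
+http-request set-header X-Unique-ID %[uuid()] unless { hdr(X-Unique-ID) -m found }
+----
+frontend external
+[…]
+http-request add-header X-Boost-Step1 haproxy-external
+
+http-response add-header X-Boost-Step1 "haproxy-external; client-https" if { ssl_fc }
+http-response add-header X-Boost-Step1 "haproxy-external; client-http" if !{ ssl_fc }
+http-response set-header X-Boost-Server my-hostname
+----
+frontend internal
+[…]
+http-request add-header X-Boost-Step3 haproxy-internal
+
+http-response add-header X-Boost-Step3 "haproxy-internal; SSL to backend" if { ssl_bc }
+http-response add-header X-Boost-Step3 "haproxy-internal; no SSL to backend" if !{ ssl_bc }
+----
+backend example_com
+[…]
+http-response set-header X-Boost-Proto https if { ssl_bc }
+http-response set-header X-Boost-Proto http if !{ ssl_bc }
+server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none
+----
+frontend external
+http-response add-header X-Haproxy-Log-external "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+
+frontend internal
+http-response add-header X-Haproxy-Log-Internal "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+----
+frontend external
+[…]
+# Reject the request at the TCP level if source is in the denylist
+tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
+----
+frontend external
+[…]
+# List of IP that will not go the maintenance backend
+acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+# Go to maintenance backend, unless your IP is whitelisted
+use_backend maintenance if !maintenance_ips
+
+backend maintenance
+http-request set-log-level silent
+# Custom 503 error page
+errorfile 503 /etc/haproxy/errors/maintenance.http
+# With no server defined, a 503 is returned for every request
+----
+frontend external
+[…]
+# Is the request coming for the server itself (stats…)
+acl self hdr(host) -i my-hostname my-hostname.domain.tld
+acl munin hdr(host) -i munin
+
+# Detect Let's Encrypt challenge requests
+acl letsencrypt path_dir -i /.well-known/acme-challenge
+
+use_backend local if self
+use_backend local if munin
+
+use_backend letsencrypt if letsencrypt
+
+backend letsencrypt
+# Use this if the challenge is managed locally
+server localhost 127.0.0.1:81 send-proxy-v2 maxconn 10
+# Use this if the challenge is managed remotely
+### server my-certbot-challenge-manager 192.168.2.1:80 maxconn 10
+
+backend local
+option httpchk HEAD /haproxy-check
+server localhost 127.0.0.1:81 send-proxy-v2 maxconn 10
+----
+frontend external
+[…]
+# List of IP that will not go the maintenance backend
+acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+# Go to maintenance backend, unless your IP is whitelisted
+use_backend maintenance if !maintenance_ips
+
+backend maintenance
+http-request set-log-level silent
+# Custom 503 error page
+errorfile 503 /etc/haproxy/errors/maintenance.http
+# With no server defined, a 503 is returned for every request
+----
+frontend external
+[…]
+acl example_com_domains hdr(host) -i example.com
+
+acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+acl example_com_maintenance_ips src -f /etc/haproxy/example_com/maintenance_ips
+
+use_backend example_com_maintenance if example_com_domains !example_com_maintenance_ips !maintenance_ips
+----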
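Review bot: The `bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy` line in `frontend internal` makes the PROXY-protocol socket writable by every local account, so any local process can connect and present an arbitrary source address; that address becomes `src` for `frontend internal`, lands in the `%ci` field of the `X-Haproxy-Log-Internal` header, is re-emitted toward the origin by `send-proxy-v2` on the `example_com` server line, and, as far as this snippet shows, enters behind the `tcp-request connection reject` and maintenance ACLs that only `frontend external` applies. Restrict the socket to the account varnishd runs as, e.g. `bind /run/haproxy-frontend-default.sock user varnish group varnish mode 660 accept-proxy` (constructed names, substitute the real user and group). Separately, `acl use_cache if hdr(host) -f /etc/haproxy/cached_domains` will not parse because `if` is not a fetch method in the `acl` directive; it should read `acl use_cache hdr(host) -f /etc/haproxy/cached_domains`. The two `ssl verify none` server lines also disable certificate validation toward 1.2.3.4:443; if that is deliberate for a self-signed origin, a comment saying so would help, otherwise `verify required` with a `ca-file` is the safer default.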
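--- a/snippets/shell.sh
+++ b/snippets/shell.sh
@@ -0,0 +1,12 @@
+/usr/sbin/varnishd […] -a /run/varnish.sock,PROXY […]
+----
+/usr/sbin/varnishd […] -a 127.0.0.1:82 […]
+----
+curl --verbose \
+--resolve www.example.com:82:127.0.0.1 \
+--header "X-Forwarded-Proto: https" \
+http://www.example.com:82/foo/bar
+----
++X@Ike1sspdiNAko5YHK9HAAAAC4|GET /blog/ HTTP/1.1|user-agent:curl/7.64.0|accept:*/*|host:jeremy.lecour.fr|x-forwarded-for:1.2.3.4, 4,5,6,7|accept-encoding:gzip|x-varnish:65545|x-forwarded-port:443|x-forwarded-proto:http|connection:close
+-X@Ike1sspdiNAko5YHK9HAAAAC4
+----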
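Review bot: The `-a 127.0.0.1:82` listener that the `curl --resolve … --header "X-Forwarded-Proto: https"` test talks to has no PROXY qualifier, unlike `-a /run/varnish.sock,PROXY`, so whatever connects to it hands its own `X-Forwarded-*` headers straight into VCL, as the test itself relies on. That is fine for a loopback check, but the snippet should state the limit, e.g. `# test-only listener: trusts client-supplied X-Forwarded-* headers, keep on loopback and do not point HAProxy at it`. The varnishlog excerpt also carries `host:jeremy.lecour.fr`, a real hostname among otherwise `example.com`-style placeholders, and the file is not runnable shell (the `----` separators and the `+X@…`/`-X@…` log lines are not commands), so either `#`-prefix the non-command lines or give the file a notes extension.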
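--- a/snippets/varnish.vcl
+++ b/snippets/varnish.vcl
@@ -0,0 +1,31 @@
+sub vcl_recv {
+# HAProxy check
+if (req.url == "/varnishcheck") {
+return(synth(200, "Hi HAProxy, I'm fine!"));
+}
+[…]
+}
+----
+backend default {
+.path = "/run/haproxy-frontend-default.sock";
+.proxy_header = 1;
+[…]
+}
+----
+sub vcl_recv {
+[…]
+set req.http.X-Boost-Step2 = "varnish";
+}
+----
+sub vcl_deliver {
+[…]
+if (resp.http.Set-Cookie && resp.http.Cache-Control) {
+set resp.http.X-Boost-Step2 = "varnish WITH set-cookie AND cache-control on backend server";
+} elseif (resp.http.Set-Cookie) {
+set resp.http.X-Boost-Step2 = "varnish WITH set-cookie and NO cache-control on backend server";
+} elseif (resp.http.Cache-Control) {
+set resp.http.X-Boost-Step2 = "varnish with NO set-cookie and WITH cache-control on backend server";
+} else {
+set resp.http.X-Boost-Step2 = "varnish with NO set-cookie and NO cache-control on backend server";
+}
+----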
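Review bot: The `if (req.url == "/varnishcheck")` branch in `vcl_recv` answers any request for that path that HAProxy routes to the `varnish` backend, not only the health checker, and the `X-Boost-Step2` values set in `vcl_deliver` tell every client whether the origin sent `Set-Cookie` and `Cache-Control`; both are handy while debugging but expose internal behaviour once the snippet is used in production. Since the HAProxy side probes with `option httpchk HEAD /varnishcheck`, tightening the guard to `if (req.method == "HEAD" && req.url == "/varnishcheck")` narrows the exposure, and keeping `/varnishcheck` off the public route with a path ACL in HAProxy closes it; the diagnostic headers are best removed or gated before release. The `sub vcl_deliver` block is not closed in the snippet (the last `}` belongs to the `if`), so a note that the sub continues, or its closing brace, would make it safe to paste.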