-
Notifications
You must be signed in to change notification settings - Fork 2
/
haproxy.cfg.example
90 lines (73 loc) · 3.11 KB
/
haproxy.cfg.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
global
insecure-fork-wanted
log stdout format raw local0 debug
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
timeout connect 5s
timeout client 60s
timeout server 60s
timeout check 60s
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
default-server init-addr last,libc,none
frontend stats
bind *:9101
mode http
stats enable
stats uri /stats
stats refresh 10s
http-request auth unless { http_auth(mycredentials) }
userlist mycredentials
user stats password $5$eD.zS8VZq0MaisXv$MAnVQCdWObOxpPEX2Jozyq5Fzc.3nOE/Tzm0SSmLgH/
frontend proxy_in
bind *:9100
mode http
option http-use-proxy-header
option accept-invalid-http-request
# Set the max connections to the frontend higher than the default 2000
maxconn 5000
# These two ACLs are used to split game traffic to the paid proxies
acl ptc_auth hdr_dom(host) -i access.pokemon.com
# These are used to split the traffic on the paid proxies
use_backend proxy_ptc if ptc_auth
# This line is used to send all traffic not related to ptc to the Squid proxy on the intranet.
default_backend squid
backend squid
balance source
fullconn 5000
mode http
server squid squid:3128
backend proxy_ptc
balance roundrobin
# Set the max connections for each server to 1000 so you don't drop data
# This defauls to 10% of maxconn or 10% of the default (which limits it to 200 connections)
fullconn 1000
# The `http-request add-header Proxy-Authorization` is only needed if your proxies require authentication
## Replace BASE64ENCODEDAUTH with your base64-encoded "user:password"
## One way to encode it is to run `echo -n 'user:password' | base64`
#http-request add-header Proxy-Authorization "Basic xxxxxxxxxx=="
# The `check inter 20s fall 3 rise 2` setting will run the ban script every 20 seconds.
# If an address fails 3 times, it will be taken down and the other addresses will get its traffic.
# It will be put back into rotation if it passes the checker twice in a row.
# Below are example proxy lines. Add them in the following format:
server proxy1 1.2.3.4:3128 check inter 20s fall 3 rise 2
server proxy2 5.6.7.8:3128 check inter 20s fall 3 rise 2